hawkeye | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

Analysis

max time kernel
4294212s
max time network
161s
platform
windows7_x64
resource
win7-20220311-en
submitted
12-03-2022 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
Size

6.6MB
MD5

dc70508f10ea72c1ad810c72b179bf28
SHA1

5c7ef633b20ad47c1a9967a181ebf42a5094c07d
SHA256

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e
SHA512

8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Score

10^/10

hawkeye revengerat collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 11 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
behavioral1/memory/900-127-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/900-130-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
behavioral1/memory/1428-132-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1428-135-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
behavioral1/memory/900-127-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/900-130-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1428-132-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1428-135-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

RevengeRat Executable 11 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
behavioral1/memory/308-90-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/308-92-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/308-94-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/308-96-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat
behavioral1/memory/308-98-0x0000000000400000-0x000000000042E000-memory.dmp	revengerat

Executes dropped EXE 7 IoCs

Processes:

1.exe2.exeGerenciador de audio HD Realltek.exeWindows Explorer.exeWindows Update.exeGerenciador de audio HD Realltek.exe

pid	process
560	1.exe
1244	2.exe
1428	Gerenciador de audio HD Realltek.exe
1820	Windows Explorer.exe
1276
1920	Windows Update.exe
1820	Gerenciador de audio HD Realltek.exe

Drops startup file 7 IoCs

Processes:

RegSvcs.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Diagnostic execution services.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Support updater.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gerenciador de audio HD Realltek.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gerenciador de audio HD Realltek.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gerenciador de audio HD Realltek.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Servicos do grupo updater ( grupdate).vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome Elevation Services.js	RegSvcs.exe

Loads dropped DLL 17 IoCs

Processes:

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe1.exeWindows Explorer.exeRegSvcs.exeRegSvcs.exe

pid	process
1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
560	1.exe
560	1.exe
560	1.exe
560	1.exe
560	1.exe
560	1.exe
560	1.exe
560	1.exe
1276
1820	Windows Explorer.exe
308	RegSvcs.exe
308	RegSvcs.exe
1628	RegSvcs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows Update.exeRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gerenciador de audio HD Realltek = "C:\\Users\\Admin\\AppData\\Roaming\\Gerenciador de audio HD Realltek.exe"	RegSvcs.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 whatismyipaddress.com
9 whatismyipaddress.com
11 whatismyipaddress.com

flow	ioc
12	whatismyipaddress.com
9	whatismyipaddress.com
11	whatismyipaddress.com

Suspicious use of SetThreadContext 6 IoCs

Processes:

Gerenciador de audio HD Realltek.exeRegSvcs.exeWindows Update.exeGerenciador de audio HD Realltek.exeRegSvcs.exe

description	pid	process	target process
PID 1428 set thread context of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 308 set thread context of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 1920 set thread context of 900	1920	Windows Update.exe	vbc.exe
PID 1920 set thread context of 1428	1920	Windows Update.exe	vbc.exe
PID 1820 set thread context of 1628	1820	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1628 set thread context of 484	1628	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Windows Update.exe

pid process

1920 Windows Update.exe

pid	process
1548	schtasks.exe

pid	process
1920	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Gerenciador de audio HD Realltek.exe2.exeRegSvcs.exeWindows Update.exeGerenciador de audio HD Realltek.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1428	Gerenciador de audio HD Realltek.exe
Token: SeDebugPrivilege	1244	2.exe
Token: SeDebugPrivilege	308	RegSvcs.exe
Token: SeDebugPrivilege	1920	Windows Update.exe
Token: SeDebugPrivilege	1820	Gerenciador de audio HD Realltek.exe
Token: SeDebugPrivilege	1628	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe1.exeGerenciador de audio HD Realltek.exe2.exeRegSvcs.exeWindows Explorer.exeWindows Update.exe

description	pid	process	target process
PID 1504 wrote to memory of 560	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 1504 wrote to memory of 560	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 1504 wrote to memory of 560	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 1504 wrote to memory of 560	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 1504 wrote to memory of 1244	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 1504 wrote to memory of 1244	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 1504 wrote to memory of 1244	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 1504 wrote to memory of 1244	1504	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 560 wrote to memory of 1428	560	1.exe	Gerenciador de audio HD Realltek.exe
PID 560 wrote to memory of 1428	560	1.exe	Gerenciador de audio HD Realltek.exe
PID 560 wrote to memory of 1428	560	1.exe	Gerenciador de audio HD Realltek.exe
PID 560 wrote to memory of 1428	560	1.exe	Gerenciador de audio HD Realltek.exe
PID 560 wrote to memory of 1820	560	1.exe	Windows Explorer.exe
PID 560 wrote to memory of 1820	560	1.exe	Windows Explorer.exe
PID 560 wrote to memory of 1820	560	1.exe	Windows Explorer.exe
PID 560 wrote to memory of 1820	560	1.exe	Windows Explorer.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1428 wrote to memory of 308	1428	Gerenciador de audio HD Realltek.exe	RegSvcs.exe
PID 1244 wrote to memory of 1996	1244	2.exe	arp.exe
PID 1244 wrote to memory of 1996	1244	2.exe	arp.exe
PID 1244 wrote to memory of 1996	1244	2.exe	arp.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 308 wrote to memory of 1556	308	RegSvcs.exe	RegSvcs.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1820 wrote to memory of 1920	1820	Windows Explorer.exe	Windows Update.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 900	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 1428	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 1428	1920	Windows Update.exe	vbc.exe
PID 1920 wrote to memory of 1428	1920	Windows Update.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
"C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
"C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nqbtkuxd\nqbtkuxd.cmdline"
5⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE762.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C88573DD8E14356B702758CB549767.TMP"
6⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wjvurbhp\wjvurbhp.cmdline"
5⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE85C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc595E063DAAE44D53AEC7E73E8E84CC48.TMP"
6⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iygkv5tg\iygkv5tg.cmdline"
5⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D0CDA9E6610430BAAADA73759F0B797.TMP"
6⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bnfgr4yr\bnfgr4yr.cmdline"
5⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECCF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F93CB414D8448F6A7ED6FC18B625EBB.TMP"
6⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ic5e0xdq\ic5e0xdq.cmdline"
5⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDDD143F16C1D42C2AA59AC8BEFE217E1.TMP"
6⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skqn0fda\skqn0fda.cmdline"
5⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc44C71D92D3EC4BF0AEE77A14BB935E78.TMP"
6⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ei2pvoa3\ei2pvoa3.cmdline"
5⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47146B1EC848443581FDEE84CBF3C95C.TMP"
6⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otmgbj2s\otmgbj2s.cmdline"
5⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc477D6BA21024160876758B0263F684E.TMP"
6⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mt123tzv\mt123tzv.cmdline"
5⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF650F73844E34D6B8C3DF5BF113E17FF.TMP"
6⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bx5ntjo0\bx5ntjo0.cmdline"
5⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF170.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9297E9B7FB148888B8D12E7545A76A5.TMP"
6⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fuavn4r1\fuavn4r1.cmdline"
5⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF24B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCA92963573D4D4B9449EBCA60CE5919.TMP"
6⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lpnkdk2j\lpnkdk2j.cmdline"
5⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF306.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6508DB08A4B4FBF98CEADC3767A824D.TMP"
6⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4fg4eoci\4fg4eoci.cmdline"
5⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A9B447E2234BC191E75C548297278.TMP"
6⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulyq4mnf\ulyq4mnf.cmdline"
5⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc14045CB67BA14B04803452C3BB96982C.TMP"
6⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebl4ge4u\ebl4ge4u.cmdline"
5⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF586.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EF94ADD24E14930B0524E4BBE5C4DCD.TMP"
6⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wtn5xrma\wtn5xrma.cmdline"
5⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF650.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc669C0594E3D04F9BB033C85139E433.TMP"
6⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yttrzyto\yttrzyto.cmdline"
5⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF788.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6EBB7C23A494FCC99A47FDC926DED4D.TMP"
6⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uditt4et\uditt4et.cmdline"
5⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF853.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc281EF054F8CC4B1CA1C78C274F52A82F.TMP"
6⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n0mp0ht0\n0mp0ht0.cmdline"
5⤵
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF95C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD74912BFB49B435B8FB3B73AD614D69.TMP"
6⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tgdlg12m\tgdlg12m.cmdline"
5⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5F75352520714602808C8432E68BF956.TMP"
6⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oz5hrzkl\oz5hrzkl.cmdline"
5⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB7E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc851708844FF54E1AA153F96E91CDDFDF.TMP"
6⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sk5c2xn2\sk5c2xn2.cmdline"
5⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91B0AD16839247F5A91D6533F1EB82F.TMP"
6⤵
PID:1772

C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe
"C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
7⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1mdc1inw\1mdc1inw.cmdline"
7⤵
- Drops startup file
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28D19DC3A21B40538A556A509CD5814F.TMP"
8⤵
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Gerenciador de audio HD Realltek" /tr "C:\Users\Admin\AppData\Roaming\Gerenciador de audio HD Realltek.exe"
7⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zuy4qogx\zuy4qogx.cmdline"
7⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F8A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc93948FA66F2B475A879BFFC1E52A2C16.TMP"
8⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tubzqms3\tubzqms3.cmdline"
7⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17085F416B0B401098CCA6FEEC9DEF1E.TMP"
8⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5bt4ls3t\5bt4ls3t.cmdline"
7⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92E25BD465A343F8BB425096582DF038.TMP"
8⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1yyn2kkr\1yyn2kkr.cmdline"
7⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3DD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CB71178DEB4A4E9E62B46C1FE15B.TMP"
8⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r1uev4kx\r1uev4kx.cmdline"
7⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD17728C7303B4E2F968BAE9354B2E26F.TMP"
8⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qh4geshs\qh4geshs.cmdline"
7⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA563.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C237D4772EF4A4F82D6FC90F72BB8F1.TMP"
8⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cdpgs3sk\cdpgs3sk.cmdline"
7⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA62E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50F598CFF6804C91AFF9AD6F749FA510.TMP"
8⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksh4bbhm\ksh4bbhm.cmdline"
7⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEACF133F234840559F149C328E94044.TMP"
8⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\izm1vumw\izm1vumw.cmdline"
7⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7A5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc507F4E25EBD2439A96A6F294926B4766.TMP"
8⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nslum11f\nslum11f.cmdline"
7⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc41D95ED7CF4A4DB0A7AD51EDC28A26A.TMP"
8⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
5⤵
- Accesses Microsoft Outlook accounts
PID:900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
5⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
3⤵
PID:1996

C:\Windows\system32\taskeng.exe
taskeng.exe {212A7D9C-F983-4C2B-876D-19A6DAA8AB45} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PORNO\vcredist2010_x64.log-MSI_vc_red.msi.ico
MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\PORNO\vcredist2010_x64.log.ico
MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\ProgramData\PORNO\vcredist2010_x86.log-MSI_vc_red.msi.ico
MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\PORNO\vcredist2010_x86.log.ico
MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\ProgramData\PORNO\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico
MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\PORNO\vcredist2012_x64_1_vcRuntimeAdditional_x64.ico
MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\PORNO\vcredist2012_x86_0_vcRuntimeMinimum_x86.ico
MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjWSTUK.txt
MD5
f45d326b2e70f86c04c202ca0c4178f8

SHA1
d6abdb718d980bd3b63f6ac640c0a2719d8aefaa

SHA256
45cd2299ff183f0567df478da15cdfdf51d25e2671e7f95f2c93e2a93ef5d560

SHA512
d4a75b15417ea248b70b5f14a60ef0d17297ddd84e3f68c4c75ba7fe16abf387ba37fe6dd82b1e05641f1f8bf1932244d3d39c028c97f31e7a55d141e0fadfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE762.tmp
MD5
7c4ae0997de4f3a810b8400c665bd8df

SHA1
92cd63a22121e738de135f7f4af0dc750cffa27d

SHA256
0d1ac52517d9d92d318f6c0a43ffcd67c7df27875b7baf01c0e5e06d22a108c1

SHA512
509a4408385f3d4480e9acab71728e483fc3d9d528be53df8a1dbc45faf9b95a6345020d12fb6c4e33e7156d8c05baa2e58cbae6b35bf90ecad88cd8fe078bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE85C.tmp
MD5
8dfc94a92c43121ea6d0f46ba292cdfe

SHA1
df4340b8ed25832193262ac568d3047a570cb24d

SHA256
d0b9cdba9667b64fabb188154c2f966ba3a13faaff586f628eba9f310e25ddbe

SHA512
ec77437ec860bd518ecc086c4bce624d3dae7a26e295201f5e817d4bbe8cb477316330e21210f48a3c32e71b104f6fe71cf36139459a06887e9b2c7a97aa97cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC23.tmp
MD5
29891e77e8626e8635f5a270b4f47213

SHA1
3dbdf18f99d6a7651de2002f5dbc210abc5e3163

SHA256
a953ae77c29770441c39c5d2adf9fd8fdef5aa16502fda349b80f79ff06b41b9

SHA512
8a46e070efce2d469dfc61b097639f01e3a7395a421c01ab05991489fd4174f9a0204889aa1fa9de978ffe5074bdc6a41a0c005ab0058169eb5c6f0800993643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECCF.tmp
MD5
d4959911b225b988c51e3981b174f9a0

SHA1
e5cad31b727f8b644285f88bc4f4503160f99911

SHA256
5be2ee928b87850405b1dbd19488b52ac6e97e450d6661e23cc3fc374147e825

SHA512
4966a8d522654271171b236bf14abb13ec9b68e09aaa5e06a66132ad2b77e61af945469d9c80e35b540026cce7feb637c23a05d97dee87261bb98208f8885867

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED8A.tmp
MD5
9b0aa0a0bb4ef3ec7745f6a162ca3cab

SHA1
3ef6a72d9b73fdc406a6579fff3bac85e11cd905

SHA256
4f5bfc54d09673a7af16377c3816f55e3a3b8e57feb873bc37d61d4ae3d396b9

SHA512
263a4b33299e6c132a0c28f8a76949318bd35a057a276d05e88e8fc1f8149ee6f2d00c07f69315ba4e32d9fb106617758b3040fa715b1c745780965ec1f78689

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEE26.tmp
MD5
6e45730fc719035f8ad6f3c2a408d10a

SHA1
06ef480d5313d28cf371772f120a9a2eb9d7176c

SHA256
708da1302d711637cfcaab0087f7981a400e93ede3e4bf59fdc3add9e7b6bcae

SHA512
dabadd2982d2c95235a5e733cf395a5cb4f2459fb415be46f3432b91767d1b8a219a86bffa871fb9619e5968c16f45ac7135dc9fc4fca25e96d2da5b5f4db791

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF10.tmp
MD5
ea317a01494e6e5476343cdd74772fd0

SHA1
c871d40e1a125158765a7d394015cd13875add44

SHA256
6efe1f281d7dc36e5fa36e1d8001fdd06a111b39ec5ca00e5a61fa7c0b9bf74c

SHA512
58059f7794d611fe392578f2d5dcfd8188e696a673cb3b3051f2b0c7e42ba62e86b62f64f8f7fca5add9570d88193900ed7891b58495e31cb8048bea2673d82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
MD5
5d67274c809c854f9233b1b460988bf4

SHA1
bf22c7b3d41df443ebdb577b1c830c4c77ee8fd5

SHA256
0a7db94e071eae09340bdd372acc3ef1529a209f6eb5d35fa6f60ed70e224558

SHA512
89d5ada77eb0f9080a52659d786dc071705f7922780eb730e66b451f2689ef2d6a7595897541e301432d00eef518aa4755f8fbb12d2353969b6e9ef6c68e3ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnfgr4yr\bnfgr4yr.0.vb
MD5
9fd40c0f94484ce65a5a3c2ae1183a6d

SHA1
3ee2ca01aca4d6262b30444dc8903e6186fb0216

SHA256
d71fa17e6ca132361822496a9be6a50024db393c2d4359ca127e7a01d9c3cba3

SHA512
9443c776f8feb297b3e861d7ee6e90f7e695e7c0f779457b5e19ac30dee50ceb965eb3c70f4857351c4048c3ff0d797ac33eb61cb4df5c8b1b784a60e9d95cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnfgr4yr\bnfgr4yr.cmdline
MD5
cd6683df88c2039f6073cdbc52411bc0

SHA1
a4a2a6c5397459bc65d8f2a81af54d8bd8cb9faf

SHA256
b8156aaf3701ceecda88314c6df4a5cad4ff2d396614fc2089ba6d8156a9c845

SHA512
761ea27947c323492171d3d3ec45643e80261a10f2fa06329ad0eef050877ba35ffeea519c2c82a272c37ee4c539dfd3290e09553bf6266e206248431ab7e454

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei2pvoa3\ei2pvoa3.0.vb
MD5
021ea6294c265eb48cf616e0f139b5e6

SHA1
82ff6a00da648980525e14b408d4ffad17068822

SHA256
07d8e6de429f514a05161e3bba61d6dc2e887e22b25ba56469aaa96692daa586

SHA512
c7b676a9e27834bd8a7f4b61693aa070c8a4494ea277f646c7d2c724b3631adb86d54fd506736f7ce5fd19e93425f44f41cce64bad8c6095134a23e51fdb1dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei2pvoa3\ei2pvoa3.cmdline
MD5
2f08b01e87e0e575e8a0e8ed5c164819

SHA1
76a3cc7448b3c958370631daf4b0801370f0bdc4

SHA256
16a157d34ea198747133664dc5722a91ee0f79aaa9bf154b862b8cf2cfbf3df9

SHA512
07c996e0466f0f02f5184f00f15e2fa451b1762039de9e76b38e9c9a0ad88784194133950e39cbc5fc1142c4db4c11cca79f852ae52df8a2376ffa7fe82da39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic5e0xdq\ic5e0xdq.0.vb
MD5
d54cba2d1778ec6b30405c8c1cf41b6a

SHA1
c322a061e5be3b4357cda080e22dc9da2f90f7a9

SHA256
3acc8c56373998e01be02c270c7aafa4cbbedf53973a09a9c758a348a93f2d27

SHA512
27be3f5465816b797ff8f4b7d5caa40e8def47627095497100ed22d02e7804682288db7742c686bad6f314725216cc67f1c1d30fb415f27febe779745b0a2694

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic5e0xdq\ic5e0xdq.cmdline
MD5
c62b1da4b42373ed9567d563caed657b

SHA1
d72c7262b183233e445b52af4d7c745eae2c4c2e

SHA256
cedaace68842282a5136c19a3ddc054ed482ac26dccb840f957f17c9d1533287

SHA512
fddc948e213434b461e0edc065e6494c9e04d103c45134b7c3bcd0bf2814a6cb28ec1a5b480e85dd68ad9037f0012cbd9302160eddea36d64c61b7d0175c4f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\iygkv5tg\iygkv5tg.0.vb
MD5
f4d6e283e213657675173992c2f1c9b6

SHA1
16ea4c546a2993d1d66261f5b37a37f3a96003b7

SHA256
8997eb22f1357914c868ea895ee8fa92d92498a4bb87eddf7023f84169500fe2

SHA512
389dbaca85409820908d56f6541c6e112e6233801132247c082b96a77f48d0e8c796c6b3af09d93580188a410f03288eb5cd83beaa5bebc1d9b121b6d81f0ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iygkv5tg\iygkv5tg.cmdline
MD5
a44678a608f4a4efddd97a380e868db8

SHA1
b05148325ee2f05bd3a17a55d7c8acce01fa249e

SHA256
bc65546a491af18b19ff53856c147d29e09c12f061e4ef3a5ebf45f1c0d19e1c

SHA512
924c39b0ffe5e389f1b2603a6ea42edec492e692c2c33abd1972c7da369f6081ec2e25ee19e7f1805efa3cd4679e5c3bf49f6abba99fd03aa1ff6fc4c08c0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbtkuxd\nqbtkuxd.0.vb
MD5
8375652f5a328760850fe1b0b7e4e101

SHA1
2ac35046ad2360cb39cdd66c346247b998c01f12

SHA256
6f1d3999d3dc16829adb2e83970960c4ecc596b2efa1168fe2798f7e9be4eddb

SHA512
5699617cd37484d9e3f40590c60ceae9bc01f2a63d5019e29d53d4060426cf45999304a46515d5daf451c342457028744c6f3e854a6a93f3809fecf6833cf6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqbtkuxd\nqbtkuxd.cmdline
MD5
b1346da3ec72ad4885d85e911ce96da6

SHA1
f2417e72f9a8504d810d672a4a0a54bc6334a148

SHA256
3ca11acde3c85455fb898b76009c3936f879ec6b3ec9784a059f11ad62c0ce76

SHA512
8a6454a9b4ee0194fb92bdc36206648328cded30a99d582a1558a7a90810a62b1547c3c7de861ee0ee9e99102fe30620196b75b4279cf832497da5cab56b9b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\otmgbj2s\otmgbj2s.cmdline
MD5
71aac1967933adc31de4cd2ae6cf20d8

SHA1
a3a6a90ae7a0bf8abb7d3e79d2e189e88155a363

SHA256
fecc350e170b9dac0e745d323379840488f6572dc111bb02d9cc7e46e3970a2c

SHA512
94d84711e27b872b70710ccf511ea4b1a4ce571118b0ae2fb4ce2cce718bcf916deee3426f962ffb8bb693a3e1f7e8881a489ab05b6ab9e27a59fe78a0ea3d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skqn0fda\skqn0fda.0.vb
MD5
e1def3642552ad3b6ebf2cc88ae307ea

SHA1
d919a16f19644e7676aedfcc0d3f4db97c096dc0

SHA256
344479a9669ade72ed3e3e801c1315b6e86036eeab0a1d92883ee74b3afa67b5

SHA512
01d636c02c2696d7bfc871e58530ce70f057cc49f0154fb9731b02c500d7595433bb90f505d93a0c670b5927e135871f3d4ef31b3e6b52e6e8e472c1d2d5ac84

Download Submit
C:\Users\Admin\AppData\Local\Temp\skqn0fda\skqn0fda.cmdline
MD5
741daf90e1f88a789364c86e1f78a43d

SHA1
a7eadcb276924dea020776806fb44af40aa93b8f

SHA256
76ff3bafff07c6c19b0f0ad3efd4fbc87aa8b1890101b65ef8571f972dfc3067

SHA512
6a2385d66f74440b21e0fedad4e7945b7a1cd9103f620579446c2c824d545401433eb77266617f556e16720f263ae84ee3af8bb79b5354172dc6c699580f9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F93CB414D8448F6A7ED6FC18B625EBB.TMP
MD5
054f484544043c718720b3022d514037

SHA1
1feef83579d8b46b9248263f974d42202339b776

SHA256
b9e80de3536ac1e6c279b1517b97eb47ab170fa19e9ae4c278c92941e67cd840

SHA512
8d0a90d8301d6df9ed84cf50953b4dac2fc452fe152c4a9d9ff15e611729088e06e134bf5c74191d0bf9565f5125d1fdcd80cb9f158c0a350a10f20589a03f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc44C71D92D3EC4BF0AEE77A14BB935E78.TMP
MD5
9005789d2d36ea0bc27c3f296342f4af

SHA1
e791a73004c209ab5b40ccfdebe47c0f2db98151

SHA256
ae890b658cd2dfd0b02d96c28486b845afb00231f46beac23f0687d2d4193b3c

SHA512
a2abd1a5fbdb155dcabecd3022d3f920474ee083967e2fce259edd9332d4604adc7cec417a0ae44a159f8421a71fb812335e640573d8b7fb3d162c9fd3e0d2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc47146B1EC848443581FDEE84CBF3C95C.TMP
MD5
6c39e27d3bcd56393a5d0e75ff3d5ffb

SHA1
9fd190e5304ee44ba5d0888ad81ba1d7583192c1

SHA256
63525cae8e11e02ed74d68053b675b5d3d8fc28db95ab36dc10159725aa30c8e

SHA512
f88c5307cee0a6036960805d4ea47816a689130c7c46c330bae22170db65611602094ddf4249012bf1461cbe36e1231a30ee56847dae5a99597703ce5a35467e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc595E063DAAE44D53AEC7E73E8E84CC48.TMP
MD5
2632d574a8856cd0f0c565bd0a4c7db6

SHA1
4a0e23647b5950f819234b43a7fe664d24e5e4fc

SHA256
ddb43ef99f253352fbf0dbcfc54c6a7f79f3cb93b4ec4a6e18ea83cd4c8cab3d

SHA512
83be0a9dce593c1f122ab482713be587bf02ba65d061b2e307855b43a61f06b5986dba4ae2c6d9de0ac278c5f0d66fb2d237762d2b2f4f3f255b6abf1457079f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C88573DD8E14356B702758CB549767.TMP
MD5
8c5cfe7b1c4cbc59065e9fdd0ab137dc

SHA1
24d007d18e55a1b0cc39e441fdea82e51485a09f

SHA256
c4fe47a32bc7a0c0bb58097d82435be2e74c758eef0b0faf85e0c4ab5c481d41

SHA512
55a07a2e70de70f409ec1e3c987040b98c4e80306c3be80c74cabd44bbbcf4b4fb735630c8297fa08ed424f87d7f1fb5529631828241addfaa349cd7cc1e8d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D0CDA9E6610430BAAADA73759F0B797.TMP
MD5
2cf20a972220e40c90da9926040c1bb3

SHA1
0759b3146cfa66fa27f42f6eeeb6b2cf8ed36891

SHA256
00a23897184d0139097beab73c836458cc93573d7f2f397ccfbfb74af0617409

SHA512
a0f71d3100a7791cbcf41b4e03e30ce7c700c4b3f8efaaf89cbd7a7f57767c8b3ec008f8e744514a0ad41f2176ab35c24363c47827bdaeb22b7f10ce12e2b047

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDDD143F16C1D42C2AA59AC8BEFE217E1.TMP
MD5
b3d34f1f1b07ddc84705bb35f064eb34

SHA1
d39143b6e177fe3271578d69c605b9ebe0c7ec8b

SHA256
6f2d26d0a9750652a2dcef7837dd27897d2e078afd31541a223a6e991d30a64b

SHA512
cfd7ee2401128baa8febc408db07d828fe95a239dc68b044cda435f48442641846d1d20b475645dec964f3a5720bf52ac0ed335d52878e03954f9905b0c86b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjvurbhp\wjvurbhp.0.vb
MD5
6e820becbb84e269088ddfcdd1a30ee7

SHA1
86a0ff672c71c58d66ff6056becaf700bacc3e4d

SHA256
1e9e733af13dbef71fb8f7dd7f95afe88b2d3c220fefd5fe391c5e3ef6d35a11

SHA512
339fc23e8e921d707a24e756bf56e57db31e3df1a05e64f537b46b1930dbb648dd118376f280f8c3cda284c2524cbbd6420cb1b14ec5d6db249a9382bf48eca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjvurbhp\wjvurbhp.cmdline
MD5
4514aed7562cfc7ffd48ce5fe877dcfd

SHA1
647bca33bcb6832e1df7cb8bc830134f264ef375

SHA256
a07671a8d17ac1e7097433f3351d43073e2a996f5c9919c08b42982374acb853

SHA512
ca079a95117ab589742de759d1e038f6302cd25aef43eef299d9312720d67e05772c8e38fe0ce2da366c0ee6c32d4ec0f1623902b02af2f493288e062d083f10

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
memory/308-92-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-90-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-119-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/308-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-101-0x0000000070BC0000-0x00000000712AE000-memory.dmp

Filesize
6.9MB

Download
memory/308-88-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-98-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-96-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/308-94-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/484-203-0x0000000070BC0000-0x00000000712AE000-memory.dmp

Filesize
6.9MB

Download
memory/484-202-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/900-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/900-130-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1244-78-0x000000013FB70000-0x0000000140198000-memory.dmp

Filesize
6.2MB

Download
memory/1244-79-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/1244-102-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/1428-135-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1428-85-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-83-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1428-81-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1504-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1556-107-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-109-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-114-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-118-0x0000000070BC0000-0x00000000712AE000-memory.dmp

Filesize
6.9MB

Download
memory/1556-103-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-111-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-116-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1556-117-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1556-105-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1628-189-0x0000000070BC0000-0x00000000712AE000-memory.dmp

Filesize
6.9MB

Download
memory/1628-204-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1820-82-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1820-186-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-80-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-84-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-124-0x0000000073BF0000-0x000000007419B000-memory.dmp

Filesize
5.7MB

Download
memory/1920-125-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/1920-131-0x0000000002165000-0x0000000002176000-memory.dmp

Filesize
68KB

Download