cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

Analysis

max time kernel
175s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Size

65KB
MD5

19d88235a435a3f2199eabfe427e9c48
SHA1

ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68
SHA256

cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca
SHA512

2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e
SSDEEP

1536:8RkN4xKr7TVkSzODZIC4o91zxeqjD/vaGv9MCNp0nhz:2kCKrFk2C4o91zxP3aGvRNChz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgrdam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgwsvcm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avcntlx.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsdlp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgupsrvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashsvam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ashwbsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgmsva.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aswupsrc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgemkdr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avgapgui.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 29 IoCs

pid	Process
552	ashsvam.exe
1712	ashsvam.exe
2708	avgrdam.exe
4216	avgrdam.exe
4380	avgupsrvc.exe
1396	avgupsrvc.exe
4880	aswupsrc.exe
4552	aswupsrc.exe
4252	avcntlx.exe
3180	avcntlx.exe
4812	avgemkdr.exe
4260	avgemkdr.exe
5112	avgapgui.exe
4768	avgapgui.exe
4724	avgmsva.exe
4688	avgmsva.exe
4368	avcntlx.exe
2180	avcntlx.exe
2696	ashsvam.exe
552	ashsvam.exe
1564	avgemkdr.exe
1340	avgemkdr.exe
4780	ashwbsm.exe
3556	ashwbsm.exe
4380	ashsdlp.exe
1460	ashsdlp.exe
5012	avgwsvcm.exe
4016	avgwsvcm.exe
1212	avgectam.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgupsrvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ashwbsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	aswupsrc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgapgui.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ashsvam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgrdam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgemkdr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgmsva.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ashsvam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avcntlx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ashsdlp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	avgwsvcm.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Security System = "avgwsvcm.exe"	ashsdlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus GUI = "avgapgui.exe"	avgemkdr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Active-Guard = "avgrdam.exe"	ashsvam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgrdam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avcntlx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgapgui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Management Service = "avgemkdr.exe"	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast WebWatch Client = "ashwbsm.exe"	avgemkdr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgemkdr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	avcntlx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Controller = "avgectam.exe"	avgwsvcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	aswupsrc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast AutoBackup Client = "avgmsva.exe"	avgapgui.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ashwbsm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Auto-Updater = "aswupsrc.exe"	avgupsrvc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aswupsrc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ashsvam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiVir Control = "avcntlx.exe"	avgmsva.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Display Service = "ashsdlp.exe"	ashwbsm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ashsvam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ashsdlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avast Servicer = "ashsvam.exe"	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVG AntiVirus Servicer = "avgupsrvc.exe"	avgrdam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avgupsrvc.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ashwbsm.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\avgapgui.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	avcntlx.exe
File created	C:\Windows\SysWOW64\avgmsva.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\avgectam.exe	avgwsvcm.exe
File opened for modification	C:\Windows\SysWOW64\avgupsrvc.exe	avgrdam.exe
File created	C:\Windows\SysWOW64\avgemkdr.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashsdlp.exe	ashwbsm.exe
File created	C:\Windows\SysWOW64\ashsvam.exe	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
File created	C:\Windows\SysWOW64\avgupsrvc.exe	avgrdam.exe
File created	C:\Windows\SysWOW64\ashsdlp.exe	ashwbsm.exe
File opened for modification	C:\Windows\SysWOW64\avgwsvcm.exe	ashsdlp.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	avgmsva.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\avgemkdr.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\ashwbsm.exe	avgemkdr.exe
File opened for modification	C:\Windows\SysWOW64\avgemkdr.exe	avcntlx.exe
File opened for modification	C:\Windows\SysWOW64\avgmsva.exe	avgapgui.exe
File created	C:\Windows\SysWOW64\aswupsrc.exe	avgupsrvc.exe
File opened for modification	C:\Windows\SysWOW64\aswupsrc.exe	avgupsrvc.exe
File opened for modification	C:\Windows\SysWOW64\avgapgui.exe	avgemkdr.exe
File created	C:\Windows\SysWOW64\avgwsvcm.exe	ashsdlp.exe
File opened for modification	C:\Windows\SysWOW64\avgectam.exe	avgwsvcm.exe
File created	C:\Windows\SysWOW64\avgrdam.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avgrdam.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\avcntlx.exe	aswupsrc.exe
File created	C:\Windows\SysWOW64\avgemkdr.exe	ashsvam.exe
File opened for modification	C:\Windows\SysWOW64\ashsvam.exe	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
File created	C:\Windows\SysWOW64\avcntlx.exe	aswupsrc.exe

Suspicious use of SetThreadContext 15 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 552 set thread context of 1712	552	ashsvam.exe	95
PID 2708 set thread context of 4216	2708	avgrdam.exe	105
PID 4380 set thread context of 1396	4380	avgupsrvc.exe	115
PID 4880 set thread context of 4552	4880	aswupsrc.exe	125
PID 4252 set thread context of 3180	4252	avcntlx.exe	135
PID 4812 set thread context of 4260	4812	avgemkdr.exe	145
PID 5112 set thread context of 4768	5112	avgapgui.exe	155
PID 4724 set thread context of 4688	4724	avgmsva.exe	169
PID 4368 set thread context of 2180	4368	avcntlx.exe	179
PID 2696 set thread context of 552	2696	ashsvam.exe	189
PID 1564 set thread context of 1340	1564	avgemkdr.exe	199
PID 4780 set thread context of 3556	4780	ashwbsm.exe	211
PID 4380 set thread context of 1460	4380	ashsdlp.exe	221
PID 5012 set thread context of 4016	5012	avgwsvcm.exe	231

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsdlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avcntlx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsvam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avcntlx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgupsrvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aswupsrc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgmsva.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashwbsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ashsvam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgrdam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgwsvcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgapgui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	avgemkdr.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
Token: SeIncBasePriorityPrivilege	1712	ashsvam.exe
Token: SeIncBasePriorityPrivilege	4216	avgrdam.exe
Token: SeIncBasePriorityPrivilege	1396	avgupsrvc.exe
Token: SeIncBasePriorityPrivilege	4552	aswupsrc.exe
Token: SeIncBasePriorityPrivilege	3180	avcntlx.exe
Token: SeIncBasePriorityPrivilege	4260	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	4768	avgapgui.exe
Token: SeIncBasePriorityPrivilege	4688	avgmsva.exe
Token: SeIncBasePriorityPrivilege	2180	avcntlx.exe
Token: SeIncBasePriorityPrivilege	552	ashsvam.exe
Token: SeIncBasePriorityPrivilege	1340	avgemkdr.exe
Token: SeIncBasePriorityPrivilege	3556	ashwbsm.exe
Token: SeIncBasePriorityPrivilege	1460	ashsdlp.exe
Token: SeIncBasePriorityPrivilege	4016	avgwsvcm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 1844 wrote to memory of 4364	1844	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	81
PID 4364 wrote to memory of 552	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	86
PID 4364 wrote to memory of 552	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	86
PID 4364 wrote to memory of 552	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	86
PID 4364 wrote to memory of 4180	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	87
PID 4364 wrote to memory of 4180	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	87
PID 4364 wrote to memory of 4180	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	87
PID 4364 wrote to memory of 3172	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	88
PID 4364 wrote to memory of 3172	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	88
PID 4364 wrote to memory of 3172	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	88
PID 4364 wrote to memory of 2084	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	90
PID 4364 wrote to memory of 2084	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	90
PID 4364 wrote to memory of 2084	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	90
PID 4364 wrote to memory of 1860	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	93
PID 4364 wrote to memory of 1860	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	93
PID 4364 wrote to memory of 1860	4364	cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe	93
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 552 wrote to memory of 1712	552	ashsvam.exe	95
PID 1712 wrote to memory of 2708	1712	ashsvam.exe	101
PID 1712 wrote to memory of 2708	1712	ashsvam.exe	101
PID 1712 wrote to memory of 2708	1712	ashsvam.exe	101
PID 1712 wrote to memory of 4544	1712	ashsvam.exe	100
PID 1712 wrote to memory of 4544	1712	ashsvam.exe	100
PID 1712 wrote to memory of 4544	1712	ashsvam.exe	100
PID 1712 wrote to memory of 1340	1712	ashsvam.exe	99
PID 1712 wrote to memory of 1340	1712	ashsvam.exe	99
PID 1712 wrote to memory of 1340	1712	ashsvam.exe	99
PID 1712 wrote to memory of 4260	1712	ashsvam.exe	97
PID 1712 wrote to memory of 4260	1712	ashsvam.exe	97
PID 1712 wrote to memory of 4260	1712	ashsvam.exe	97
PID 1712 wrote to memory of 1668	1712	ashsvam.exe	102
PID 1712 wrote to memory of 1668	1712	ashsvam.exe	102
PID 1712 wrote to memory of 1668	1712	ashsvam.exe	102
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 2708 wrote to memory of 4216	2708	avgrdam.exe	105
PID 4216 wrote to memory of 4380	4216	avgrdam.exe	106
PID 4216 wrote to memory of 4380	4216	avgrdam.exe	106
PID 4216 wrote to memory of 4380	4216	avgrdam.exe	106
PID 4216 wrote to memory of 1752	4216	avgrdam.exe	107
PID 4216 wrote to memory of 1752	4216	avgrdam.exe	107
PID 4216 wrote to memory of 1752	4216	avgrdam.exe	107
PID 4216 wrote to memory of 4764	4216	avgrdam.exe	108
PID 4216 wrote to memory of 4764	4216	avgrdam.exe	108
PID 4216 wrote to memory of 4764	4216	avgrdam.exe	108
PID 4216 wrote to memory of 4852	4216	avgrdam.exe	109

C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
"C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe
  "C:\Users\Admin\AppData\Local\Temp\cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\ashsvam.exe
    "C:\Windows\system32\ashsvam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\ashsvam.exe
      "C:\Windows\SysWOW64\ashsvam.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        5⤵
        
        PID:4544
    - - C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\system32\avgrdam.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\avgrdam.exe
        
        "C:\Windows\SysWOW64\avgrdam.exe"
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\system32\avgupsrvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Windows\SysWOW64\avgupsrvc.exe
        
        "C:\Windows\SysWOW64\avgupsrvc.exe"
        8⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\system32\aswupsrc.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4880
        
        C:\Windows\SysWOW64\aswupsrc.exe
        
        "C:\Windows\SysWOW64\aswupsrc.exe"
        10⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4252
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        12⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4812
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        14⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\system32\avgapgui.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5112
        
        C:\Windows\SysWOW64\avgapgui.exe
        
        "C:\Windows\SysWOW64\avgapgui.exe"
        16⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\system32\avgmsva.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4724
        
        C:\Windows\SysWOW64\avgmsva.exe
        
        "C:\Windows\SysWOW64\avgmsva.exe"
        18⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\system32\avcntlx.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4368
        
        C:\Windows\SysWOW64\avcntlx.exe
        
        "C:\Windows\SysWOW64\avcntlx.exe"
        20⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\system32\ashsvam.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2696
        
        C:\Windows\SysWOW64\ashsvam.exe
        
        "C:\Windows\SysWOW64\ashsvam.exe"
        22⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\system32\avgemkdr.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1564
        
        C:\Windows\SysWOW64\avgemkdr.exe
        
        "C:\Windows\SysWOW64\avgemkdr.exe"
        24⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\system32\ashwbsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4780
        
        C:\Windows\SysWOW64\ashwbsm.exe
        
        "C:\Windows\SysWOW64\ashwbsm.exe"
        26⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\system32\ashsdlp.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4380
        
        C:\Windows\SysWOW64\ashsdlp.exe
        
        "C:\Windows\SysWOW64\ashsdlp.exe"
        28⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\system32\avgwsvcm.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5012
        
        C:\Windows\SysWOW64\avgwsvcm.exe
        
        "C:\Windows\SysWOW64\avgwsvcm.exe"
        30⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\SysWOW64\avgectam.exe
        
        "C:\Windows\system32\avgectam.exe"
        31⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        31⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        31⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgwsvcm.exe > nul
        31⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        31⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        29⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsdlp.exe > nul
        29⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        29⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        29⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        27⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashwbsm.exe > nul
        27⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        27⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        27⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        25⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        25⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        25⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        25⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        23⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        23⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        23⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        23⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        21⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        21⤵
        
        PID:812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        21⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        21⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        19⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        19⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        19⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgmsva.exe > nul
        19⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        17⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        17⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        17⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgapgui.exe > nul
        17⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        15⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        15⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        15⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgemkdr.exe > nul
        15⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        13⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avcntlx.exe > nul
        13⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        13⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        13⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        11⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        11⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\aswupsrc.exe > nul
        11⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        11⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        9⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        9⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        9⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\AVGUPS~1.EXE > nul
        9⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.zip
        7⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.com
        7⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\CMD.exe
        
        CMD /C del /F /S /Q *.scr
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\avgrdam.exe > nul
        7⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\ashsvam.exe > nul
        5⤵
        
        PID:1668
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.zip
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.com
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\CMD.exe
    CMD /C del /F /S /Q *.scr
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC124E~1.EXE > nul
    3⤵
    PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ashsdlp.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsdlp.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsdlp.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsvam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsvam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsvam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsvam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashsvam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\ashwbsm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\aswupsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\aswupsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\aswupsrc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avcntlx.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgapgui.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgectam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgectam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgemkdr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgemkdr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgemkdr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgemkdr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgemkdr.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmsva.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmsva.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgmsva.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgrdam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgrdam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgrdam.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgupsrvc.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
C:\Windows\SysWOW64\avgwsvcm.exe

Filesize
65KB

MD5
19d88235a435a3f2199eabfe427e9c48

SHA1
ea5e8bb360e1d371fd9a858beb0b7b4a22b3af68

SHA256
cc124e1b81c4e10d1fd972601315975d1a5a35ca54265e4ddafe14592bd993ca

SHA512
2647df1c45e6e60a86963cb00194c712231d7ef2d0a56adf538b00ccdaa79440c7aa08119ce99d2c3f9eb381a4090b4b18f0a09db1584182756addc93b90df3e

Download Submit
memory/552-153-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1212-338-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1564-306-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1564-299-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1712-154-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/1844-132-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/1844-139-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/2180-279-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/2696-294-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/2708-162-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/2708-170-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4252-210-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4252-218-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4364-138-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/4364-134-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/4364-135-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/4364-136-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/4368-272-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4368-280-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4380-325-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4380-183-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4380-186-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4724-265-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4724-257-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4780-316-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4780-309-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4812-233-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4880-194-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4880-202-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/5012-328-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/5012-335-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/5112-241-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/5112-249-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads