amadey | b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

6779cd6f17fa7536c4490cc6d72a00a0
SHA1

2976ecc0ecc2800be22fa92868c2173a44e04ee0
SHA256

b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
SHA512

88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
SSDEEP

6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J

Score

10^/10

amadey dcrat redline st1 tanos temp999 discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.242/9vZbns/index.php

Extracted

Family

redline

Botnet

tanos

62.204.41.159:4062

Attributes

auth_value
bcb77cd67cf9918d25e4b6ae210a9305

Extracted

Family

redline

Botnet

temp999

82.115.223.9:15486

Attributes

auth_value
c12cdc1127b45350218306e5550c987e

Extracted

Family

redline

Botnet

st1

librchichelpai.shop:81

rniwondunuifac.shop:81

Attributes

auth_value
a7232a45d6034ee2454fc434093d8f12

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hyperReviewwin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\", \"C:\\Users\\Admin\\Videos\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\", \"C:\\Users\\Admin\\Videos\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\nesto1.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\", \"C:\\Users\\Admin\\Videos\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\explorer.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\", \"C:\\Users\\Public\\Libraries\\nesto1.exe\", \"C:\\Users\\Public\\Pictures\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\", \"C:\\Users\\Admin\\Videos\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\", \"C:\\Users\\Admin\\Videos\\sppsvc.exe\", \"C:\\Users\\Admin\\Local Settings\\explorer.exe\""	hyperReviewwin.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

loda.exeloda1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	loda1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	loda1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	loda.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3756	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3756	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe	dcrat
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe	dcrat
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
behavioral2/memory/4712-207-0x0000000000EA0000-0x0000000000FAA000-memory.dmp	dcrat
C:\Users\Admin\Videos\sppsvc.exe	dcrat
C:\Users\Admin\Videos\sppsvc.exe	dcrat

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

nbveek.exeloda.exeloda1.exenesto1.exetanos.exelove1.exenesto.exelove.exetanos1.exestown.exestown1.exehyperReviewwin.exesppsvc.exenbveek.exenbveek.exe

pid	process
3272	nbveek.exe
3708	loda.exe
4300	loda1.exe
1092	nesto1.exe
4112	tanos.exe
5072	love1.exe
2208	nesto.exe
3408	love.exe
3384	tanos1.exe
1312	stown.exe
2392	stown1.exe
4712	hyperReviewwin.exe
2600	sppsvc.exe
3996	nbveek.exe
2232	nbveek.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nbveek.exelove1.exeWScript.exehyperReviewwin.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	love1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	hyperReviewwin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3728 rundll32.exe
1984 rundll32.exe
4036 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3728	rundll32.exe
1984	rundll32.exe
4036	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

loda.exeloda1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	loda.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	loda1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 17 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hyperReviewwin.exenbveek.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Videos\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Local Settings\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000010051\\nesto.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto1 = "\"C:\\Users\\Public\\Libraries\\nesto1.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\loda.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006051\\tanos.exe"	nbveek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Admin\\Videos\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Admin\\Local Settings\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto1 = "\"C:\\Users\\Public\\Libraries\\nesto1.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nesto1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005051\\nesto1.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tanos1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000017051\\tanos1.exe"	nbveek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Public\\Pictures\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Public\\Pictures\\SearchApp.exe\""	hyperReviewwin.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

stown1.exe

description pid process target process

PID 2392 set thread context of 888 2392 stown1.exe AppLaunch.exe

description	pid	process	target process
PID 2392 set thread context of 888	2392	stown1.exe	AppLaunch.exe

Drops file in Program Files directory 5 IoCs

Processes:

hyperReviewwin.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe	hyperReviewwin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe	hyperReviewwin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\6203df4a6bafc7	hyperReviewwin.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\38384e6a620884	hyperReviewwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1468 1092 WerFault.exe nesto1.exe
2168 2208 WerFault.exe nesto.exe
456 1984 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1468	1092	WerFault.exe	nesto1.exe
2168	2208	WerFault.exe	nesto.exe
456	1984	WerFault.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4528	schtasks.exe
2336	schtasks.exe
5092	schtasks.exe
1436	schtasks.exe
3208	schtasks.exe
4644	schtasks.exe
3904	schtasks.exe
3032	schtasks.exe
4736	schtasks.exe
3224	schtasks.exe
4480	schtasks.exe
1804	schtasks.exe
2484	schtasks.exe
3928	schtasks.exe
1656	schtasks.exe
2236	schtasks.exe
1056	schtasks.exe
4252	schtasks.exe
2628	schtasks.exe

Modifies registry class 2 IoCs

Processes:

love1.exehyperReviewwin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	love1.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	hyperReviewwin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4208 reg.exe

pid	process
4208	reg.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

loda.exeloda1.exenesto1.exelove.exehyperReviewwin.exetanos1.exetanos.exenesto.exestown.exeAppLaunch.exesppsvc.exe

pid	process
3708	loda.exe
3708	loda.exe
4300	loda1.exe
4300	loda1.exe
1092	nesto1.exe
3408	love.exe
1092	nesto1.exe
4712	hyperReviewwin.exe
4712	hyperReviewwin.exe
4712	hyperReviewwin.exe
4712	hyperReviewwin.exe
4712	hyperReviewwin.exe
3384	tanos1.exe
4112	tanos.exe
4712	hyperReviewwin.exe
4712	hyperReviewwin.exe
4112	tanos.exe
2208	nesto.exe
1312	stown.exe
3408	love.exe
1312	stown.exe
3384	tanos1.exe
2208	nesto.exe
888	AppLaunch.exe
888	AppLaunch.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe
2600	sppsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

2600 sppsvc.exe

pid	process
2600	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

loda.exeloda1.exenesto1.exenesto.exelove.exehyperReviewwin.exetanos1.exetanos.exestown.exeAppLaunch.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	3708	loda.exe
Token: SeDebugPrivilege	4300	loda1.exe
Token: SeDebugPrivilege	1092	nesto1.exe
Token: SeDebugPrivilege	2208	nesto.exe
Token: SeDebugPrivilege	3408	love.exe
Token: SeDebugPrivilege	4712	hyperReviewwin.exe
Token: SeDebugPrivilege	3384	tanos1.exe
Token: SeDebugPrivilege	4112	tanos.exe
Token: SeDebugPrivilege	1312	stown.exe
Token: SeDebugPrivilege	888	AppLaunch.exe
Token: SeDebugPrivilege	2600	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exenbveek.execmd.exelove1.exeWScript.execmd.exestown1.exe

description	pid	process	target process
PID 1436 wrote to memory of 3272	1436	tmp.exe	nbveek.exe
PID 1436 wrote to memory of 3272	1436	tmp.exe	nbveek.exe
PID 1436 wrote to memory of 3272	1436	tmp.exe	nbveek.exe
PID 3272 wrote to memory of 3224	3272	nbveek.exe	schtasks.exe
PID 3272 wrote to memory of 3224	3272	nbveek.exe	schtasks.exe
PID 3272 wrote to memory of 3224	3272	nbveek.exe	schtasks.exe
PID 3272 wrote to memory of 2720	3272	nbveek.exe	cmd.exe
PID 3272 wrote to memory of 2720	3272	nbveek.exe	cmd.exe
PID 3272 wrote to memory of 2720	3272	nbveek.exe	cmd.exe
PID 2720 wrote to memory of 5032	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 5032	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 5032	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 5004	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 5004	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 5004	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4332	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4332	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4332	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4952	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 4952	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 4952	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 4916	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4916	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 4916	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 3436	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 3436	2720	cmd.exe	cacls.exe
PID 2720 wrote to memory of 3436	2720	cmd.exe	cacls.exe
PID 3272 wrote to memory of 3708	3272	nbveek.exe	loda.exe
PID 3272 wrote to memory of 3708	3272	nbveek.exe	loda.exe
PID 3272 wrote to memory of 4300	3272	nbveek.exe	loda1.exe
PID 3272 wrote to memory of 4300	3272	nbveek.exe	loda1.exe
PID 3272 wrote to memory of 1092	3272	nbveek.exe	nesto1.exe
PID 3272 wrote to memory of 1092	3272	nbveek.exe	nesto1.exe
PID 3272 wrote to memory of 1092	3272	nbveek.exe	nesto1.exe
PID 3272 wrote to memory of 4112	3272	nbveek.exe	tanos.exe
PID 3272 wrote to memory of 4112	3272	nbveek.exe	tanos.exe
PID 3272 wrote to memory of 4112	3272	nbveek.exe	tanos.exe
PID 3272 wrote to memory of 5072	3272	nbveek.exe	love1.exe
PID 3272 wrote to memory of 5072	3272	nbveek.exe	love1.exe
PID 3272 wrote to memory of 5072	3272	nbveek.exe	love1.exe
PID 5072 wrote to memory of 220	5072	love1.exe	WScript.exe
PID 5072 wrote to memory of 220	5072	love1.exe	WScript.exe
PID 5072 wrote to memory of 220	5072	love1.exe	WScript.exe
PID 3272 wrote to memory of 2208	3272	nbveek.exe	nesto.exe
PID 3272 wrote to memory of 2208	3272	nbveek.exe	nesto.exe
PID 3272 wrote to memory of 2208	3272	nbveek.exe	nesto.exe
PID 3272 wrote to memory of 3408	3272	nbveek.exe	love.exe
PID 3272 wrote to memory of 3408	3272	nbveek.exe	love.exe
PID 3272 wrote to memory of 3408	3272	nbveek.exe	love.exe
PID 3272 wrote to memory of 3384	3272	nbveek.exe	tanos1.exe
PID 3272 wrote to memory of 3384	3272	nbveek.exe	tanos1.exe
PID 3272 wrote to memory of 3384	3272	nbveek.exe	tanos1.exe
PID 3272 wrote to memory of 1312	3272	nbveek.exe	stown.exe
PID 3272 wrote to memory of 1312	3272	nbveek.exe	stown.exe
PID 3272 wrote to memory of 1312	3272	nbveek.exe	stown.exe
PID 3272 wrote to memory of 2392	3272	nbveek.exe	stown1.exe
PID 3272 wrote to memory of 2392	3272	nbveek.exe	stown1.exe
PID 3272 wrote to memory of 2392	3272	nbveek.exe	stown1.exe
PID 220 wrote to memory of 2300	220	WScript.exe	cmd.exe
PID 220 wrote to memory of 2300	220	WScript.exe	cmd.exe
PID 220 wrote to memory of 2300	220	WScript.exe	cmd.exe
PID 2300 wrote to memory of 4712	2300	cmd.exe	hyperReviewwin.exe
PID 2300 wrote to memory of 4712	2300	cmd.exe	hyperReviewwin.exe
PID 2392 wrote to memory of 888	2392	stown1.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe" /F
3⤵
- Creates scheduled task(s)
PID:3224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5032

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:5004

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4952

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:N"
4⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:R" /E
4⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe
"C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1112
4⤵
- Program crash
PID:1468

C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe
"C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\AppData\Roaming\1000007000\love1.exe
"C:\Users\Admin\AppData\Roaming\1000007000\love1.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
"C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JVbmw4TunD.bat"
7⤵
PID:3224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3436

C:\Users\Admin\Videos\sppsvc.exe
"C:\Users\Admin\Videos\sppsvc.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
6⤵
- Modifies registry key
PID:4208

C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe
"C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1476
4⤵
- Program crash
PID:2168

C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe
"C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe
"C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe
"C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:3728

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1984 -s 680
5⤵
- Program crash
PID:456

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nesto1n" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\nesto1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nesto1" /sc ONLOGON /tr "'C:\Users\Public\Libraries\nesto1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "nesto1n" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\nesto1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1092 -ip 1092
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2208 -ip 2208
1⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 1984 -ip 1984
1⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
1⤵
- Executes dropped EXE
PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\loda.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\loda1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe

Filesize
303KB

MD5
fc288c369c4731573f68766309b00706

SHA1
54c77141ac83db020b0b762a5723a32e252741b9

SHA256
5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8

SHA512
ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005051\nesto1.exe

Filesize
303KB

MD5
fc288c369c4731573f68766309b00706

SHA1
54c77141ac83db020b0b762a5723a32e252741b9

SHA256
5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8

SHA512
ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006051\tanos.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe

Filesize
303KB

MD5
fc288c369c4731573f68766309b00706

SHA1
54c77141ac83db020b0b762a5723a32e252741b9

SHA256
5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8

SHA512
ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000010051\nesto.exe

Filesize
303KB

MD5
fc288c369c4731573f68766309b00706

SHA1
54c77141ac83db020b0b762a5723a32e252741b9

SHA256
5c29dc5a8aa66044b270e79bbeb9213f360c3196c5db255a0693b0e4f8131df8

SHA512
ff28b5ebf29a5a61da54eb0067b0f65df5d2d1f74a9a893e5f37e9ae839a382b316519d15f063ad491842e58b68829778bafc95d06c808d0950e3f0fed18e8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe

Filesize
175KB

MD5
68e8e72cf791f738b1574ae25bcbd45b

SHA1
47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f

SHA256
3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9

SHA512
5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\love.exe

Filesize
175KB

MD5
68e8e72cf791f738b1574ae25bcbd45b

SHA1
47b58f095e0beefa1caaba7ec7e8d609ee7e3d1f

SHA256
3aa8e492247c9bc7c9a3dec184e09cc407bbc98683d9646ed984a372fd0958a9

SHA512
5f002166f3bb935dd3bfc5c604104d0249b0e378ec370e49efa313b95ff9ba910389448e6c3e124d539aa563af4d727d9e31a4542b9a610fb07fdb4bded10e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017051\tanos1.exe

Filesize
175KB

MD5
1d71ce85fb4517119a51fc33910f1975

SHA1
de346e455b4435dc9b9b8dbc506bd5f2b3e84052

SHA256
f3bba4b243aafa14e55ebea622e10b30591d46538f9bd88f7360f45f7b2f4bf2

SHA512
77e5ebd54456473001116641a9a663c2a75087d096e2d1d3c0a6a93b06c1a15a45dd1731339cd7a2746acedfc87137c95ffc9812e6bd82030b43398d817bd673

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe

Filesize
175KB

MD5
8959136f8f925f4dc1c5d1d61bc5a98c

SHA1
490d66f171581e0f7e9af5881a631a692b84a1c3

SHA256
99e029131148d09b427e5b2e4859ded511aa569161c2c31f80250cec61b62154

SHA512
c3b9d13ef1929e97f5727c329be472c0199ccbc121457af609f1dff0196e24476434e65e73bff9e761dae2d5706c43e88981276a3115dfe43d69361ccf1f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000018001\stown.exe

Filesize
175KB

MD5
8959136f8f925f4dc1c5d1d61bc5a98c

SHA1
490d66f171581e0f7e9af5881a631a692b84a1c3

SHA256
99e029131148d09b427e5b2e4859ded511aa569161c2c31f80250cec61b62154

SHA512
c3b9d13ef1929e97f5727c329be472c0199ccbc121457af609f1dff0196e24476434e65e73bff9e761dae2d5706c43e88981276a3115dfe43d69361ccf1f40a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe

Filesize
3.7MB

MD5
f93efd436289bde91568c958b19abb69

SHA1
9e899b3f05de951a1a35dd130955e52610350932

SHA256
b3424e7615f9ad35d6e1a60a813db6d5e3d85c15d05bdc945d3c59d42465dfe2

SHA512
e250435607e53b1de1d8da50e2cbb3488216ec60d216bd7e416f7bc2bb29d2a103740d552358e7419c0250917455155084af383c21e9142a90a5b349fe7bb80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000019001\stown1.exe

Filesize
3.7MB

MD5
f93efd436289bde91568c958b19abb69

SHA1
9e899b3f05de951a1a35dd130955e52610350932

SHA256
b3424e7615f9ad35d6e1a60a813db6d5e3d85c15d05bdc945d3c59d42465dfe2

SHA512
e250435607e53b1de1d8da50e2cbb3488216ec60d216bd7e416f7bc2bb29d2a103740d552358e7419c0250917455155084af383c21e9142a90a5b349fe7bb80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
6779cd6f17fa7536c4490cc6d72a00a0

SHA1
2976ecc0ecc2800be22fa92868c2173a44e04ee0

SHA256
b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65

SHA512
88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVbmw4TunD.bat

Filesize
197B

MD5
82770364723531324ce378525dc3c31f

SHA1
e01a1dd831af999f042b69611a4fb2e446da4cde

SHA256
67a7b22a052821b28e8df98d180da2d5f28dd1c3d667d9341935be098b41f98f

SHA512
f3220f0f8b0e95ac608dbb43e9ef0fc1ecea9d0ea28f31021fcc3e3cb8a08a415b01200868ee6b54fe72b4ccb2ae50c13f9fd7cb718fd4672a22116af40cbfdb

Download Submit
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe

Filesize
1.3MB

MD5
b9a0002e9a104374dea2f4ba571f1764

SHA1
627488abb7aeeb5f8f411a9694cebd6b4748a86f

SHA256
5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

SHA512
439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

Download Submit
C:\Users\Admin\AppData\Roaming\1000007000\love1.exe

Filesize
1.3MB

MD5
b9a0002e9a104374dea2f4ba571f1764

SHA1
627488abb7aeeb5f8f411a9694cebd6b4748a86f

SHA256
5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

SHA512
439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
46132baadaa4c318d24db8ed2220b80a

SHA1
e923041a849d6c4719564280aaf48fe61ed62fa4

SHA256
45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e

SHA512
c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
46132baadaa4c318d24db8ed2220b80a

SHA1
e923041a849d6c4719564280aaf48fe61ed62fa4

SHA256
45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e

SHA512
c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.0MB

MD5
17ffefed5c2de006ac35f47b84d2477b

SHA1
7cd101050de0f53973e8144fbae9db8ebb74adcc

SHA256
398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3

SHA512
d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.0MB

MD5
17ffefed5c2de006ac35f47b84d2477b

SHA1
7cd101050de0f53973e8144fbae9db8ebb74adcc

SHA256
398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3

SHA512
d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.0MB

MD5
17ffefed5c2de006ac35f47b84d2477b

SHA1
7cd101050de0f53973e8144fbae9db8ebb74adcc

SHA256
398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3

SHA512
d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat

Filesize
173B

MD5
2445216481e9c79fe7a7d2dddd5dd047

SHA1
5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

SHA256
0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

SHA512
7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe

Filesize
221B

MD5
fc584ab062886ba5b7b34c8a8e4f1809

SHA1
6be7eeee2021f69be9e4513f0cb28408a56caba9

SHA256
873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

SHA512
a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\Videos\sppsvc.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\Videos\sppsvc.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
memory/220-170-0x0000000000000000-mapping.dmp

Download
memory/888-208-0x0000000000000000-mapping.dmp

Download
memory/1092-215-0x0000000002F6B000-0x0000000002F99000-memory.dmp

Filesize
184KB

Download
memory/1092-186-0x00000000082A0000-0x0000000008332000-memory.dmp

Filesize
584KB

Download
memory/1092-222-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/1092-221-0x0000000002F6B000-0x0000000002F99000-memory.dmp

Filesize
184KB

Download
memory/1092-165-0x0000000007230000-0x00000000077D4000-memory.dmp

Filesize
5.6MB

Download
memory/1092-203-0x0000000008BE0000-0x0000000008C30000-memory.dmp

Filesize
320KB

Download
memory/1092-202-0x0000000008B50000-0x0000000008BC6000-memory.dmp

Filesize
472KB

Download
memory/1092-164-0x00000000047F0000-0x000000000483B000-memory.dmp

Filesize
300KB

Download
memory/1092-163-0x0000000002F6B000-0x0000000002F99000-memory.dmp

Filesize
184KB

Download
memory/1092-152-0x0000000000000000-mapping.dmp

Download
memory/1092-168-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/1312-187-0x0000000000000000-mapping.dmp

Download
memory/1312-190-0x00000000009E0000-0x0000000000A12000-memory.dmp

Filesize
200KB

Download
memory/1984-234-0x0000000000000000-mapping.dmp

Download
memory/2208-191-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/2208-224-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2208-172-0x0000000000000000-mapping.dmp

Download
memory/2208-223-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/2208-192-0x0000000000400000-0x0000000002BB6000-memory.dmp

Filesize
39.7MB

Download
memory/2300-198-0x0000000000000000-mapping.dmp

Download
memory/2392-193-0x0000000000000000-mapping.dmp

Download
memory/2392-199-0x0000000000320000-0x00000000008BE000-memory.dmp

Filesize
5.6MB

Download
memory/2600-228-0x00007FFD89850000-0x00007FFD8A311000-memory.dmp

Filesize
10.8MB

Download
memory/2600-229-0x00007FFD89850000-0x00007FFD8A311000-memory.dmp

Filesize
10.8MB

Download
memory/2600-225-0x0000000000000000-mapping.dmp

Download
memory/2720-136-0x0000000000000000-mapping.dmp

Download
memory/3224-216-0x0000000000000000-mapping.dmp

Download
memory/3224-135-0x0000000000000000-mapping.dmp

Download
memory/3272-132-0x0000000000000000-mapping.dmp

Download
memory/3384-180-0x0000000000000000-mapping.dmp

Download
memory/3408-196-0x0000000006A20000-0x0000000006BE2000-memory.dmp

Filesize
1.8MB

Download
memory/3408-175-0x0000000000000000-mapping.dmp

Download
memory/3408-178-0x0000000000900000-0x0000000000932000-memory.dmp

Filesize
200KB

Download
memory/3408-200-0x0000000007120000-0x000000000764C000-memory.dmp

Filesize
5.2MB

Download
memory/3436-219-0x0000000000000000-mapping.dmp

Download
memory/3436-142-0x0000000000000000-mapping.dmp

Download
memory/3708-150-0x00007FFD89720000-0x00007FFD8A1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-183-0x00007FFD89720000-0x00007FFD8A1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3708-146-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/3708-143-0x0000000000000000-mapping.dmp

Download
memory/3728-231-0x0000000000000000-mapping.dmp

Download
memory/4036-236-0x0000000000000000-mapping.dmp

Download
memory/4112-155-0x0000000000000000-mapping.dmp

Download
memory/4112-159-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/4112-161-0x0000000004D20000-0x0000000004D32000-memory.dmp

Filesize
72KB

Download
memory/4112-162-0x0000000004D90000-0x0000000004DCC000-memory.dmp

Filesize
240KB

Download
memory/4112-185-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/4112-158-0x0000000000360000-0x0000000000392000-memory.dmp

Filesize
200KB

Download
memory/4112-160-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/4208-220-0x0000000000000000-mapping.dmp

Download
memory/4300-147-0x0000000000000000-mapping.dmp

Download
memory/4300-151-0x00007FFD89720000-0x00007FFD8A1E1000-memory.dmp

Filesize
10.8MB

Download
memory/4300-184-0x00007FFD89720000-0x00007FFD8A1E1000-memory.dmp

Filesize
10.8MB

Download
memory/4332-139-0x0000000000000000-mapping.dmp

Download
memory/4712-207-0x0000000000EA0000-0x0000000000FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4712-204-0x0000000000000000-mapping.dmp

Download
memory/4712-212-0x00007FFD89850000-0x00007FFD8A311000-memory.dmp

Filesize
10.8MB

Download
memory/4712-217-0x00007FFD89850000-0x00007FFD8A311000-memory.dmp

Filesize
10.8MB

Download
memory/4916-141-0x0000000000000000-mapping.dmp

Download
memory/4952-140-0x0000000000000000-mapping.dmp

Download
memory/5004-138-0x0000000000000000-mapping.dmp

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download
memory/5072-166-0x0000000000000000-mapping.dmp

Download