amadey | b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22

Analysis

max time kernel
39s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2023, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
Size

249KB
MD5

e023ee706cf7e6d3f9fe870353148182
SHA1

ed8df69d77fb4ca4fd4baff1d3367b58fa2cc60a
SHA256

b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22
SHA512

59f4da9229f3abbf3d4ac062dc8a3256ce28cc9feebf401127cc0b5444a1f1b7445f8a5c8d9bf0a8477310cb36d948fac9d9955b295cfd10f1446e47c8d1ff20
SSDEEP

6144:0xxlc2CYw9MwaL56Qwfa4LQUE59kSjAMJeK:Slc3Yw9MwaV6QMbQdvheK

Score

10^/10

amadey djvu redline smokeloader pub1 rober backdoor discovery infostealer ransomware trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test2/get.php

http://zexeq.com/lancer/get.php

Attributes

extension
.jywd
offline_id
MEMHlobHgXqvmTWaMsLcwGZhDOd00bblO1yevst1
payload_url
http://uaery.top/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-fkW8qLaCVQ Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0675JOsie

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ROBER

138.201.195.134:15564

Attributes

auth_value
de311ede2b43457816afc0d9989c5255

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detected Djvu ransomware 19 IoCs

resource	yara_rule
behavioral1/memory/4940-158-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3436-164-0x00000000022C0000-0x00000000023DB000-memory.dmp	family_djvu
behavioral1/memory/4940-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4940-166-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5112-167-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5112-169-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3476-170-0x0000000002250000-0x000000000236B000-memory.dmp	family_djvu
behavioral1/memory/5112-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4940-174-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5112-181-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2864-218-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2864-220-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2864-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2864-313-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5112-312-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4660-431-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1640-429-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4940-465-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4940-486-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 24 IoCs

resource	yara_rule
behavioral1/memory/3596-188-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-191-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-186-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-195-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-203-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-209-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-212-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-219-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-222-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-224-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-235-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-252-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-257-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-269-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-280-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-287-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-308-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-310-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-304-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-294-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-265-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-239-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-230-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline
behavioral1/memory/3596-314-0x0000000004B20000-0x0000000004B72000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3436	75CC.exe
3596	7792.exe
3476	78AC.exe
3932	82B0.exe
4940	75CC.exe
5112	78AC.exe
4788	8726.exe
2336	89A7.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3820	icacls.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.2ip.ua
36	api.2ip.ua
37	api.2ip.ua
49	api.2ip.ua
61	api.2ip.ua
62	api.2ip.ua

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 4940	3436	75CC.exe	93
PID 3476 set thread context of 5112	3476	78AC.exe	95

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5000	2336	WerFault.exe	97
3616	3632	WerFault.exe	100
4568	3632	WerFault.exe	100

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
1972	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found
3164	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1972	b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found
Token: SeShutdownPrivilege	3164	Process not Found
Token: SeCreatePagefilePrivilege	3164	Process not Found

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 3436	3164	Process not Found	90
PID 3164 wrote to memory of 3436	3164	Process not Found	90
PID 3164 wrote to memory of 3436	3164	Process not Found	90
PID 3164 wrote to memory of 3596	3164	Process not Found	91
PID 3164 wrote to memory of 3596	3164	Process not Found	91
PID 3164 wrote to memory of 3596	3164	Process not Found	91
PID 3164 wrote to memory of 3476	3164	Process not Found	92
PID 3164 wrote to memory of 3476	3164	Process not Found	92
PID 3164 wrote to memory of 3476	3164	Process not Found	92
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3436 wrote to memory of 4940	3436	75CC.exe	93
PID 3164 wrote to memory of 3932	3164	Process not Found	94
PID 3164 wrote to memory of 3932	3164	Process not Found	94
PID 3164 wrote to memory of 3932	3164	Process not Found	94
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3476 wrote to memory of 5112	3476	78AC.exe	95
PID 3164 wrote to memory of 4788	3164	Process not Found	96
PID 3164 wrote to memory of 4788	3164	Process not Found	96
PID 3164 wrote to memory of 4788	3164	Process not Found	96
PID 3164 wrote to memory of 2336	3164	Process not Found	97
PID 3164 wrote to memory of 2336	3164	Process not Found	97
PID 3164 wrote to memory of 2336	3164	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe
"C:\Users\Admin\AppData\Local\Temp\b14562b8c3d16c3ab7700f11abfa158b0b080eda1b3d2dbf823d295be710ff22.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1972

C:\Users\Admin\AppData\Local\Temp\75CC.exe
C:\Users\Admin\AppData\Local\Temp\75CC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\75CC.exe
  C:\Users\Admin\AppData\Local\Temp\75CC.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\46257304-6015-4af8-ab04-599c1fed755c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3820
- - C:\Users\Admin\AppData\Local\Temp\75CC.exe
    "C:\Users\Admin\AppData\Local\Temp\75CC.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2392

C:\Users\Admin\AppData\Local\Temp\7792.exe
C:\Users\Admin\AppData\Local\Temp\7792.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Local\Temp\78AC.exe
C:\Users\Admin\AppData\Local\Temp\78AC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\78AC.exe
  C:\Users\Admin\AppData\Local\Temp\78AC.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- - C:\Users\Admin\AppData\Local\Temp\78AC.exe
    "C:\Users\Admin\AppData\Local\Temp\78AC.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\78AC.exe
      "C:\Users\Admin\AppData\Local\Temp\78AC.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:1640

C:\Users\Admin\AppData\Local\Temp\82B0.exe
C:\Users\Admin\AppData\Local\Temp\82B0.exe
1⤵
- Executes dropped EXE
PID:3932
- C:\Users\Admin\AppData\Local\Temp\82B0.exe
  C:\Users\Admin\AppData\Local\Temp\82B0.exe
  2⤵
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\82B0.exe
    "C:\Users\Admin\AppData\Local\Temp\82B0.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\82B0.exe
      "C:\Users\Admin\AppData\Local\Temp\82B0.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4660

C:\Users\Admin\AppData\Local\Temp\8726.exe
C:\Users\Admin\AppData\Local\Temp\8726.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Users\Admin\AppData\Local\Temp\89A7.exe
C:\Users\Admin\AppData\Local\Temp\89A7.exe
1⤵
- Executes dropped EXE
PID:2336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 340
  2⤵
  - Program crash
  PID:5000

C:\Users\Admin\AppData\Local\Temp\94C4.exe
C:\Users\Admin\AppData\Local\Temp\94C4.exe
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\XandETC.exe
  "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
  2⤵
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\ss31.exe
  "C:\Users\Admin\AppData\Local\Temp\ss31.exe"
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
    3⤵
    PID:1388

C:\Users\Admin\AppData\Local\Temp\9C76.exe
C:\Users\Admin\AppData\Local\Temp\9C76.exe
1⤵
PID:3632
- C:\Users\Admin\AppData\Local\Temp\Player3.exe
  "C:\Users\Admin\AppData\Local\Temp\Player3.exe"
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
      4⤵
      PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nbveek.exe" /P "Admin:N"
        5⤵
        
        PID:3704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1508
  2⤵
  - Program crash
  PID:3616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1508
  2⤵
  - Program crash
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3632 -ip 3632
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2336 -ip 2336
1⤵
PID:524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:2188

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:1148

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
e5b1cc0ae5af6a8277d75cff4af2c5e8

SHA1
4768fff3d4bbe02f89683b4a0e7b15b24b54eb9f

SHA256
d950c0d748aae641d71b11cd1c519b289917c23bee1a2b6bc5c496fd8e5d4655

SHA512
57a4737deeefac0124d73b52525993fecbbebd21a556ece87f8e79e845e07f037abb5e49f7458e8a010935c6691f18fbb913d77ecfb2ba902067788c483ec3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
e5b1cc0ae5af6a8277d75cff4af2c5e8

SHA1
4768fff3d4bbe02f89683b4a0e7b15b24b54eb9f

SHA256
d950c0d748aae641d71b11cd1c519b289917c23bee1a2b6bc5c496fd8e5d4655

SHA512
57a4737deeefac0124d73b52525993fecbbebd21a556ece87f8e79e845e07f037abb5e49f7458e8a010935c6691f18fbb913d77ecfb2ba902067788c483ec3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
3adac03b181d7980568dda0da0efc9de

SHA1
a283c4c9bd26a65b8240d21708e57f5946778341

SHA256
24c4973ced938b77d9670ac79eb76cd52411b17ab59ec78ba14c1b433f342933

SHA512
6fbd2a32fc18606628ea56311764cd879a1196405dddd4d269ad6163b2ffdcf916786f1c0328f27ec089be5cb9b4ecb3542363f4dfb3df1c1b91a0e038b67241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
3adac03b181d7980568dda0da0efc9de

SHA1
a283c4c9bd26a65b8240d21708e57f5946778341

SHA256
24c4973ced938b77d9670ac79eb76cd52411b17ab59ec78ba14c1b433f342933

SHA512
6fbd2a32fc18606628ea56311764cd879a1196405dddd4d269ad6163b2ffdcf916786f1c0328f27ec089be5cb9b4ecb3542363f4dfb3df1c1b91a0e038b67241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
5ff0cb9b8c787acf6aa5a05c10979bd9

SHA1
a16681550dd5a222f304f376cea221322a733a5c

SHA256
1773bed42f41cd18740817f959de2c253a6b5d95ff2630f05910b63b613a5db4

SHA512
881afc893141177a912309076012af638404001ee89dc52f1cea111c489acf01a9e3be0e8ddbbe441e2f20d47d51fc825803d8ad17bd022c53c34a0a692ca029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
9e7ffae800aa1ee6f5ec48fc047659f2

SHA1
c5559e2fce776ccecc89fc66024ad7da14a28178

SHA256
437aef6f467b6fb7fac72a6d7ee5199949cf1adfc42ae81eafe1c2aea59c0544

SHA512
115dd75b77c1c82910c9619bd8e025a6d41e90f99740d39f0251c77e7d9758b32da032fb40782f92361508eaa9315fbdcd175b75256f6e2d41f7d6670d1a03bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
ae05671350c9265cfc4ed0a135e55390

SHA1
e0f9790b965b9597bcae587f570a7aa0d0a31bb3

SHA256
16c5da1ed105c324dc224676f9d2984deda4d107a7b2159194d05d6da9065433

SHA512
de3ca9c79747ebdd6060633188dbb1f26a310c4377c52b1c69084f2d287b1071805ef2a6bb223623a471756c77e9df23d79d07e7bc82c7fc94ef7b17ccbece92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
dac2d37924521a3b8cbebc0cdf207575

SHA1
65b968c8485d15de9b82190612bba6e2827bad82

SHA256
b2a25122a69bdc66af0210ac307cea8a45f9b91ea4205faff0745ec6e1508771

SHA512
b52cad225ed54b78cc233be9805d67db36b2c1e9769d425cd0622b21af22d163c7b7c69f7b13072ded32b8fb6d140b906a2c2beef5c88168dd71b60be12701ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
dac2d37924521a3b8cbebc0cdf207575

SHA1
65b968c8485d15de9b82190612bba6e2827bad82

SHA256
b2a25122a69bdc66af0210ac307cea8a45f9b91ea4205faff0745ec6e1508771

SHA512
b52cad225ed54b78cc233be9805d67db36b2c1e9769d425cd0622b21af22d163c7b7c69f7b13072ded32b8fb6d140b906a2c2beef5c88168dd71b60be12701ff

Download Submit
C:\Users\Admin\AppData\Local\46257304-6015-4af8-ab04-599c1fed755c\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\46257304-6015-4af8-ab04-599c1fed755c\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\geo[1].json

Filesize
651B

MD5
ef24ef8c1730588a1dd2390ff41de1ae

SHA1
e038515e02e13c8e5001590bdecc654799ac75b0

SHA256
0be4c089ae025f7c47141188da0cd158d706197bc37c97e5224169574a9a7e55

SHA512
56932ef89b974a1502a28ef5075a39695915a282d7971b87918b2b38551f18ed34b187732a522ad5473fe374483eb00db5b94372fb6355b2e27866064e1b5f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\75CC.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7792.exe

Filesize
341KB

MD5
d08e59d0f35d163600f46cb9dd539a19

SHA1
4c81b408b289f1e08cab45a81fc958fcf398ac7e

SHA256
244895a9e53013aa19d5bff01184a03da64a402accbe82132b876b4f18243529

SHA512
0f17347cdf4593445f55f9f6134afe08309e1d765629cc9b5eb6a36d5456cc98384c2e858ee4d04808d2653580c5ac98abd10a62e314864a4f687a22b41f09e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7792.exe

Filesize
341KB

MD5
d08e59d0f35d163600f46cb9dd539a19

SHA1
4c81b408b289f1e08cab45a81fc958fcf398ac7e

SHA256
244895a9e53013aa19d5bff01184a03da64a402accbe82132b876b4f18243529

SHA512
0f17347cdf4593445f55f9f6134afe08309e1d765629cc9b5eb6a36d5456cc98384c2e858ee4d04808d2653580c5ac98abd10a62e314864a4f687a22b41f09e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\78AC.exe

Filesize
744KB

MD5
04f4adbff19505399b6d449f367678ca

SHA1
3c669bcd0c38bbf517c318a882659695e73d1ccc

SHA256
9dad82b93164ac76f20225e9c11f9a2886ebcf4fde70338e8b6917b74ed8c77c

SHA512
3bf2dce09edc7d30bcc19ab5a64a383b2372a6d666dabcb7e29808e26b8d960681147bcff23aceef1743ac8377eecf267c7940df00f9d61d05774cfa1aea3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\78AC.exe

Filesize
744KB

MD5
04f4adbff19505399b6d449f367678ca

SHA1
3c669bcd0c38bbf517c318a882659695e73d1ccc

SHA256
9dad82b93164ac76f20225e9c11f9a2886ebcf4fde70338e8b6917b74ed8c77c

SHA512
3bf2dce09edc7d30bcc19ab5a64a383b2372a6d666dabcb7e29808e26b8d960681147bcff23aceef1743ac8377eecf267c7940df00f9d61d05774cfa1aea3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\78AC.exe

Filesize
744KB

MD5
04f4adbff19505399b6d449f367678ca

SHA1
3c669bcd0c38bbf517c318a882659695e73d1ccc

SHA256
9dad82b93164ac76f20225e9c11f9a2886ebcf4fde70338e8b6917b74ed8c77c

SHA512
3bf2dce09edc7d30bcc19ab5a64a383b2372a6d666dabcb7e29808e26b8d960681147bcff23aceef1743ac8377eecf267c7940df00f9d61d05774cfa1aea3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\78AC.exe

Filesize
744KB

MD5
04f4adbff19505399b6d449f367678ca

SHA1
3c669bcd0c38bbf517c318a882659695e73d1ccc

SHA256
9dad82b93164ac76f20225e9c11f9a2886ebcf4fde70338e8b6917b74ed8c77c

SHA512
3bf2dce09edc7d30bcc19ab5a64a383b2372a6d666dabcb7e29808e26b8d960681147bcff23aceef1743ac8377eecf267c7940df00f9d61d05774cfa1aea3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\78AC.exe

Filesize
744KB

MD5
04f4adbff19505399b6d449f367678ca

SHA1
3c669bcd0c38bbf517c318a882659695e73d1ccc

SHA256
9dad82b93164ac76f20225e9c11f9a2886ebcf4fde70338e8b6917b74ed8c77c

SHA512
3bf2dce09edc7d30bcc19ab5a64a383b2372a6d666dabcb7e29808e26b8d960681147bcff23aceef1743ac8377eecf267c7940df00f9d61d05774cfa1aea3915

Download Submit
C:\Users\Admin\AppData\Local\Temp\82B0.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\82B0.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\82B0.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\82B0.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\82B0.exe

Filesize
749KB

MD5
4b4aadf3ad2fc2ce44a0488a3033faba

SHA1
2f7d9b1075e504fcfb21eda5fb94986d97a394c3

SHA256
d89183dddceaaed625f4be9cdbcafbc68af7879fd82a714c414e0d3257785238

SHA512
958ee461bcf680075dca11d6ac0a8cbdef5b3ee22654d90a485f6d11011591801fef0c861ebfa961f7dcf4caabf1ce32394f5070204a5f792d958ed79017bd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\8726.exe

Filesize
250KB

MD5
f0493c90ed435ead0899da9ce1f6c55b

SHA1
5639792986e6e08ff958cbd82c9b3d5c1ce6daac

SHA256
c033b352a7df528ed34d155300a93659251c7a9c527601ec5fe4c230b359a188

SHA512
3890491ce48962757a28be64246cf5444efe966f41151586a5339557a04fcb3162acc7972679b09b9984d49a4136b0a8aa1fe3a6ebce3540f6137080fba3acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8726.exe

Filesize
250KB

MD5
f0493c90ed435ead0899da9ce1f6c55b

SHA1
5639792986e6e08ff958cbd82c9b3d5c1ce6daac

SHA256
c033b352a7df528ed34d155300a93659251c7a9c527601ec5fe4c230b359a188

SHA512
3890491ce48962757a28be64246cf5444efe966f41151586a5339557a04fcb3162acc7972679b09b9984d49a4136b0a8aa1fe3a6ebce3540f6137080fba3acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\89A7.exe

Filesize
250KB

MD5
f0493c90ed435ead0899da9ce1f6c55b

SHA1
5639792986e6e08ff958cbd82c9b3d5c1ce6daac

SHA256
c033b352a7df528ed34d155300a93659251c7a9c527601ec5fe4c230b359a188

SHA512
3890491ce48962757a28be64246cf5444efe966f41151586a5339557a04fcb3162acc7972679b09b9984d49a4136b0a8aa1fe3a6ebce3540f6137080fba3acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\89A7.exe

Filesize
250KB

MD5
f0493c90ed435ead0899da9ce1f6c55b

SHA1
5639792986e6e08ff958cbd82c9b3d5c1ce6daac

SHA256
c033b352a7df528ed34d155300a93659251c7a9c527601ec5fe4c230b359a188

SHA512
3890491ce48962757a28be64246cf5444efe966f41151586a5339557a04fcb3162acc7972679b09b9984d49a4136b0a8aa1fe3a6ebce3540f6137080fba3acab

Download Submit
C:\Users\Admin\AppData\Local\Temp\94C4.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\94C4.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C76.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\9C76.exe

Filesize
4.4MB

MD5
326665e5f77114ea09307e4cd002b82f

SHA1
ae7a70a90eb1e89e91aa8a6cad113c73ee5b826d

SHA256
4244acb6f883e56baebf36785ce5b2c1affc38b46472cd2795df3405d98d2ac0

SHA512
c941b7486fb9dcc6c5a50fc653f8d090654610749e8061af5a4089ea6daf8a3cf807ac866d071c384e437a02b7baf20b6b6958b3a4796b2f63431589fd7f2b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_divqlas3.5tf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
34ff8af4a01c1dd79149160c41dbcf7c

SHA1
0a439e12ae6cc354b5bae34271a9c8f229014543

SHA256
cb822ab02a16a3e9925643830c692f67cb5cfe127d58e0448d9e925f27f58ba3

SHA512
db1168117cc746cfa415bf463b9d431662dee61c319654567c2d1a845e15ae10b1bc72a5c6de575bdb3f3d736fd565efbaf91971a341837da79f203e357815a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
34ff8af4a01c1dd79149160c41dbcf7c

SHA1
0a439e12ae6cc354b5bae34271a9c8f229014543

SHA256
cb822ab02a16a3e9925643830c692f67cb5cfe127d58e0448d9e925f27f58ba3

SHA512
db1168117cc746cfa415bf463b9d431662dee61c319654567c2d1a845e15ae10b1bc72a5c6de575bdb3f3d736fd565efbaf91971a341837da79f203e357815a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
417KB

MD5
34ff8af4a01c1dd79149160c41dbcf7c

SHA1
0a439e12ae6cc354b5bae34271a9c8f229014543

SHA256
cb822ab02a16a3e9925643830c692f67cb5cfe127d58e0448d9e925f27f58ba3

SHA512
db1168117cc746cfa415bf463b9d431662dee61c319654567c2d1a845e15ae10b1bc72a5c6de575bdb3f3d736fd565efbaf91971a341837da79f203e357815a3

Download Submit
C:\Users\Admin\AppData\Local\bowsakkdestx.txt

Filesize
560B

MD5
6ab37c6fd8c563197ef79d09241843f1

SHA1
cb9bd05e2fc8cc06999a66b7b2d396ff4b5157e5

SHA256
d4849ec7852d9467f06fde6f25823331dad6bc76e7838d530e990b62286a754f

SHA512
dd1fae67d0f45ba1ec7e56347fdfc2a53f619650892c8a55e7fba80811b6c66d56544b1946a409eaaca06fa9503de20e160360445d959122e5ba3aa85b751cde

Download Submit
C:\Users\Admin\AppData\Roaming\tfhtcgc

Filesize
250KB

MD5
f0493c90ed435ead0899da9ce1f6c55b

SHA1
5639792986e6e08ff958cbd82c9b3d5c1ce6daac

SHA256
c033b352a7df528ed34d155300a93659251c7a9c527601ec5fe4c230b359a188

SHA512
3890491ce48962757a28be64246cf5444efe966f41151586a5339557a04fcb3162acc7972679b09b9984d49a4136b0a8aa1fe3a6ebce3540f6137080fba3acab

Download Submit
memory/1640-429-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1972-134-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/1972-136-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/2752-372-0x0000000002FA0000-0x00000000030D4000-memory.dmp

Filesize
1.2MB

Download
memory/2752-370-0x0000000002E20000-0x0000000002F93000-memory.dmp

Filesize
1.4MB

Download
memory/2864-313-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-218-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2864-220-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3164-135-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

Filesize
88KB

Download
memory/3436-164-0x00000000022C0000-0x00000000023DB000-memory.dmp

Filesize
1.1MB

Download
memory/3476-170-0x0000000002250000-0x000000000236B000-memory.dmp

Filesize
1.1MB

Download
memory/3596-184-0x0000000004C70000-0x0000000005214000-memory.dmp

Filesize
5.6MB

Download
memory/3596-219-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-269-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-287-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-266-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3596-257-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-252-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-308-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-310-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-304-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-165-0x0000000002140000-0x00000000021A2000-memory.dmp

Filesize
392KB

Download
memory/3596-294-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-235-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-224-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-222-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-182-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3596-212-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-209-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-265-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-239-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-469-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3596-230-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-203-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-280-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-195-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-186-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-191-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-314-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-189-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3596-188-0x0000000004B20000-0x0000000004B72000-memory.dmp

Filesize
328KB

Download
memory/3596-187-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3700-393-0x00000194EE6E0000-0x00000194EE6F0000-memory.dmp

Filesize
64KB

Download
memory/3700-399-0x00000194EE6E0000-0x00000194EE6F0000-memory.dmp

Filesize
64KB

Download
memory/3700-417-0x00000194EEA00000-0x00000194EEA22000-memory.dmp

Filesize
136KB

Download
memory/4396-202-0x0000000000940000-0x0000000000DA4000-memory.dmp

Filesize
4.4MB

Download
memory/4660-431-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4788-232-0x00000000020A0000-0x00000000020A9000-memory.dmp

Filesize
36KB

Download
memory/4940-465-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4940-174-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4940-158-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4940-486-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4940-166-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4940-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-167-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-169-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-181-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5112-312-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download