amadey | 7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c

Analysis

max time kernel
80s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe
Size

1002KB
MD5

8bda02393c901b2b0a250c4975d7a41b
SHA1

f490fdef429e2f7e52779fc6fb235032d4c336d6
SHA256

7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c
SHA512

17c4cb97cb11e287a59d2c75fb818f33d60c7742c400567a0646221fba49baa22fda2ae3898b50d18fb1ec1ad1c68463fd665d790658aea010363a1446a8e24f
SSDEEP

24576:ayzBNaM8qYS4Vle2mXKspCR++kRs2L9rMZICr9xPU:h1NaM8mzrg2LlvCB

Score

10^/10

amadey aurora redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v8510EV.exetz6709.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8510EV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8510EV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8510EV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8510EV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6709.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6709.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8510EV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8510EV.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4352-210-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-211-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-213-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-215-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-217-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-221-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-219-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-223-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-225-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-227-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-229-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-231-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-233-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-235-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-237-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-241-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-239-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-243-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/4352-431-0x0000000002410000-0x0000000002420000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exey71Ii74.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y71Ii74.exe

Executes dropped EXE 10 IoCs

Processes:

zap2653.exezap5609.exezap0046.exetz6709.exev8510EV.exew44wo83.exexMNkA32.exey71Ii74.exeoneetx.exe2023.exe

pid	process
2732	zap2653.exe
1588	zap5609.exe
4668	zap0046.exe
1636	tz6709.exe
2656	v8510EV.exe
4352	w44wo83.exe
4564	xMNkA32.exe
4160	y71Ii74.exe
2296	oneetx.exe
2776	2023.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz6709.exev8510EV.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6709.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8510EV.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8510EV.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exezap2653.exezap5609.exezap0046.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2653.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap2653.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5609.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0046.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

320 2656 WerFault.exe v8510EV.exe
4684 4352 WerFault.exe w44wo83.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2844 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4660 systeminfo.exe

pid	pid_target	process	target process
320	2656	WerFault.exe	v8510EV.exe
4684	4352	WerFault.exe	w44wo83.exe

pid	process
2844	schtasks.exe

pid	process
4660	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tz6709.exev8510EV.exew44wo83.exexMNkA32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1636	tz6709.exe
1636	tz6709.exe
2656	v8510EV.exe
2656	v8510EV.exe
4352	w44wo83.exe
4352	w44wo83.exe
4564	xMNkA32.exe
4564	xMNkA32.exe
4496	powershell.exe
4496	powershell.exe
2152	powershell.exe
2152	powershell.exe
1252	powershell.exe
1252	powershell.exe
2232	powershell.exe
2232	powershell.exe
4596	powershell.exe
4596	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tz6709.exev8510EV.exew44wo83.exexMNkA32.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1636	tz6709.exe
Token: SeDebugPrivilege	2656	v8510EV.exe
Token: SeDebugPrivilege	4352	w44wo83.exe
Token: SeDebugPrivilege	4564	xMNkA32.exe
Token: SeIncreaseQuotaPrivilege	4128	WMIC.exe
Token: SeSecurityPrivilege	4128	WMIC.exe
Token: SeTakeOwnershipPrivilege	4128	WMIC.exe
Token: SeLoadDriverPrivilege	4128	WMIC.exe
Token: SeSystemProfilePrivilege	4128	WMIC.exe
Token: SeSystemtimePrivilege	4128	WMIC.exe
Token: SeProfSingleProcessPrivilege	4128	WMIC.exe
Token: SeIncBasePriorityPrivilege	4128	WMIC.exe
Token: SeCreatePagefilePrivilege	4128	WMIC.exe
Token: SeBackupPrivilege	4128	WMIC.exe
Token: SeRestorePrivilege	4128	WMIC.exe
Token: SeShutdownPrivilege	4128	WMIC.exe
Token: SeDebugPrivilege	4128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4128	WMIC.exe
Token: SeRemoteShutdownPrivilege	4128	WMIC.exe
Token: SeUndockPrivilege	4128	WMIC.exe
Token: SeManageVolumePrivilege	4128	WMIC.exe
Token: 33	4128	WMIC.exe
Token: 34	4128	WMIC.exe
Token: 35	4128	WMIC.exe
Token: 36	4128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4128	WMIC.exe
Token: SeSecurityPrivilege	4128	WMIC.exe
Token: SeTakeOwnershipPrivilege	4128	WMIC.exe
Token: SeLoadDriverPrivilege	4128	WMIC.exe
Token: SeSystemProfilePrivilege	4128	WMIC.exe
Token: SeSystemtimePrivilege	4128	WMIC.exe
Token: SeProfSingleProcessPrivilege	4128	WMIC.exe
Token: SeIncBasePriorityPrivilege	4128	WMIC.exe
Token: SeCreatePagefilePrivilege	4128	WMIC.exe
Token: SeBackupPrivilege	4128	WMIC.exe
Token: SeRestorePrivilege	4128	WMIC.exe
Token: SeShutdownPrivilege	4128	WMIC.exe
Token: SeDebugPrivilege	4128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4128	WMIC.exe
Token: SeRemoteShutdownPrivilege	4128	WMIC.exe
Token: SeUndockPrivilege	4128	WMIC.exe
Token: SeManageVolumePrivilege	4128	WMIC.exe
Token: 33	4128	WMIC.exe
Token: 34	4128	WMIC.exe
Token: 35	4128	WMIC.exe
Token: 36	4128	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3452	wmic.exe
Token: SeSecurityPrivilege	3452	wmic.exe
Token: SeTakeOwnershipPrivilege	3452	wmic.exe
Token: SeLoadDriverPrivilege	3452	wmic.exe
Token: SeSystemProfilePrivilege	3452	wmic.exe
Token: SeSystemtimePrivilege	3452	wmic.exe
Token: SeProfSingleProcessPrivilege	3452	wmic.exe
Token: SeIncBasePriorityPrivilege	3452	wmic.exe
Token: SeCreatePagefilePrivilege	3452	wmic.exe
Token: SeBackupPrivilege	3452	wmic.exe
Token: SeRestorePrivilege	3452	wmic.exe
Token: SeShutdownPrivilege	3452	wmic.exe
Token: SeDebugPrivilege	3452	wmic.exe
Token: SeSystemEnvironmentPrivilege	3452	wmic.exe
Token: SeRemoteShutdownPrivilege	3452	wmic.exe
Token: SeUndockPrivilege	3452	wmic.exe
Token: SeManageVolumePrivilege	3452	wmic.exe
Token: 33	3452	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y71Ii74.exe

pid process

4160 y71Ii74.exe

pid	process
4160	y71Ii74.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exezap2653.exezap5609.exezap0046.exey71Ii74.exeoneetx.execmd.exe2023.execmd.exe

description	pid	process	target process
PID 2364 wrote to memory of 2732	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	zap2653.exe
PID 2364 wrote to memory of 2732	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	zap2653.exe
PID 2364 wrote to memory of 2732	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	zap2653.exe
PID 2732 wrote to memory of 1588	2732	zap2653.exe	zap5609.exe
PID 2732 wrote to memory of 1588	2732	zap2653.exe	zap5609.exe
PID 2732 wrote to memory of 1588	2732	zap2653.exe	zap5609.exe
PID 1588 wrote to memory of 4668	1588	zap5609.exe	zap0046.exe
PID 1588 wrote to memory of 4668	1588	zap5609.exe	zap0046.exe
PID 1588 wrote to memory of 4668	1588	zap5609.exe	zap0046.exe
PID 4668 wrote to memory of 1636	4668	zap0046.exe	tz6709.exe
PID 4668 wrote to memory of 1636	4668	zap0046.exe	tz6709.exe
PID 4668 wrote to memory of 2656	4668	zap0046.exe	v8510EV.exe
PID 4668 wrote to memory of 2656	4668	zap0046.exe	v8510EV.exe
PID 4668 wrote to memory of 2656	4668	zap0046.exe	v8510EV.exe
PID 1588 wrote to memory of 4352	1588	zap5609.exe	w44wo83.exe
PID 1588 wrote to memory of 4352	1588	zap5609.exe	w44wo83.exe
PID 1588 wrote to memory of 4352	1588	zap5609.exe	w44wo83.exe
PID 2732 wrote to memory of 4564	2732	zap2653.exe	xMNkA32.exe
PID 2732 wrote to memory of 4564	2732	zap2653.exe	xMNkA32.exe
PID 2732 wrote to memory of 4564	2732	zap2653.exe	xMNkA32.exe
PID 2364 wrote to memory of 4160	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	y71Ii74.exe
PID 2364 wrote to memory of 4160	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	y71Ii74.exe
PID 2364 wrote to memory of 4160	2364	7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe	y71Ii74.exe
PID 4160 wrote to memory of 2296	4160	y71Ii74.exe	oneetx.exe
PID 4160 wrote to memory of 2296	4160	y71Ii74.exe	oneetx.exe
PID 4160 wrote to memory of 2296	4160	y71Ii74.exe	oneetx.exe
PID 2296 wrote to memory of 2844	2296	oneetx.exe	schtasks.exe
PID 2296 wrote to memory of 2844	2296	oneetx.exe	schtasks.exe
PID 2296 wrote to memory of 2844	2296	oneetx.exe	schtasks.exe
PID 2296 wrote to memory of 1172	2296	oneetx.exe	cmd.exe
PID 2296 wrote to memory of 1172	2296	oneetx.exe	cmd.exe
PID 2296 wrote to memory of 1172	2296	oneetx.exe	cmd.exe
PID 1172 wrote to memory of 4332	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 4332	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 4332	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 4980	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 4980	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 4980	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 404	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 404	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 404	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 4252	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 4252	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 4252	1172	cmd.exe	cmd.exe
PID 1172 wrote to memory of 3832	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 3832	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 3832	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 1596	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 1596	1172	cmd.exe	cacls.exe
PID 1172 wrote to memory of 1596	1172	cmd.exe	cacls.exe
PID 2296 wrote to memory of 2776	2296	oneetx.exe	2023.exe
PID 2296 wrote to memory of 2776	2296	oneetx.exe	2023.exe
PID 2296 wrote to memory of 2776	2296	oneetx.exe	2023.exe
PID 2776 wrote to memory of 5012	2776	2023.exe	cmd.exe
PID 2776 wrote to memory of 5012	2776	2023.exe	cmd.exe
PID 2776 wrote to memory of 5012	2776	2023.exe	cmd.exe
PID 5012 wrote to memory of 4128	5012	cmd.exe	WMIC.exe
PID 5012 wrote to memory of 4128	5012	cmd.exe	WMIC.exe
PID 5012 wrote to memory of 4128	5012	cmd.exe	WMIC.exe
PID 2776 wrote to memory of 3452	2776	2023.exe	wmic.exe
PID 2776 wrote to memory of 3452	2776	2023.exe	wmic.exe
PID 2776 wrote to memory of 3452	2776	2023.exe	wmic.exe
PID 2776 wrote to memory of 3040	2776	2023.exe	cmd.exe
PID 2776 wrote to memory of 3040	2776	2023.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe
"C:\Users\Admin\AppData\Local\Temp\7b4942a9a9e161a7472bfa54de006b4533549fc3dffbc2fea234ec7602ec641c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2653.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2653.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5609.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0046.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0046.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6709.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6709.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8510EV.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8510EV.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1080
        6⤵
        Program crash
        
        PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44wo83.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44wo83.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1540
        5⤵
        Program crash
        
        PID:4684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMNkA32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMNkA32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71Ii74.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71Ii74.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4332
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4980
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4252
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:N"
        5⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:R" /E
        5⤵
        
        PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe
      "C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:3040
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:4888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:4448
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd "/c " systeminfo
        5⤵
        
        PID:4708
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History\" \"C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State\" \"C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "copy \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\LDnJObCsNV\""
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2656 -ip 2656
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4352 -ip 4352
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
481a03329529614210dec28f62eba705

SHA1
bda0b9277a567a2be9efc9a3a8c5b42160896b98

SHA256
20a794d8a04a99dc8e9377c5230596816d89133f2838935db66d25252ec8f24d

SHA512
2a9d4296384bc8b639d05f73d17e8daa3bcb51b19f9ccc8342a33b3011a56b4077fc0b4072c78b037ca6d83f14bc812c02e3c5bca8bd56b66c886fff31713498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
7810459c99c225d56c6c45b40c6e62b0

SHA1
6666890681e382d576a6f7c21d0ac890715ed983

SHA256
47a43e36d5da15ac4e029b5edad7a0af6ef0bca65350139faf72094b0bc1d1fc

SHA512
e9c53a8fdcfd1c7f93fc24b7dca2a169520d6b007ef85fa356722c5bf30a346f96d9e21effb4e99bd05d5db6683114e5308d16f68a6e2a94cae0411574d91674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
322cdf0dd62fa8c30190ee7f9d21cc14

SHA1
87e75f711a744268bf4367420f7ec5bdee5bf940

SHA256
c08228f2dbb706b6341f04068af738426290ccf5d0c79b6f852ba466b184edc6

SHA512
322ac2506e707e1e0b4d57c176f2ff98dd87db30c750e4bebe05f10e11f8e7a8fc175d8f5fc7185f247f9bbd3ee76b278b7bb52f95b871ca0f0f224975fed790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8f40d9c1231a5f5226725a9572291436

SHA1
02b8d6cda9394d98da93c724238062f406b3626d

SHA256
6e65e20e8b08c9ccd5cf03df37e3954239c3036c36877b32bf72f7073661da11

SHA512
0a36727053b42ed46d196c4fb0829f9cab1b78f72cc46847d78c5cd093e16c49dddf58427d97cd22813229b6764c98a79cf6770edc486d68cbb3a00c899cabfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71Ii74.exe

Filesize
236KB

MD5
99d419cae856ffaf00e7764fa1b4fbfb

SHA1
8de7bffde3925a3fed144329492fd15fd36cda42

SHA256
87b7f78d3fb9bb45fa1f2dfa85f134da737312c02585d0d82e67501e231cb3f1

SHA512
5c85a6c406901c2114b4b0166fbf9fa888d22376f2ce3274e51eab89df96ab776d12866f66c2b8fe437b17f45ef8e8c85a154449288c6d5c9d8c21e83d5d9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y71Ii74.exe

Filesize
236KB

MD5
99d419cae856ffaf00e7764fa1b4fbfb

SHA1
8de7bffde3925a3fed144329492fd15fd36cda42

SHA256
87b7f78d3fb9bb45fa1f2dfa85f134da737312c02585d0d82e67501e231cb3f1

SHA512
5c85a6c406901c2114b4b0166fbf9fa888d22376f2ce3274e51eab89df96ab776d12866f66c2b8fe437b17f45ef8e8c85a154449288c6d5c9d8c21e83d5d9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2653.exe

Filesize
818KB

MD5
89360bc1d53d01f0b6112852d618cb6e

SHA1
26efd9ea3a598bbbbb3fbf4b456c18b5a93fed12

SHA256
d36bd8668fb730fc1873086e79df9cdabe98ca97d39bfebeeaedfddd022e168a

SHA512
ba42118ff14051cab9da288578e1c318c29143b230bf2d647157a29c4f42ec4f779f433e4f40194d7900173e57378c970eddd2b5fcd83e20d4e7a3789fc880b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2653.exe

Filesize
818KB

MD5
89360bc1d53d01f0b6112852d618cb6e

SHA1
26efd9ea3a598bbbbb3fbf4b456c18b5a93fed12

SHA256
d36bd8668fb730fc1873086e79df9cdabe98ca97d39bfebeeaedfddd022e168a

SHA512
ba42118ff14051cab9da288578e1c318c29143b230bf2d647157a29c4f42ec4f779f433e4f40194d7900173e57378c970eddd2b5fcd83e20d4e7a3789fc880b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMNkA32.exe

Filesize
175KB

MD5
c1388c189719b3fb90a49ef8eaa21570

SHA1
2bcd54843d7bd9762ab823108983329a6452ba52

SHA256
06e4d5a801dae926b314d00f06e482a1acec3d8e2cfbd244590531b11c593942

SHA512
20227ffd66b92a46d26085cf94ae1e8658ab8e3d87e9996e10fcd4a965285417851447b32d9a7becb5c4491ca9e378e533d9b3cf87471798527d370f405287bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xMNkA32.exe

Filesize
175KB

MD5
c1388c189719b3fb90a49ef8eaa21570

SHA1
2bcd54843d7bd9762ab823108983329a6452ba52

SHA256
06e4d5a801dae926b314d00f06e482a1acec3d8e2cfbd244590531b11c593942

SHA512
20227ffd66b92a46d26085cf94ae1e8658ab8e3d87e9996e10fcd4a965285417851447b32d9a7becb5c4491ca9e378e533d9b3cf87471798527d370f405287bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5609.exe

Filesize
676KB

MD5
7d4930007cba4b06bed8fd788b3ab373

SHA1
1f453bf076ec660d8c6214d43c0dafbce5a7495b

SHA256
93920333c2f17edc1a2fd09465d3dcfe9b0194fd16d3c404319b8138b3424184

SHA512
4135331371ba5e93d3022e4c1a6583812365fe97f0edacb4841f1757794498f893d4d3744cbb6d59832ef8b71224e15dd8aaaae71e2060c021c862698accac38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5609.exe

Filesize
676KB

MD5
7d4930007cba4b06bed8fd788b3ab373

SHA1
1f453bf076ec660d8c6214d43c0dafbce5a7495b

SHA256
93920333c2f17edc1a2fd09465d3dcfe9b0194fd16d3c404319b8138b3424184

SHA512
4135331371ba5e93d3022e4c1a6583812365fe97f0edacb4841f1757794498f893d4d3744cbb6d59832ef8b71224e15dd8aaaae71e2060c021c862698accac38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44wo83.exe

Filesize
319KB

MD5
ab9ec1630d1e3c156f4244aa44685249

SHA1
995b65da41e187c2d2e674bf309ad19069a5cf87

SHA256
1fbacae327d6c23aeb769ca79f366f57c4b7953eef2be09273b8b03f9d0ceffe

SHA512
eed8f7ec1e63f0a8ecb02e900fca091f801bf5dc6cca80dbbe1492c27b225fdbd31c44c572bfa1e70c7e007d8a1dd51e8ac2c09f0bbb5b20c909a1617249c30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w44wo83.exe

Filesize
319KB

MD5
ab9ec1630d1e3c156f4244aa44685249

SHA1
995b65da41e187c2d2e674bf309ad19069a5cf87

SHA256
1fbacae327d6c23aeb769ca79f366f57c4b7953eef2be09273b8b03f9d0ceffe

SHA512
eed8f7ec1e63f0a8ecb02e900fca091f801bf5dc6cca80dbbe1492c27b225fdbd31c44c572bfa1e70c7e007d8a1dd51e8ac2c09f0bbb5b20c909a1617249c30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0046.exe

Filesize
335KB

MD5
08fc2620d189eb9451707c80685e85c8

SHA1
e2f7e9e7dc802314b7823d663420d72d34871aff

SHA256
ec3fbfb7f9d5c5cc74f3ef32209d0347c0a37401bea08c01185d65b56ab46189

SHA512
cfa1603cd36a379626908d2506e176142a2ed48c015b1e2bba48866e21f710a273c422de1b1aadc9e165ff1a8549a3be52a684086408fe4a420c85a6604d6414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0046.exe

Filesize
335KB

MD5
08fc2620d189eb9451707c80685e85c8

SHA1
e2f7e9e7dc802314b7823d663420d72d34871aff

SHA256
ec3fbfb7f9d5c5cc74f3ef32209d0347c0a37401bea08c01185d65b56ab46189

SHA512
cfa1603cd36a379626908d2506e176142a2ed48c015b1e2bba48866e21f710a273c422de1b1aadc9e165ff1a8549a3be52a684086408fe4a420c85a6604d6414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6709.exe

Filesize
11KB

MD5
700f8bf7bb0a908c2e850ec81ec209a4

SHA1
ce123ad1d707414dc953ef9bf892521ff1c57769

SHA256
eeac0ece4b578619fbf40ff1c88735e585a0deaf6f6c1ec3a60f1abe3e0e7fb8

SHA512
2a774b17ba805c5a3d546b9d7795c8ce84035b17506d5549d71fe2c9d409124fdeab74d5ce5be7a9b8e07bf0fb474df6738950c28d3909126f0f1116378780e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6709.exe

Filesize
11KB

MD5
700f8bf7bb0a908c2e850ec81ec209a4

SHA1
ce123ad1d707414dc953ef9bf892521ff1c57769

SHA256
eeac0ece4b578619fbf40ff1c88735e585a0deaf6f6c1ec3a60f1abe3e0e7fb8

SHA512
2a774b17ba805c5a3d546b9d7795c8ce84035b17506d5549d71fe2c9d409124fdeab74d5ce5be7a9b8e07bf0fb474df6738950c28d3909126f0f1116378780e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8510EV.exe

Filesize
260KB

MD5
524c5c59e573d101ece5f15584820b65

SHA1
606798d7cccb8ce7ea7586377b97671eece3fb79

SHA256
5253ee20582f268ba99782c9b08fa6b4c5a00ac2472674e834d0c5539db06d91

SHA512
c462992dca047015a4ba032ad8d0d243159779f3e95374a69dfb3f4541024d461069f0a81e85d5ddb859a9c79ffdcce20eed2c57922b6b6ce23756bf3b6b0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8510EV.exe

Filesize
260KB

MD5
524c5c59e573d101ece5f15584820b65

SHA1
606798d7cccb8ce7ea7586377b97671eece3fb79

SHA256
5253ee20582f268ba99782c9b08fa6b4c5a00ac2472674e834d0c5539db06d91

SHA512
c462992dca047015a4ba032ad8d0d243159779f3e95374a69dfb3f4541024d461069f0a81e85d5ddb859a9c79ffdcce20eed2c57922b6b6ce23756bf3b6b0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRAjWwhTHctcuAx

Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SjFbcXoEFfRsWxP

Filesize
71KB

MD5
46988a922937a39036d6b71e62d0f966

SHA1
4a997f2a0360274ec7990aac156870a5a7030665

SHA256
5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6

SHA512
dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igzxgvpc.mz2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
99d419cae856ffaf00e7764fa1b4fbfb

SHA1
8de7bffde3925a3fed144329492fd15fd36cda42

SHA256
87b7f78d3fb9bb45fa1f2dfa85f134da737312c02585d0d82e67501e231cb3f1

SHA512
5c85a6c406901c2114b4b0166fbf9fa888d22376f2ce3274e51eab89df96ab776d12866f66c2b8fe437b17f45ef8e8c85a154449288c6d5c9d8c21e83d5d9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
99d419cae856ffaf00e7764fa1b4fbfb

SHA1
8de7bffde3925a3fed144329492fd15fd36cda42

SHA256
87b7f78d3fb9bb45fa1f2dfa85f134da737312c02585d0d82e67501e231cb3f1

SHA512
5c85a6c406901c2114b4b0166fbf9fa888d22376f2ce3274e51eab89df96ab776d12866f66c2b8fe437b17f45ef8e8c85a154449288c6d5c9d8c21e83d5d9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
99d419cae856ffaf00e7764fa1b4fbfb

SHA1
8de7bffde3925a3fed144329492fd15fd36cda42

SHA256
87b7f78d3fb9bb45fa1f2dfa85f134da737312c02585d0d82e67501e231cb3f1

SHA512
5c85a6c406901c2114b4b0166fbf9fa888d22376f2ce3274e51eab89df96ab776d12866f66c2b8fe437b17f45ef8e8c85a154449288c6d5c9d8c21e83d5d9d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxKQFDaFpL

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
memory/1252-1213-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/1252-1212-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/1636-161-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2152-1207-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/2152-1208-0x0000000004800000-0x0000000004810000-memory.dmp

Filesize
64KB

Download
memory/2232-1237-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2232-1238-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2656-197-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-167-0x0000000000630000-0x000000000065D000-memory.dmp

Filesize
180KB

Download
memory/2656-190-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-192-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-186-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-184-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-182-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-194-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-180-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-178-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-176-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-174-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-172-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-170-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-196-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-198-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-188-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-199-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2656-202-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-203-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-204-0x0000000002260000-0x0000000002270000-memory.dmp

Filesize
64KB

Download
memory/2656-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2656-169-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/2656-168-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/4352-243-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-1119-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/4352-1126-0x00000000064B0000-0x0000000006672000-memory.dmp

Filesize
1.8MB

Download
memory/4352-1127-0x0000000006680000-0x0000000006BAC000-memory.dmp

Filesize
5.2MB

Download
memory/4352-1129-0x0000000006D00000-0x0000000006D76000-memory.dmp

Filesize
472KB

Download
memory/4352-1130-0x0000000006D80000-0x0000000006DD0000-memory.dmp

Filesize
320KB

Download
memory/4352-1131-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-1132-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-1133-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-1134-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-211-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-210-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-1124-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4352-1123-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-1122-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/4352-1121-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/4352-1120-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4352-1125-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4352-431-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-429-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4352-427-0x0000000000750000-0x000000000079B000-memory.dmp

Filesize
300KB

Download
memory/4352-239-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-241-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-237-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-235-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-233-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-231-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-229-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-227-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-225-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-213-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-223-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-219-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-221-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-217-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4352-215-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/4496-1188-0x00000000060F0000-0x000000000610E000-memory.dmp

Filesize
120KB

Download
memory/4496-1175-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4496-1190-0x00000000065C0000-0x00000000065DA000-memory.dmp

Filesize
104KB

Download
memory/4496-1189-0x00000000070E0000-0x0000000007176000-memory.dmp

Filesize
600KB

Download
memory/4496-1178-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4496-1177-0x0000000005220000-0x0000000005242000-memory.dmp

Filesize
136KB

Download
memory/4496-1176-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4496-1191-0x0000000006620000-0x0000000006642000-memory.dmp

Filesize
136KB

Download
memory/4496-1174-0x00000000053B0000-0x00000000059D8000-memory.dmp

Filesize
6.2MB

Download
memory/4496-1173-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/4564-1142-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/4564-1141-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/4564-1140-0x00000000007D0000-0x0000000000802000-memory.dmp

Filesize
200KB

Download
memory/4596-1242-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/4596-1243-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download