a6f48afd03aaa15824a2182e20088a4595f795766f78d679416d123ec17e1de5

Resubmissions

25/02/2025, 18:31

250225-w51ava1jt9 8

11/03/2024, 23:35

240311-3leclahf51 8

05/09/2023, 14:57

230905-sbr6lagd82 8

12/04/2023, 00:00

230412-aaqx2ahh3w 8

Analysis

max time kernel
81s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Elo.exe
Size

96KB
MD5

26b12d61e9e62412748069275521be1a
SHA1

6206f2f1256774a058998da3517cbffc5e70270e
SHA256

a6f48afd03aaa15824a2182e20088a4595f795766f78d679416d123ec17e1de5
SHA512

0e28b335d373c7d1d92f15bd412886472db66ad9b1ab9a4fcae6f1338df07785a62b03ff069aea9543a850c95e9990e3107e0114d63f207721e897b859956491
SSDEEP

1536:f7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfswociK1CFOU:T7DhdC6kzWypvaQ0FxyNTBfspwYp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	3288	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
1560	timeout.exe
2524	timeout.exe
636	timeout.exe
4424	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5288	taskkill.exe
5776	taskkill.exe
6664	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3804	NOTEPAD.EXE
4408	Notepad.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3188	powershell.exe
3288	powershell.exe
3288	powershell.exe
3188	powershell.exe
2820	powershell.exe
2820	powershell.exe
3472	powershell.exe
3472	powershell.exe
4492	chrome.exe
4492	chrome.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeSystemtimePrivilege	852	cmd.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 852	4380	Elo.exe	84
PID 4380 wrote to memory of 852	4380	Elo.exe	84
PID 852 wrote to memory of 1688	852	cmd.exe	85
PID 852 wrote to memory of 1688	852	cmd.exe	85
PID 1688 wrote to memory of 4600	1688	net.exe	86
PID 1688 wrote to memory of 4600	1688	net.exe	86
PID 852 wrote to memory of 4008	852	cmd.exe	87
PID 852 wrote to memory of 4008	852	cmd.exe	87
PID 852 wrote to memory of 3528	852	cmd.exe	88
PID 852 wrote to memory of 3528	852	cmd.exe	88
PID 852 wrote to memory of 4036	852	cmd.exe	89
PID 852 wrote to memory of 4036	852	cmd.exe	89
PID 852 wrote to memory of 3344	852	cmd.exe	90
PID 852 wrote to memory of 3344	852	cmd.exe	90
PID 852 wrote to memory of 2884	852	cmd.exe	91
PID 852 wrote to memory of 2884	852	cmd.exe	91
PID 852 wrote to memory of 980	852	cmd.exe	92
PID 852 wrote to memory of 980	852	cmd.exe	92
PID 852 wrote to memory of 4480	852	cmd.exe	93
PID 852 wrote to memory of 4480	852	cmd.exe	93
PID 852 wrote to memory of 1672	852	cmd.exe	94
PID 852 wrote to memory of 1672	852	cmd.exe	94
PID 852 wrote to memory of 652	852	cmd.exe	95
PID 852 wrote to memory of 652	852	cmd.exe	95
PID 852 wrote to memory of 116	852	cmd.exe	96
PID 852 wrote to memory of 116	852	cmd.exe	96
PID 852 wrote to memory of 1236	852	cmd.exe	97
PID 852 wrote to memory of 1236	852	cmd.exe	97
PID 852 wrote to memory of 3804	852	cmd.exe	98
PID 852 wrote to memory of 3804	852	cmd.exe	98
PID 852 wrote to memory of 4508	852	cmd.exe	99
PID 852 wrote to memory of 4508	852	cmd.exe	99
PID 1236 wrote to memory of 3188	1236	WScript.exe	100
PID 1236 wrote to memory of 3188	1236	WScript.exe	100
PID 852 wrote to memory of 4836	852	cmd.exe	102
PID 852 wrote to memory of 4836	852	cmd.exe	102
PID 852 wrote to memory of 3288	852	cmd.exe	103
PID 852 wrote to memory of 3288	852	cmd.exe	103
PID 3188 wrote to memory of 3828	3188	powershell.exe	104
PID 3188 wrote to memory of 3828	3188	powershell.exe	104
PID 3828 wrote to memory of 4940	3828	cmd.exe	106
PID 3828 wrote to memory of 4940	3828	cmd.exe	106
PID 3828 wrote to memory of 1464	3828	cmd.exe	107
PID 3828 wrote to memory of 1464	3828	cmd.exe	107
PID 4940 wrote to memory of 2820	4940	WScript.exe	108
PID 4940 wrote to memory of 2820	4940	WScript.exe	108
PID 852 wrote to memory of 3472	852	cmd.exe	110
PID 852 wrote to memory of 3472	852	cmd.exe	110
PID 2820 wrote to memory of 2008	2820	powershell.exe	111
PID 2820 wrote to memory of 2008	2820	powershell.exe	111
PID 852 wrote to memory of 1560	852	cmd.exe	113
PID 852 wrote to memory of 1560	852	cmd.exe	113
PID 852 wrote to memory of 1564	852	cmd.exe	115
PID 852 wrote to memory of 1564	852	cmd.exe	115
PID 852 wrote to memory of 4084	852	cmd.exe	116
PID 852 wrote to memory of 4084	852	cmd.exe	116
PID 852 wrote to memory of 2012	852	cmd.exe	117
PID 852 wrote to memory of 2012	852	cmd.exe	117
PID 852 wrote to memory of 4644	852	cmd.exe	118
PID 852 wrote to memory of 4644	852	cmd.exe	118
PID 852 wrote to memory of 1456	852	cmd.exe	119
PID 852 wrote to memory of 1456	852	cmd.exe	119
PID 852 wrote to memory of 4048	852	cmd.exe	120
PID 852 wrote to memory of 4048	852	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
652	attrib.exe
4508	attrib.exe
1456	attrib.exe
2884	attrib.exe
4480	attrib.exe
1672	attrib.exe
4644	attrib.exe
4008	attrib.exe
116	attrib.exe
2012	attrib.exe
980	attrib.exe
4084	attrib.exe
4048	attrib.exe
1564	attrib.exe
3528	attrib.exe
4036	attrib.exe
3344	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Elo.exe
"C:\Users\Admin\AppData\Local\Temp\Elo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\69FA.tmp\69FB.tmp\69FC.bat C:\Users\Admin\AppData\Local\Temp\Elo.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4600
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\Elo.exe
    3⤵
    - Views/modifies file attributes
    PID:4008
- - C:\Windows\system32\attrib.exe
    attrib +h +s 25234.vbs
    3⤵
    - Views/modifies file attributes
    PID:3528
- - C:\Windows\system32\attrib.exe
    attrib +h +s 28535.vbs
    3⤵
    - Views/modifies file attributes
    PID:4036
- - C:\Windows\system32\attrib.exe
    attrib +h +s 1032.vbs
    3⤵
    - Views/modifies file attributes
    PID:3344
- - C:\Windows\system32\attrib.exe
    attrib +h +s Automate.bat
    3⤵
    - Views/modifies file attributes
    PID:2884
- - C:\Windows\system32\attrib.exe
    attrib +h +s Test.vbs
    3⤵
    - Views/modifies file attributes
    PID:980
- - C:\Windows\system32\attrib.exe
    attrib +h +s Test.bat
    3⤵
    - Views/modifies file attributes
    PID:4480
- - C:\Windows\system32\attrib.exe
    attrib +h +s Detect.vbs
    3⤵
    - Views/modifies file attributes
    PID:1672
- - C:\Windows\system32\attrib.exe
    attrib +h +s Detect.bat
    3⤵
    - Views/modifies file attributes
    PID:652
- - C:\Windows\system32\attrib.exe
    attrib +h +s bsod.bat
    3⤵
    - Views/modifies file attributes
    PID:116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25234.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process Detect.bat -Verb RunAs -windowstyle hidden
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Detect.bat"
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Detect.vbs"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process Test.bat -Verb RunAs -windowstyle hidden -wait
        7⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Test.bat"
        8⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process Automate.bat -Verb RunAs -windowstyle hidden
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Automate.bat"
        8⤵
        
        PID:5616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28535.vbs"
        9⤵
        
        PID:5744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process bsod.bat -Verb RunAs -windowstyle hidden
        10⤵
        
        PID:6196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bsod.bat"
        11⤵
        
        PID:6552
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im svchost.exe
        12⤵
        Kills process with taskkill
        
        PID:6664
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:5776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:4740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:3188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:1300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:4180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:5804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:4008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1032.vbs"
        9⤵
        
        PID:6600
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Test.vbs"
        6⤵
        
        PID:1464
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MEMZ.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3804
- - C:\Windows\system32\attrib.exe
    attrib +h +s MEMZ.txt
    3⤵
    - Views/modifies file attributes
    PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type NirCmd.ps1 "
    3⤵
    PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell gci -Recurse -Filter *.zip |ForEach-Object {Expand-Archive -Path $_.Fullname -DestinationPath $_.BaseName -Force}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3472
- - C:\Windows\system32\timeout.exe
    timeout 15 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd.bat
    3⤵
    - Views/modifies file attributes
    PID:1564
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd.txt
    3⤵
    - Views/modifies file attributes
    PID:4084
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd2.txt
    3⤵
    - Views/modifies file attributes
    PID:2012
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd.zip
    3⤵
    - Views/modifies file attributes
    PID:4644
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd.ps1
    3⤵
    - Views/modifies file attributes
    PID:1456
- - C:\Windows\system32\attrib.exe
    attrib +h +s NirCmd.exe
    3⤵
    - Views/modifies file attributes
    PID:4048
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com/search?q=how+2+remove+a+virus&rlz=1C1CHBF_enUS897US897&oq=how+2+rem&aqs=chrome.1.69i57j35i39j0i512l8.4367j0j7&sourceid=chrome&ie=UTF-8"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3cbe9758,0x7ffd3cbe9768,0x7ffd3cbe9778
      4⤵
      PID:4480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:2
      4⤵
      PID:2756
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:8
      4⤵
      PID:4452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:8
      4⤵
      PID:3124
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3264 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:1
      4⤵
      PID:5116
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:1
      4⤵
      PID:2772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:1
      4⤵
      PID:4504
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4848 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:1
      4⤵
      PID:4992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1828,i,12136558425672490533,6187810489789524751,131072 /prefetch:8
      4⤵
      PID:2344
- - C:\Windows\system32\timeout.exe
    timeout 20 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.google.com/search?q=what+happens+if+you+delete+system32&rlz=1C1CHBF_enUS897US897&oq=what+happens+if+you+dele&aqs=chrome.1.69i57j35i39j0i512l8.30417j0j7&sourceid=chrome&ie=UTF-8"
    3⤵
    PID:1112
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3cbe9758,0x7ffd3cbe9768,0x7ffd3cbe9778
      4⤵
      PID:4916
- - C:\Windows\system32\timeout.exe
    timeout 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4424
- - C:\Windows\system32\sethc.exe
    sethc 250
    3⤵
    PID:4320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4640

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\ConvertToGet.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:4408

C:\Windows\system32\sethc.exe
sethc.exe 101
1⤵
PID:2540

C:\Windows\System32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\themes\Aero\AeroLite.msstyles?NormalColor?NormalSize
1⤵
PID:4908

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
1⤵
- Kills process with taskkill
PID:5288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8da121b8326f1eef18a97eb59d0ad5e2

SHA1
408632f615ea5ee863c7562105d8536ff7de062d

SHA256
06f284e3c5df4fedd4267c7e8929660fa14aef7400b5f4000109979df29769fc

SHA512
72a08f838371f1ee26357b5104e7f45b4aa0c954554c6e8e877d492c848d82b5f2bf061b4c9d43af1476619ffb911ce19b99f29d0e41be05f3e143df6e2aa1a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b2986d9529e6a0c054c571aade4b5b76

SHA1
f7aa3b76bbf23d165e9487b28304acdeca847253

SHA256
f15b0e061102627fddbe7daba20404b877bec69b80a2396a6ace6d081411d3f3

SHA512
cfe632c65503682cc99cce1fe62099333e410402d281a074695ac49ac8cf87118be8df6baa20a4237346c4714719c9cdc9f7fff5ca0da29e27e4eb15120a6e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6543b569789399685728af805c18c941

SHA1
2d5eeb2057ec5736d1e856aad50c649cb291b082

SHA256
333f065295d916f0cc3c8f31d8c7a8c4c06f3f263c987c44f334b9862c238f71

SHA512
d014e967eb54127682984499b5dbeb119bbebbbe8fa63287c7079f8aff6fa02fce36dee26f652b2a2f7c89b56de5809d590abeffe1b64b694906b6d59f2c12a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
9fb90dd923ad5d22dbb0d6fcfcf65926

SHA1
ae7a13a5017ff8209c26489bee95bff99565cc1b

SHA256
2d558416eec619373a53148531fc639028190c5e445722d82ada0aa4ec4b4e4c

SHA512
b5641a7401d4aea2de3c7bf57e897ad6dbbd24f0dcd4c1633ccf78ed6d633c7139b89193890dd44a43225715aa2dc5fcbea150838083e31b4967759ec1d05bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
27bfa1595c5a606ca59a49f129ac23fd

SHA1
a25b328f884e2b8a2fe0ea9cbf64fbf07453839f

SHA256
39225556809fd27e41c59dfe53dabe3717acecf6b3c23fafcb60d54141c51ad3

SHA512
d8d92dc513a386cab917033ac3f5598645bbd792f277e7b513ced7edec49fcca130fb2788c13ff40e1928a4e9eb6c51521508a050cf332a31ad78c54456f90e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1032.vbs

Filesize
218B

MD5
a5ffacb76079366b573d25fec3dccf7f

SHA1
5039dc66332fdade2b16d3b9065fb5fc9061f6ba

SHA256
24ab295f3ea0d46fc827398c8b1d3b23752de36c8100bcfc4b5f011915b4f4f8

SHA512
85b40e401e88dd13f84ec781956980c59ccb338f3953240da0be5bf17ce7d42d1654cada7e8fc70a52a2a1befb697f7ad63622c2f97f7659d481e315fb4f1046

Download Submit
C:\Users\Admin\AppData\Local\Temp\25234.vbs

Filesize
128B

MD5
de77acb4970462a84d1418426ef768c0

SHA1
9f9420eecfda1a228b31ba6a7a7cac2a2885d59e

SHA256
533d3759b2dc9f801b1440002bbe45a19099d87378faa7cd1ca38b6ed15c91cf

SHA512
c9bd51a8f42d51e4ecf3b699aaf5c907fb85d4c727f376677604f7bac369740a13953631c4164c988707e64494c8ecb7164074b782ce2a544220b1abd0aef0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\28535.vbs

Filesize
147B

MD5
9e058306bf7f9c484a7553dcd1a080ad

SHA1
98670b4b9c36eea14078343272418104aee382c0

SHA256
245c3a8cf02aa38b997b3a4eea47b1872c68d882a2e63c19e142b5f3e72a9d0c

SHA512
bd4455afc947671eae07099d026124aeeda1c2f0ecac05f1fdf48bbe7ad2213d42dc797282cf1e7a206232d2463d8765944e6e9db8ce5c404f64b6d0c6f16fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\69FA.tmp\69FB.tmp\69FC.bat

Filesize
7KB

MD5
481a357d27e7c1a2cfbe617f14600b8b

SHA1
5c29901995a3d345eaa0d3cc9ee763ec21638b89

SHA256
970b56f67e1996e434fc45c12b5157fb96ae4886b3ea4e77fad2e86fc78321aa

SHA512
3504010edfa0f8a17b888fdaa1631c5a2efc20a5689bb8cc06fe1a6a95067cc1ebd6ef52d2ea8c52867b7e16280292972025358beccf0937313822c6199b2bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Automate.bat

Filesize
249B

MD5
efd420e2cde98d01d7f610ff5f39c5ce

SHA1
f144ad72cdee6922407fd6afd597ca58601bc427

SHA256
4be89496cb4b6c35e246e3c16308032d8f593d7a6581787823b9e113beef9f0d

SHA512
ae00320bbfd26a502932d068ef8cff5529f69cfa6e4f88b65457f5581a2a5cd047deffad4038048970505d47e7914858e51c5eaf4850418e552a31ba93b770bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Detect.bat

Filesize
111B

MD5
3cb76846869bcbb44cebf7c7e4c6218c

SHA1
6d05544d37255fff5b838d3f3b7e0113fbb67c03

SHA256
a6c5a78cb4cb2427005933c394abc76ed075e3c7fb996e14802b306a7838bcf2

SHA512
a6017cccc5692992bcd9069f4593d3d56af9146628d9716daa0a663941a22522d2fe265dc1bc727b9eaeef1b06027c6d2b077db9ee2ea73802621ff89c980e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Detect.vbs

Filesize
220B

MD5
0ba0411f0d555bebb7752316e799f779

SHA1
4bdc902ee5300a65a4bad277f2a8b0175da7674d

SHA256
d7c456e54e9a5621b7df7cce19994ac3dd348ee98b086ae43112348c7935da06

SHA512
6738b93630327a2c2ef326abc4b896533523c602d57cd8a2305b151efd1e727938f6afce4e090e92d74964a01d748666a24847d537caf46e1a562c98927f9275

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.txt

Filesize
202B

MD5
c6e2a6fe68bdcf28fd4632bcdea5a8ee

SHA1
4b8239cdafbba61992260695dc0e5249e37cb18c

SHA256
1a790c636b4b92759ff47ea50792fec9d7da67d2764b49d64644fc562c35a908

SHA512
0115a40e16647873223d6450b00b2168a00282b6decebbd92722a64c9625bdfa79bc65645e8fe021f76201f72a78c46676037953ea2918114e26b1076a912067

Download Submit
C:\Users\Admin\AppData\Local\Temp\NirCmd.ps1

Filesize
104B

MD5
66f27c86f734b28d170f3c4e1db8958e

SHA1
25557a67a5dc675e518e1bd83b32d346cc95025c

SHA256
1e9a3e5b03f1f763274fd17b8f5c64e2629923dd0c9cfc94865eadef9c69e90b

SHA512
f793c9742586e3150974e490c849dd0ed7a6a57e31d7affcc02406662e81378218991e6dbe63105db01cf7c352f1e76b4e71249fe8781a880258f9e9cab7fd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Test.bat

Filesize
18B

MD5
e57a11eb25dd25ed755c1839d0e4a9b7

SHA1
e26d908081f93f2f28cef5091fd43a3ca1920dcf

SHA256
c196c15d05b0197ea127877380a5001d6b294083c4fd92e62be55438e6a7bdff

SHA512
1e2b50c39b67f0f1ac0cec2126817b033355147923ae8303b82ea9e19194820e9796c5cbff4af4f89683b471f4b7262dbd3953bdd7d87bfcd2cdaaf0991ad607

Download Submit
C:\Users\Admin\AppData\Local\Temp\Test.vbs

Filesize
10B

MD5
7aba77b3cbdf0b7c78cee71d55dd6f50

SHA1
e1c06f4fc0029aa239aa2a8d5d6a0ec6bbd89516

SHA256
9b972e91c3c303336561ca43420e9a808c34812246b9fe6d85c22bf005254e3a

SHA512
d6e8770db9f96c32dc76fa2d8a78f50a24938be6e2aabd3214080a4db0ec497ec5ce6ae1b481d8b0bb442779812e7222e435d8f5e6b5dd763c46a959a4c14f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmrvinv3.szk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsod.bat

Filesize
40B

MD5
e9ca92728d880c80a242d55390769d37

SHA1
c82e73e41912b3543150d2f8e520b77e66c64876

SHA256
a67f7e91a028d2695cdacf984b5fd2f33ee90e95d84467df1e33a94e3573e19e

SHA512
70fc9d051486e2ec964baefedf4fb8959baa3dee74887028dd4ff4337ecf0f70012c9eec855f1a65e9f141d3b76d9c616039a292e779ce690f1e191397eb088c

Download Submit
memory/2820-247-0x000002BE64140000-0x000002BE64150000-memory.dmp

Filesize
64KB

Download
memory/2820-245-0x000002BE64140000-0x000002BE64150000-memory.dmp

Filesize
64KB

Download
memory/2820-233-0x000002BE64140000-0x000002BE64150000-memory.dmp

Filesize
64KB

Download
memory/2820-232-0x000002BE64140000-0x000002BE64150000-memory.dmp

Filesize
64KB

Download
memory/2820-246-0x000002BE64140000-0x000002BE64150000-memory.dmp

Filesize
64KB

Download
memory/3188-201-0x00000295FC7F0000-0x00000295FC812000-memory.dmp

Filesize
136KB

Download
memory/3188-218-0x00000295FE240000-0x00000295FE250000-memory.dmp

Filesize
64KB

Download
memory/3188-220-0x00000295FE240000-0x00000295FE250000-memory.dmp

Filesize
64KB

Download
memory/3288-216-0x000001E923400000-0x000001E923476000-memory.dmp

Filesize
472KB

Download
memory/3288-215-0x000001E923170000-0x000001E9231B4000-memory.dmp

Filesize
272KB

Download
memory/3288-217-0x000001E920DA0000-0x000001E920DB0000-memory.dmp

Filesize
64KB

Download
memory/3288-219-0x000001E920DA0000-0x000001E920DB0000-memory.dmp

Filesize
64KB

Download
memory/5424-335-0x000002A6D4760000-0x000002A6D4770000-memory.dmp

Filesize
64KB

Download
memory/5424-336-0x000002A6D4760000-0x000002A6D4770000-memory.dmp

Filesize
64KB

Download
memory/5424-337-0x000002A6D4760000-0x000002A6D4770000-memory.dmp

Filesize
64KB

Download
memory/6196-351-0x00000230A5760000-0x00000230A5770000-memory.dmp

Filesize
64KB

Download
memory/6196-352-0x00000230A5760000-0x00000230A5770000-memory.dmp

Filesize
64KB

Download
memory/6196-353-0x00000230A5760000-0x00000230A5770000-memory.dmp

Filesize
64KB

Download
memory/6196-355-0x00000230A56C0000-0x00000230A5708000-memory.dmp

Filesize
288KB

Download
memory/6196-356-0x00000230A5770000-0x00000230A598C000-memory.dmp

Filesize
2.1MB

Download