agenttesla | 7eacbc3d02ee34b4f840f20bf8afe38894f3545d403abb105334f176ed515a44

Analysis

max time kernel
26s
max time network
42s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
29-05-2023 10:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

ebdedb0d0018bb3097015535ab716b12
SHA1

208793bf40fecbdc245bf9752d90ec4f3ee1aaf3
SHA256

7eacbc3d02ee34b4f840f20bf8afe38894f3545d403abb105334f176ed515a44
SHA512

98fe11b5073fda169724316d2a54576abe328dde82cb938e8009512d6a46d30e661f06cd051b4ceb2389ea8176f2da82f678bada2d27ceddaf741947060b9d5b
SSDEEP

96:HRYoIuz1zuz1huz1JxrPTi0ak69iDgtwZ+Qp6svNzNt:HuoI0z0h0Jxrri0akxawZ+UFn

Score

10^/10

agenttesla redline smokeloader xworm dix diza redline up3 backdoor discovery evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

10.0.2.15:5555

Mutex

TNZstVyCMYPlDDeU

Attributes

install_file
ms-update.exe

aes.plain

Extracted

Family

redline

Botnet

dix

77.91.124.251:19065

Attributes

auth_value
9b544b3d9c88af32e2f5bf8705f9a2fb

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.lubdub.com
Port:
587
Username:
operations@lubdub.com
Password:
J-y!2e_fWMH_XP8F_008
Email To:
godwingodwin397@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

dwm.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

Drops startup file 2 IoCs

Processes:

alice.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alice.lnk	alice.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\alice.lnk	alice.exe

Executes dropped EXE 27 IoCs

Processes:

blessed.exealice.exedwm.exeOGQ5YTll.exeY2Q0MzM1.exeNmI5NGQx.exex3618941.exex1386670.exex4612096.exex2563617.exe77c43f7e_rd1.exef5747904.exef8338132.exeredline.exetoolspub2.exedd4add6r.s6xlt.exetoolspub2.exetoolspub3.exetoolspub3.exeRebcoana.exeBaldiTrojan-x64.exeBaldiTrojan-x64 (2).exeDisableUAC.exeBaldi.exeBaldiTrojan-x64 (3).exeDisableUAC.exeBaldiTrojan-x64 (4).exe

pid	process
4884	blessed.exe
1576	alice.exe
1632	dwm.exe
3548	OGQ5YTll.exe
2308	Y2Q0MzM1.exe
3372	NmI5NGQx.exe
796	x3618941.exe
412	x1386670.exe
1612	x4612096.exe
1804	x2563617.exe
1792	77c43f7e_rd1.exe
3360	f5747904.exe
2624	f8338132.exe
3232	redline.exe
2672	toolspub2.exe
3148	dd4add6r.s6xlt.exe
4540	toolspub2.exe
4816	toolspub3.exe
3480	toolspub3.exe
3132	Rebcoana.exe
3876	BaldiTrojan-x64.exe
4880	BaldiTrojan-x64 (2).exe
2144	DisableUAC.exe
1844	Baldi.exe
2360	BaldiTrojan-x64 (3).exe
5048	DisableUAC.exe
1916	BaldiTrojan-x64 (4).exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x2563617.exex4612096.exealice.exeNmI5NGQx.exex3618941.exex1386670.exeY2Q0MzM1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2563617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	x2563617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x4612096.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\alice = "C:\\Users\\Admin\\AppData\\Roaming\\alice.exe"	alice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NmI5NGQx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3618941.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1386670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4612096.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Y2Q0MzM1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Y2Q0MzM1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	NmI5NGQx.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x3618941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1386670.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3132-347-0x0000000000400000-0x0000000000608000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

dwm.exeAddInProcess32.exetoolspub2.exedd4add6r.s6xlt.exetoolspub3.execolorcpl.exe

description	pid	process	target process
PID 1632 set thread context of 5068	1632	dwm.exe	AddInProcess32.exe
PID 5068 set thread context of 4180	5068	AddInProcess32.exe	a.exe
PID 2672 set thread context of 4540	2672	toolspub2.exe	toolspub2.exe
PID 3148 set thread context of 1592	3148	dd4add6r.s6xlt.exe	AppLaunch.exe
PID 4816 set thread context of 3480	4816	toolspub3.exe	toolspub3.exe
PID 1152 set thread context of 4180	1152	colorcpl.exe	a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 9 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exeAppLaunch.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3252 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1992 taskkill.exe

pid	process
3252	schtasks.exe

pid	process
1992	taskkill.exe

Modifies registry class 1 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exedwm.exeAddInProcess32.exealice.exe

pid	process
1072	powershell.exe
1072	powershell.exe
1072	powershell.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
1632	dwm.exe
5068	AddInProcess32.exe
5068	AddInProcess32.exe
1576	alice.exe
5068	AddInProcess32.exe
5068	AddInProcess32.exe
5068	AddInProcess32.exe
5068	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.execolorcpl.exetoolspub2.exe

pid process

5068 AddInProcess32.exe
5068 AddInProcess32.exe
5068 AddInProcess32.exe
1152 colorcpl.exe
4540 toolspub2.exe
1152 colorcpl.exe

pid	process
5068	AddInProcess32.exe
5068	AddInProcess32.exe
5068	AddInProcess32.exe
1152	colorcpl.exe
4540	toolspub2.exe
1152	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

a.exealice.exepowershell.exedwm.exe77c43f7e_rd1.exeAddInProcess32.execolorcpl.exeRebcoana.exeAppLaunch.exef5747904.exe

description	pid	process
Token: SeDebugPrivilege	4180	a.exe
Token: SeDebugPrivilege	1576	alice.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1632	dwm.exe
Token: SeIncreaseQuotaPrivilege	1072	powershell.exe
Token: SeSecurityPrivilege	1072	powershell.exe
Token: SeTakeOwnershipPrivilege	1072	powershell.exe
Token: SeLoadDriverPrivilege	1072	powershell.exe
Token: SeSystemProfilePrivilege	1072	powershell.exe
Token: SeSystemtimePrivilege	1072	powershell.exe
Token: SeProfSingleProcessPrivilege	1072	powershell.exe
Token: SeIncBasePriorityPrivilege	1072	powershell.exe
Token: SeCreatePagefilePrivilege	1072	powershell.exe
Token: SeBackupPrivilege	1072	powershell.exe
Token: SeRestorePrivilege	1072	powershell.exe
Token: SeShutdownPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeSystemEnvironmentPrivilege	1072	powershell.exe
Token: SeRemoteShutdownPrivilege	1072	powershell.exe
Token: SeUndockPrivilege	1072	powershell.exe
Token: SeManageVolumePrivilege	1072	powershell.exe
Token: 33	1072	powershell.exe
Token: 34	1072	powershell.exe
Token: 35	1072	powershell.exe
Token: 36	1072	powershell.exe
Token: SeDebugPrivilege	1792	77c43f7e_rd1.exe
Token: SeDebugPrivilege	5068	AddInProcess32.exe
Token: SeDebugPrivilege	1576	alice.exe
Token: SeDebugPrivilege	1152	colorcpl.exe
Token: SeDebugPrivilege	3132	Rebcoana.exe
Token: SeImpersonatePrivilege	3132	Rebcoana.exe
Token: SeShutdownPrivilege	1592	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1592	AppLaunch.exe
Token: SeDebugPrivilege	3360	f5747904.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

77c43f7e_rd1.exe

pid process

1792 77c43f7e_rd1.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

77c43f7e_rd1.exe

pid process

1792 77c43f7e_rd1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

alice.exe

pid process

1576 alice.exe

pid	process
1792	77c43f7e_rd1.exe

pid	process
1792	77c43f7e_rd1.exe

pid	process
1576	alice.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a.exedwm.exealice.exe

description	pid	process	target process
PID 4180 wrote to memory of 4884	4180	a.exe	blessed.exe
PID 4180 wrote to memory of 4884	4180	a.exe	blessed.exe
PID 4180 wrote to memory of 4884	4180	a.exe	blessed.exe
PID 4180 wrote to memory of 1576	4180	a.exe	alice.exe
PID 4180 wrote to memory of 1576	4180	a.exe	alice.exe
PID 4180 wrote to memory of 1632	4180	a.exe	dwm.exe
PID 4180 wrote to memory of 1632	4180	a.exe	dwm.exe
PID 1632 wrote to memory of 1072	1632	dwm.exe	powershell.exe
PID 1632 wrote to memory of 1072	1632	dwm.exe	powershell.exe
PID 4180 wrote to memory of 3548	4180	a.exe	OGQ5YTll.exe
PID 4180 wrote to memory of 3548	4180	a.exe	OGQ5YTll.exe
PID 4180 wrote to memory of 3548	4180	a.exe	OGQ5YTll.exe
PID 1632 wrote to memory of 3820	1632	dwm.exe	jsc.exe
PID 1632 wrote to memory of 3820	1632	dwm.exe	jsc.exe
PID 1632 wrote to memory of 3820	1632	dwm.exe	jsc.exe
PID 1632 wrote to memory of 3720	1632	dwm.exe	ngen.exe
PID 1632 wrote to memory of 3720	1632	dwm.exe	ngen.exe
PID 1632 wrote to memory of 2300	1632	dwm.exe	Microsoft.Workflow.Compiler.exe
PID 1632 wrote to memory of 2300	1632	dwm.exe	Microsoft.Workflow.Compiler.exe
PID 1632 wrote to memory of 2064	1632	dwm.exe	RegSvcs.exe
PID 1632 wrote to memory of 2064	1632	dwm.exe	RegSvcs.exe
PID 1632 wrote to memory of 4848	1632	dwm.exe	aspnet_regiis.exe
PID 1632 wrote to memory of 4848	1632	dwm.exe	aspnet_regiis.exe
PID 1632 wrote to memory of 4724	1632	dwm.exe	CasPol.exe
PID 1632 wrote to memory of 4724	1632	dwm.exe	CasPol.exe
PID 1632 wrote to memory of 4728	1632	dwm.exe	EdmGen.exe
PID 1632 wrote to memory of 4728	1632	dwm.exe	EdmGen.exe
PID 1632 wrote to memory of 4740	1632	dwm.exe	ilasm.exe
PID 1632 wrote to memory of 4740	1632	dwm.exe	ilasm.exe
PID 1632 wrote to memory of 4760	1632	dwm.exe	AddInUtil.exe
PID 1632 wrote to memory of 4760	1632	dwm.exe	AddInUtil.exe
PID 1632 wrote to memory of 4776	1632	dwm.exe	ngentask.exe
PID 1632 wrote to memory of 4776	1632	dwm.exe	ngentask.exe
PID 1632 wrote to memory of 4732	1632	dwm.exe	aspnet_compiler.exe
PID 1632 wrote to memory of 4732	1632	dwm.exe	aspnet_compiler.exe
PID 1632 wrote to memory of 4860	1632	dwm.exe	vbc.exe
PID 1632 wrote to memory of 4860	1632	dwm.exe	vbc.exe
PID 1632 wrote to memory of 4448	1632	dwm.exe	AppLaunch.exe
PID 1632 wrote to memory of 4448	1632	dwm.exe	AppLaunch.exe
PID 4180 wrote to memory of 2308	4180	a.exe	Y2Q0MzM1.exe
PID 4180 wrote to memory of 2308	4180	a.exe	Y2Q0MzM1.exe
PID 4180 wrote to memory of 2308	4180	a.exe	Y2Q0MzM1.exe
PID 1632 wrote to memory of 4952	1632	dwm.exe	aspnet_regsql.exe
PID 1632 wrote to memory of 4952	1632	dwm.exe	aspnet_regsql.exe
PID 1632 wrote to memory of 4356	1632	dwm.exe	RegAsm.exe
PID 1632 wrote to memory of 4356	1632	dwm.exe	RegAsm.exe
PID 1632 wrote to memory of 4452	1632	dwm.exe	ComSvcConfig.exe
PID 1632 wrote to memory of 4452	1632	dwm.exe	ComSvcConfig.exe
PID 1632 wrote to memory of 3972	1632	dwm.exe	MSBuild.exe
PID 1632 wrote to memory of 3972	1632	dwm.exe	MSBuild.exe
PID 1576 wrote to memory of 3252	1576	alice.exe	schtasks.exe
PID 1576 wrote to memory of 3252	1576	alice.exe	schtasks.exe
PID 1632 wrote to memory of 3588	1632	dwm.exe	aspnet_regbrowsers.exe
PID 1632 wrote to memory of 3588	1632	dwm.exe	aspnet_regbrowsers.exe
PID 1632 wrote to memory of 3884	1632	dwm.exe	csc.exe
PID 1632 wrote to memory of 3884	1632	dwm.exe	csc.exe
PID 1632 wrote to memory of 4920	1632	dwm.exe	aspnet_state.exe
PID 1632 wrote to memory of 4920	1632	dwm.exe	aspnet_state.exe
PID 1632 wrote to memory of 5012	1632	dwm.exe	SMSvcHost.exe
PID 1632 wrote to memory of 5012	1632	dwm.exe	SMSvcHost.exe
PID 1632 wrote to memory of 4972	1632	dwm.exe	AddInProcess.exe
PID 1632 wrote to memory of 4972	1632	dwm.exe	AddInProcess.exe
PID 1632 wrote to memory of 792	1632	dwm.exe	WsatConfig.exe
PID 1632 wrote to memory of 792	1632	dwm.exe	WsatConfig.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

dwm.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dwm.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dwm.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\a\blessed.exe
"C:\Users\Admin\AppData\Local\Temp\a\blessed.exe"
2⤵
- Executes dropped EXE
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\a\alice.exe
"C:\Users\Admin\AppData\Local\Temp\a\alice.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "alice" /tr "C:\Users\Admin\AppData\Roaming\alice.exe"
3⤵
- Creates scheduled task(s)
PID:3252

C:\Users\Admin\AppData\Local\Temp\a\dwm.exe
"C:\Users\Admin\AppData\Local\Temp\a\dwm.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\dwm.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:3820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:3720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:2300

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:4848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:4724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:4728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:4740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:4760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:4776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:4860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:4448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:4952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:4356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:3972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:3588

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:3884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:4920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:5012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:4972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:5092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:3396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:5080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:512

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe
"C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe"
2⤵
- Executes dropped EXE
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3618941.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3618941.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4612096.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4612096.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1612

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\f5747904.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\f5747904.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe
"C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1386670.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1386670.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2563617.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2563617.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8338132.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8338132.exe
5⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe
"C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1792

C:\Users\Admin\AppData\Local\Temp\a\redline.exe
"C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2672

C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4540

C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4816

C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
3⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
2⤵
- Executes dropped EXE
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:760

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
- Executes dropped EXE
PID:2144

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE8D.tmp\DE8E.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:3748

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:2584

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe"
2⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:1476

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
4⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:1992

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E350.tmp\E380.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:3512

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:2580

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe"
2⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe"
2⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (5).exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (5).exe"
2⤵
PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac9055 /state1:0x41c64e6d
1⤵
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Baldi\7note.mp3
Filesize
242KB

MD5
6d5f23f17ee8ea50408555eb4bb5be89

SHA1
267b0e75e69405b8472654fe7327e4f4d70782b6

SHA256
69d1a8275264511e2fb77eac49f0f64494c2beb1752aae347cdff47cb587c1e4

SHA512
50a50a5c42a5c1d44ab42b1bbe5981a0ff6be6c57af010b9206e1432516f9589dfc889bc5246f00a595ecd5b879acf1a1f1059e44662e25827b46384acb66e0f

Download Submit
C:\Baldi\7note.mp3
Filesize
242KB

MD5
6d5f23f17ee8ea50408555eb4bb5be89

SHA1
267b0e75e69405b8472654fe7327e4f4d70782b6

SHA256
69d1a8275264511e2fb77eac49f0f64494c2beb1752aae347cdff47cb587c1e4

SHA512
50a50a5c42a5c1d44ab42b1bbe5981a0ff6be6c57af010b9206e1432516f9589dfc889bc5246f00a595ecd5b879acf1a1f1059e44662e25827b46384acb66e0f

Download Submit
C:\Baldi\7note.mp3
Filesize
242KB

MD5
6d5f23f17ee8ea50408555eb4bb5be89

SHA1
267b0e75e69405b8472654fe7327e4f4d70782b6

SHA256
69d1a8275264511e2fb77eac49f0f64494c2beb1752aae347cdff47cb587c1e4

SHA512
50a50a5c42a5c1d44ab42b1bbe5981a0ff6be6c57af010b9206e1432516f9589dfc889bc5246f00a595ecd5b879acf1a1f1059e44662e25827b46384acb66e0f

Download Submit
C:\Baldi\7note.mp3
Filesize
242KB

MD5
6d5f23f17ee8ea50408555eb4bb5be89

SHA1
267b0e75e69405b8472654fe7327e4f4d70782b6

SHA256
69d1a8275264511e2fb77eac49f0f64494c2beb1752aae347cdff47cb587c1e4

SHA512
50a50a5c42a5c1d44ab42b1bbe5981a0ff6be6c57af010b9206e1432516f9589dfc889bc5246f00a595ecd5b879acf1a1f1059e44662e25827b46384acb66e0f

Download Submit
C:\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\CleanZUpdater.bat
Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\CleanZUpdater.bat
Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\kill.exe
Filesize
105KB

MD5
58f681015149ce6c120e5b9f55761d2c

SHA1
a71e4a2e95493e69d9233c66e096c19b6afd8147

SHA256
c09d5f30c31a01a4e0f8ea829278d8d4e99a20e122eacd7648e5c9c605256290

SHA512
0d6746ddf605ac718dc750e6e65131ecde410b2548616c404d263c4647149dbfea1922aaef5277012d90a07b548ac7d9c9edab5de38b54bb9ca8f7c1f1d16457

Download Submit
C:\Baldi\lol.png
Filesize
148KB

MD5
41c46f443e8ee13bfaa86399eb6ee3f8

SHA1
e1de323885e86321591d6b31c3354fe2f7236510

SHA256
88135e8ced1ddd25e2d92fbc5ab19b5c251cd8fdb8303cf4026ec644a989a8ab

SHA512
e638200b40a19fe282dd7f1ba38558bd02d81f7dd10765e0207e2b2f77b9840848c8a9982092d02e76dea76c12b3ef6db5c9f8ee896b8aeea475f9118d32ac18

Download Submit
C:\Baldi\lol.png
Filesize
148KB

MD5
41c46f443e8ee13bfaa86399eb6ee3f8

SHA1
e1de323885e86321591d6b31c3354fe2f7236510

SHA256
88135e8ced1ddd25e2d92fbc5ab19b5c251cd8fdb8303cf4026ec644a989a8ab

SHA512
e638200b40a19fe282dd7f1ba38558bd02d81f7dd10765e0207e2b2f77b9840848c8a9982092d02e76dea76c12b3ef6db5c9f8ee896b8aeea475f9118d32ac18

Download Submit
C:\Baldi\mbr.exe
Filesize
60KB

MD5
74e58b34423ddf2a72789d9927c5578d

SHA1
4f43e0e17bf802ca32a55fcd0612f1a16a14f9dc

SHA256
28deddca10a4d9081bdf3bab9e7e66a53b5de493b062b1fd124bdf41f386aed1

SHA512
6cfc02bf6c46e2219b2a8fee45d8e537dc86b6563fd6e94fa72abdafedc8b1a1b44a537efe9bcda011426585d82ab17e7c8025a1e7a44271a63d8abe0e904f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE8D.tmp\DE8E.bat
Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E350.tmp\E380.bat
Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3618941.exe
Filesize
749KB

MD5
a36ab6538a52544b9e629fdb6b2dc1e8

SHA1
257e59886996a6b737def1ef9202b0e9e335d863

SHA256
4cad8ffc2e0192a4836e75c685e5da171610fce9b45aa930837dc25c4955a45e

SHA512
c2159d2b76e7f7bc5e1590c32a2cfe73ebdfd56dc6fa34394d1eb2273e018446a41b4ef4ad14ff8066b56744eb13fe95f36dbd4799d4a1ce126c2ba06b7d3299

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3618941.exe
Filesize
749KB

MD5
a36ab6538a52544b9e629fdb6b2dc1e8

SHA1
257e59886996a6b737def1ef9202b0e9e335d863

SHA256
4cad8ffc2e0192a4836e75c685e5da171610fce9b45aa930837dc25c4955a45e

SHA512
c2159d2b76e7f7bc5e1590c32a2cfe73ebdfd56dc6fa34394d1eb2273e018446a41b4ef4ad14ff8066b56744eb13fe95f36dbd4799d4a1ce126c2ba06b7d3299

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1386670.exe
Filesize
750KB

MD5
7798e21850d673a10681cd94d42cf9b1

SHA1
243769506f02a2f57df25f0279f22603a3dc3181

SHA256
d9de90414ddf23d710780f7153996eac80da8a786ba6f301355fd8c95ea4619c

SHA512
807ac139031f71f4b16e3871197050be2606adf9bc100cd4480f46a79de7ff41202ba2e4e267ec3dc2117d92500978d5688531c9598d65f5a715bfad88a59490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1386670.exe
Filesize
750KB

MD5
7798e21850d673a10681cd94d42cf9b1

SHA1
243769506f02a2f57df25f0279f22603a3dc3181

SHA256
d9de90414ddf23d710780f7153996eac80da8a786ba6f301355fd8c95ea4619c

SHA512
807ac139031f71f4b16e3871197050be2606adf9bc100cd4480f46a79de7ff41202ba2e4e267ec3dc2117d92500978d5688531c9598d65f5a715bfad88a59490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4612096.exe
Filesize
305KB

MD5
561ea853294c3338de69f365aa65de45

SHA1
992af3c088266c4b6461ffd37e9e4d60533d535d

SHA256
7219037e54027863ec74f1b5b95ab8b27d680dd845c3b014a3c7d666235e8686

SHA512
72e74e22086efd644132820c06590ef003b68e9abbc467f3780e7888d89d6e1f577a541fc93202e896871f8f3950572546f0f72638bf6b5d57f033f70620c525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4612096.exe
Filesize
305KB

MD5
561ea853294c3338de69f365aa65de45

SHA1
992af3c088266c4b6461ffd37e9e4d60533d535d

SHA256
7219037e54027863ec74f1b5b95ab8b27d680dd845c3b014a3c7d666235e8686

SHA512
72e74e22086efd644132820c06590ef003b68e9abbc467f3780e7888d89d6e1f577a541fc93202e896871f8f3950572546f0f72638bf6b5d57f033f70620c525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2563617.exe
Filesize
306KB

MD5
9261e4c9d0b0d3dfd9962d43d2279329

SHA1
fe476e97e31c90b0a9ae5ffdcbdfea00bcae35d5

SHA256
c1f54ef2f218a1334ec8a845d48de775e2fcfdf0f7a65da899f0e879040708e1

SHA512
eec70ab7725f80e27b0ab1169646250ea39d0769008bc351fe853d33d3d467bc54b2055823022ac0c834c3b972b92cc4d725de4c84131c0629119ba53e4a59b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x2563617.exe
Filesize
306KB

MD5
9261e4c9d0b0d3dfd9962d43d2279329

SHA1
fe476e97e31c90b0a9ae5ffdcbdfea00bcae35d5

SHA256
c1f54ef2f218a1334ec8a845d48de775e2fcfdf0f7a65da899f0e879040708e1

SHA512
eec70ab7725f80e27b0ab1169646250ea39d0769008bc351fe853d33d3d467bc54b2055823022ac0c834c3b972b92cc4d725de4c84131c0629119ba53e4a59b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\f5747904.exe
Filesize
145KB

MD5
d86ce6a345e6b6c2b12adefc6d0b1a72

SHA1
12e33c0064c59b03254064af15cea36b72ed9b97

SHA256
8435e247b3a456d28d1583e229fe70ae7d36164be1b9461272af085adb1ea5e1

SHA512
856b3790a2e343947c05e9dc24a8c97a87e5b4506365bf1fc84d94990714584c1bf39d21148fd0835ddfc7e6b68154ab9eb1164beeb40e9c6d8f54249164ff89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\f5747904.exe
Filesize
145KB

MD5
d86ce6a345e6b6c2b12adefc6d0b1a72

SHA1
12e33c0064c59b03254064af15cea36b72ed9b97

SHA256
8435e247b3a456d28d1583e229fe70ae7d36164be1b9461272af085adb1ea5e1

SHA512
856b3790a2e343947c05e9dc24a8c97a87e5b4506365bf1fc84d94990714584c1bf39d21148fd0835ddfc7e6b68154ab9eb1164beeb40e9c6d8f54249164ff89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8338132.exe
Filesize
146KB

MD5
70ef918ef632a925491193ca32071d89

SHA1
eb7b1d334c6f921b937fd56b5738cae5b794c6e1

SHA256
72987ad0d900099eb014740953726fbb4077f475a26ae64cb676ce5e75a97a44

SHA512
2052f98ecf6309f014b63c866dbe6f73b8baaf86831162c1c8e091155fc18d4bd5709c6826918cc9e5a821b38f50ad8469cc4c9eed0469d63a7458232ffd11e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f8338132.exe
Filesize
146KB

MD5
70ef918ef632a925491193ca32071d89

SHA1
eb7b1d334c6f921b937fd56b5738cae5b794c6e1

SHA256
72987ad0d900099eb014740953726fbb4077f475a26ae64cb676ce5e75a97a44

SHA512
2052f98ecf6309f014b63c866dbe6f73b8baaf86831162c1c8e091155fc18d4bd5709c6826918cc9e5a821b38f50ad8469cc4c9eed0469d63a7458232ffd11e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvbra2nb.svg.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe
Filesize
560KB

MD5
ea9775eca677ed8dea5646a7aa6b750e

SHA1
9429b4fa7b57f05099361862c4070f4533ba96bd

SHA256
a7fccc560bbac61bfc74829d2d4af7fbe362fc988192352a6ee90f8a651f3d06

SHA512
105c4f7cef772839cb0aac3677e5322b326c927494d77ffab86e9e0d79f3b73e86c459e088a562bd87d1e2f67aa7d64afa9edcae7e00d324c696b404795f9a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe
Filesize
560KB

MD5
ea9775eca677ed8dea5646a7aa6b750e

SHA1
9429b4fa7b57f05099361862c4070f4533ba96bd

SHA256
a7fccc560bbac61bfc74829d2d4af7fbe362fc988192352a6ee90f8a651f3d06

SHA512
105c4f7cef772839cb0aac3677e5322b326c927494d77ffab86e9e0d79f3b73e86c459e088a562bd87d1e2f67aa7d64afa9edcae7e00d324c696b404795f9a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (2).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (3).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64 (4).exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe
Filesize
1.0MB

MD5
ff56e0a4736897e92bd468d862fd9249

SHA1
76d396f1adc632df8265cbfa984fbb84eb7a1ada

SHA256
46d08fd61a333a68c40eedbef5960f2142a8ef703f90452de043cbf956d47129

SHA512
1b8479a3ec5644dabbbb358731251d937649105f89d7db96f6dca8db82600b78f827cb73dac3184196cc091dc81d0d4c11aae27c4bf0e4ed3f91ece05eaef47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe
Filesize
1.0MB

MD5
ff56e0a4736897e92bd468d862fd9249

SHA1
76d396f1adc632df8265cbfa984fbb84eb7a1ada

SHA256
46d08fd61a333a68c40eedbef5960f2142a8ef703f90452de043cbf956d47129

SHA512
1b8479a3ec5644dabbbb358731251d937649105f89d7db96f6dca8db82600b78f827cb73dac3184196cc091dc81d0d4c11aae27c4bf0e4ed3f91ece05eaef47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe
Filesize
693KB

MD5
33aafdcbbee5896be71abe19e26000db

SHA1
108a28b629bd34d8c766face9eebc01eae7dde1b

SHA256
89aac1da79c39c6dca27fbd441600f2fc6b72e051d3e31e6c6738f4fa84698b8

SHA512
bbe6a96c78f81c28acb8b8e0b59f11fd44e473a046dc19a9b4b771d9ec5024fed71595785ba81311adbb894121ca6479e5dc555d6ea2fcee67e1e1034f46cfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe
Filesize
693KB

MD5
33aafdcbbee5896be71abe19e26000db

SHA1
108a28b629bd34d8c766face9eebc01eae7dde1b

SHA256
89aac1da79c39c6dca27fbd441600f2fc6b72e051d3e31e6c6738f4fa84698b8

SHA512
bbe6a96c78f81c28acb8b8e0b59f11fd44e473a046dc19a9b4b771d9ec5024fed71595785ba81311adbb894121ca6479e5dc555d6ea2fcee67e1e1034f46cfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
Filesize
1.2MB

MD5
edfad6bc3bc4d075a440b49baf575f56

SHA1
2d4c069a8549863ac4f9f18601e4e62170309b10

SHA256
db9091ba1e3f755972a5ca4bc0b3e76b77c3fd79a398313d5511b1bedffd46f6

SHA512
c4246c4a0117139c90a3b599959875aef9fde1035d0bb83298038b31cb2b7236c09484845f47cae670cf5d7b5548bdd7f6425741a025dfc7c3b59a9260c0093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
Filesize
1.2MB

MD5
edfad6bc3bc4d075a440b49baf575f56

SHA1
2d4c069a8549863ac4f9f18601e4e62170309b10

SHA256
db9091ba1e3f755972a5ca4bc0b3e76b77c3fd79a398313d5511b1bedffd46f6

SHA512
c4246c4a0117139c90a3b599959875aef9fde1035d0bb83298038b31cb2b7236c09484845f47cae670cf5d7b5548bdd7f6425741a025dfc7c3b59a9260c0093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe
Filesize
1.0MB

MD5
53ddfea8b518d5dcb6e1db29b8405187

SHA1
e1a29fe0a77d1ffde01aba0f4e28b2278364fc34

SHA256
f4f258cc129269bff283373addadd07eb257016cf1912b8eb203cda37db53ad5

SHA512
1bc609e5a5a1256912ac2c55be05ebedbdc9ab2e78ee45fd629f93b4cd58781e96db8e7320a8484440b39393bd045360dbfdf59289db5871627302de3b23ff47

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe
Filesize
1.0MB

MD5
53ddfea8b518d5dcb6e1db29b8405187

SHA1
e1a29fe0a77d1ffde01aba0f4e28b2278364fc34

SHA256
f4f258cc129269bff283373addadd07eb257016cf1912b8eb203cda37db53ad5

SHA512
1bc609e5a5a1256912ac2c55be05ebedbdc9ab2e78ee45fd629f93b4cd58781e96db8e7320a8484440b39393bd045360dbfdf59289db5871627302de3b23ff47

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alice.exe
Filesize
138KB

MD5
ee8d7bb249af9a72c38da00c0822c75f

SHA1
bc4ca72a72470b6df7bea36572f71ed440ac61e0

SHA256
777a742286d0f7283f50cffe654e8d7c34f14f261fc1e6a120289f52b28e64d3

SHA512
b4a2a188cfddc07a10782b3136245d9389d0b28bb71c58cbffb3d9330349348c8eaf12749ab791f156af4719301f92136fb814402f701faf746baead72e0f6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alice.exe
Filesize
138KB

MD5
ee8d7bb249af9a72c38da00c0822c75f

SHA1
bc4ca72a72470b6df7bea36572f71ed440ac61e0

SHA256
777a742286d0f7283f50cffe654e8d7c34f14f261fc1e6a120289f52b28e64d3

SHA512
b4a2a188cfddc07a10782b3136245d9389d0b28bb71c58cbffb3d9330349348c8eaf12749ab791f156af4719301f92136fb814402f701faf746baead72e0f6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\blessed.exe
Filesize
727KB

MD5
4ddfcaf4794dc757f9f4806af87b233d

SHA1
c1212aa57e211329d943e8d3cc7ec63eb373b218

SHA256
1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292

SHA512
a4620b6b914d61bcd38a62de31518a41bbfc95aad08c4c6d92959f153c19a9d73ea922de7e6026cdd4d06f213e81dac8147cfc299721a9e5035988f669bf0ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\blessed.exe
Filesize
727KB

MD5
4ddfcaf4794dc757f9f4806af87b233d

SHA1
c1212aa57e211329d943e8d3cc7ec63eb373b218

SHA256
1ed23ba2f4f0f91fe3ef1cbb68126fa47ca460aa8d77da6f0c345cbaea062292

SHA512
a4620b6b914d61bcd38a62de31518a41bbfc95aad08c4c6d92959f153c19a9d73ea922de7e6026cdd4d06f213e81dac8147cfc299721a9e5035988f669bf0ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
Filesize
623KB

MD5
63d2ab075242a38f5c6240cb7eafbd35

SHA1
36621dbe302900010d8dc1916f0fa022885d4d59

SHA256
87513157828305d4d09ff58df2a39eb9e2bdcaa72bd01f11bb86dc56dc164fb2

SHA512
a36109647c4eabfd8c270adf11a0cfd05284c5e411e0ebd3427bffa104eed2337857ebbcbecf29e847a10f76731023d54462d24934e7719e90a60d3bb414035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
Filesize
623KB

MD5
63d2ab075242a38f5c6240cb7eafbd35

SHA1
36621dbe302900010d8dc1916f0fa022885d4d59

SHA256
87513157828305d4d09ff58df2a39eb9e2bdcaa72bd01f11bb86dc56dc164fb2

SHA512
a36109647c4eabfd8c270adf11a0cfd05284c5e411e0ebd3427bffa104eed2337857ebbcbecf29e847a10f76731023d54462d24934e7719e90a60d3bb414035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dwm.exe
Filesize
477KB

MD5
71a7fe01a3c2c02294e4904babc3d8cc

SHA1
af08b7bb2d0c2472e37ddda4b8cf731f0c382b0f

SHA256
de80076c4c1d002abd45622a0e79f3f823560d66ef4ef66055ab1a88341d16a7

SHA512
409df79372f7f065a4908a3b8b5dcc621b8ae87fd235ab5dc1eba3026e005898f682b3f73f9fea038270ce2268d7ea528d0172660324a120c7f77a1e34654d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dwm.exe
Filesize
477KB

MD5
71a7fe01a3c2c02294e4904babc3d8cc

SHA1
af08b7bb2d0c2472e37ddda4b8cf731f0c382b0f

SHA256
de80076c4c1d002abd45622a0e79f3f823560d66ef4ef66055ab1a88341d16a7

SHA512
409df79372f7f065a4908a3b8b5dcc621b8ae87fd235ab5dc1eba3026e005898f682b3f73f9fea038270ce2268d7ea528d0172660324a120c7f77a1e34654d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
Filesize
326KB

MD5
ca673e1c050a50d0560a615de08188b6

SHA1
5c4cb8d58bd49d7e65897b2ef90d85feab31ed09

SHA256
f3052878865704277dbbbc6d8e38a009468cb0fa5fc911b426d26fd13e75b337

SHA512
6000f139f042f7ccd2fe528942a37857264a89d91c08f38ddee923ae6c735acd0cb5658437c96f52596b37698ae76f101d3c4934af448ce9201a86eacf546f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
Filesize
326KB

MD5
ca673e1c050a50d0560a615de08188b6

SHA1
5c4cb8d58bd49d7e65897b2ef90d85feab31ed09

SHA256
f3052878865704277dbbbc6d8e38a009468cb0fa5fc911b426d26fd13e75b337

SHA512
6000f139f042f7ccd2fe528942a37857264a89d91c08f38ddee923ae6c735acd0cb5658437c96f52596b37698ae76f101d3c4934af448ce9201a86eacf546f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
Filesize
326KB

MD5
ca673e1c050a50d0560a615de08188b6

SHA1
5c4cb8d58bd49d7e65897b2ef90d85feab31ed09

SHA256
f3052878865704277dbbbc6d8e38a009468cb0fa5fc911b426d26fd13e75b337

SHA512
6000f139f042f7ccd2fe528942a37857264a89d91c08f38ddee923ae6c735acd0cb5658437c96f52596b37698ae76f101d3c4934af448ce9201a86eacf546f3e

Download Submit
memory/1072-174-0x000001F9EE690000-0x000001F9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/1072-175-0x000001F9EE690000-0x000001F9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/1072-151-0x000001F9D61D0000-0x000001F9D61F2000-memory.dmp

Filesize
136KB

Download
memory/1072-154-0x000001F9EE8A0000-0x000001F9EE916000-memory.dmp

Filesize
472KB

Download
memory/1152-319-0x00000000047B0000-0x0000000004AD0000-memory.dmp

Filesize
3.1MB

Download
memory/1152-378-0x00000000046D0000-0x000000000475F000-memory.dmp

Filesize
572KB

Download
memory/1152-317-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/1152-318-0x00000000030E0000-0x000000000310D000-memory.dmp

Filesize
180KB

Download
memory/1152-315-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/1152-313-0x00000000003A0000-0x00000000003B9000-memory.dmp

Filesize
100KB

Download
memory/1576-411-0x0000000001590000-0x00000000015A0000-memory.dmp

Filesize
64KB

Download
memory/1576-133-0x0000000000F40000-0x0000000000F68000-memory.dmp

Filesize
160KB

Download
memory/1576-288-0x0000000001590000-0x00000000015A0000-memory.dmp

Filesize
64KB

Download
memory/1592-329-0x0000000000B90000-0x0000000000B97000-memory.dmp

Filesize
28KB

Download
memory/1592-312-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1592-304-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1592-330-0x0000000006800000-0x0000000006C00000-memory.dmp

Filesize
4.0MB

Download
memory/1592-332-0x0000000006800000-0x0000000006C00000-memory.dmp

Filesize
4.0MB

Download
memory/1632-141-0x000001FC83D20000-0x000001FC83D94000-memory.dmp

Filesize
464KB

Download
memory/1632-139-0x000001FC821D0000-0x000001FC8224C000-memory.dmp

Filesize
496KB

Download
memory/1632-144-0x000001FC9C810000-0x000001FC9C820000-memory.dmp

Filesize
64KB

Download
memory/1844-442-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/1844-417-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/2624-412-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2624-296-0x0000000005250000-0x000000000529B000-memory.dmp

Filesize
300KB

Download
memory/2624-278-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download
memory/2624-260-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2624-280-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/2624-291-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/2672-301-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2804-348-0x0000000007EC0000-0x0000000007ED6000-memory.dmp

Filesize
88KB

Download
memory/2804-458-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3132-347-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3132-345-0x0000000000400000-0x0000000000608000-memory.dmp

Filesize
2.0MB

Download
memory/3232-268-0x0000000000B00000-0x0000000000B2A000-memory.dmp

Filesize
168KB

Download
memory/3232-403-0x0000000006890000-0x0000000006906000-memory.dmp

Filesize
472KB

Download
memory/3232-292-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3232-413-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/3232-284-0x00000000053A0000-0x00000000053DE000-memory.dmp

Filesize
248KB

Download
memory/3360-294-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3360-359-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/3360-425-0x0000000006EF0000-0x000000000741C000-memory.dmp

Filesize
5.2MB

Download
memory/3360-422-0x00000000067F0000-0x00000000069B2000-memory.dmp

Filesize
1.8MB

Download
memory/3360-261-0x0000000000670000-0x000000000069A000-memory.dmp

Filesize
168KB

Download
memory/3360-415-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3360-273-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/3360-407-0x0000000005F30000-0x0000000005F80000-memory.dmp

Filesize
320KB

Download
memory/3480-344-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3548-448-0x0000000005990000-0x00000000059C0000-memory.dmp

Filesize
192KB

Download
memory/3548-445-0x0000000006B70000-0x0000000006BEE000-memory.dmp

Filesize
504KB

Download
memory/3548-176-0x0000000005910000-0x0000000005966000-memory.dmp

Filesize
344KB

Download
memory/3548-171-0x0000000000CE0000-0x0000000000D94000-memory.dmp

Filesize
720KB

Download
memory/4180-290-0x000000001BEA0000-0x000000001BFB1000-memory.dmp

Filesize
1.1MB

Download
memory/4180-438-0x000000001BB10000-0x000000001BBDC000-memory.dmp

Filesize
816KB

Download
memory/4180-122-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4180-362-0x000000001BB10000-0x000000001BBDC000-memory.dmp

Filesize
816KB

Download
memory/4180-286-0x000000001B1A0000-0x000000001B1B0000-memory.dmp

Filesize
64KB

Download
memory/4180-121-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/4540-299-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4540-302-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4540-349-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4716-447-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4884-145-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/4884-140-0x0000000000F90000-0x000000000104C000-memory.dmp

Filesize
752KB

Download
memory/4884-446-0x0000000007080000-0x00000000070B2000-memory.dmp

Filesize
200KB

Download
memory/4884-146-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/4884-142-0x0000000005EE0000-0x00000000063DE000-memory.dmp

Filesize
5.0MB

Download
memory/4884-156-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/4884-444-0x0000000006FC0000-0x000000000703C000-memory.dmp

Filesize
496KB

Download
memory/4884-143-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/4884-197-0x0000000005B00000-0x0000000005B14000-memory.dmp

Filesize
80KB

Download
memory/5068-289-0x0000000000C90000-0x0000000000CA0000-memory.dmp

Filesize
64KB

Download
memory/5068-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-287-0x00000000010F0000-0x0000000001410000-memory.dmp

Filesize
3.1MB

Download
memory/5068-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-450-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads