e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84

Resubmissions

29/06/2023, 02:37

230629-c36v3acf8y 8

04/06/2023, 17:51

230604-we6pyadf2s 7

04/06/2023, 17:49

230604-weeapada36 7

04/06/2023, 17:36

230604-v6lcmsde5w 8

Analysis

max time kernel
171s
max time network
662s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
04/06/2023, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ × ADZP 20 Complex.exe
Size

387KB
MD5

580ccf644a5efb8b9d0157ea6b0049ab
SHA1

dd4433c9c670cef10344f3d52a4397a520404a7e
SHA256

e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84
SHA512

402497966cc73cb3d87d3ce72fc08372c996b790c6535253d01604b007b57d9efdcb2bf8e96f9a1418dd23632bb314d9de3c7fcc552d42fab3c11ee47fdd9136
SSDEEP

12288:actEagGmcl4gBF1BRnI6hAVebOe1gsT+tcVtQ:TR+cl7X1BRnI6hmebOe1gmLQ

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 10 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2528	netsh.exe
2292	netsh.exe
2156	netsh.exe
372	netsh.exe
4144	netsh.exe
4476	netsh.exe
2012	netsh.exe
2692	netsh.exe
3440	netsh.exe
4340	netsh.exe

Executes dropped EXE 7 IoCs

pid	Process
1072	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1340	MEMZ-Destructive.exe

Loads dropped DLL 7 IoCs

pid	Process
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe
1072	MEMZ-Destructive.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3024	takeown.exe
3288	takeown.exe
3356	takeown.exe
2012	takeown.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
188	ipconfig.exe
3296	ipconfig.exe
4264	ipconfig.exe
4664	ipconfig.exe
1816	ipconfig.exe
2720	ipconfig.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2828	taskkill.exe
3040	taskkill.exe
3320	taskkill.exe
4660	taskkill.exe
1100	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70539A61-02FE-11EE-9F91-E6255E64A624} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000344fdf43dcee364ab960c775a30d31c300000000020000000000106600000001000020000000da6b5c4011976478445cdd19bdae0ae035eef435609ab3a9b1adf7cf635116c7000000000e80000000020000200000006297e2a2f7bbb74f63398151c4e7ce9a1ae32e09fbf1e202bc2061b66a30eb2190000000bbb47b380c6a82c5ad5602594529dacc5ebf447cb57ca8bec95686a469b97bb2f23c99975469c5ff4f75af9505ef28e152db37d714803f31686cff28f45adafab5292b7aa98a8fbee1ccaa6f9bbcf3c96efecf8876afbb8d0e4f1cf24c20aa7e8bd5a9f1e6b400c39762489e20edbbf9cdc529656649560581aacf7e60368c0f99b5f13e4635c2baa1d113ad88a468a740000000c41249d56d23adb148519d4b66c6ac91d50bc1534b9da057978deae1e4dff634e693975d2e22ad3985f062a67c8e886262e056365f817e2e9e7758a5651381db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6023544b0b97d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392665207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000344fdf43dcee364ab960c775a30d31c3000000000200000000001066000000010000200000007f84100cb80bcc3340f7dea1fa0b332b865ca0df8d532283d3c6ec21b973235c000000000e800000000200002000000060b64e366967510f83652eb3a5deffa77ca43ba2b44be6af50cddcc9250a4f2920000000ce3ec3796609790fe65a6379fa1aaf92b5fececbbe4adfde958855cd5ed524324000000095dc05dbc9bcd7df9508a6808575d0c0b84e68c39abccf8dcd864454bd314441c339bb6bc62194520ead7c6233665cef2f5290551fdbc9c300d1f2d581c76233	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe
760	MEMZ-Destructive.exe
1168	MEMZ-Destructive.exe
1728	MEMZ-Destructive.exe
1492	MEMZ-Destructive.exe
1508	MEMZ-Destructive.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2004	AUDIODG.EXE
Token: 33	2004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2004	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	2012	takeown.exe
Token: SeDebugPrivilege	1100	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
692	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
692	iexplore.exe
692	iexplore.exe
904	IEXPLORE.EXE
904	IEXPLORE.EXE
904	IEXPLORE.EXE
904	IEXPLORE.EXE
2876	mspaint.exe
2832	mspaint.exe
2948	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1072	1060	MEMZ × ADZP 20 Complex.exe	27
PID 1060 wrote to memory of 1072	1060	MEMZ × ADZP 20 Complex.exe	27
PID 1060 wrote to memory of 1072	1060	MEMZ × ADZP 20 Complex.exe	27
PID 1060 wrote to memory of 1072	1060	MEMZ × ADZP 20 Complex.exe	27
PID 1060 wrote to memory of 524	1060	MEMZ × ADZP 20 Complex.exe	28
PID 1060 wrote to memory of 524	1060	MEMZ × ADZP 20 Complex.exe	28
PID 1060 wrote to memory of 524	1060	MEMZ × ADZP 20 Complex.exe	28
PID 1072 wrote to memory of 1168	1072	MEMZ-Destructive.exe	29
PID 1072 wrote to memory of 1168	1072	MEMZ-Destructive.exe	29
PID 1072 wrote to memory of 1168	1072	MEMZ-Destructive.exe	29
PID 1072 wrote to memory of 1168	1072	MEMZ-Destructive.exe	29
PID 1072 wrote to memory of 1728	1072	MEMZ-Destructive.exe	30
PID 1072 wrote to memory of 1728	1072	MEMZ-Destructive.exe	30
PID 1072 wrote to memory of 1728	1072	MEMZ-Destructive.exe	30
PID 1072 wrote to memory of 1728	1072	MEMZ-Destructive.exe	30
PID 1072 wrote to memory of 1492	1072	MEMZ-Destructive.exe	31
PID 1072 wrote to memory of 1492	1072	MEMZ-Destructive.exe	31
PID 1072 wrote to memory of 1492	1072	MEMZ-Destructive.exe	31
PID 1072 wrote to memory of 1492	1072	MEMZ-Destructive.exe	31
PID 1072 wrote to memory of 1508	1072	MEMZ-Destructive.exe	32
PID 1072 wrote to memory of 1508	1072	MEMZ-Destructive.exe	32
PID 1072 wrote to memory of 1508	1072	MEMZ-Destructive.exe	32
PID 1072 wrote to memory of 1508	1072	MEMZ-Destructive.exe	32
PID 1072 wrote to memory of 760	1072	MEMZ-Destructive.exe	33
PID 1072 wrote to memory of 760	1072	MEMZ-Destructive.exe	33
PID 1072 wrote to memory of 760	1072	MEMZ-Destructive.exe	33
PID 1072 wrote to memory of 760	1072	MEMZ-Destructive.exe	33
PID 1072 wrote to memory of 1340	1072	MEMZ-Destructive.exe	34
PID 1072 wrote to memory of 1340	1072	MEMZ-Destructive.exe	34
PID 1072 wrote to memory of 1340	1072	MEMZ-Destructive.exe	34
PID 1072 wrote to memory of 1340	1072	MEMZ-Destructive.exe	34
PID 1340 wrote to memory of 972	1340	MEMZ-Destructive.exe	35
PID 1340 wrote to memory of 972	1340	MEMZ-Destructive.exe	35
PID 1340 wrote to memory of 972	1340	MEMZ-Destructive.exe	35
PID 1340 wrote to memory of 972	1340	MEMZ-Destructive.exe	35
PID 1340 wrote to memory of 692	1340	MEMZ-Destructive.exe	36
PID 1340 wrote to memory of 692	1340	MEMZ-Destructive.exe	36
PID 1340 wrote to memory of 692	1340	MEMZ-Destructive.exe	36
PID 1340 wrote to memory of 692	1340	MEMZ-Destructive.exe	36
PID 692 wrote to memory of 904	692	iexplore.exe	38
PID 692 wrote to memory of 904	692	iexplore.exe	38
PID 692 wrote to memory of 904	692	iexplore.exe	38
PID 692 wrote to memory of 904	692	iexplore.exe	38
PID 524 wrote to memory of 1072	524	WScript.exe	41
PID 524 wrote to memory of 1072	524	WScript.exe	41
PID 524 wrote to memory of 1072	524	WScript.exe	41
PID 1072 wrote to memory of 1804	1072	cmd.exe	43
PID 1072 wrote to memory of 1804	1072	cmd.exe	43
PID 1072 wrote to memory of 1804	1072	cmd.exe	43
PID 1072 wrote to memory of 1612	1072	cmd.exe	44
PID 1072 wrote to memory of 1612	1072	cmd.exe	44
PID 1072 wrote to memory of 1612	1072	cmd.exe	44
PID 1072 wrote to memory of 2012	1072	cmd.exe	45
PID 1072 wrote to memory of 2012	1072	cmd.exe	45
PID 1072 wrote to memory of 2012	1072	cmd.exe	45
PID 1612 wrote to memory of 920	1612	cmd.exe	47
PID 1612 wrote to memory of 920	1612	cmd.exe	47
PID 1612 wrote to memory of 920	1612	cmd.exe	47
PID 1072 wrote to memory of 1720	1072	cmd.exe	48
PID 1072 wrote to memory of 1720	1072	cmd.exe	48
PID 1072 wrote to memory of 1720	1072	cmd.exe	48
PID 1072 wrote to memory of 2020	1072	cmd.exe	50
PID 1072 wrote to memory of 2020	1072	cmd.exe	50
PID 1072 wrote to memory of 2020	1072	cmd.exe	50

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
304	attrib.exe
3348	attrib.exe
3380	attrib.exe
3400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=skrillex+scay+onster+an+nice+sprites+midi
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:692
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempShingapi.sk.bat" "
    3⤵
    - Drops autorun.inf file
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\certutil.exe
      certutil -decode x.bin ADZP-20-Complex.bat
      4⤵
      PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        5⤵
        Adds Run key to start application
        
        PID:920
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      Modifies Windows Firewall
      PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:1720
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:2020
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:1344
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:1952
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1816
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:304
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:612
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1384
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2112
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2232
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2352
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2472
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2592
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2712
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:2724
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:2760
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:2776
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      Drops autorun.inf file
      PID:2788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2260
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:2292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:3044
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2096
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2296
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:3024
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2720
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:2828
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:3380
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3816
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3472
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3560
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3112
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3340
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:1764
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:3628
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:2152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:2524
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:3440
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4124
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2732
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:2464
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2532
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2560
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:2480
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:3600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:4364
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4024
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:4752
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:3584
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:4664
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:2536
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2608
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2660
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:2668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4128
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:4144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4840
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:4100
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:3920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:4408
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4536
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:4264
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:4660
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:3000
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2516
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:1668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4424
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4864
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2824
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:2884
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:2156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:3032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:3196
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:3356
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:3228
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:3280
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3296
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:3320
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:3400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2720
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3332
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3180
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3456
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3380
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:3620
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:2384
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:3984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:4072
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:4340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4328
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:3796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:3812
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:4476
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4740
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1232
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2288
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4056
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:3208
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3240
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1820
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:1480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:3308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:3764
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:2528
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:3864
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1684
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3576
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3680
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3724
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4240
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:5052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2000
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2876
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2868
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      Drops autorun.inf file
      PID:2840
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:2692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2872
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2312
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:3288
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:2728
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2956
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:3040
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:3348
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3780
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3132
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2832
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2816
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2912
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2932
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2940
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2948
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3060

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1325414103997108180-1686877391211413490207689844-818013415-19968371241590589259"
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0a21f36c06aff1df76328d3cc253f3b

SHA1
484a89688ac3fee6690d0ab9371f4b659d3a6639

SHA256
ca8ba864595beb721064a695d36b1bd0706fbf78da2f2b7c41fbac96fc263d6b

SHA512
9032b460cb4d940efc11f1ff466f41c4d98f7c0325d743d903ddb5838276a889ed8077248cc3337f700e4298babf1897402afe561cc1a92e5dd42a911225d4ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9435713f5d5b9b8a689ca729b16357d0

SHA1
8b0f769eb4617cc99f151086430b3f811e866b57

SHA256
a2859dd350852a8e8bf59d114e5b32442d24bf20aaef914aa25a6e005dcbca1d

SHA512
c1cdcbcfa558758656c35db2fee945cd6ab1404c9707f0b492c4953b766fb71f14a063d3bfd52def4f62739dca749d768ed3369bf89b14c80c3eb1871a561962

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
173a03ecfda4ed550409ca20aba7357e

SHA1
a4094bab6932f106a08e6d6a73ea8290fad3d21d

SHA256
a1baff026db18d8581ccab122ba8532342dbfffb78a793546e254a89fcbeeb72

SHA512
ab4f29e5be2ff34740a0a309b2d374d536f3d17f91467e47486241672918dedbefe8aad96182dfb2b6cc6aca092567959ec5e79cc1cc855b1298522ddfd14a59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
666b18f0059edea1fcfae175f7b7627a

SHA1
556a41fa1f516983493d0f7a1eac70ed5a8f3f39

SHA256
4723600f4f8ff2b8d4112184786d01b6b9c83162785e1dd657271d7fb827ed87

SHA512
7a977cd19c8e46ca6d2f4c0e18332191657d9b216174314d1e9ab7b9f6f62d7f8bc6346ce98a900fb0afdc2821a03d3cf547931a52a0657f22da1bcb2bbdfe3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e196be50d7b6174bd018051f2bc64a3d

SHA1
3a701b7f3b4a27065547934c4e876da59c78fb6b

SHA256
4536e3422958c83c060af037836a6dc08770e338879934995553643f9a9c54b8

SHA512
39a52afb5c68f10a01a5a1f6980f725a92d99907c2bce1fabd1ee79d200dc3d82f068729990466ce9cf9db24876344ccdb73ebc3cbe26d2f71ec1a151e770552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9229e140571bde9731578c78e0debd5

SHA1
721f6ef677f27a291f153ece464951a517bea2c3

SHA256
d17feaf8fe85cd90877d511f6e95ca9990d0ca25d64be50dcda952ef416aa6f7

SHA512
2c51ea33265f12e2531174c6fc9c9aea17e98bfb688d12698e7b20ebbab09e0b43adc2da867559b75abfd9a63fb1deabab33ea5e97b7c4539b27e9f47f6290b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
713525c64c99282a442ef472c08308a3

SHA1
2dd7456e9611c1a91e8c2aad993b84647c11b173

SHA256
429fde42104f769206be26da86e7b67ff149abfc563f271ac1094589eb1c7122

SHA512
7846b67b03cf6a1f1721bbf6a54accc49e50ca3983769176083da10682bb7dd43d7b86cc742c389ea505eeadf884d1ab9c038fa0ce2af7ebfae3948d419aa2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\62yy7f8\imagestore.dat

Filesize
9KB

MD5
720fb630cb1447e488942d8e3a6ac1ae

SHA1
e8ae4b4ca60fae6f370226e9441b9fad5fd6bd20

SHA256
0a3fe373f4b0b7157b5451f4338ebe7e2fe63fcf880141eaf31c21e472d18fbb

SHA512
a7fd3ae239fe5cb876bbea3a5e199d0f27fbce1d3e325f3739221d9fbb0af168ee16846ddcd98e8d88405cf14731093da0bbe76fd7803668c75dd48d9b458542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJWXLGAS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T22XS5WA\favicon[2].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\TempShingapi.sk.bat

Filesize
26KB

MD5
977b003963e42262994223bfb827d610

SHA1
c357ccea26f64da9ad5c3bf96b83e12ccaeb916e

SHA256
d7a449acbcb78e0fb137a868d2c8b4e86f32d643cde7e7f291f77e5480ae2bb8

SHA512
99e3dadeebc8c35c6a47a0c7de4e82dbd558f5c23df910ff6899537f3ae370c4c5ea125353cb22ae469a332dfec14577a06ae651309405ef2e69ea000ff18e6d

Download Submit
C:\Users\Admin\AppData\Local\TempShingapi.sk.bat

Filesize
26KB

MD5
977b003963e42262994223bfb827d610

SHA1
c357ccea26f64da9ad5c3bf96b83e12ccaeb916e

SHA256
d7a449acbcb78e0fb137a868d2c8b4e86f32d643cde7e7f291f77e5480ae2bb8

SHA512
99e3dadeebc8c35c6a47a0c7de4e82dbd558f5c23df910ff6899537f3ae370c4c5ea125353cb22ae469a332dfec14577a06ae651309405ef2e69ea000ff18e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs

Filesize
32KB

MD5
268ad0d0582547195a60ebe86948e93a

SHA1
7bbf897816101572fc0111a94b7f36ed59bd1ff2

SHA256
59bbca836c4db770d30c3be2713733629709ac3f573e2037bfc6507820284589

SHA512
93493ddc7cb360f3a02ea53d1c1efa5d9c86d37163ea13f2e9c172e9158a8e51026ed0554b05d13a7039f6ab0f3f485e4fa4515797eaa32e5141ef4ee6326d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat

Filesize
17KB

MD5
591700c81fbd38cf8c83092030536c14

SHA1
a122ca4b91ec2275400e10f21093c43186391c97

SHA256
29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

SHA512
ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
360B

MD5
8d485f3ac2acb6e586e8f1d8af2df57f

SHA1
43e9653ecedbad263a5e015ecaa3eebb7a44feb9

SHA256
530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783

SHA512
4105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
360B

MD5
8d485f3ac2acb6e586e8f1d8af2df57f

SHA1
43e9653ecedbad263a5e015ecaa3eebb7a44feb9

SHA256
530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783

SHA512
4105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
600B

MD5
cd9f223417a22613cb9bc5fdd2afb8f8

SHA1
c4a11561926d191879953a406cb6ebfe06d06a20

SHA256
58f7537bd66b058fef463f1fdd0a898a415d81a1a80b93de4a4ea6a27a23c96d

SHA512
b68a1039c24a33d0b4ca3da03a581ea044103dd84a22b6d7c0a8f40eb044457b2249f874ff5e38e2f1713c9159e42f0280e93d80e98e53277534521327fc9ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
444B

MD5
929d76643e667f8d6faa590f5cfee782

SHA1
e120fdfc91c88681f835b703c336908b9cd4b649

SHA256
dedb3209e6ffe8a68578145eda5a34b9f64108c4ccb3b228fb9fa3d7ada5380a

SHA512
bfd61aaf55a50d3c4bbb0386ac02aebfdf14fb8d009bc47eb0e6398b49229222e3c0b7d23b22b235efa14398d6340084d0b9b683bbd9c3ab2f66c0a6d27a4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
740B

MD5
61926e1aa621b3e80c605021096b5604

SHA1
5d8933de849c1efbeb2c0a017c5c18a49f4cb219

SHA256
7b98caf54bc59f3a4677583a483bff7b5b6071c9f0836d5826e5ee10d0eac72d

SHA512
49cceabb32422cf220e4d17a517a3cd6ed7d3d283cb01d76005b3a57993a95aa2659bd53a6bef46cc6a0085ab8be5b3c003eaaf0a5fb84e2d30a278b50d489f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25DB.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab26E8.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
540B

MD5
a0d53ce8671866b5dda0223aa03f34bd

SHA1
a01fb0a2a14cc65c1a1f539fb764e210a2c3b76c

SHA256
091ba8ba204f1b627c4f161d287fe5c91b4ef13278676d88d83360683093125a

SHA512
d777a2c931778f6337415e31a14bfbb122cb5cc7a10332743ef9a9d68729174dd5826750c909747fc32e856eb6ad9d46a88af959669f94790efa1c6ff91d50d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
483B

MD5
21321634b2c2bf8223d389be19d13d4e

SHA1
116c0af8712cc2120fbb6c4893f9a99a77242960

SHA256
fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60

SHA512
feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
690B

MD5
043a30fc8650761808d41f5fcfde26a1

SHA1
c71eedf8d55ef22be3fce347cb598b45146ce052

SHA256
089be700cf538d6c4db0f3991f4961c5ec9f197e5af9e69a84caf69c7a7791e2

SHA512
c7d364d20112f3597b7d32406df17c192c8e79a64354c05457497ff5453ac0cf491995e76fe18a98e4ed177935a15000e990df626225951c63e6eb89f2270ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25DC.tmp

Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2892.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
865B

MD5
5dfd819273a34eeb1a213e66dd8308a7

SHA1
65291936bcbe05742a6bc15d989d5e3acff59998

SHA256
7699fff0e361a55cce19ca7922fae4f70eb6ca56b770223fab5d1fd936b0a184

SHA512
d19cf3e05df7d5d1f360d20a47e2658d03067cffce1b767bf2e430ebba5f49bcdb37e9c098c195c919682bf90b5a54c508dad587bff3f4c1c73ac6065b019913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
9ef0c2dfbcc7c519a88d0f08e217bf99

SHA1
3f679f39b27b59ebb53e1870a5b1061eaa926e51

SHA256
434c41d38af23f56652eca901add4c2530a25c6f4379881bf2c552c45a2c2553

SHA512
0dc21bb77ffeb94f811271c4083145a01b69da81004c347b8e65e26be3ba6539075734c371969839c78ad5f1393bbf5c03885c653f6ab3b69ad2ca7ac03e42c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
277e1a2dd49b05d06fc57a224f172e8c

SHA1
cfbc082cd9f07678a247a3a45e1b18bab8b972e7

SHA256
9614387211e9f37f5defa24434741e5c68eb281bc2964e7a1bd4d2063f4ecb2a

SHA512
dd6f5e3a9ab8abb6dd133a6b1374634e083d765f4cf306c3aebdcb82196f3329b89b09ccdfbad8fc691ad6b31160f8d9ea814126ae1ba08b7020e54662d73512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
b6957bf19cc51a25a9500aad7d3cee2d

SHA1
d03db03ae31f0fdc799538ca51307bb3dc914873

SHA256
62bde1ceb28b3ca2701a708724e6e9b94adfafaba6066bc67d6117d38f64c733

SHA512
13f9f5e553f93b8d0f9d2707c904fe5837597e257e92625c0004e43ea8477ca927d4aaee3db767766d1c5b301b4ef8051ed886fc74d599b0aa852f741dad98a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
10KB

MD5
fd90bcb7538794b5900d51539fdcf3e2

SHA1
24542295d920418a404091c86bce11172bfd1302

SHA256
b3fa5fd1298a6484069549e4e6868394c41e78f9f86b975054216e8b3f56f3f1

SHA512
c2d0eded24a2cebb9eb7339a1f098de933a6189cce3f4e7bfa3bbdb18ebd28f9271339495ef2e27e8edbbdcafc23ee4f49f7279189db9c8c86fac3e0feaea1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
14KB

MD5
e01ee754dcce25265bdc974369951f6b

SHA1
217d02766d4c2c94c5f5f6d0df9c1a0aebacbaed

SHA256
4346ffa06953fbe76f31048fc99f412643beba06f9f3e0476177234dfde80bba

SHA512
8c3defb726a6992bc21a1e158170a99240241ece192370c50a82ff2c81c96ff150d997f6eb07694ac57f7dac149df0bd688f6ecc2d5f3a0a4b4d18070895ac28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
db7ae41d418ed5e35ce3a58cde8e1a78

SHA1
550ec8918e6569a277d320be00f64c9237423642

SHA256
50eab719a5a3e4a1c5c1feb3d3d546bfc04e41e27a2154a2dc5887e252546184

SHA512
2cf6c81a6703014251923c68436dd4c8f3f443ad4b730fb9c876cd89e72bdff52ba3cc26b893f1527c662b60265f9220d69bd468710e18d774b7305c50c01eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
27KB

MD5
2bfcb61bfa1de5e3d3897802efd02b0d

SHA1
a8539c6ad17f89cce48707eaa831844d7acfb6a5

SHA256
c3716dfe737087d0da3dac14e84e624469da71eee68a2a27bae404ade8ae3b3d

SHA512
fcd77970bec0d989a9925900418de43fd243ec5ce152a10ad56ca33eb70f815b308297147a1c2c240b89ad4156a18bcd90041e7c6beb107494470031fc92649f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
b3e85983b2cd13d3aede01432b744629

SHA1
7a37a6dc8f8e1a58ef0b09827e35fb44b43e92a6

SHA256
1823501af5f2d22d5c0311ba646050b4d618bf61f07f6287fad15df8f0703b30

SHA512
39bc97551759b4ef0adc2b90406067522f440e983679f77ba775d06fc96963ae37c0669bd994daed2affd49595aa5bd7a17f6290598298fd915e19138c129d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
53abb3bb7e01b61a0b6b8f11d9f37620

SHA1
c74e3329360009e0454a7a3874447b597dec33c9

SHA256
497413ab7341e4f85d78490c273cbe132333fc8bb10eba97ef2dadaf8c2dccec

SHA512
faead04e839dad8361b693535203e4edc022ed82bedc734a4828cd56901433864c0387b1697f072bce8c62f41f151a9cc86ce3d8968a4274acc42528ec68e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
87B

MD5
ec687bebeb045b0b7b30ac9742ff70f2

SHA1
8c48b82b81d6c1a546215caf58a9d56890872b14

SHA256
5e2e70a75b88f3de0a6eaecfbfb6b08d162420bc7046659f8afcacefc2de5d3b

SHA512
fd24d4f4e5c891c67f2ba31068f9604ffaead75744f7ccba7a2ad9c1e6c98eff90ac7743420fe5f668aba3ff6a29a9addb176fc27e54272899cb1263b587219c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bin

Filesize
24KB

MD5
2e40c97f7790fed7606c2ab881340ce5

SHA1
b45ccff0eaffed71c822b8ad31bf2342e5aaa2cb

SHA256
299fedc96d0eaf4f1bf6398fb9c8d30b1f3f10571e834b93432bb02297b0648f

SHA512
339a2e2e931890628aee8e708a8f5d2057e8ca3a40c48689852867d99d1c56ee926f192ab3893201823ce25b0174384fcbf1e1fe7567eb11beed3babcd8e7b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFACBAC464ABB25981.TMP

Filesize
16KB

MD5
71661d61a28d385f2e1c5ece2215a9ed

SHA1
d32a349cc8c1be3c2f341e0bbc5eddd73fb11b93

SHA256
4f7fbd0fad1889f38b0f56416224b6e8d7451df9457591fbcc9c6d132b6f83c3

SHA512
174b492c2f793d0cdc1f47219dccdef868c59a64f70f8ab947e99ddb3794baa0509690765e1c968e8a58ee882e3fc5406b8b161414623494ffa762e59eee7c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB33BCE6C42EAEB5B.TMP

Filesize
16KB

MD5
0edd4a0bc76ba1255d6d4816b275062a

SHA1
b1301361c859b2f929362605371d38eef427f637

SHA256
e2cf30d332fec96297aa44db41457f247bca91526cd9782e62920bb9844790b8

SHA512
5820b3eaa1be0c79ebbc5b378dac3494492bda9fccdb2155dae384b0692173716548bcc1cfe1599fc441a04699acc261a453129fb101c27b57df35829802d6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFBF2DC57BE860ED10.TMP

Filesize
16KB

MD5
91c0e1262f1cc4b3906ceb9e42d8972c

SHA1
41496de568f3bb38b787b05712154c48f724114a

SHA256
e3d37caaf5f01f869dc1fddff5e48e4bae71db6ea02afb557d7e674770d52752

SHA512
d35314c815bf1055beef4427181a729de9300ba432959c66537f1bac1fdf30131b6f5add572f8399bd6a33eaea567780b152f89b1327e9747a8b21f18de71355

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\60OJ3HES.txt

Filesize
608B

MD5
552bfdaf80b4f58916b342a4a1fd3a45

SHA1
fbfc499d9abb2d5c9bfb467707617d24ccc007e3

SHA256
7326eb875983e91887a473c73784db31ba006f63e0afa36abba778f601741f4d

SHA512
321b29bf25acbdb98df833552b581e102a29f660f360721ef0795297db1e5421b186c12031ef5d5a84761b08ac54253234e25c77020e5008e4922f15428543e0

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
memory/2464-2240-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2464-1723-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/2536-2169-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2536-1770-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/2832-1062-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/2832-1059-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/2876-1060-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/2876-1125-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2876-1362-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2948-1063-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2948-1061-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/3000-1771-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/3000-2219-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3208-1910-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/3208-2241-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/3796-1845-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download
memory/3864-1909-0x000007FEF62C0000-0x000007FEF630C000-memory.dmp

Filesize
304KB

Download