Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

AnaRAT.exe

windows7-x64

10

AnaRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 03:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AnaRAT.exe

  • Size

    6.0MB

  • MD5

    b300d99faf11ac3c6d3609c34f39ad5b

  • SHA1

    039310584b1e8fb43a08a865f3ab1b64610c8013

  • SHA256

    b8af724789e01cb47a661d40a22a5ec93a2f1499d0ace4cd5e1d7d9fffa89246

  • SHA512

    2158ca82f753258c4abee3bf425f91bd26a79fcf7c53cbb98fd5980a53d678613258367a5f10117547f3d900456d78a0e4a7c85b0f1806948e8e5b767ccb26d0

  • SSDEEP

    49152:xqU/dfDJH/bKaPMNNteROzxRwF0UCLhCkpMn8HmWIos0/Noyos5rQLiMCPSsAm6o:x1dfDy

Score
10/10
asyncratgh0stratnjratpurplefoxremcosstormkitty2 moneyaugust crypter toolz grace stubfffgolazoneufcollectioncredential_accessdiscoveryevasionexecutionpersistenceprivilege_escalationratrootkitspywarestealertrojanupx

Malware Config

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -YFLE4M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

0.5.8

Botnet

2 MONEY

C2

twart.myfirewall.org:14143

Mutex

udn3BZ1Fqt3jtiZx

Attributes
  • delay

    30

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

remcos

Botnet

GOLAZO

C2

agosto14.con-ip.com:7772

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KKPQTN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Version

Hallaj PRO Rat [Fixed]

Botnet

FFF

C2

tibiaserver.ddns.net:2323

Mutex

64805e9b9efcd75e104b05fad0cb2a4c

Attributes
  • reg_key

    64805e9b9efcd75e104b05fad0cb2a4c

  • splitter

    boolLove

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 6 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 27 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies registry class 20 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
      "C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
      "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      PID:2104
      • C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
        "C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2308
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2356
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.bat""
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2372
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1792
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            PID:1396
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2332
    • C:\Users\Admin\AppData\Local\62264.exe
      "C:\Users\Admin\AppData\Local\62264.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1644
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:680
    • C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
      "C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:2736
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:1700
        • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          4⤵
          • Executes dropped EXE
          PID:536
        • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          4⤵
          • Executes dropped EXE
          PID:2204
        • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          4⤵
          • Executes dropped EXE
          PID:2684
        • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1960
    • C:\Users\Admin\AppData\Local\1231234.exe
      "C:\Users\Admin\AppData\Local\1231234.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp.bat""
        3⤵
        • Loads dropped DLL
        PID:2416
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2500
        • C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
          "C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1700
    • C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
      "C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Users\Admin\AppData\Local\Temp\Client.exe
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1092
        • C:\Windows\system32\CMD.exe
          "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
          4⤵
            PID:568
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1392
        • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
          "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
          3⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2196
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
        • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
          "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Drops desktop.ini file(s)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2376
      • C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
        "C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        PID:2904
        • C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
          C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\brdeokmuxprbhwgcasdrbllojj"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1768
        • C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
          C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltqxgdwnlxjgjkugjdptmpgxkxryuj"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2144
        • C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
          C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\onvhhvhpzfbluqqkagkupcaoteazwulkp"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2184
      • C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
        "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2564
        • C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
          "C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2808
      • C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
        "C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2012
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\OSPPSVC.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\egjtKZhlKS.bat"
          3⤵
            PID:304
            • C:\Windows\system32\chcp.com
              chcp 65001
              4⤵
                PID:2332
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                4⤵
                  PID:2900
                • C:\Users\All Users\Desktop\OSPPSVC.exe
                  "C:\Users\All Users\Desktop\OSPPSVC.exe"
                  4⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2756
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "zzzzz" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "zzzz" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2984
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "zzzzz" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2352
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "12312341" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1568
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "1231234" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "12312341" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2228
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2132
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2088
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2828

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          2
          T1546

          AppInit DLLs

          1
          T1546.010

          Netsh Helper DLL

          1
          T1546.007

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Event Triggered Execution

          2
          T1546

          AppInit DLLs

          1
          T1546.010

          Netsh Helper DLL

          1
          T1546.007

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Impair Defenses

          1
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Modify Registry

          2
          T1112

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          2
          T1552

          Credentials In Files

          2
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Query Registry

          3
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Data from Local System

          2
          T1005

          Email Collection

          2
          T1114

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\NNYJZAHP\Browsers\Firefox\Bookmarks.txt
            Filesize

            105B

            MD5

            2e9d094dda5cdc3ce6519f75943a4ff4

            SHA1

            5d989b4ac8b699781681fe75ed9ef98191a5096c

            SHA256

            c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

            SHA512

            d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\BlockSelect.xlsx
            Filesize

            10KB

            MD5

            e9faa70844e819a8a34f17ba51f29347

            SHA1

            ea7ad09cf4da18866dc9cef3e827e9c324a8db6c

            SHA256

            6a4225dc68dbf5d28868cdd31f3f06657659e239ebe917bc5af334c323b0a667

            SHA512

            76b4f8b505fdd91c34ffda2f58d242a42ea9ed48d4a72ea8dd7f5360df3b093e414223bd23b6ca36e8afb7a7a63b3530cdcac7e036465fc2280217d821f98a8b

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\ExportRead.bmp
            Filesize

            148KB

            MD5

            80458c50ddcdab61b4f0beeba470daa0

            SHA1

            aed0fbc7a831410fc203c9bc982104089f721e0c

            SHA256

            0a0b7729203eac13438933fca6d93c9f3f75938347efe9aa1dcf1383518a8c6d

            SHA512

            5cd0ac32bf07bd4825d42e3d6b8f457bea94d11dbc804393db91944c1c978da4fe29e151fe260f5b8f17d88dfff34776d0d5a0f08826e2c1371b17007eadd650

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\PingCompare.js
            Filesize

            307KB

            MD5

            06e53a3c4f811e3f2ec6b9537eb7abf5

            SHA1

            319110069e006b3a8b19d48986ccbc04e143ee55

            SHA256

            bb340cf5cc4bbe6df54453fb1c870aa3b39c02b7b65c2447a0470ed5d8fc0778

            SHA512

            80a227b983fdcfa38bfe215850eebe23944a41ca153d2a7570f2e28e74fc4d1b355c27ae361ae709fc9175515bb9ff5e8b36cebb8a375004205dc4dc4eb48468

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\RedoUnblock.css
            Filesize

            339KB

            MD5

            afdc741a1304a65da0ce003a6eaa6c3a

            SHA1

            f5e1fbeaad5067209e24970792a6619b73abc381

            SHA256

            4bb40b716a05baddda8040bc1971ceb23d13d372059b1a3a14f9fa5bf9199af3

            SHA512

            f0f6e4c4b7ecbcc9b415fed960018ed78602408b9945342c11601ab01a27fdef1d68164700cade4699f0631fa6eeb17465ac78ab8bf93fad9c2e1dc2c64606e4

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\SaveMeasure.ppt
            Filesize

            265KB

            MD5

            a2866baba3d49f8abea371b592de6a73

            SHA1

            89ee627f7df114e7ad13b4ad6e7a0ba5be8a7791

            SHA256

            3313bcdc4fef6a53d6de3c9dcdc9ec33bf2642f1ab2027bbce976d35943134ec

            SHA512

            5d947c44f0fda48d6bf856cd4c9be947428fe6711651c61646a38d8f3b1210d43e215aaf4340dd07ff3f7448e42f5d4a64fc47734ad2f54eaa6ad34b9bf33db3

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\SkipResume.rtf
            Filesize

            201KB

            MD5

            8f21bf6fd322f6b121286293a987c06d

            SHA1

            7fe4648d433637ab69285a325e2c1c5e9220cb09

            SHA256

            6abb64f1823988c4efd32008a49ad15dee625b9d45bdd524b0af3556d2557619

            SHA512

            516fafa6c3d158eb74a08442e6b7b6e6fe3caa8529574f0348ad9f8250dc937bc24ab0cb6a9dcecb7c2a1886384e1d9464f529342173e67dea8b6c6f2291a078

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Documents\CompressExpand.pdf
            Filesize

            368KB

            MD5

            e8d10cf653f35a50c099cc50432f7fce

            SHA1

            3439cbee6680df96d83c9d51581b5b26c141a2d2

            SHA256

            09e90e69ac27a607b249b868aaf889db165449faef137f375d225f4bea451d0a

            SHA512

            a87f4747a835df9314e313d21145b098c6273aee37f664d398f88e4b5610069046e2c8d26d5e4bfc341cba42bff7f37daf6741f6fd24b1f462b47daabb9e039c

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Documents\PingInstall.docx
            Filesize

            409KB

            MD5

            4851060ec0cadc22d5bc6f1cbf810d85

            SHA1

            90d192d16dac939017d41b7d2c72251c4c66e6a3

            SHA256

            dc8da8bd2d99e6a0e41df2223c63a848cd2c89404a23be90f6f1a3b0502e97b6

            SHA512

            51703941b598a46bffaa7feee97e8b136a17ca21521ac378a4e8cb4731ec98ab79d85c469473d2b1ae13eedaac29c259bcb29c1363877b42fd61d8989257aa0f

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Documents\SuspendPublish.pdf
            Filesize

            839KB

            MD5

            83c5d15e0f9ddaae4c60b43aae987e7e

            SHA1

            1490e207440f82c2c6f03299cec32ec030cf6cab

            SHA256

            6f2f05110066ca866e9a390fc94c51e08daec362967b39b7a533e0d4839b5ef7

            SHA512

            9399dcb41257bb8e95461d4612b8932261336de814268e3498c1791ddde7dac7d5bfdcd865c8c8a330ed8d6ce92596e7d7d09bc7ec496339b9ce534e76796c38

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Downloads\CompareRestore.txt
            Filesize

            989KB

            MD5

            f5af125bcb1d1027bff05c91600c3724

            SHA1

            7dfc756c72b447af0d45a0d4c7b02e8154951f3c

            SHA256

            23641d1dcab7f42354da9aa59c39b90805d415a7bcbf331646961ee2fc7bca90

            SHA512

            4af3cc2baa415115b329e64b0ae4b1fb63c803ec94cdb481a74baa30848aa63aff77cbd4d0da84f8406461002b06ecd750f72ca0ef6a869295ec93cfaee18446

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Downloads\ConvertToPop.xlsx
            Filesize

            391KB

            MD5

            f069d4049635838ac2823d361edb0392

            SHA1

            27a60423d85517baef990ea3d84f9ecd5157c8c3

            SHA256

            5df0822856fe80043f6025d67e7a8d00ed1b0c0bf674c369b8edc1a7a0db51c6

            SHA512

            78d5248b87810aedbea1e8906f1ff082811add6f9ddc5239bcafb1a57ac9364fda3e0359c0df3446fd51bc516518c52380f6da6228be6555fd878a21db9636da

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Pictures\InitializeUndo.bmp
            Filesize

            595KB

            MD5

            21d57bc2f9d8c30d15c7120f76dae308

            SHA1

            e8e7cd9e55ee9ebc64cc7843158b1c30c3f0bd2f

            SHA256

            61b23e885fbe30c54542d47506ed8b0c910614affc3a16c1ba610263873c1a73

            SHA512

            71015ddd850aee0c53a7e1610a666df27acf79762135ac333a0b3298289da0c7acdbc4e4868988dd7ba0699ed97bb7b5141a1c1ab562fafa4870684a00d860b8

            Download Submit

          • C:\ProgramData\NNYJZAHP\FileGrabber\Pictures\ResolveTest.bmp
            Filesize

            1.2MB

            MD5

            835a4d5ff00e119b32f573c9987e9c3d

            SHA1

            522031b3c21cb332c7197deb607b31cdea8c170c

            SHA256

            0388029d8ec40231f22b288fb52165973fa02b357115324cd981ff5bbf71e09e

            SHA512

            1fa43c10f3862e1fdebd64f37bb3587a9ade94e60e10ebeb449a263a70e61133f833b17ce4bc137c6b826e0b0592f589cae9fed16c0b69ff8b317c97ecb6ce0a

            Download Submit

          • C:\ProgramData\remcos\logs.dat
            Filesize

            182B

            MD5

            a65f85e1a9b0821be88bd6110e5b6da6

            SHA1

            fba58fbf6258c56e059766413f65790b7b582d10

            SHA256

            fdae46e0ec6b2604c042dfe4caec04f3ca345c5dc3e6543e569d2cbc4d367437

            SHA512

            6309cc9519e450aecb9efdf8c65f60b0a3592f7a256b6b08e02e83c4a223286a9aa4a7a1ea27fc118c87342744245ebd283d3f68403edb9aa46d5cc1545341ea

            Download Submit

          • C:\Users\Admin\AppData\Local\1231234.exe
            Filesize

            37KB

            MD5

            8f00376c7ee9fb1653dc2ae09afa5589

            SHA1

            0005d278c062b496628e9c2a27043e87fc05689e

            SHA256

            6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18

            SHA512

            2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9

            Download Submit

          • C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
            Filesize

            110KB

            MD5

            0dcc21bdebe05957ca2922be486abe22

            SHA1

            8bcbd8a839a58e0050c17221e6a1cc775f07586b

            SHA256

            73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3

            SHA512

            0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Cab3249.tmp
            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Client.exe
            Filesize

            100KB

            MD5

            21560cb75b809cf46626556cd5fbe3ab

            SHA1

            f2eec01d42a301c3caacd41cddb0ef2284dbb5a6

            SHA256

            d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa

            SHA512

            21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
            Filesize

            210KB

            MD5

            4ca15a71a92f90c56b53d9d03da17657

            SHA1

            3d610aee0423eea84ad9dc0df7865e1bed982327

            SHA256

            ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1

            SHA512

            e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
            Filesize

            22KB

            MD5

            4c8f3a1e15f370ca8afe2992902a6e98

            SHA1

            dc6324d924ac31bea4ad7e4dd6720ecdad3877dd

            SHA256

            dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92

            SHA512

            b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\R1N1465zW7
            Filesize

            92KB

            MD5

            a58d87b023e155c10b4e15fdfc6fcb06

            SHA1

            0ee449b782aeac54c0406adde543f19ecd9dfd38

            SHA256

            331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61

            SHA512

            1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Tar326B.tmp
            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\egjtKZhlKS.bat
            Filesize

            214B

            MD5

            14fc3f11b153ca5e6ef0d7617851a111

            SHA1

            922bad6c77677529e65e87f76ccd5f42676ebd34

            SHA256

            03aaa5f87980d3cead074e086782ec868bbce5765640c9fae99270fae6b61ffe

            SHA512

            63a8fb1deac361af866343b0c59f025b9fd5643685ab31726eea37bf57e517c46c8af8e03c76d3b7372f8ea8904966e6c5ce7fa6683cbda46e3fcbd582dcbed9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp.bat
            Filesize

            173B

            MD5

            fad26880a406054dce9a17006547dc61

            SHA1

            d206b5220986a63dc8948c32c25e88ed3b51696c

            SHA256

            65cff2b2083666f7b2e9059d0f963bad325566714334d0f3e53a93aee1740e5b

            SHA512

            e58cdca2adab920bdb2eb95dbe259b384b4482a8c9b98a831c584d5f4f67e84e076e320dd614164ec71640e45919d29a7800d3402e5c4fc26f9565d903324399

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.bat
            Filesize

            154B

            MD5

            5caa639aea42a35722614a24553e6734

            SHA1

            9a8c41f3524fb428187beda054954b1fa8947b93

            SHA256

            c2498c688896c00a47f8908b96c33a5d3e094f4486a42275df9d1749492be6a4

            SHA512

            79e9d283543bcf4cbfe9f2865b45bf91c99f492b7839fa47c4f256ab984a11cb0e588023f0d2b5dead6481cd2eccfc42f32725bb8e07c6842af3749514e21e12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\zEFl46k9Yg
            Filesize

            46KB

            MD5

            02d2c46697e3714e49f46b680b9a6b83

            SHA1

            84f98b56d49f01e9b6b76a4e21accf64fd319140

            SHA256

            522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

            SHA512

            60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\zzzz.exe
            Filesize

            320KB

            MD5

            de4824c195cf1b2bb498511ef461e49b

            SHA1

            f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

            SHA256

            51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

            SHA512

            b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B28K0R9OCQ6AUL1SG1IO.temp
            Filesize

            7KB

            MD5

            1d1255135b8ec863ac6543d4ee4fbce4

            SHA1

            b9da052f66b3b07b06435153f6b66528dda72474

            SHA256

            6b9259938ecad529f7ca1c4559dbf3b4a0e33b35665fde9d2df929bd25b7e412

            SHA512

            a25a242adf9063018a8c5a7b791861310818031657e7932020b76ac7454bb876da4edadf0ad7b2bc844f9b080e5aaa9246eb7e07ecb340c0d483ef90cecd761b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NW4BK931H45592EKXK7Z.temp
            Filesize

            7KB

            MD5

            c630c1d4fbbc495530f7795b2b41c82f

            SHA1

            e1c3f9dd207e5ecbaf9592faad39bc41cb86f9e2

            SHA256

            e299853c7fc2d70851897197914f80de5a02ed216da245f2f7ac3c6427468511

            SHA512

            845d705b60254c035c536dbad59042e1f89926a06cc534690979c8aa2d1642f6f55a0341ef3d167550956c1a9454712bba1a9e12f01272c7cbefbaf3e552430c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
            Filesize

            110KB

            MD5

            622612f0d0c64efaee69441b875aded0

            SHA1

            6959b24d41566cb7f468503feca38c312e0b6a18

            SHA256

            4bd34e42d5175064c1e7cffc2c552291bf0cd3f157616f2abc83e8b862ecbbb0

            SHA512

            369b3cc119c15c10041b1f00ed0691ad43dece0031d219da8c430c2fba3991452adf851afdc0183afcccbe4dc5e84451dc899e1f2319d1f8428d0608560d72e9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\svchost.exe
            Filesize

            152KB

            MD5

            4b6d4727ca3c277e5af47092ec9e3ef1

            SHA1

            8faea131181960c1f43ccee6a2b7bcdaa23fcd81

            SHA256

            5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4

            SHA512

            8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc

            Download Submit

          • \Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
            Filesize

            446KB

            MD5

            385585748cd6feff767a913bd76c2457

            SHA1

            1bedac2bc0da78c4dbaaf3914816d84f5c08f005

            SHA256

            0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5

            SHA512

            80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880

            Download Submit

          • \Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
            Filesize

            227KB

            MD5

            1a83a244d9e90a4865aac14bc0e27052

            SHA1

            d2b65e7aed7657c9915f90f03d46902087479753

            SHA256

            150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712

            SHA512

            f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f

            Download Submit

          • \Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
            Filesize

            233KB

            MD5

            4ef3177a2e94ce3d15ae9490a73a2212

            SHA1

            a34f47568ce7fcea97a002eebeae385efa98790c

            SHA256

            87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0

            SHA512

            635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502

            Download Submit

          • \Users\Admin\AppData\Local\62264.exe
            Filesize

            198KB

            MD5

            f30e9ff8706f3ec72c82a74ee6328db9

            SHA1

            b526d52d22600b28892f898a717eb25779ef3044

            SHA256

            d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489

            SHA512

            a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6

            Download Submit

          • \Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
            Filesize

            1.6MB

            MD5

            e2100d88aca7c0a44ba9bb988ccd3916

            SHA1

            ddaf17adbc769556037bb4fbf4bce7065bf57ef3

            SHA256

            75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688

            SHA512

            5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5

            Download Submit

          • \Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
            Filesize

            608KB

            MD5

            690c1b65a6267d6d0b201ba46089aabc

            SHA1

            9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39

            SHA256

            244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f

            SHA512

            cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a

            Download Submit

          • \Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
            Filesize

            874KB

            MD5

            a6a1abaf12a28ea8f6553356c3bdcf57

            SHA1

            b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53

            SHA256

            f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76

            SHA512

            e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65

            Download Submit

          • memory/680-782-0x0000000000EE0000-0x0000000000F0C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/1092-123-0x0000000000190000-0x00000000001B0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1396-868-0x0000000000C60000-0x0000000000CFA000-memory.dmp

            Filesize

            616KB

            Download

          • memory/1632-330-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1632-338-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1632-339-0x0000000000400000-0x000000000040C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1644-718-0x0000000000530000-0x000000000053C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/1644-717-0x0000000000E20000-0x0000000000E4C000-memory.dmp

            Filesize

            176KB

            Download

          • memory/1700-593-0x000000013F9C0000-0x000000013F9CE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1756-112-0x000000001B770000-0x000000001BA52000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/1756-113-0x0000000001E70000-0x0000000001E78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1768-468-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1768-480-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1768-465-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1768-461-0x0000000000400000-0x0000000000478000-memory.dmp

            Filesize

            480KB

            Download

          • memory/1972-97-0x0000000010000000-0x00000000101A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1972-96-0x0000000010000000-0x00000000101A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1972-99-0x0000000010000000-0x00000000101A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1972-94-0x0000000010000000-0x00000000101A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2104-310-0x0000000000250000-0x0000000000266000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2104-311-0x0000000005B90000-0x0000000005BE4000-memory.dmp

            Filesize

            336KB

            Download

          • memory/2104-98-0x0000000000910000-0x000000000092E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2104-73-0x0000000000C10000-0x0000000000CAA000-memory.dmp

            Filesize

            616KB

            Download

          • memory/2144-463-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2144-467-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2144-546-0x0000000000470000-0x00000000005F1000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2144-548-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2144-462-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2144-469-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/2184-470-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2184-473-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2184-466-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2184-471-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2196-142-0x0000000003CB0000-0x0000000003CC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2288-215-0x00000000028D0000-0x00000000028D8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2316-92-0x0000000074680000-0x0000000074C2B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2316-0-0x0000000074681000-0x0000000074682000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2316-72-0x0000000004670000-0x00000000046FA000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2316-71-0x0000000004670000-0x00000000046FA000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2316-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2316-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2376-140-0x0000000001040000-0x0000000001096000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2448-132-0x00000000022C0000-0x00000000022C8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2448-131-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2564-348-0x0000000000400000-0x000000000058F000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2564-354-0x0000000000400000-0x000000000058F000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2656-66-0x00000000010D0000-0x0000000001110000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2672-146-0x0000000000BD0000-0x0000000000BEC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2672-152-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2672-148-0x00000000020D0000-0x00000000020E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2672-150-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2672-157-0x0000000002100000-0x000000000210E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2672-106-0x000000001B020000-0x000000001B1A4000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/2672-155-0x00000000020F0000-0x00000000020FC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2672-93-0x0000000000540000-0x0000000000546000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2672-144-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2672-91-0x0000000000BF0000-0x0000000000CCC000-memory.dmp

            Filesize

            880KB

            Download

          • memory/2672-159-0x0000000002210000-0x000000000221C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/2672-107-0x0000000000550000-0x0000000000556000-memory.dmp

            Filesize

            24KB

            Download

          • memory/2688-325-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-323-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-314-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-318-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-312-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-320-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2688-316-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2688-321-0x0000000000400000-0x0000000000412000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2700-63-0x000000013F0A0000-0x000000013F0AE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/2756-329-0x0000000000AC0000-0x0000000000B9C000-memory.dmp

            Filesize

            880KB

            Download

          • memory/2808-362-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-353-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-544-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-545-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-458-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-459-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-456-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-350-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-352-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2808-484-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-357-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-358-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-361-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-482-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2808-474-0x00000000001C0000-0x0000000000242000-memory.dmp

            Filesize

            520KB

            Download

          • memory/2904-75-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2904-308-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2904-309-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download

          • memory/2904-549-0x0000000010000000-0x0000000010019000-memory.dmp

            Filesize

            100KB

            Download

          • memory/2904-483-0x0000000000400000-0x000000000048A000-memory.dmp

            Filesize

            552KB

            Download