zeon | c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

Resubmissions

30/09/2024, 13:59

240930-ralrrayfnq 10

09/02/2022, 12:42

220209-pxfsxaaebj 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
Size

7.6MB
MD5

33f612338b6b5e6b4fe8cbb17208795c
SHA1

66535700bbce7f90d2add7c504bc0e0523d4d71d
SHA256

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
SHA512

7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2
SSDEEP

196608:2SdJhhiIbZg4T4hac7p6eDcGRYTOzBVUuuB1z5:2SdJhVbehacQeHt1VUuur

Score

10^/10

zeon discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\re_ad_me.txt

Family

zeon

Ransom Note

All of your files are currently encrypted by ZEON strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh ---END ID---

URLs

http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/

Signatures

Zeon
Zeon is a ransomware written in the Python first seen in January 2022.
ransomware zeon
Renames multiple (87) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Loads dropped DLL 31 IoCs

pid	Process
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pqBxGx.jpg"	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 53 IoCs

evasion

pid	Process
6140	taskkill.exe
6456	taskkill.exe
4908	taskkill.exe
1984	taskkill.exe
1000	taskkill.exe
3320	taskkill.exe
5144	taskkill.exe
5960	taskkill.exe
7044	taskkill.exe
4268	taskkill.exe
2424	taskkill.exe
5404	taskkill.exe
7008	taskkill.exe
2492	taskkill.exe
2236	taskkill.exe
6312	taskkill.exe
6380	taskkill.exe
3476	taskkill.exe
3580	taskkill.exe
6248	taskkill.exe
4632	taskkill.exe
6112	taskkill.exe
5268	taskkill.exe
736	taskkill.exe
5236	taskkill.exe
4168	taskkill.exe
5440	taskkill.exe
5828	taskkill.exe
944	taskkill.exe
5980	taskkill.exe
7072	taskkill.exe
2340	taskkill.exe
4540	taskkill.exe
3256	taskkill.exe
1736	taskkill.exe
1268	taskkill.exe
7080	taskkill.exe
1232	taskkill.exe
1736	taskkill.exe
4664	taskkill.exe
3820	taskkill.exe
5536	taskkill.exe
2240	taskkill.exe
5720	taskkill.exe
6664	taskkill.exe
6728	taskkill.exe
1032	taskkill.exe
6064	taskkill.exe
6984	taskkill.exe
3188	taskkill.exe
6184	taskkill.exe
4936	taskkill.exe
6660	taskkill.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
4068	schtasks.exe
4504	schtasks.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	736	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeDebugPrivilege	5440	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5828	taskkill.exe
Token: SeDebugPrivilege	5960	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	6184	taskkill.exe
Token: SeDebugPrivilege	6312	taskkill.exe
Token: SeDebugPrivilege	6380	taskkill.exe
Token: SeDebugPrivilege	7044	taskkill.exe
Token: SeDebugPrivilege	7008	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	3256	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	5268	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5980	taskkill.exe
Token: SeDebugPrivilege	6064	taskkill.exe
Token: SeDebugPrivilege	6140	taskkill.exe
Token: SeDebugPrivilege	6248	taskkill.exe
Token: SeDebugPrivilege	6456	taskkill.exe
Token: SeDebugPrivilege	6664	taskkill.exe
Token: SeDebugPrivilege	6660	taskkill.exe
Token: SeDebugPrivilege	6728	taskkill.exe
Token: SeDebugPrivilege	7072	taskkill.exe
Token: SeDebugPrivilege	6984	taskkill.exe
Token: SeDebugPrivilege	7080	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3612	2204	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 2204 wrote to memory of 3612	2204	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 2204 wrote to memory of 3612	2204	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	82
PID 3612 wrote to memory of 7032	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	83
PID 3612 wrote to memory of 7032	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	83
PID 3612 wrote to memory of 7032	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	83
PID 7032 wrote to memory of 7080	7032	net.exe	85
PID 7032 wrote to memory of 7080	7032	net.exe	85
PID 7032 wrote to memory of 7080	7032	net.exe	85
PID 3612 wrote to memory of 7104	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	86
PID 3612 wrote to memory of 7104	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	86
PID 3612 wrote to memory of 7104	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	86
PID 7104 wrote to memory of 7152	7104	net.exe	88
PID 7104 wrote to memory of 7152	7104	net.exe	88
PID 7104 wrote to memory of 7152	7104	net.exe	88
PID 3612 wrote to memory of 4632	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	89
PID 3612 wrote to memory of 4632	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	89
PID 3612 wrote to memory of 4632	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	89
PID 3612 wrote to memory of 944	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 3612 wrote to memory of 944	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 3612 wrote to memory of 944	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	92
PID 944 wrote to memory of 1016	944	net.exe	94
PID 944 wrote to memory of 1016	944	net.exe	94
PID 944 wrote to memory of 1016	944	net.exe	94
PID 3612 wrote to memory of 4908	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 3612 wrote to memory of 4908	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 3612 wrote to memory of 4908	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	95
PID 3612 wrote to memory of 4396	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	97
PID 3612 wrote to memory of 4396	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	97
PID 3612 wrote to memory of 4396	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	97
PID 4396 wrote to memory of 4664	4396	net.exe	99
PID 4396 wrote to memory of 4664	4396	net.exe	99
PID 4396 wrote to memory of 4664	4396	net.exe	99
PID 3612 wrote to memory of 2240	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	100
PID 3612 wrote to memory of 2240	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	100
PID 3612 wrote to memory of 2240	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	100
PID 3612 wrote to memory of 1984	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	102
PID 3612 wrote to memory of 1984	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	102
PID 3612 wrote to memory of 1984	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	102
PID 3612 wrote to memory of 2492	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	104
PID 3612 wrote to memory of 2492	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	104
PID 3612 wrote to memory of 2492	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	104
PID 2492 wrote to memory of 224	2492	net.exe	106
PID 2492 wrote to memory of 224	2492	net.exe	106
PID 2492 wrote to memory of 224	2492	net.exe	106
PID 3612 wrote to memory of 3328	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	107
PID 3612 wrote to memory of 3328	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	107
PID 3612 wrote to memory of 3328	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	107
PID 3328 wrote to memory of 4168	3328	net.exe	109
PID 3328 wrote to memory of 4168	3328	net.exe	109
PID 3328 wrote to memory of 4168	3328	net.exe	109
PID 3612 wrote to memory of 3800	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	110
PID 3612 wrote to memory of 3800	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	110
PID 3612 wrote to memory of 3800	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	110
PID 3800 wrote to memory of 752	3800	net.exe	112
PID 3800 wrote to memory of 752	3800	net.exe	112
PID 3800 wrote to memory of 752	3800	net.exe	112
PID 3612 wrote to memory of 1516	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	113
PID 3612 wrote to memory of 1516	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	113
PID 3612 wrote to memory of 1516	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	113
PID 1516 wrote to memory of 4796	1516	net.exe	115
PID 1516 wrote to memory of 4796	1516	net.exe	115
PID 1516 wrote to memory of 4796	1516	net.exe	115
PID 3612 wrote to memory of 736	3612	FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe	116

C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
"C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe
  "C:\Users\Admin\AppData\Local\Temp\FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh_enc.exe"
  2⤵
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\net.exe
    net stop /y wbengine
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:7032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y wbengine
      4⤵
      PID:7080
- - C:\Windows\SysWOW64\net.exe
    net stop /y AVP
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:7104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AVP
      4⤵
      PID:7152
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SysWOW64\net.exe
    net stop /y SmcService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SmcService
      4⤵
      PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im PccNTMon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- - C:\Windows\SysWOW64\net.exe
    net stop /y WRSVC
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y WRSVC
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\net.exe
    net stop /y RESvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y RESvc
      4⤵
      PID:224
- - C:\Windows\SysWOW64\net.exe
    net stop /y W3S
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y W3S
      4⤵
      PID:4168
- - C:\Windows\SysWOW64\net.exe
    net stop /y Monitor
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Monitor
      4⤵
      PID:752
- - C:\Windows\SysWOW64\net.exe
    net stop /y tmlisten
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y tmlisten
      4⤵
      PID:4796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\net.exe
    net stop /y Antivirus
    3⤵
    PID:1244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Antivirus
      4⤵
      System Location Discovery: System Language Discovery
      PID:3852
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfevtp
    3⤵
    PID:4016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfevtp
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\net.exe
    net stop /y Back
    3⤵
    PID:5112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Back
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\SysWOW64\net.exe
    net stop /y Afee
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Afee
      4⤵
      System Location Discovery: System Language Discovery
      PID:3104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\SysWOW64\net.exe
    net stop /y UIODetect
    3⤵
    - System Location Discovery: System Language Discovery
    PID:904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y UIODetect
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
- - C:\Windows\SysWOW64\net.exe
    net stop /y SMTP
    3⤵
    PID:516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SMTP
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xchange.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3320
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfefire
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfefire
      4⤵
      System Location Discovery: System Language Discovery
      PID:3864
- - C:\Windows\SysWOW64\net.exe
    net stop /y CCSF
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y CCSF
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\SysWOW64\net.exe
    net stop /y Veeam
    3⤵
    PID:3480
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Veeam
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefox.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im calc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5236
- - C:\Windows\SysWOW64\net.exe
    net stop /y MsDts
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5304
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MsDts
      4⤵
      System Location Discovery: System Language Discovery
      PID:5356
- - C:\Windows\SysWOW64\net.exe
    net stop /y Exchange
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Exchange
      4⤵
      PID:5424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5440
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPSecurity
    3⤵
    PID:5504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPSecurity
      4⤵
      PID:5556
- - C:\Windows\SysWOW64\net.exe
    net stop /y ekrn
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5572
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ekrn
      4⤵
      PID:5628
- - C:\Windows\SysWOW64\net.exe
    net stop /y task
    3⤵
    PID:5648
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y task
      4⤵
      PID:5700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5720
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5960
- - C:\Windows\SysWOW64\net.exe
    net stop /y bedbg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y bedbg
      4⤵
      PID:6096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6112
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6184
- - C:\Windows\SysWOW64\net.exe
    net stop /y klnagent
    3⤵
    PID:6248
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y klnagent
      4⤵
      PID:6296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sofos.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mbamtray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6380
- - C:\Windows\SysWOW64\net.exe
    net stop /y swi_
    3⤵
    PID:6448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y swi_
      4⤵
      PID:6500
- - C:\Windows\SysWOW64\net.exe
    net stop /y ntrt
    3⤵
    PID:6516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ntrt
      4⤵
      PID:6568
- - C:\Windows\SysWOW64\net.exe
    net stop /y xchange
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y xchange
      4⤵
      PID:6636
- - C:\Windows\SysWOW64\net.exe
    net stop /y Eraser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Eraser
      4⤵
      PID:6704
- - C:\Windows\SysWOW64\net.exe
    net stop /y TrueKey
    3⤵
    PID:6720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y TrueKey
      4⤵
      PID:6768
- - C:\Windows\SysWOW64\net.exe
    net stop /y FA_Scheduler
    3⤵
    PID:6788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y FA_Scheduler
      4⤵
      System Location Discovery: System Language Discovery
      PID:6840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7044
- - C:\Windows\SysWOW64\net.exe
    net stop /y acronis
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y acronis
      4⤵
      PID:6940
- - C:\Windows\SysWOW64\net.exe
    net stop /y NetMsmq
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y NetMsmq
      4⤵
      PID:7024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im CNTAoSMgr.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7008
- - C:\Windows\SysWOW64\net.exe
    net stop /y MBAM
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MBAM
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfemms
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfemms
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmcomp.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:944
- - C:\Windows\SysWOW64\net.exe
    net stop /y Enterprise
    3⤵
    PID:4476
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Enterprise
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamNFSSvc
    3⤵
    PID:4136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamNFSSvc
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im veeam.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\net.exe
    net stop /y sql
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y sql
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\SysWOW64\net.exe
    net stop /y DCAgent
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y DCAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:2752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im zoolz.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktop.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- - C:\Windows\SysWOW64\net.exe
    net stop /y Report
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Report
      4⤵
      System Location Discovery: System Language Discovery
      PID:4900
- - C:\Windows\SysWOW64\net.exe
    net stop /y KAVF
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y KAVF
      4⤵
      PID:3204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmwp.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\SysWOW64\net.exe
    net stop /y mms
    3⤵
    PID:656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mms
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
- - C:\Windows\SysWOW64\net.exe
    net stop /y EhttpSrv
    3⤵
    PID:3980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EhttpSrv
      4⤵
      PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
- - C:\Windows\SysWOW64\net.exe
    net stop /y backup
    3⤵
    PID:5024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y backup
      4⤵
      PID:4940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Backup.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\SysWOW64\net.exe
    net stop /y IMAP4
    3⤵
    PID:2444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IMAP4
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPUpdate
    3⤵
    PID:956
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPUpdate
      4⤵
      PID:5132
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im virtual.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmwp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmwp
      4⤵
      PID:5292
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im word.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5268
- - C:\Windows\SysWOW64\net.exe
    net stop /y veeam
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y veeam
      4⤵
      System Location Discovery: System Language Discovery
      PID:5396
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
- - C:\Windows\SysWOW64\net.exe
    net stop /y Endpoint
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5440
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Endpoint
      4⤵
      PID:5528
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im backup.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5536
- - C:\Windows\SysWOW64\net.exe
    net stop /y EsgShKernel
    3⤵
    PID:5696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EsgShKernel
      4⤵
      System Location Discovery: System Language Discovery
      PID:5720
- - C:\Windows\SysWOW64\net.exe
    net stop /y ESHASRV
    3⤵
    PID:5864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ESHASRV
      4⤵
      PID:5828
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sql.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5980
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6064
- - C:\Windows\SysWOW64\net.exe
    net stop /y vss
    3⤵
    PID:6052
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vss
      4⤵
      PID:6116
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Ntrtscan.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6140
- - C:\Windows\SysWOW64\net.exe
    net stop /y McShield
    3⤵
    PID:6212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y McShield
      4⤵
      PID:6264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6248
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamTransportSvc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamTransportSvc
      4⤵
      PID:6380
- - C:\Windows\SysWOW64\net.exe
    net stop /y SNAC
    3⤵
    PID:6388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SNAC
      4⤵
      System Location Discovery: System Language Discovery
      PID:6448
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6456
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmcomp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmcomp
      4⤵
      System Location Discovery: System Language Discovery
      PID:6636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6728
- - C:\Windows\SysWOW64\net.exe
    net stop /y PDVF
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y PDVF
      4⤵
      System Location Discovery: System Language Discovery
      PID:6880
- - C:\Windows\SysWOW64\net.exe
    net stop /y POP3
    3⤵
    PID:6908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y POP3
      4⤵
      System Location Discovery: System Language Discovery
      PID:6940
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im notepad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tmlisten.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7080
- - C:\Windows\SysWOW64\net.exe
    net stop /y AcrSch
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AcrSch
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\net.exe
    net stop /y Smcinst
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Smcinst
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
- - C:\Windows\SysWOW64\net.exe
    net stop /y IISAdmin
    3⤵
    PID:3860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IISAdmin
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\SysWOW64\net.exe
    net stop /y Backup
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Backup
      4⤵
      PID:4092
- - C:\Windows\SysWOW64\net.exe
    net stop /y Sophos
    3⤵
    PID:2240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Sophos
      4⤵
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:4224
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6us
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6us
      4⤵
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6tMpus
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6tMpus
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6bGus
    3⤵
    PID:2264
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6bGus
      4⤵
      PID:5168

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {DNAME}\{PRNAME} >> NUL
1⤵
PID:1144

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {PATHIM} >> NUL
1⤵
PID:3188

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q C:\ProgramData\pqBxGx.jpg >> NUL
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\re_ad_me.txt

Filesize
1KB

MD5
5b6f1ad72274603dac19a9bda46b529d

SHA1
b4371f7b87c9422ecc046cb4f1feff52b31c3998

SHA256
8492ca11ab706cba386d1f01aac9651fb8c96c436c8627eb17ffd3d0169994a1

SHA512
1b357324dad4d1b362d5ca30c0c784aefda0da57fdf7ae136b1159597be0415f4146ec898f2d2e6aa9463e8c036337df90240bb882b9e2dd20f28008969eb60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_Salsa20.pyd

Filesize
17KB

MD5
ddbd242c046e6f339adcec3b26660006

SHA1
82acc4665101fc344eec7b8a965aa920c6293310

SHA256
f34ce0dfa4b81f566b51b3cb384ad21b0f81c36069c045287807278f4dfd76fa

SHA512
8ca9496297a297b8a54763365786aaaf25fec72cfc83e792f7498c0c809c52c6b9552f9eb5334b124a9afa6215806c2439cfcbd9759df2662a544e63d06488d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_aes.pyd

Filesize
36KB

MD5
39345a5d7496eb3fef372d893c32e324

SHA1
a90d2c69edc58d2a222553911edbe700be32f0ee

SHA256
f8e64eab899c3f8ce30f2ca0835d4ebdd2707e4591553ac5114b2edfd14ed510

SHA512
cffbff16587c27936a0add35a131def7f4371f9c72b1a049f6a4dd69ed5164fc4f368c19d3e6655dc02154888699a87404532c1e73dd3f405e519132c388d756

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_aesni.pyd

Filesize
19KB

MD5
add4de8ac56c96b135b4d281648a5924

SHA1
c9e9709f22557bf85102902b2f6e873831192135

SHA256
3a29bcfb18adff15daf7b1d8dfbab372be324a1fd5f20a2f4224929af3a03e0f

SHA512
65a43bf46c36e1f31371c5443daf7b88efe285dc7a82f5e8e49558070522bd9bfa62f02022b50d1d72e55d66420bce0d7a5e621c308aeaf6ec51b4d18c87c833

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_cbc.pyd

Filesize
17KB

MD5
1b15377994b7f1880b397c4060bf6ed2

SHA1
2e0771da29c6a3f31c9a87d6f9d17740275715da

SHA256
1bed49d92baeeba20c5d6e7baf2b9287672932edd3b0b9354e9cd39f87902120

SHA512
1080159eb82585852e27b9cd3ed0b4a6cdd10973f3a611b420b1920fd193c143ced843014aa8de14ac8cf06353c58ef2fbbc4717e18bb9b4bdcda7fc15b86801

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_cfb.pyd

Filesize
18KB

MD5
ffaae5a56ccd4ff6869cf16a36532cf5

SHA1
9fd0f35d4519e94f768287bfd27c2bfdef75f1b9

SHA256
79213b7e9f85931b424c818ccecdf9b06cf6abdf091ac0de3e3e5751145193b2

SHA512
15a5b5f7e6c2cebb7f6f56b3e881a96d63ae9595573c15b8afe8a4029679b07f511966bf84fe89e1efda44d83d3178c1e9879ff41e3ff4e3491910e28f78d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_ctr.pyd

Filesize
19KB

MD5
d01b5c0cedae84707903f9660aae2f31

SHA1
c86c9c156bc56ed2ee8d0e4b1d8a5d9ba04968d8

SHA256
d08caad9eeae42266fba08936450462a69db4b96365d792e3529c1aa7ff6db6d

SHA512
1b99a3d5a4085da07f188c63575a59343ed3e938990e3c96116bb8b6ed0cef3e53493c313157cfa51e76b64a8a9e08950dc418650a16351dd54704d860ff7b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_des.pyd

Filesize
58KB

MD5
d9ac60737322166ac2aa4abdbb5bf8d1

SHA1
48ddfb12db35ceecaadfd29cb434c323298d2bd7

SHA256
2d0334905a6aab7504352bcf7e6d1457398d801253c4f0b4a298f4f12ab7c579

SHA512
c8148a1baf2d1c59c844f231467d3133dd9c160c90e0a53caaf76906b8c4e977ea2754451f8e3f2e8cbfdba9b7b8f97402f6d49b047d6673aaad346c5622a34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_des3.pyd

Filesize
58KB

MD5
0cac4561a1240e1bde27decac1017a8d

SHA1
47c0c38007f7b07af6cfc10c4554af8430ada7e8

SHA256
d043db2c5f626c65a91197088a08cc30c707e3fd59bd1e1e46b485520a980529

SHA512
25dfa7134b70d8d78345486c229c2f07770c2c235cf906e8e7d0e710582dd53b7e0a3d7e8371c1a33cb896c23fd49a7a4faf7ddc7d620f8b5feb093932f35c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_ecb.pyd

Filesize
15KB

MD5
c7fe7cae847d9cc7ffb20ff218a5e0b9

SHA1
158f29ee4698a228da98418f9583b768211b2dfc

SHA256
4c30627081ef86f23c3292d28ea8beae9d32f63e4664e6799924032ba584ba72

SHA512
e2a795a76d83d10df4e9df46f763a8b208f06c1fb5c8fe0bb080fcb66cbbd6ac0a9b8d6ea4d1aa58928ce8905d5e44c953846a05927feac0455a1e4920a30690

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_ocb.pyd

Filesize
19KB

MD5
001afd2cf3631fba20c0ea51915cb269

SHA1
ec4250ea47640ce1d1dcd1dec9f7c3ea17a77d29

SHA256
1deb00c3e0f17b86e912cb8ea05a6575d97b1aed9b9e4b06a5f4bacc9c828278

SHA512
2083d762877943b9ced28b97763750d24e6a56f607538545850429410c9ab79052734f06c16556b565e566a25ef0fa99b598b9deb32735fbed0cffc4898b4639

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Cipher\_raw_ofb.pyd

Filesize
17KB

MD5
caab7ca0a1bc6554c275300c18c3047b

SHA1
b1ed17a2af6941545e59cb0c5864af76fc706ccb

SHA256
701cbde9ce6fb828c46a19202ae63674670a61c9a4381bc49017cfb3ce1ced81

SHA512
563613ff5263f0469786816376e83dca44a8b5e2d0322f74ea57f9c4a6f29a19cc061f4db59971330696d510621b4b12a275d66b7ff5d1905867b6447c5ff952

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_BLAKE2s.pyd

Filesize
18KB

MD5
c64058302e86dc35c79429084d38c9f5

SHA1
14b6fd0c4f41a3b668eab47344cd89168705971d

SHA256
2700b50ff4f23506c6ef48100860cb00610ec78c8da20233c195362139c95cf6

SHA512
87eda9d845ffaad6e938786381d1c32763940f8bb33108c0bcf595da5c0072fb179b521ea2888ec2759a6c5d68c1ea63b8f1eed3c14d8aa8a9c655cde900d717

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_MD5.pyd

Filesize
19KB

MD5
9c1d023df1ebd7283fad0ac51c56a2ea

SHA1
13be52fb274d94f9f418cf0f4c763d966d60ddf2

SHA256
3c61c844bc8d8229f029ac45f54c6d6a4b6e0cf321f70df14540f6349e0ea360

SHA512
c868b5a8c10da7d0699a05d04ea8dfa10029056ad8bd0a957d2704c2ec7cffbf568e1e10e99d009ddaf31c603180bb2e495501ed0c4a6fa46a79a2605e4041c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_SHA1.pyd

Filesize
22KB

MD5
402ee9711aa64d5a01f7e45037b5280f

SHA1
862a2c9252a3eb3e07eda4fc7ddcf818f7c57a47

SHA256
1fa13a0054b541ce3220dd858ea140068904c08641e32dbbe888f785ccf1555b

SHA512
f338080c949b54589a9abdfd762b71a5a19a04e343425ffaf7b0ae1577e63cfa3bd92e2a060928def7e1c7f844a2526b5b3554c8d597ecaf79b4d152ae405e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_SHA256.pyd

Filesize
25KB

MD5
e3c65ee7c914c17b71659168425ad0ba

SHA1
a4b12e0f5eb73e280723dca2a477c9fe217ddc46

SHA256
8b9e0af341677ef6a709113ac7ffaa29f27688895df2420d0ffecfda87cf7291

SHA512
a27885823244f396f1338fa2314e1179fec11ef9ba3511463c171c9acc9274bebc431505909172e9a6a7741fc5ab902b5066466f8c7a24ac23d254536d122014

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_ghash_clmul.pyd

Filesize
16KB

MD5
56d68daf3061e0d460990ab6a6c2ca91

SHA1
e3d4cf490e33a7141f1b604a682a45224f675d4f

SHA256
2fd296768e5d13d935fe785a58a0081a44c1c59a90b4ab4d3247ed9f2c3928ff

SHA512
297e8c2de26057edf0f0f549987060bdb8dd89a6c15a613897d0c526d820cd9ccdba14a12331c7138d728edb6c9b24248ebf0264894348e607123c7596033c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Hash\_ghash_portable.pyd

Filesize
17KB

MD5
4e0c3350e5341e717a99ef3fd8a08dc5

SHA1
ce20e5d219d16d6a0639a45bf430137aed9554e6

SHA256
66187f12635ccd6f4e66a412f8ac63f5e2ed94c39775f9feebb1eef06a20360e

SHA512
6ee1c236925ac5c4f47c5c7ae0e53ddf6d5ab04c9026ea020162993f37e7a684782bdc8acd7e7f44af5942436fcae55e3921b560152f47dd930a1b353d30247c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Math\_modexp.pyd

Filesize
38KB

MD5
9679c229d04bda9e908bd7cbb82bc559

SHA1
a103cc2a23e49abf8a824c7f381cf4b319fe7ab7

SHA256
4e7e18bb452f1ef4abfe6d498d143eb76b0b6b61c9b6580e883e6d33041d66ec

SHA512
82de9e6d430d3615968d480a6f897d1a6aa8c0c16011995a8fe5a52ba93ec69fb87004cc4b4ea64d5ab40cfbf82eb9eafc9f51c5793c0a44c7caecf54ed30a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Protocol\_scrypt.pyd

Filesize
17KB

MD5
928dacff8c4ffbaefaed750f5e194c56

SHA1
a745e2fa252486b2749f3f021ba1276bb15842ec

SHA256
2651a730e2e54c263e8ccf98035d2d4e0e2087a33d6179785fe815281b3f5db7

SHA512
cba420b4bdf830b7079709f6ee27d2f583b360389637f7c118c25abb7c4c5afdb207287c331747d18e147d4d2d20aa6ab8f1c275a5fbc616c48463abb8e8c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Util\_cpuid_c.pyd

Filesize
15KB

MD5
ddd51457ec06e8df96fa9c6fe3366357

SHA1
f62a75feda74970db00a0b8ba3fbe55919d5b477

SHA256
5012c198825652b9af8d8349ea06fc4d25b70accc9373fcc16674f068154a06f

SHA512
74afb380610a9cfc9474ca31dbdfc5dccb3e0c1bbf00dacf51d3dcb3c2f473cc5c76299233b1cb419ff4e84d93c9ee56e7bd9f0de261b5381b407e8a619d4195

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\Crypto\Util\_strxor.pyd

Filesize
15KB

MD5
1db8fde2e2bfc341e1f856e50d41c39d

SHA1
748d8fa9c747fc2de5ef64537dd87219292a3f46

SHA256
44abba55c306c418da1b72f4664a486795e7e7467a848360de0248e402107145

SHA512
a17ebc16d03ab9daadff0a3727ef1802c2d956f763059a3b1e05d39cdbc5432e08d773d16823553111c669a64beb291938a26af6dedf7c2b6c644064fa6b5c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\VCRUNTIME140.dll

Filesize
74KB

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\_bz2.pyd

Filesize
76KB

MD5
ca6b245fecc69cad34201edd4be8cc3a

SHA1
c9954f6254130a6615375cc2540f0c4680665f4b

SHA256
e445fc0acf42299f4d5fe25d7fac76f14635ce0cd980dffc528924e59aa5c4f8

SHA512
805a4a53f0425e9083499d95793cb1c6aa590d8bdc2603c7562714198bd968e194f220e56c33633fb65dcb4881877339428fe9166ceb48a3035ddf469fe4d843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\_ctypes.pyd

Filesize
114KB

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\_lzma.pyd

Filesize
158KB

MD5
a8b44e968ad48a7931e6121ce8b7ebf3

SHA1
26ea3b101f72c9e1ef376e9339a309cf62c662ca

SHA256
49a7db86b3b500a5d45c6c6c97a7d019f6e44c8b862d24fa4347e4e0aa06c5e1

SHA512
7b0ff7c257d5b5d658b4dcee3ee6e1aab83d11cc0fe8159685a9a9cb301a91e9071d3951ec64a879eb7ff81228f1ae70a75c88a9e481a5d00f17fdc73389ca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\_socket.pyd

Filesize
69KB

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\base_library.zip

Filesize
781KB

MD5
29ed38d37f51d143ce49e29460f22cb5

SHA1
4c0fd208b88ce7ac66497c966e8a049e5daa383c

SHA256
3377e3349f83ee34f1aca1244951580d675ba57b886a7c71781b67e8fd2a0b70

SHA512
5c4e6b75fa01e6ae3f936393c069394ea2c9ca153061dff61b8c11b83be1339ed73b4a2653c347580217e094b60a6a10a7c909384bc92d8b0844ba7037a79cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\python39.dll

Filesize
4.3MB

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\pytransform.pyd

Filesize
1.2MB

MD5
17c338f19037c2ff5c8b6e34a7710985

SHA1
362f14d39ba2518ad50970eddfd0f9f12ea97f84

SHA256
3e6988e591bdd8a67006d458e8a58fa7eb3ab212437bf00917b38b9ac4d492ea

SHA512
7aab66b9edfd26dd883fbc52c158410e7826234a7272371769c6a5542dd1b9eb135a8cad43f895f0af31b59705fbcbbd0551196bab8ba59f01a80b72415ab4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\select.pyd

Filesize
24KB

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI22042\tinyaes.cp39-win32.pyd

Filesize
30KB

MD5
8c4a64f321707eac9ac3501199801460

SHA1
eef5ce1e30b6e5b72794609c8244b7500f03486f

SHA256
700a523d573d040566935b7e60b086d21edfbc537cc562e1e6041cc9bd72edd4

SHA512
1a01a355d23381b745bdaa1c9e2162b8a028fc31cf3ccca128e2be17a5ceda6c44efe298789c00a5cdc8498f5d83a380a83022bcaaeb9dcd46219fcb15f4cfe3

Download Submit
memory/3612-118-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-80-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-140-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-138-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-136-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-134-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-132-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-78-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-77-0x0000000003940000-0x0000000003941000-memory.dmp

Filesize
4KB

Download
memory/3612-82-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-84-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-86-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-88-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-92-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-94-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-96-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-98-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-100-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-102-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-104-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-106-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-108-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-110-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-112-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-114-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-116-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-122-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-124-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-126-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-128-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-130-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-120-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download
memory/3612-90-0x0000000003950000-0x0000000003951000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads