7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Size

1.8MB
MD5

f459a1531f07ce212119cf022161b60b
SHA1

60c19230829b1fc4b6dee0fc90172417b3fb864a
SHA256

7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332
SHA512

b6ebb2ab4f6cc2ba14bd71c0b5e4508fc93cc951520d40655128e43684637a72dc7a77637b7929a6d59043c18e027ae7da73f2285ef8e8e588cd9956491edc98
SSDEEP

24576:4hvO86HNJck3aKoH5xFBl006Wq59hT6/qinUVEXa+YqxRbw4mMNtJl5E+29wjqqT:EUmPWNF5f6OXoxWINthjmq

Score

10^/10

discovery execution persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Medal\\dwm.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\Medal\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2972	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2972	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
1928	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\dwm.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\AppData\\Local\\Medal\\dwm.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe\""	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8EB5C26C576F47C7ACE6462A716AAC3.TMP	csc.exe
File created	\??\c:\Windows\System32\xwad3e.exe	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1992	PING.EXE
2140	PING.EXE
1524	PING.EXE
2816	PING.EXE
1352	PING.EXE
468	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1352	PING.EXE
468	PING.EXE
1992	PING.EXE
2140	PING.EXE
1524	PING.EXE
2816	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe
2108	schtasks.exe
2776	schtasks.exe
2604	schtasks.exe
2676	schtasks.exe
2704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
1928	powershell.exe
2700	powershell.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1036	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1536	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	984	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2832	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2144	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2952	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2128	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	2532	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1704	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
Token: SeDebugPrivilege	1536	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1940	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	35
PID 2712 wrote to memory of 1940	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	35
PID 2712 wrote to memory of 1940	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	35
PID 1940 wrote to memory of 1316	1940	csc.exe	37
PID 1940 wrote to memory of 1316	1940	csc.exe	37
PID 1940 wrote to memory of 1316	1940	csc.exe	37
PID 2712 wrote to memory of 2700	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	41
PID 2712 wrote to memory of 2700	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	41
PID 2712 wrote to memory of 2700	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	41
PID 2712 wrote to memory of 1928	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	42
PID 2712 wrote to memory of 1928	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	42
PID 2712 wrote to memory of 1928	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	42
PID 2712 wrote to memory of 1612	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	45
PID 2712 wrote to memory of 1612	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	45
PID 2712 wrote to memory of 1612	2712	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	45
PID 1612 wrote to memory of 2672	1612	cmd.exe	47
PID 1612 wrote to memory of 2672	1612	cmd.exe	47
PID 1612 wrote to memory of 2672	1612	cmd.exe	47
PID 1612 wrote to memory of 2240	1612	cmd.exe	48
PID 1612 wrote to memory of 2240	1612	cmd.exe	48
PID 1612 wrote to memory of 2240	1612	cmd.exe	48
PID 1612 wrote to memory of 344	1612	cmd.exe	49
PID 1612 wrote to memory of 344	1612	cmd.exe	49
PID 1612 wrote to memory of 344	1612	cmd.exe	49
PID 344 wrote to memory of 2084	344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	50
PID 344 wrote to memory of 2084	344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	50
PID 344 wrote to memory of 2084	344	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	50
PID 2084 wrote to memory of 2312	2084	cmd.exe	52
PID 2084 wrote to memory of 2312	2084	cmd.exe	52
PID 2084 wrote to memory of 2312	2084	cmd.exe	52
PID 2084 wrote to memory of 1992	2084	cmd.exe	53
PID 2084 wrote to memory of 1992	2084	cmd.exe	53
PID 2084 wrote to memory of 1992	2084	cmd.exe	53
PID 2084 wrote to memory of 1036	2084	cmd.exe	54
PID 2084 wrote to memory of 1036	2084	cmd.exe	54
PID 2084 wrote to memory of 1036	2084	cmd.exe	54
PID 1036 wrote to memory of 1596	1036	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	55
PID 1036 wrote to memory of 1596	1036	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	55
PID 1036 wrote to memory of 1596	1036	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	55
PID 1596 wrote to memory of 1752	1596	cmd.exe	57
PID 1596 wrote to memory of 1752	1596	cmd.exe	57
PID 1596 wrote to memory of 1752	1596	cmd.exe	57
PID 1596 wrote to memory of 832	1596	cmd.exe	58
PID 1596 wrote to memory of 832	1596	cmd.exe	58
PID 1596 wrote to memory of 832	1596	cmd.exe	58
PID 1596 wrote to memory of 1536	1596	cmd.exe	59
PID 1596 wrote to memory of 1536	1596	cmd.exe	59
PID 1596 wrote to memory of 1536	1596	cmd.exe	59
PID 1536 wrote to memory of 872	1536	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	60
PID 1536 wrote to memory of 872	1536	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	60
PID 1536 wrote to memory of 872	1536	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	60
PID 872 wrote to memory of 2052	872	cmd.exe	62
PID 872 wrote to memory of 2052	872	cmd.exe	62
PID 872 wrote to memory of 2052	872	cmd.exe	62
PID 872 wrote to memory of 2140	872	cmd.exe	63
PID 872 wrote to memory of 2140	872	cmd.exe	63
PID 872 wrote to memory of 2140	872	cmd.exe	63
PID 872 wrote to memory of 984	872	cmd.exe	64
PID 872 wrote to memory of 984	872	cmd.exe	64
PID 872 wrote to memory of 984	872	cmd.exe	64
PID 984 wrote to memory of 2364	984	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	65
PID 984 wrote to memory of 2364	984	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	65
PID 984 wrote to memory of 2364	984	7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe	65
PID 2364 wrote to memory of 3012	2364	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
"C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oiwftegu\oiwftegu.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3A2.tmp" "c:\Windows\System32\CSC8EB5C26C576F47C7ACE6462A716AAC3.TMP"
    3⤵
    PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Medal\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\glibu2iVWw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2672
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
    "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:344
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2312
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat"
        12⤵
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat"
        14⤵
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat"
        16⤵
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qlEmwzstBs.bat"
        18⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        20⤵
        
        PID:1076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat"
        22⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat"
        24⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Medal\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Medal\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Medal\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d43787783327" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d43787783327" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\7fdd6a81a4ef7bd5a4c04351d3e0149ad830bb1168f93101d4c95d4378778332.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\336zK5Rer1.bat

Filesize
278B

MD5
7a71e9f187596abd3f8b38e3a5b741e2

SHA1
b75dd5ffb66072b30dae8b40fba5cd358e651e16

SHA256
f93a26b5f803c6ae67a19e89a7077bd2808bfe0956093b33e5f16234a1ccc0df

SHA512
32db5f86819cb0f58e9a69a1727dc28e6d0cfa88616fca7391c4e8b50e27d661ba4df672dbeb9b90a7f1b1c11ad76a76901e986bb53aa50ecf4dda73164bdc97

Download Submit
C:\Users\Admin\AppData\Local\Temp\4U0fcSq6WH.bat

Filesize
230B

MD5
00d87fc25c9120e72d48f6d05dc7e171

SHA1
a48beaf811e09064bb3eb083d1bd81e0e041568a

SHA256
470fc47663f38709b87aa5da68b273f0cc01771ba71a846f52744b15eaa0bb0a

SHA512
5be2403b739d9cde475739be86bdf2e717a46e27740bc59971d9c8e5f23e78a5efc6e38f106539cdf09bf499dfaf2c67414b65dbcc1264314edc5c78da6d486e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat

Filesize
230B

MD5
970a492b39e0b29dd7b503f15d16a45f

SHA1
31eefb7e458d5661069c0c391848f15568853dfd

SHA256
36e05184cbd618d09b704c3fe7ddc574cb1e2f45ef6d6684d404a6b4307e9e4f

SHA512
10533d24bf199fb8b9bce8e911cc3d94711ce6288ab1e74735d7b87c0309f77ee452fedf9de3090c42dd17e310b25c92fbeb65cc5b0b365621f7b6d86153c886

Download Submit
C:\Users\Admin\AppData\Local\Temp\7laNmMQDQm.bat

Filesize
230B

MD5
b1a4e1ed0fdf8aecb48346ee3a551468

SHA1
9aff111f2cde02532377cda1fb79f6edd77e588a

SHA256
8ef1582a1b42039aeba71118fd244d41832d0cceb135108963d32b2d67b25b13

SHA512
6cb7c1fe949423d9bb7bf91e9fbbc312b4ba6cee01a31e9c1eb1e3afe39ef02634e2280c3f2b27a77398cc106debda84fdbf28e7a183db064ede719f11285998

Download Submit
C:\Users\Admin\AppData\Local\Temp\81mmE0Ljqu.bat

Filesize
230B

MD5
9baefab6188e45dd59191fceec209305

SHA1
673b888c68898df2e842935c7e3d6995394173fd

SHA256
54a36f79f0be7df24425267fbfa3ce981432ec36e38db0aee8b8c1e5b3c4d459

SHA512
2df850fa40888b1c484ddd64ad4d614c7bf9e115d583a16471a4c2d8171d483624a47944dbf9d8f3464aac3e3a45c3673d024296e57c67fa86822ed7185f336d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Phxc9FejmL.bat

Filesize
278B

MD5
5383edde5712d5e0fb2b286d21a30ffd

SHA1
37a92ec62caee14962445b2d8ed2c394ad9f487f

SHA256
99404fb0b85e7d75fa8839aad1af78ae2f6e7c7c037ce0089020a200ee5ad0e1

SHA512
476cebf2f16392d5eddcc7990b6c7e70934c2670e09ba8984f6e0920279afd920d5ce53b66b956c8901f7a1c79d53f59fb4cccb20ecf9869603ab65c4cb11651

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF3A2.tmp

Filesize
1KB

MD5
bd51712d70fa113f9a19aa5ace6d733e

SHA1
136c54e4ddcbe4d00c3e7b6578ae0bde6d72c707

SHA256
fc6e139ed6c62d979372ec0e911e8ea1d6f0e8481ee70dfa9c6a321523ad181c

SHA512
2dbb3907be305393306009ad66c0591bfa87be3e155e542fc411fdb0e5a72b9331385ad461f7df110d53c64296dd10e5e527fd74ba126acbda8310a4c9693fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aocknmtqfY.bat

Filesize
230B

MD5
9ad40b149eb1dc5fd560427fbc44c81e

SHA1
bcedb4ee6729090933b8aafdbf7f9d192f6c8a35

SHA256
52f498794780d50e9f33ef2e0ccce7b7e47253f87963c9e50712153c3fb3c0ea

SHA512
9ab1414478f95667f45ea7219fd1006e03d3c1fcc59c063577b170ea2d453b83867ae1030a89a8817303d5cc4f818dfdafd365a890f8b59db41ba51afc926b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
230B

MD5
2f216fd0aaa1cbf4904fbc765bdd267b

SHA1
0e80c8d23a067609e5daca780e81d225e9175466

SHA256
c8de38c5d17417ca8125573d182fd6601d941377f16b41f1fe5005166138caa3

SHA512
8eee64e42deb7a7449ce975b97f7822860f9e90ce0554e03e162262fb5b05630650c4288e05ee0f0b0a6d62a5d705df8bd2d78cc831b3d14abc93c7380b48757

Download Submit
C:\Users\Admin\AppData\Local\Temp\glibu2iVWw.bat

Filesize
278B

MD5
851b05a38068e2ae3566bd655dbf68ce

SHA1
be8e65142fdf156a54d7c5f190bc3449fffefe09

SHA256
9fcf98d185347f69784a5c7e3b622dd7d5fbcb8e79996499edf67913c1a3f106

SHA512
f1b838269a19999d5ca964905bde8ef9b40d8ce4243292b6dbe9620507bbbdbf8193e52227db0291b575e69d4bad68df58eedac80c354b527ce4457780afeb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

Filesize
278B

MD5
9e1c09ad7966a0760dac4e3f78195edf

SHA1
8299357d679cd386fa3177a145e688585d887d32

SHA256
3c3d8f8e9ca8e32f8a91b304adab2326b4ff3baa8db4f8bd4b28380b4ef9a7fb

SHA512
884ac5639db1410d2db15588add71ca688a8536799b43796f7f14b5e6c23dfc6eb651c2462756f319e2c609f02d3e43c006d57ef731722b1a1f1a3091c58eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlEmwzstBs.bat

Filesize
278B

MD5
80e0e91149c88d7b5c89b4b5d23b8aee

SHA1
e9fdf06c4def0a9b173c4aec6ace42e5d38bd68e

SHA256
c175ab4bc4db8d2629011ce008e1c10c2def17520392a1436442723cdddfc6e7

SHA512
ba850f0736b21116d896ec032be487a61411eed3dcc8969235a978474eb1ed38652f57c576011304f62d6420119a9b298839d3e903ffb61b2ec5de43bebd1e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoP5fBU7F9.bat

Filesize
278B

MD5
20e3f82b81163f5be3df4c3f3e3707f5

SHA1
ccbcebeaa0eea55960fbd6842b058624af52cbe7

SHA256
9ba8b1f8572cbec2f3147ddbda4ab5945932372359fbda0ad3b734d96faee050

SHA512
3a19ad940f20cd5398da623feb1c34de023bc2e38efa9f54eb06775c3bd2bbe87e2ca81babc92c5fb4314dc89968ec0b96bf1b447dcf25cf9799be2d749e9ef3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WU82CTPZO3XVSOZEH2MO.temp

Filesize
7KB

MD5
5e7dd2c9daccbb88a3566b5f60289fac

SHA1
d3020e16744007db71b4e8ceae5f7892f2ba697c

SHA256
b8c996aafa4c1d9eb79ac0ac4d151cfc72df00a04c7cbcb5cb51ed2febc4385d

SHA512
2fc0f6901e16ca90d4e53d565fca0d59b9797f63b9e2a74552e01d7b4f61ce72ca7b5cf2b131288ffeedf3639bc31f36663c7c1c9da7320137a28e87f6151d37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiwftegu\oiwftegu.0.cs

Filesize
374B

MD5
735d01630d886b752c1087007e5a8f2d

SHA1
1ffc1dcfefd8f258b253b3f73d89ff752b20b4c1

SHA256
a3fcb23b481c8f7c517eecab8e3c34acd98f1ed72d8339fe12bd7e6533c92d10

SHA512
d59248ddad01dd91ff86232c03cadd4fc5635e1f4177290f476e5b03b72fde83da4bfe0fdc7b1f113cde1cdebf8f6c0fb6bd94f6edfcb2af7fc19aa93d7f346a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oiwftegu\oiwftegu.cmdline

Filesize
235B

MD5
d47fbf4461c2429693d6991f89c9a031

SHA1
6fc9041e584dff5dcfe7e348d7ebd6d9d161f310

SHA256
094bc02d498c3793217addf1b68b505f1d8d199a6bf7c3834d6429be05b23094

SHA512
ac9e46dbef94f6fdd7c0de5ed9f510ff456e12c2fa04cb01b7b2d7c5e1920116411ed24f5ffe528d30e300e871bd451e638fd3edb304b231114cf3837e0368ab

Download Submit
\??\c:\Windows\System32\CSC8EB5C26C576F47C7ACE6462A716AAC3.TMP

Filesize
1KB

MD5
3d2f3f47c36dc04995c17d874f4fcb7c

SHA1
8a1f462548260463a7d173506ef374d7e837d21c

SHA256
3b8d9d9aa24fd8e148c38cb84c7a2beb50ef021bdd45d435e2861b738519f6fa

SHA512
07e4f4ee221e08be2b557b1687a791e93574998e58bd1b7db912ab4521536f4b8ec783918f68ff9d87716814e8df6598a46efeb4d50b82f0b9dc4ae9482e9262

Download Submit
memory/344-49-0x0000000000870000-0x0000000000A4C000-memory.dmp

Filesize
1.9MB

Download
memory/1036-59-0x0000000000040000-0x000000000021C000-memory.dmp

Filesize
1.9MB

Download
memory/1536-70-0x0000000000EC0000-0x000000000109C000-memory.dmp

Filesize
1.9MB

Download
memory/1536-147-0x0000000000EF0000-0x00000000010CC000-memory.dmp

Filesize
1.9MB

Download
memory/1704-136-0x0000000000020000-0x00000000001FC000-memory.dmp

Filesize
1.9MB

Download
memory/1928-42-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1928-40-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-13-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2712-2-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-0-0x000007FEF51D3000-0x000007FEF51D4000-memory.dmp

Filesize
4KB

Download
memory/2712-7-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-48-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-6-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2712-9-0x00000000006B0000-0x00000000006CC000-memory.dmp

Filesize
112KB

Download
memory/2712-3-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-4-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-14-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-1-0x0000000000190000-0x000000000036C000-memory.dmp

Filesize
1.9MB

Download
memory/2712-11-0x0000000002180000-0x0000000002198000-memory.dmp

Filesize
96KB

Download
memory/2712-19-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2712-18-0x000007FEF51D0000-0x000007FEF5BBC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-108-0x0000000001150000-0x000000000132C000-memory.dmp

Filesize
1.9MB

Download