Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2024 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score
10/10
phorphiexquasarvidarxmrigxworme0c99e9ff0b95355e8ec19c548ab0f83office04credential_accessdiscoveryevasionexecutionloaderminerpersistenceratspywarestealertrojanupxworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://91.202.233.141/
Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd
Attributes
  • mutex

    l9ll8dd6x

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

Attributes
  • install_file

    USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.100.18:4782

Mutex

2cbe985c-9a4f-4f1f-a761-cd05d5feff4b

Attributes
  • encryption_key

    9493303F9F1D303190787B3D987F2DCB2BAF3CFD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

vidar

Version

10.6

Botnet

e0c99e9ff0b95355e8ec19c548ab0f83

C2

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a
Attributes
  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Signatures

  • Detect Vidar Stealer 1 IoCs
    stealer
  • Detect Xworm Payload 2 IoCs
  • Phorphiex family
    phorphiex
  • Phorphiex payload 3 IoCs
  • Phorphiex, Phorpiex

    Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar family
    vidar
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • Xmrig family
    xmrig
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 27 IoCs
  • Loads dropped DLL 45 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe 29 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies system certificate store 2 TTPs 16 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
        "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2356
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              5⤵
              • Drops file in Windows directory
              PID:2608
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            4⤵
            • Launches sc.exe
            PID:2088
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            4⤵
            • Launches sc.exe
            PID:696
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            4⤵
            • Launches sc.exe
            PID:2108
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            4⤵
            • Launches sc.exe
            PID:3012
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            4⤵
            • Launches sc.exe
            PID:300
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe delete "WindowsUpdate"
            4⤵
            • Launches sc.exe
            PID:1504
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
            4⤵
            • Launches sc.exe
            PID:2808
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop eventlog
            4⤵
            • Launches sc.exe
            PID:2648
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start "WindowsUpdate"
            4⤵
            • Launches sc.exe
            PID:2528
        • C:\Users\Admin\AppData\Local\Temp\Files\m.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\sysvplervcs.exe
            C:\Windows\sysvplervcs.exe
            4⤵
            • Windows security bypass
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:544
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2020
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1428
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1040
              • C:\Windows\SysWOW64\sc.exe
                sc stop UsoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1956
              • C:\Windows\SysWOW64\sc.exe
                sc stop WaaSMedicSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1240
              • C:\Windows\SysWOW64\sc.exe
                sc stop wuauserv
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1940
              • C:\Windows\SysWOW64\sc.exe
                sc stop DoSvc
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1896
              • C:\Windows\SysWOW64\sc.exe
                sc stop BITS /wait
                6⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1828
        • C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2380
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 652
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:2924
        • C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:684
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 216
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:740
        • C:\Users\Admin\AppData\Local\Temp\Files\KinaruSogui.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\KinaruSogui.exe"
          3⤵
          • Executes dropped EXE
          PID:1764
        • C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2852
        • C:\Users\Admin\AppData\Local\Temp\Files\client.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1876
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2320
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2848
        • C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1616
          • C:\Users\Admin\AppData\Local\Temp\1804424022.exe
            C:\Users\Admin\AppData\Local\Temp\1804424022.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2620
            • C:\Windows\sysppvrdnvs.exe
              C:\Windows\sysppvrdnvs.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: SetClipboardViewer
              PID:1084
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1680
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2424
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1660
                • C:\Windows\SysWOW64\sc.exe
                  sc stop UsoSvc
                  7⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1408
                • C:\Windows\SysWOW64\sc.exe
                  sc stop WaaSMedicSvc
                  7⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1276
                • C:\Windows\SysWOW64\sc.exe
                  sc stop wuauserv
                  7⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2208
                • C:\Windows\SysWOW64\sc.exe
                  sc stop DoSvc
                  7⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1516
                • C:\Windows\SysWOW64\sc.exe
                  sc stop BITS /wait
                  7⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2932
              • C:\Users\Admin\AppData\Local\Temp\1887130316.exe
                C:\Users\Admin\AppData\Local\Temp\1887130316.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2784
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                  7⤵
                    PID:308
                    • C:\Windows\system32\reg.exe
                      reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                      8⤵
                        PID:2416
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
                      7⤵
                        PID:2036
                        • C:\Windows\system32\schtasks.exe
                          schtasks /delete /f /tn "Windows Upgrade Manager"
                          8⤵
                            PID:1696
                      • C:\Users\Admin\AppData\Local\Temp\2466721592.exe
                        C:\Users\Admin\AppData\Local\Temp\2466721592.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2652
                      • C:\Users\Admin\AppData\Local\Temp\3314013228.exe
                        C:\Users\Admin\AppData\Local\Temp\3314013228.exe
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:3024
                        • C:\Users\Admin\AppData\Local\Temp\1619239294.exe
                          C:\Users\Admin\AppData\Local\Temp\1619239294.exe
                          7⤵
                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                          • Executes dropped EXE
                          PID:2220
                      • C:\Users\Admin\AppData\Local\Temp\143034557.exe
                        C:\Users\Admin\AppData\Local\Temp\143034557.exe
                        6⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:580
                • C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-24_23-16.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-24_23-16.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Checks processor information in registry
                  • Modifies system certificate store
                  PID:824
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-24_23-16.exe" & rd /s /q "C:\ProgramData\JKEGHDGHCGHD" & exit
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:296
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout /t 10
                      5⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:2236
                • C:\Users\Admin\AppData\Local\Temp\Files\WaveWindows.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\WaveWindows.exe"
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1184
                • C:\Users\Admin\AppData\Local\Temp\Files\Meeting.sfx.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\Meeting.sfx.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2112
                  • C:\Users\Admin\AppData\Local\Temp\Files\Meeting.exe
                    "C:\Users\Admin\AppData\Local\Temp\Files\Meeting.exe"
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:2216
                • C:\Users\Admin\AppData\Local\Temp\Files\o.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
                  3⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:872
                  • C:\Windows\sysklnorbcv.exe
                    C:\Windows\sysklnorbcv.exe
                    4⤵
                    • Windows security bypass
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Windows security modification
                    • System Location Discovery: System Language Discovery
                    PID:924
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:1640
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                        6⤵
                        • Command and Scripting Interpreter: PowerShell
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:572
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:2040
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:268
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2700
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop wuauserv
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:1948
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop DoSvc
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:992
                      • C:\Windows\SysWOW64\sc.exe
                        sc stop BITS
                        6⤵
                        • Launches sc.exe
                        • System Location Discovery: System Language Discovery
                        PID:2720
                    • C:\Users\Admin\AppData\Local\Temp\2249329748.exe
                      C:\Users\Admin\AppData\Local\Temp\2249329748.exe
                      5⤵
                      • Executes dropped EXE
                      PID:2836
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
                        6⤵
                          PID:308
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
                  2⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:880
                  • C:\Windows\system32\schtasks.exe
                    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
                    3⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:344
                • C:\Windows\System32\schtasks.exe
                  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
                  2⤵
                    PID:2964
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
                    2⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2796
                    • C:\Windows\system32\schtasks.exe
                      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2816
                  • C:\Windows\System32\conhost.exe
                    C:\Windows\System32\conhost.exe
                    2⤵
                      PID:3060
                    • C:\Windows\System32\dwm.exe
                      C:\Windows\System32\dwm.exe
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1512
                  • C:\ProgramData\Windows11\Updater.exe
                    C:\ProgramData\Windows11\Updater.exe
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2836
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                      2⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2852
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2720
                      • C:\Windows\system32\wusa.exe
                        wusa /uninstall /kb:890830 /quiet /norestart
                        3⤵
                        • Drops file in Windows directory
                        PID:2588
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop UsoSvc
                      2⤵
                      • Launches sc.exe
                      PID:2520
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop WaaSMedicSvc
                      2⤵
                      • Launches sc.exe
                      PID:2596
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop wuauserv
                      2⤵
                      • Launches sc.exe
                      PID:2472
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop bits
                      2⤵
                      • Launches sc.exe
                      PID:2192
                    • C:\Windows\system32\sc.exe
                      C:\Windows\system32\sc.exe stop dosvc
                      2⤵
                      • Launches sc.exe
                      PID:336
                    • C:\Windows\system32\conhost.exe
                      C:\Windows\system32\conhost.exe
                      2⤵
                        PID:604
                      • C:\Windows\system32\svchost.exe
                        svchost.exe
                        2⤵
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2832
                    • C:\Windows\SysWOW64\DllHost.exe
                      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
                      1⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:2788
                    • C:\Windows\system32\taskeng.exe
                      taskeng.exe {8CB713DD-34A4-4CD1-8279-6CB27332F217} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
                      1⤵
                      • Loads dropped DLL
                      PID:2440
                      • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
                        "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
                        2⤵
                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:2224

                    Network

                    MITRE ATT&CK Enterprise v15

                    Reconnaissance

                    Resource Development

                    Initial Access

                    Execution

                    Command and Scripting Interpreter

                    1
                    T1059

                    PowerShell

                    1
                    T1059.001

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    System Services

                    2
                    T1569

                    Service Execution

                    2
                    T1569.002

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Create or Modify System Process

                    2
                    T1543

                    Windows Service

                    2
                    T1543.003

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Create or Modify System Process

                    2
                    T1543

                    Windows Service

                    2
                    T1543.003

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Defense Evasion

                    Impair Defenses

                    3
                    T1562

                    Disable or Modify Tools

                    2
                    T1562.001

                    Modify Registry

                    5
                    T1112

                    Subvert Trust Controls

                    1
                    T1553

                    Install Root Certificate

                    1
                    T1553.004

                    Credential Access

                    Unsecured Credentials

                    2
                    T1552

                    Credentials In Files

                    2
                    T1552.001

                    Discovery

                    Query Registry

                    3
                    T1012

                    System Information Discovery

                    2
                    T1082

                    System Location Discovery

                    1
                    T1614

                    System Language Discovery

                    1
                    T1614.001

                    Lateral Movement

                    Collection

                    Data from Local System

                    1
                    T1005

                    Command and Control

                    Web Service

                    1
                    T1102

                    Exfiltration

                    Impact

                    Service Stop

                    1
                    T1489

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      9c22fa67c78244d2c72de91fc728296d

                      SHA1

                      ccc458d528d049c26a42eb78d7d491e361a2a9f5

                      SHA256

                      52bd0fac14cd7b74d6ba245a00616e5a2dfff52bdc6a0291b89cb9fd351ac994

                      SHA512

                      c26528ead6d8342b86dd8d2ec45aae2814c0af6ef808d49d3ed349c9655e5be62c768b5d0bdc94e3a05e942fcf17b0705e85835c9c6ad382ee8c3588c565030c

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      c68a3bc9e061416bedc2b65456fe893e

                      SHA1

                      2fa2980997d316de2d12502c819fd7a6b5bede98

                      SHA256

                      d724e1fa3ac7f8fc880aac680a8eb5fe60967bcd5ba2a8a31e09824dd7715a46

                      SHA512

                      cbac49db52b39d3247243aa69512c33072513863f1a653cdb92353bf6ced431330ddd601f322fa3e23591b7a999ae7e62f0f68df85f831d64cca1ecff17b9e8a

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      bd15fb04a0f008f6fe85daffbdb351c0

                      SHA1

                      36420e031793bcaa7eed87e44356709fffef463a

                      SHA256

                      fe1dccbc454f103de9e4bbbc600c153310d78c39595bd9161da98856393e35e9

                      SHA512

                      6194875d543f2b63f6c11a615723fdd4cbc2f8bfc924a7d72a02472d489882ed0261b9ce9e4a283fa1ea07cc021097a40c12b31766b95394ca218a7b945b966d

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                      Filesize

                      342B

                      MD5

                      707c8d3f6338e4906350bea4bf247366

                      SHA1

                      51c4d480deb61742872bdee800ef803d980cc1db

                      SHA256

                      bd193b98b42099b1a2534467bb41120dd412e0f2bf14ec805ee5e7798d7c6353

                      SHA512

                      14371610189380121daa7618a9930b9ab1c6c3d91b8d97914b73e080c3cbcd4b01579b0ac86f308188e255105afde49d83ff40f8a0a77fcf41a87e7dbf9e366b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1804424022.exe
                      Filesize

                      83KB

                      MD5

                      06560b5e92d704395bc6dae58bc7e794

                      SHA1

                      fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

                      SHA256

                      9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

                      SHA512

                      b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1887130316.exe
                      Filesize

                      8KB

                      MD5

                      cb8420e681f68db1bad5ed24e7b22114

                      SHA1

                      416fc65d538d3622f5ca71c667a11df88a927c31

                      SHA256

                      5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

                      SHA512

                      baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\201126761.exe
                      Filesize

                      108KB

                      MD5

                      1fcb78fb6cf9720e9d9494c42142d885

                      SHA1

                      fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

                      SHA256

                      84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

                      SHA512

                      cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Cab510F.tmp
                      Filesize

                      70KB

                      MD5

                      49aebf8cbd62d92ac215b2923fb1b9f5

                      SHA1

                      1723be06719828dda65ad804298d0431f6aff976

                      SHA256

                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                      SHA512

                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Files\Meeting.exe
                      Filesize

                      72KB

                      MD5

                      1ebcc328f7d1da17041835b0a960e1fa

                      SHA1

                      adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c

                      SHA256

                      6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a

                      SHA512

                      0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Files\build_2024-07-24_23-16.exe
                      Filesize

                      202KB

                      MD5

                      72bcb9136fde10fdddfaa593f2cdfe42

                      SHA1

                      17ef3b622d8a1c0cb0b4c0f2a41fdd1b4ac776dc

                      SHA256

                      bb38168a3222858c6b499dfceec3e3dc9055777b91869dbece107c241d97c436

                      SHA512

                      12f08e357049fdfcdd7dfe272d34b33926695383f201ba36041c3023872fe8679234668318244c2b91df95c65ec4a78c4fc4df651ffb061962c9732b0818cb06

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe
                      Filesize

                      59KB

                      MD5

                      704fc6581ce5b91c95110ba5607ff535

                      SHA1

                      f06dda23fab99f10435c4c9ca148b2b4950830e0

                      SHA256

                      eb243f6a889dc5af392ca649256cd8f5643e073e30fd3e7b26704e61ace4e97c

                      SHA512

                      6420fb2e93bba35924f262b8d4036ec5101626d1b3fcb1cfc3093791dd8ad770fd16e1b3ce47e877d0d1c93289f2245a808829bc690e6307c65ac63ca99acfd4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Files\o.exe
                      Filesize

                      84KB

                      MD5

                      a775d164cf76e9a9ff6afd7eb1e3ab2e

                      SHA1

                      0b390cd5a44a64296b592360b6b74ac66fb26026

                      SHA256

                      794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

                      SHA512

                      80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
                      Filesize

                      9KB

                      MD5

                      8d8e6c7952a9dc7c0c73911c4dbc5518

                      SHA1

                      9098da03b33b2c822065b49d5220359c275d5e94

                      SHA256

                      feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

                      SHA512

                      91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Tar5121.tmp
                      Filesize

                      181KB

                      MD5

                      4ea6026cf93ec6338144661bf1202cd1

                      SHA1

                      a1dec9044f750ad887935a01430bf49322fbdcb7

                      SHA256

                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                      SHA512

                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BYTWYX74TV4V5GZGRUZX.temp
                      Filesize

                      7KB

                      MD5

                      1d56ae2d77032fdd2638068e75e19457

                      SHA1

                      f73c71ad1a4570a0acb931e11081e9575e642790

                      SHA256

                      c6b011ca565530088cfc21032c59c521c65e2b424b34a002bedc0a41f7983adc

                      SHA512

                      a4c98867886394dc0ea786fa67fab3fcc56cd92d303c4434984752318cd25f174d605e2be09fc3205585c30ae6c9cb7a135b051e91c5e1060f7de383beaea9a3

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZFULOBYA17Q6SIFRZM6I.temp
                      Filesize

                      7KB

                      MD5

                      e1bee5d5b4b210515f9913e650adb41b

                      SHA1

                      9702acf11c171940bb7c6e9f4da2c0110d66a2ab

                      SHA256

                      99dc1ad5ed14f1c598a4ca8bf2e9dab62e3d0e8c4b5cd238c6d66fa5357c0380

                      SHA512

                      232e7f8d5ac7b9c62c72a6ada25fafd8b6c498b30c2f5710d5b1b9599b71f8204d5f112521a6c4ac2d71af28ce0e452afa465507a44bbb21ebdd7885739d4de9

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                      Filesize

                      7KB

                      MD5

                      26815966c7347139e1d8fb70ea8d9379

                      SHA1

                      85161481ceb4ed12a95e6ff62e72bce800c3715e

                      SHA256

                      68f5244cf65a2e903ae40630def44f453b8a1831949aa2e8a1257d3784e19513

                      SHA512

                      408625fcd35f8b507688d8b30df9528491abb7ed5d6154792d462376aad41143548f8dfd44f41f5fa8304af3530483ab2b22d25642993ad4bbfc1dbb103088d0

                      Download Submit

                    • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
                      Filesize

                      5.6MB

                      MD5

                      13b26b2c7048a92d6a843c1302618fad

                      SHA1

                      89c2dfc01ac12ef2704c7669844ec69f1700c1ca

                      SHA256

                      1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

                      SHA512

                      d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\2466721592.exe
                      Filesize

                      15KB

                      MD5

                      0c37ee292fec32dba0420e6c94224e28

                      SHA1

                      012cbdddaddab319a4b3ae2968b42950e929c46b

                      SHA256

                      981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

                      SHA512

                      2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
                      Filesize

                      268KB

                      MD5

                      de45ebaf10bc27d47eb80a485d7b59f2

                      SHA1

                      ba534af149081e0d1b8f153287cd461dd3671ffd

                      SHA256

                      a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

                      SHA512

                      9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\KinaruSogui.exe
                      Filesize

                      702KB

                      MD5

                      5620e8e392c93a59e061ccdcc17896f9

                      SHA1

                      f73660ca09c967876e9ab88801f5231e84aba8ef

                      SHA256

                      bf7c5cf5ee017f8cb3df960d8be7bdad302bda9d2556d913d8c39c2766f5177a

                      SHA512

                      d03c7cf0a2a1581d52a89ee2cdc453fb712e32704864e1a4f4800f16e57ba37df43ccf01332a88d704ba997be4c4480a881d7c87ef788c1b42aef71bbf04f5c9

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe
                      Filesize

                      3.3MB

                      MD5

                      2bc7b5aee353a5df2817cadbf80e2909

                      SHA1

                      d97fbd5f88b3bff36cbdd0e522d32711d2e15a6d

                      SHA256

                      cae0cb2fa4321ec1b70bb7c3493171fc5e08c58c19aad829a6c09e6930efb27e

                      SHA512

                      60c77e6a91dbcb41dc8260ce1faf877027c110d16343a15e18746ff3a44fb631a46619d58fa3d0cf5ba5680bb19a6fe60635445a52814caa42b1971cf62395d8

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe
                      Filesize

                      2.6MB

                      MD5

                      61d3abff46a6bd2946925542c7d30397

                      SHA1

                      1fed80a136e67a5b7b6846010a5853400886ee9c

                      SHA256

                      b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

                      SHA512

                      e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\client.exe
                      Filesize

                      3.1MB

                      MD5

                      29de30606fa3cd9024d87066016d0351

                      SHA1

                      32af15b435a5f26655947612fe30da89b5a29370

                      SHA256

                      56a35f9bcb582449d44a4bed4fa36dcb140f04961f0f1fec1d96385569f72cac

                      SHA512

                      6fbe73cddab8a943d1ce060da1a3d26832616aefad76fe3b1dbd71991e4412a591133aee34df6a467a15acce8c587ea1420ca2f0dc4c8c77d54b8712a00a9355

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\Files\m.exe
                      Filesize

                      96KB

                      MD5

                      930c41bc0c20865af61a95bcf0c3b289

                      SHA1

                      cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

                      SHA256

                      1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

                      SHA512

                      fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

                      Download Submit

                    • memory/604-257-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/604-256-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/604-258-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/604-255-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/604-259-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/604-262-0x0000000140000000-0x000000014000E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/824-523-0x0000000000400000-0x0000000000643000-memory.dmp

                      Filesize

                      2.3MB

                      Download

                    • memory/880-614-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/880-615-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1184-552-0x0000000000B60000-0x0000000000B68000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1184-548-0x00000000051A0000-0x0000000005216000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/1184-543-0x0000000005080000-0x0000000005132000-memory.dmp

                      Filesize

                      712KB

                      Download

                    • memory/1184-544-0x0000000000640000-0x00000000006E0000-memory.dmp

                      Filesize

                      640KB

                      Download

                    • memory/1184-545-0x0000000000210000-0x0000000000218000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1184-546-0x00000000003E0000-0x00000000003E8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1184-547-0x0000000000490000-0x000000000049A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/1184-542-0x00000000012D0000-0x0000000001AD2000-memory.dmp

                      Filesize

                      8.0MB

                      Download

                    • memory/1184-549-0x00000000004A0000-0x00000000004AA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/1184-550-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/1184-551-0x0000000001290000-0x00000000012B6000-memory.dmp

                      Filesize

                      152KB

                      Download

                    • memory/1184-554-0x0000000000D40000-0x0000000000D56000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/1184-557-0x0000000005020000-0x000000000502A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/1512-636-0x0000000140000000-0x00000001407EF000-memory.dmp

                      Filesize

                      7.9MB

                      Download

                    • memory/1592-247-0x0000000001E20000-0x0000000001E28000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/1592-246-0x000000001B480000-0x000000001B762000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/1764-432-0x0000000000250000-0x0000000000306000-memory.dmp

                      Filesize

                      728KB

                      Download

                    • memory/2076-0-0x00000000741DE000-0x00000000741DF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2076-1-0x0000000000830000-0x0000000000838000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2076-58-0x00000000741D0000-0x00000000748BE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/2076-57-0x00000000741DE000-0x00000000741DF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2076-2-0x00000000741D0000-0x00000000748BE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/2112-594-0x00000000036B0000-0x00000000036B2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2192-439-0x0000000000970000-0x0000000000C94000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2220-617-0x000000013FE30000-0x00000001403C7000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/2224-634-0x000000013F440000-0x000000013F9D7000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/2320-445-0x0000000000BD0000-0x0000000000EF4000-memory.dmp

                      Filesize

                      3.1MB

                      Download

                    • memory/2380-292-0x000000000B220000-0x000000000C0B8000-memory.dmp

                      Filesize

                      14.6MB

                      Download

                    • memory/2380-291-0x0000000001030000-0x0000000001378000-memory.dmp

                      Filesize

                      3.3MB

                      Download

                    • memory/2784-520-0x000000013FED0000-0x000000013FED6000-memory.dmp

                      Filesize

                      24KB

                      Download

                    • memory/2788-595-0x00000000000C0000-0x00000000000C2000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2796-629-0x0000000001F00000-0x0000000001F08000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2796-628-0x000000001B680000-0x000000001B962000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2832-278-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-279-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-271-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-272-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-267-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-265-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-283-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-266-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-273-0x0000000000250000-0x0000000000270000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/2832-282-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-270-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-275-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-276-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-269-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2832-277-0x0000000140000000-0x0000000140848000-memory.dmp

                      Filesize

                      8.3MB

                      Download

                    • memory/2836-649-0x000000013F3F0000-0x000000013F3F6000-memory.dmp

                      Filesize

                      24KB

                      Download

                    • memory/2852-253-0x0000000019E80000-0x000000001A162000-memory.dmp

                      Filesize

                      2.9MB

                      Download

                    • memory/2852-254-0x0000000000920000-0x0000000000928000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2852-431-0x00000000011D0000-0x00000000011E6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3060-635-0x0000000140000000-0x0000000140029000-memory.dmp

                      Filesize

                      164KB

                      Download