dharma | dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584

Analysis

max time kernel
150s
max time network
36s
platform
windows7_x64
resource
win7v20201028
submitted
14-03-2021 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
Size

380KB
MD5

a1ef511c6b47307948465fe6e1af6997
SHA1

103f8cc1af6581b4be3f606fd86940d632a450d1
SHA256

dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
SHA512

8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email GetDecoding@zimbabwe.su YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: getdecoding@msgsafe.io Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

GetDecoding@zimbabwe.su

getdecoding@msgsafe.io

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

NS2.exewinhost.exe

pid process

1904 NS2.exe
1980 winhost.exe
Deletes itself 1 IoCs

Processes:

winhost.exe

pid process

1980 winhost.exe

pid	process
1904	NS2.exe
1980	winhost.exe

pid	process
1980	winhost.exe

Drops startup file 5 IoCs

Processes:

winhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	winhost.exe

Loads dropped DLL 4 IoCs

Processes:

powershell.exe

pid process

1692 powershell.exe
1692 powershell.exe
1692 powershell.exe
1692 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	winhost.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	winhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

NS2.exe

description ioc process

File opened (read-only) \??\A: NS2.exe
Drops file in System32 directory 2 IoCs

Processes:

winhost.exe

description ioc process

File created C:\Windows\System32\winhost.exe winhost.exe
File created C:\Windows\System32\Info.hta winhost.exe

description	ioc	process
File opened (read-only)	\??\A:	NS2.exe

description	ioc	process
File created	C:\Windows\System32\winhost.exe	winhost.exe
File created	C:\Windows\System32\Info.hta	winhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3FR.LEX	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\System.AddIn.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoCanary.png.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00273_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.ELM.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png	winhost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281630.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_pt-BR.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER32.DLL	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx	winhost.exe
File opened for modification	C:\Program Files\ExportInitialize.tiff	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Thatch.thmx	winhost.exe
File created	C:\Program Files\Java\jre7\bin\zip.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\COIN.WAV.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File created	C:\Program Files\VideoLAN\VLC\NEWS.txt.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Pushpin.thmx.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR35F.GIF	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	winhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)redStateIcon.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06049_.WMF	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF.id-B032E05E.[GetDecoding@zimbabwe.su].get	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF	winhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1088 vssadmin.exe
2076 vssadmin.exe
2504 vssadmin.exe

pid	process
1088	vssadmin.exe
2076	vssadmin.exe
2504	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exewinhost.exe

pid	process
1692	powershell.exe
800	powershell.exe
1980	winhost.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
1980	winhost.exe
1980	winhost.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

powershell.exepowershell.exevssvc.exevssvc.exepowershell.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeIncBasePriorityPrivilege	1692	powershell.exe
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe
Token: SeBackupPrivilege	2540	vssvc.exe
Token: SeRestorePrivilege	2540	vssvc.exe
Token: SeAuditPrivilege	2540	vssvc.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: 33	2080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2080	AUDIODG.EXE
Token: 33	2080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2080	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mshta.exemshta.exe

pid process

2440 mshta.exe
2460 mshta.exe

pid	process
2440	mshta.exe
2460	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exepowershell.execsc.exewinhost.execmd.exeNS2.exepowershell.execmd.exe

description	pid	process	target process
PID 1908 wrote to memory of 1692	1908	dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe	powershell.exe
PID 1908 wrote to memory of 1692	1908	dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe	powershell.exe
PID 1908 wrote to memory of 1692	1908	dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe	powershell.exe
PID 1908 wrote to memory of 1692	1908	dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe	powershell.exe
PID 1692 wrote to memory of 988	1692	powershell.exe	csc.exe
PID 1692 wrote to memory of 988	1692	powershell.exe	csc.exe
PID 1692 wrote to memory of 988	1692	powershell.exe	csc.exe
PID 1692 wrote to memory of 988	1692	powershell.exe	csc.exe
PID 988 wrote to memory of 1140	988	csc.exe	cvtres.exe
PID 988 wrote to memory of 1140	988	csc.exe	cvtres.exe
PID 988 wrote to memory of 1140	988	csc.exe	cvtres.exe
PID 988 wrote to memory of 1140	988	csc.exe	cvtres.exe
PID 1692 wrote to memory of 800	1692	powershell.exe	powershell.exe
PID 1692 wrote to memory of 800	1692	powershell.exe	powershell.exe
PID 1692 wrote to memory of 800	1692	powershell.exe	powershell.exe
PID 1692 wrote to memory of 800	1692	powershell.exe	powershell.exe
PID 1692 wrote to memory of 1904	1692	powershell.exe	NS2.exe
PID 1692 wrote to memory of 1904	1692	powershell.exe	NS2.exe
PID 1692 wrote to memory of 1904	1692	powershell.exe	NS2.exe
PID 1692 wrote to memory of 1904	1692	powershell.exe	NS2.exe
PID 1692 wrote to memory of 1980	1692	powershell.exe	winhost.exe
PID 1692 wrote to memory of 1980	1692	powershell.exe	winhost.exe
PID 1692 wrote to memory of 1980	1692	powershell.exe	winhost.exe
PID 1692 wrote to memory of 1980	1692	powershell.exe	winhost.exe
PID 1980 wrote to memory of 1960	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 1960	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 1960	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 1960	1980	winhost.exe	cmd.exe
PID 1960 wrote to memory of 532	1960	cmd.exe	mode.com
PID 1960 wrote to memory of 532	1960	cmd.exe	mode.com
PID 1960 wrote to memory of 532	1960	cmd.exe	mode.com
PID 1960 wrote to memory of 1088	1960	cmd.exe	vssadmin.exe
PID 1960 wrote to memory of 1088	1960	cmd.exe	vssadmin.exe
PID 1960 wrote to memory of 1088	1960	cmd.exe	vssadmin.exe
PID 1904 wrote to memory of 992	1904	NS2.exe	cmd.exe
PID 1904 wrote to memory of 992	1904	NS2.exe	cmd.exe
PID 1904 wrote to memory of 992	1904	NS2.exe	cmd.exe
PID 1904 wrote to memory of 992	1904	NS2.exe	cmd.exe
PID 800 wrote to memory of 2076	800	powershell.exe	vssadmin.exe
PID 800 wrote to memory of 2076	800	powershell.exe	vssadmin.exe
PID 800 wrote to memory of 2076	800	powershell.exe	vssadmin.exe
PID 800 wrote to memory of 2076	800	powershell.exe	vssadmin.exe
PID 1980 wrote to memory of 2412	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 2412	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 2412	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 2412	1980	winhost.exe	cmd.exe
PID 1980 wrote to memory of 2440	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2440	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2440	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2440	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2460	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2460	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2460	1980	winhost.exe	mshta.exe
PID 1980 wrote to memory of 2460	1980	winhost.exe	mshta.exe
PID 2412 wrote to memory of 2488	2412	cmd.exe	mode.com
PID 2412 wrote to memory of 2488	2412	cmd.exe	mode.com
PID 2412 wrote to memory of 2488	2412	cmd.exe	mode.com
PID 2412 wrote to memory of 2504	2412	cmd.exe	vssadmin.exe
PID 2412 wrote to memory of 2504	2412	cmd.exe	vssadmin.exe
PID 2412 wrote to memory of 2504	2412	cmd.exe	vssadmin.exe
PID 800 wrote to memory of 2868	800	powershell.exe	powershell.exe
PID 800 wrote to memory of 2868	800	powershell.exe	powershell.exe
PID 800 wrote to memory of 2868	800	powershell.exe	powershell.exe
PID 800 wrote to memory of 2868	800	powershell.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
"C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp" "c:\Users\Admin\AppData\Local\Temp\xnezuizs\CSC5565D917140D4A1EB3A045EEA049D494.TMP"
4⤵
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all
4⤵
- Interacts with shadow copies
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Users\Admin\AppData\Local\Temp\NS2.exe
"C:\Users\Admin\AppData\Local\Temp\NS2.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\winhost.exe"
3⤵
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\mode.com
mode con cp select=1251
5⤵
PID:532

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\mode.com
mode con cp select=1251
5⤵
PID:2488

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2504

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2440

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:2460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:3056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
e9b70a6fa817904b13c197eae184c0b9

SHA1
79a9a0b29417e02ad71ea3bf78a3823d5893905f

SHA256
dc2873ca997c4cbd45cab5c3481288b1f72b31b37c40c1a47314a5118e3b2248

SHA512
91ba21e868794745668a4be6328077487643ebd339790ea149625a6acfca57ced282de991647b8da6554aae8c7c607d3042c6a2c727e9adf3eef88ee052e214b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0774aaaf-ad3d-4971-82df-c7b933915fe4
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0774aaaf-ad3d-4971-82df-c7b933915fe4.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
698e6d8be9b1286e7593edf4546cb232

SHA1
5015d194fa5604934848b75578d18fbbf59e4133

SHA256
6772487f62b8d39527150450ff0f95184e6c4313a0dec0a3e5541bc3babc5ae5

SHA512
71f83e0884260f7f6d34b0668757ec7102fd33552cb17261c1b4574c7a2d613e0ded9c316eb873e5cbfca7299dc7f66f89047305cd14dcf1d0e75ec46119a982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_16ed2cf3-dee0-4e54-8c87-93da676734f2
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_16ed2cf3-dee0-4e54-8c87-93da676734f2.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
52c1e0c3de45b2fb2938734799124fd4

SHA1
03c0d6b5076638eda8fda79e28e68f4decdeb03d

SHA256
f16b70fb278ba08ae9309f120eb017b6f3306f83c66fb4226484615d48a54d8e

SHA512
2b981fe93f862573e1f0593958d7f0de61f0ae4f3c5441c1afab7f55b6dda8e78df6ae5eb16662cc1b4e8de9e324f66c199e26aad7b627815306b1c7d854b2d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1744f9be-be80-4b18-9075-f153993b3fdf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1744f9be-be80-4b18-9075-f153993b3fdf.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
c1bb63c54df1a582bff76d37c6fe35e7

SHA1
2591b6636753cfccb7306b049ace401742f3212d

SHA256
90702212068011e1695b3343f3bf959bccb66579d244fa1ec7e5696b1a3ab896

SHA512
9776b885cdf83561ee50834232d47f387d48ba15f48ccf72c740adc987bac77bccbe525f24decfc1c9bf01854a32b200f68355b949a6530ab956625fcd65c63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aaead85-2f36-4a17-b80c-eed95aa5a426.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
6fd279ae3a52bbb2ed40bf17936c77f4

SHA1
fb77e6a345cabbc087ab935a4bdc6cbf02820cc2

SHA256
2230c982828fa8ecf32c87029627bf255b035c9b35e5e1b9b93f5f1cc131cfa1

SHA512
cc6c9de926a5b6f6602e87e516491c244a213da3e2fbac83a66e08ea4c6db8eb272f8a543d18a6caf4b615890737168668e10e02e0d2c1c5318790b5551b349e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
5b28f6b7236f5c9d3150098ab9eaf0a4

SHA1
7205c2865b5fd93d94fce1e5acde0ab91fc3abcb

SHA256
72c428622fc5f608adaf564ea14c6a4f50de1a5a331a37d57cc8cadd63144ea3

SHA512
7229a887e66f670269bd1880cea63e073d12db9cb0c951266eddcf096df7f13c7fb6f6df6c673db526c5b3c2f261d3a4371cef286f854cf9dfdf2983b687658a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
37219cc1e0f43afaef74e748e3e6194a

SHA1
87bf47b45e5bbb262f8a20d3013ff836a35b44cf

SHA256
d56f21fc75c11dd93083365f1a45068ee04a55bcfd41d3a762a839bdb9295ef5

SHA512
ec835a42f221fee2cea90d58ac05eaebd883975c5de3713ba265122f0437fafd1fab6dd617ea406f594e606c3b299b874473da8a985bffc1515cce82f6490658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_447c808c-a6c4-4283-8471-4016ee37c753
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_447c808c-a6c4-4283-8471-4016ee37c753.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
9d42ee9a9f0285561be16564c473635a

SHA1
746214cdcd01984667854141b4bbea5577b9ed44

SHA256
d6f848eeb4403e7ea46a4547587709c22d6d60f75e9e8c221d162720fab17e43

SHA512
4cc5ab74cc58f3fe0f41b89c41569f52257210bcf3f1d071bb469048231aaa582cc7dd21bd16e7f5100c20854d5d8f8f3648b302914ee9164c617bc5ebd5f6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
9f093562700acc7960b4ff093d056dcf

SHA1
fc860b38c9bbb3e8432d29ccbb3ea86c2396fb04

SHA256
7eaecf2b66edee5a73d726eb5dbaae4833f599084ec301fd6cbf4bdb1ee36cdb

SHA512
9ee6aa139458d00cb6fc42c72d28fb9c1f6e63e6f10c3acc6567482826534dfffab9fe6d718410a6d1012796578a953348008500a154273e6911a4790107bc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
db869af9d108f94d9a821b7b31b33b01

SHA1
814d99d530580b5633c082498916c878f7b2ab9e

SHA256
ff9d6043158156313bce8728f158886721484b5bc960424d07c05bc96a9ea543

SHA512
c44c71931193079dd02d0ec9796307ecb0042fcb4bd55edc7198b12da9599f4460408af4718100017fef6f4f931f8fbc4111d7305cf8d0b0c475defeae389318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
1036121a1b63eb50bff85f53358be458

SHA1
43932ac30cbc45efe17cc526c08c6917496eb3ba

SHA256
debbf3a60eb5f406906d6c1be4f38456a614d0fd6cf6863eb2e055381e2a96ea

SHA512
139684addc0ee31349f1cb83a0203d8d63941ca0766bc9b7f1df3e9db2b4bf766fc1abadb54c13a4accbe0ead1d750cea892901fab5bb82fb71c4d96987ad0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
7fd149182223058fa17be06c0807d0f0

SHA1
eece7bfa62aac78fcd8c6a085bc874e2fc56279e

SHA256
88ebd61175cc9f715659db6829517ed5d6ea6eb91f10f62a7cd18b3b57cf40e2

SHA512
aec4837e4d2a26ce698bd4ba29a58b49ad0924da82496403248b4c2f8a204cf01b7ae644a35cc85f0ab5493ee823ef962f7630b63629d0bd81b5f0b4f2d3b9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9eb5ee50-de32-4d4a-92aa-a36bb04401ff
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9eb5ee50-de32-4d4a-92aa-a36bb04401ff.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
c80ea91a75b453b80fc7554dca378d35

SHA1
afdec822e505c05f94c363571f1f81a05425f4e6

SHA256
35ccc53c7cdf4edf1217e92bb3041f17b6de6f1bc8fe986ee9f32efa2107d9ca

SHA512
fa30285258a004d66990deeb255472b1460a3f1b1bdea8fdd26b186c81b24662c26fb883808b3ca588c5313dae30043b3c5829ae66dcc2a4a1e7e18eaa5dd537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_aacd219d-c7ba-43ff-a67c-9ddc2f632d63.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
03d2395af5a9624bff9d25dc4d22e6ab

SHA1
bcd7a463fc23702c0508b5392912e2e41a8335a1

SHA256
66bb212c12c1549a8c7882021a5cd634742849f2a9c64c0f13a69066d7f0cf61

SHA512
1043dc390c632ac353965ff5cca6593278234bf21a94dde7d01bde5b7513e27a48c093946fa6584052e376c493700e2e941fcbdad9c11305e3aad5a383fc08a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9362bc9-9a59-457a-b4a5-e21eef6e7d55.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
92f8dd0f2b3ea9471f35b93f99fb4397

SHA1
471e213d534437e1291a1ce770a1768181bf1e39

SHA256
910573b0222fd3a449558df317be731b2b024b34ad136872ba4de768cac47510

SHA512
c5500f268d8c1b1fbb51ce99c9268e37fd6ebbfc9c0ae5c33f0c6edc58dfa178546e078530e22c7023f2569b71862a00be4d799cd455730bcf9a0ac3acc5406c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134.id-B032E05E.[GetDecoding@zimbabwe.su].get
MD5
7f8152a3132786653837b619fab9e45d

SHA1
553b2e0752c0a461fc7e7753e3583bb055df43ba

SHA256
77084fda786f0cf3583293d5fa8b19dfe140f70396aeda365d584a4236e47dc2

SHA512
ef8e708708527d9ef02c6a94959b06d00de055dbb65a934a257cdd97c10c116cdc0e75924a986a5ad915ed428bb77c48fd840a74085f137127ff3a32eb7c21e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3b7fc1b161371b85783c6472581fd086

SHA1
3f8b7332eee444d4010bde96cea48b37d1639027

SHA256
b5c4b215818cff31e7220d947e06ba71ee8759c37c037a76421cbf34476cc65b

SHA512
490f62004f3759a81ace400d8fab42bcb6dcf506411cb550a8f8181f98a9dd9db41db0a9fef18ddcced3f20012ea47002d80ef596e4f3fc9118b56932e368c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NS2.exe
MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NS2.exe
MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp
MD5
b79724b82c8ac7d0c2b8a49b1d66d62d

SHA1
07d7ba8bf46b0af7fbd8966321fe5d259e1983cd

SHA256
c59d61dfac69e07aa35cf62870204abb84eebd30d097fa6f56c4b726a10af2d0

SHA512
da147e08cc5a49e2680b84042786abc2a674355797192510bd9dfda3d285725486e1c3bf4112d515bab8a892a834c15edf49eb408e01c96dac53f7eee3acb384

Download Submit
C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
MD5
31e22820cba11f6c7670854ed65f09ed

SHA1
9ab447c539234e75b56b3e180f3541580ffa0cea

SHA256
6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035

SHA512
fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
MD5
08c0963ddf483e5c233026380de1b6d0

SHA1
1e3a06d038a48c76a6ad0c400cf145109e7179b7

SHA256
488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59

SHA512
a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhost.exe
MD5
c24f6144e905b717a372c529d969611e

SHA1
0a297e9e5c807c06ad10f4f746f4f9e256df6743

SHA256
94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

SHA512
f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhost.exe
MD5
c24f6144e905b717a372c529d969611e

SHA1
0a297e9e5c807c06ad10f4f746f4f9e256df6743

SHA256
94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

SHA512
f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.dll
MD5
d2896c83493920a4fa596afae84d32d2

SHA1
b35acefe280db6b417af5a24c86754e23c306b3e

SHA256
1d19ab82e647221ed1c80e643c3653c89816945edd2301296cea90c75ea2e489

SHA512
4e0cab8525eef93bb86541175be434a611dfd7e8dbf5b62ec46e11b8292bc958a2f06455a940142ff4600e11ca0794832d71462ccaa0441b78825f95d4fdbd5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
07a09cb0319bb22f93e8d35d78d9c3b4

SHA1
7d2cebde4f5738c03d807a01bbd455e7550e84eb

SHA256
dd7476a592c5bc67de1fa918d40602dc04877f1c8fafc0943c42e5d56632496a

SHA512
d847d75bb3bb671e83ac3406128230245920f750231a11713beaabe238501f6391387976c4ac309383b18370b1c84ebacc3f39ff10f80e4046354641a5f34cca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
e9b70a6fa817904b13c197eae184c0b9

SHA1
79a9a0b29417e02ad71ea3bf78a3823d5893905f

SHA256
dc2873ca997c4cbd45cab5c3481288b1f72b31b37c40c1a47314a5118e3b2248

SHA512
91ba21e868794745668a4be6328077487643ebd339790ea149625a6acfca57ced282de991647b8da6554aae8c7c607d3042c6a2c727e9adf3eef88ee052e214b

Download Submit
C:\Users\Public\Desktop\FILES ENCRYPTED.txt
MD5
87761d2bf23b219659cb56b7287c1730

SHA1
831cbef878557dc4eea66525b5fe3c5e388306b6

SHA256
a5a738622a9e9d47eb2cebba4daf4acb3e4f4ccf1d7777a66dd0d9edbc21e29d

SHA512
057e08f023fa690510f76b59eb5acb678eefbfd654e288597d96d6e4d7dcfe686b25036f3bcde166e0ca240c34dc092b0b9ad6d328ab43eac80e29fc5baa2734

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\CSC5565D917140D4A1EB3A045EEA049D494.TMP
MD5
45456985bfa8a634777bb87bb20f4627

SHA1
689e705a7da7e393f722f1a08e4ca1c90ed98144

SHA256
452caaa78de72d720c4dca1ba760680507522cb649b6c2f1f08f291394e45c88

SHA512
c29423e32ddb5bb8fd55d6e81d6e383cbecddfb68ae857fd37d902ffde0d8d7e7b71c0745f22521554266282d03b879faa2ed26c62110a2b009a3b79ba08bed6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.0.cs
MD5
9c478287d8b4ad6cd34ac20bdac9577c

SHA1
73965974950d1be20682abc2f716e5070f2c7097

SHA256
8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f

SHA512
b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xnezuizs\xnezuizs.cmdline
MD5
8d4222b3e497d47f6b22416c7d48a082

SHA1
b2a790e29a3073a0609c33354e59804e26bf8ced

SHA256
518c219129e47898cd924fa3fa2cc1519de2697b2abce8ff45c5f071008d92e7

SHA512
00b9f2f85a751ddcfa9d35504048133dc8cfd426589be8f84343089f6c77e8a57b8f3cbf0ea5e1b428b2e489803a09a72e1f18140379914ecfb7cdc20411112f

Download Submit
\Users\Admin\AppData\Local\Temp\NS2.exe
MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
\Users\Admin\AppData\Local\Temp\NS2.exe
MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
\Users\Admin\AppData\Local\Temp\winhost.exe
MD5
c24f6144e905b717a372c529d969611e

SHA1
0a297e9e5c807c06ad10f4f746f4f9e256df6743

SHA256
94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

SHA512
f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

Download Submit
\Users\Admin\AppData\Local\Temp\winhost.exe
MD5
c24f6144e905b717a372c529d969611e

SHA1
0a297e9e5c807c06ad10f4f746f4f9e256df6743

SHA256
94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

SHA512
f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

Download Submit
memory/532-80-0x0000000000000000-mapping.dmp

Download
memory/800-41-0x0000000000000000-mapping.dmp

Download
memory/800-49-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/800-58-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/800-62-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/988-33-0x0000000000000000-mapping.dmp

Download
memory/992-93-0x0000000000000000-mapping.dmp

Download
memory/1088-81-0x0000000000000000-mapping.dmp

Download
memory/1140-36-0x0000000000000000-mapping.dmp

Download
memory/1692-5-0x0000000000000000-mapping.dmp

Download
memory/1692-23-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1692-13-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1692-22-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1692-32-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/1692-7-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/1692-17-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1692-65-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/1692-64-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/1692-40-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1692-43-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/1692-11-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1692-31-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1692-12-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1692-10-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1692-9-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1692-24-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/1692-8-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1904-69-0x0000000000000000-mapping.dmp

Download
memory/1908-2-0x0000000076271000-0x0000000076273000-memory.dmp

Filesize
8KB

Download
memory/1908-3-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1960-79-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000000000000-mapping.dmp

Download
memory/2076-94-0x0000000000000000-mapping.dmp

Download
memory/2412-103-0x0000000000000000-mapping.dmp

Download
memory/2440-107-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/2440-104-0x0000000000000000-mapping.dmp

Download
memory/2460-105-0x0000000000000000-mapping.dmp

Download
memory/2488-106-0x0000000000000000-mapping.dmp

Download
memory/2504-108-0x0000000000000000-mapping.dmp

Download
memory/2688-111-0x000007FEF6270000-0x000007FEF64EA000-memory.dmp

Filesize
2.5MB

Download
memory/2868-131-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2868-135-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/2868-137-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/2868-141-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2868-142-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/2868-134-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/2868-128-0x0000000000000000-mapping.dmp

Download