57675d518613f20edc235c2975eadba7aa15d19aa460df03b443c99cff0d26d1

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
23-12-2021 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seucartao0021 0iictl3q h6ozq5.msi
Size

4.0MB
MD5

04573ca4c50c5c352ec0859d6a14953a
SHA1

1a6780e61a658511f141fa8305ed9a9f318f5518
SHA256

57675d518613f20edc235c2975eadba7aa15d19aa460df03b443c99cff0d26d1
SHA512

d2ac8b26969f25b9c4da413a54118bcfc181dd2bffdabc771119fb5837825d560807862ea4a75f0985b0e2c261d9678fc18a4975bb8c24399e5e248362d9664d

Score

10^/10

evasion persistence suricata

Malware Config

Signatures

suricata: ET MALWARE Ousaban Banker Checkin M1
suricata: ET MALWARE Ousaban Banker Checkin M1
suricata
suricata: ET MALWARE Ousaban Banker Checkin M2
suricata: ET MALWARE Ousaban Banker Checkin M2
suricata
suricata: ET MALWARE Ousaban Banker KeepAlive
suricata: ET MALWARE Ousaban Banker KeepAlive
suricata
suricata: ET MALWARE Ousaban Banker KeepAlive Response
suricata: ET MALWARE Ousaban Banker KeepAlive Response
suricata
suricata: ET MALWARE Ousaban Banker Server Response M1
suricata: ET MALWARE Ousaban Banker Server Response M1
suricata
suricata: ET MALWARE Ousaban Banker Server Response M2
suricata: ET MALWARE Ousaban Banker Server Response M2
suricata
Blocklisted process makes network request 2 IoCs

Processes:

MsiExec.exe

flow pid process

13 1120 MsiExec.exe
18 1120 MsiExec.exe
Executes dropped EXE 2 IoCs

Processes:

XvsLOegwgAvH.exeTLJTRGxbd.exe

pid process

2076 XvsLOegwgAvH.exe
1920 TLJTRGxbd.exe
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Drops startup file 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XIEAiogabmYY.lnk MsiExec.exe

flow	pid	process
13	1120	MsiExec.exe
18	1120	MsiExec.exe

pid	process
2076	XvsLOegwgAvH.exe
1920	TLJTRGxbd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XIEAiogabmYY.lnk	MsiExec.exe

Loads dropped DLL 23 IoCs

Processes:

MsiExec.exeXvsLOegwgAvH.exeTLJTRGxbd.exesvchost.exesvchost.exe

pid	process
1120	MsiExec.exe
1120	MsiExec.exe
1120	MsiExec.exe
1120	MsiExec.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
1920	TLJTRGxbd.exe
3176	svchost.exe
1988	svchost.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

TLJTRGxbd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	TLJTRGxbd.exe

Drops file in Program Files directory 2 IoCs

Processes:

TLJTRGxbd.exe

description	ioc	process
File created	C:\Program Files\Terminal Service 23122021\rdpwrap.ini	TLJTRGxbd.exe
File created	C:\Program Files\Terminal Service 23122021\rdpwrap.dll	TLJTRGxbd.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f75f667.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF742.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFEF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF52.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75f667.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2CF9BC1F-3B08-4ADD-99C9-AD880A202BE0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI538E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI549A.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1892 schtasks.exe

pid	process
1892	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Runs net.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msiexec.exeXvsLOegwgAvH.exesvchost.exe

pid process

1964 msiexec.exe
1964 msiexec.exe
2076 XvsLOegwgAvH.exe
2076 XvsLOegwgAvH.exe
1988 svchost.exe
1988 svchost.exe
1988 svchost.exe
1988 svchost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
1964	msiexec.exe
1964	msiexec.exe
2076	XvsLOegwgAvH.exe
2076	XvsLOegwgAvH.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe
1988	svchost.exe

pid	process
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	2620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	1964	msiexec.exe
Token: SeCreateTokenPrivilege	2620	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2620	msiexec.exe
Token: SeLockMemoryPrivilege	2620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2620	msiexec.exe
Token: SeMachineAccountPrivilege	2620	msiexec.exe
Token: SeTcbPrivilege	2620	msiexec.exe
Token: SeSecurityPrivilege	2620	msiexec.exe
Token: SeTakeOwnershipPrivilege	2620	msiexec.exe
Token: SeLoadDriverPrivilege	2620	msiexec.exe
Token: SeSystemProfilePrivilege	2620	msiexec.exe
Token: SeSystemtimePrivilege	2620	msiexec.exe
Token: SeProfSingleProcessPrivilege	2620	msiexec.exe
Token: SeIncBasePriorityPrivilege	2620	msiexec.exe
Token: SeCreatePagefilePrivilege	2620	msiexec.exe
Token: SeCreatePermanentPrivilege	2620	msiexec.exe
Token: SeBackupPrivilege	2620	msiexec.exe
Token: SeRestorePrivilege	2620	msiexec.exe
Token: SeShutdownPrivilege	2620	msiexec.exe
Token: SeDebugPrivilege	2620	msiexec.exe
Token: SeAuditPrivilege	2620	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2620	msiexec.exe
Token: SeChangeNotifyPrivilege	2620	msiexec.exe
Token: SeRemoteShutdownPrivilege	2620	msiexec.exe
Token: SeUndockPrivilege	2620	msiexec.exe
Token: SeSyncAgentPrivilege	2620	msiexec.exe
Token: SeEnableDelegationPrivilege	2620	msiexec.exe
Token: SeManageVolumePrivilege	2620	msiexec.exe
Token: SeImpersonatePrivilege	2620	msiexec.exe
Token: SeCreateGlobalPrivilege	2620	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	376	WMIC.exe
Token: SeSecurityPrivilege	376	WMIC.exe
Token: SeTakeOwnershipPrivilege	376	WMIC.exe
Token: SeLoadDriverPrivilege	376	WMIC.exe
Token: SeSystemProfilePrivilege	376	WMIC.exe
Token: SeSystemtimePrivilege	376	WMIC.exe
Token: SeProfSingleProcessPrivilege	376	WMIC.exe
Token: SeIncBasePriorityPrivilege	376	WMIC.exe
Token: SeCreatePagefilePrivilege	376	WMIC.exe
Token: SeBackupPrivilege	376	WMIC.exe
Token: SeRestorePrivilege	376	WMIC.exe
Token: SeShutdownPrivilege	376	WMIC.exe
Token: SeDebugPrivilege	376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	376	WMIC.exe
Token: SeRemoteShutdownPrivilege	376	WMIC.exe
Token: SeUndockPrivilege	376	WMIC.exe
Token: SeManageVolumePrivilege	376	WMIC.exe
Token: 33	376	WMIC.exe
Token: 34	376	WMIC.exe
Token: 35	376	WMIC.exe
Token: 36	376	WMIC.exe
Token: SeRestorePrivilege	1964	msiexec.exe
Token: SeTakeOwnershipPrivilege	1964	msiexec.exe
Token: SeIncreaseQuotaPrivilege	376	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeMsiExec.exe

pid process

2620 msiexec.exe
1120 MsiExec.exe
2620 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1280 LogonUI.exe

pid	process
2620	msiexec.exe
1120	MsiExec.exe
2620	msiexec.exe

pid	process
1280	LogonUI.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

msiexec.exeMsiExec.exeXvsLOegwgAvH.execmd.exeTLJTRGxbd.exenet.exenet.exe

description	pid	process	target process
PID 1964 wrote to memory of 1120	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 1120	1964	msiexec.exe	MsiExec.exe
PID 1964 wrote to memory of 1120	1964	msiexec.exe	MsiExec.exe
PID 1120 wrote to memory of 376	1120	MsiExec.exe	WMIC.exe
PID 1120 wrote to memory of 376	1120	MsiExec.exe	WMIC.exe
PID 1120 wrote to memory of 376	1120	MsiExec.exe	WMIC.exe
PID 2076 wrote to memory of 1672	2076	XvsLOegwgAvH.exe	cmd.exe
PID 2076 wrote to memory of 1672	2076	XvsLOegwgAvH.exe	cmd.exe
PID 2076 wrote to memory of 1672	2076	XvsLOegwgAvH.exe	cmd.exe
PID 1672 wrote to memory of 1892	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 1892	1672	cmd.exe	schtasks.exe
PID 1672 wrote to memory of 1892	1672	cmd.exe	schtasks.exe
PID 2076 wrote to memory of 1920	2076	XvsLOegwgAvH.exe	TLJTRGxbd.exe
PID 2076 wrote to memory of 1920	2076	XvsLOegwgAvH.exe	TLJTRGxbd.exe
PID 2076 wrote to memory of 1920	2076	XvsLOegwgAvH.exe	TLJTRGxbd.exe
PID 1920 wrote to memory of 1820	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 1820	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 2212	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 2212	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 1044	1920	TLJTRGxbd.exe	net.exe
PID 1920 wrote to memory of 1044	1920	TLJTRGxbd.exe	net.exe
PID 1044 wrote to memory of 4028	1044	net.exe	net1.exe
PID 1044 wrote to memory of 4028	1044	net.exe	net1.exe
PID 1920 wrote to memory of 3164	1920	TLJTRGxbd.exe	net.exe
PID 1920 wrote to memory of 3164	1920	TLJTRGxbd.exe	net.exe
PID 3164 wrote to memory of 884	3164	net.exe	net1.exe
PID 3164 wrote to memory of 884	3164	net.exe	net1.exe
PID 1920 wrote to memory of 1380	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 1380	1920	TLJTRGxbd.exe	netsh.exe
PID 1920 wrote to memory of 3860	1920	TLJTRGxbd.exe	reg.exe
PID 1920 wrote to memory of 3860	1920	TLJTRGxbd.exe	reg.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\seucartao0021 0iictl3q h6ozq5.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 63C9AB2F4B38CFDA11DBD125E88C318F
2⤵
- Blocklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe
C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU %USERNAME%
2⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU Admin
3⤵
- Creates scheduled task(s)
PID:1892

C:\Users\Admin\dSzzT 66G8\TLJTRGxbd.exe
"C:\Users\Admin\dSzzT 66G8\TLJTRGxbd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3456 profile=any action=allow
3⤵
PID:1820

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3456 profile=any action=allow
3⤵
PID:2212

C:\Windows\system32\net.exe
net user Administrat0r "123mudar" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user Administrat0r "123mudar" /add
4⤵
PID:4028

C:\Windows\system32\net.exe
net localgroup Administradores Administrat0r /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administradores Administrat0r /add
4⤵
PID:884

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3456 profile=any action=allow
3⤵
PID:1380

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3456 /f
3⤵
PID:3860

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
- Loads dropped DLL
PID:3176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad5855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ZicJajftTbIk\Host.hst
MD5
4f061b2838fa597aef455991da265af6

SHA1
abc5304aade1375e2a263469b23d4fb7cc7374d3

SHA256
112339859ea55a6cd05b8071ec69d15f8dd59547120ba971ec2e6f4f45758022

SHA512
b39c3bfb4a6501d59fd6ed1f4de279498e0c487237bf900f39ef77632dcd973d2f20ace02e85014af600f031b43d7b57fcae7d0030b48daf8aff3671d9948d79

Download Submit
C:\Users\Admin\ZicJajftTbIk\MSVCP100.dll
MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Users\Admin\ZicJajftTbIk\MSVCR100.dll
MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe
MD5
5828ef796e249bc0ed7dbd98c5946393

SHA1
a0be6eced5f7d125d265749691dd597fa8cefdea

SHA256
7dfc162c156704589cd180d78e0b907429b5afcaa3f92867e54e7bfa97a47d41

SHA512
429a687134bea6d1260a4401c3848cb18ef80d4dadc33f4d4858adfbd7d3b31b5d4db86d9aa1b72d24df703915129c28c429aa0fb799bd70a064b6613d820e12

Download Submit
C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe
MD5
5828ef796e249bc0ed7dbd98c5946393

SHA1
a0be6eced5f7d125d265749691dd597fa8cefdea

SHA256
7dfc162c156704589cd180d78e0b907429b5afcaa3f92867e54e7bfa97a47d41

SHA512
429a687134bea6d1260a4401c3848cb18ef80d4dadc33f4d4858adfbd7d3b31b5d4db86d9aa1b72d24df703915129c28c429aa0fb799bd70a064b6613d820e12

Download Submit
C:\Users\Admin\ZicJajftTbIk\groceryc.dll
MD5
fb3461ac1e498033b08247f1ebaa5ade

SHA1
e8e46582973c7bbceb2af8edbd70dc11068c0918

SHA256
16eebcae164bf362f3fb4376fd791bc43bf42bd7f07f13924015f134cec74666

SHA512
46b66742b556b3ec94b35eef736a17b109239900cd3e84f9af34f459076aadab56b769e3fe461492c4ef36a8f636c55de0656f20402f17903a252271ac6e7667

Download Submit
C:\Users\Admin\ZicJajftTbIk\libBasic.dll
MD5
371f6c89ec30bd992fafdda05df9c516

SHA1
c0b903b78111fdcb8d81d067ad89cf00f8fb1146

SHA256
d32ddb8457cfd53ce1a51c91ad987421ac52f34a1db09e5fcc712505d0308b8b

SHA512
d49ca194bfbcef4c4d590a21caf5b95b7742b18ab6dcc7e207de031203d71e975d2118afa9c468f6862b76576fa227c4eb935b4ddb0ddabc4c2b9295baf9eeca

Download Submit
C:\Users\Admin\ZicJajftTbIk\libI18n.dll
MD5
60c0f465dfd23344e9ad67cef6ef7ccb

SHA1
68de19bcdab5279af617b978f25d0f8391499461

SHA256
9cfd224ed08a300d1d19d5217b51ba05089fbf83c2dc33f5280266ff4e7d896f

SHA512
ea8c4742c120d46d6163959e15b5e544b9b008637d367a4153e86685d09f5397e1da0f729e9fbfdf0564cba625724261650869b25197b2e672718d4d79352755

Download Submit
C:\Users\Admin\ZicJajftTbIk\libRG.dll
MD5
28d3cd357afe7fb92de5c9da21d9847f

SHA1
c412d3f742f6d92092b002c0a09cc8fc7c8824ed

SHA256
27b69838e6cd434f678ab14ae2632cf503bf2c857de7bc3945b3936527261056

SHA512
931b94edf9d9d4a6d15796ac632229fe12dc526873907f31cdb6f58b7d2817543b4761dcd1bbfdcd0d09a8e5811f2b3d8c66a2283e99b7223bd504cdb9be271a

Download Submit
C:\Users\Admin\ZicJajftTbIk\libglog.dll
MD5
e384e66b1543ae6bf6ad5196b875a902

SHA1
f47e7693827a5f89680e250155362e620cb5bc8c

SHA256
a444930451e8bfc83d5a98d73da89d9350809fc939b21fcb74ed9b3db46d83b9

SHA512
56cafefcaaa705d81fbbddb52f6821b6cc3453991a1c864b050943156b1c6aabbe984b789d5322d4ab317f5a69b10db9528f989aafe2476ebbee4506d7e580eb

Download Submit
C:\Users\Admin\ZicJajftTbIk\libxml2-2.dll
MD5
d846fcef3669f657bac2081dff8b9a6e

SHA1
7f27542b885389554dba0d7d24228f5f1157f764

SHA256
022a970459ee81fd7b33ed34feab82f8b188d1df8f60b0757ae1b100867fdd2f

SHA512
7a70a22afa25c452504783c5377e373c312165cc2a130320ee683819a6fbbfeb3fb970283f725efbe0e8582b6b1c9041b528c0022abd60fce538782b01401177

Download Submit
C:\Users\Admin\ZicJajftTbIk\libzvc125.dll
MD5
6fb39a68c0c199866bf5e9ebfd30644e

SHA1
1039a686d7b39df59904e514f21e8832dee8611b

SHA256
bfd9c54035d0fd56b38c26352bc29af1b6ae6c867dac2e7a0ce1b5b517f90800

SHA512
f220a45d8e9d27aad574ee2208d12a1c01d7f18a38205d3528d854dab78591ebca98f7451a38440365a9f755f738178eb79e3b55ac542cd9495ca6fea2be32d0

Download Submit
C:\Users\Admin\ZicJajftTbIk\pthreadVC2.dll
MD5
01819c12d2b7a56ebc3cec57a59aee01

SHA1
554aa7bb916b7b6a754c3d60057a61de9eccde8b

SHA256
69a85cbb337aaf764d9c66d3035f0705def8818e64a2adf01b43b5eb54bd4953

SHA512
2647397f2d52a645d373d2170157ea4f718e9fe861c316f7b732fcdfac8b05b2f001acaf480cc8f4df0ce90c0254fbec5e02448377709746c9dbbca5c62cc00c

Download Submit
C:\Users\Admin\ZicJajftTbIk\win_sparkle_check_update_with_ui_and_install
MD5
7fb9eba5867190634a924adcf984e10d

SHA1
be9fe00d85e0f3db1a474671fb466678b9e854bc

SHA256
9a379c3abec8a6d334165b60134997ddd81d0d9f18020e3596ef94d02b8346c0

SHA512
24ad866e8e7d62ee6d0a051b62703bbc82d16107b2b0e03e8939ed61974e93c90d48088137afbb17a398c00477b915434509a6e3ee1ee8a6e68b5a61a316e6a9

Download Submit
C:\Users\Admin\dSzzT 66G8\TLJTRGxbd.exe
MD5
27d741ef21a179bd96a0b4effefb24de

SHA1
adc940a2c909a6c23363516e727a0e798da038b4

SHA256
72c0a43a65d36ae7def98075b948c4991ae0f24af1e1f3360abaf843471879a1

SHA512
14c743f98f794dda0b729c2fb80d3d16435bd9035641079b748c70f34a2ee30f72cb89d5763e6fe3a0f819e25e2ac6c23e3cdc7c21c2be4b489e1ca09c0db33f

Download Submit
C:\Users\Admin\dSzzT 66G8\bass.dll
MD5
c5b3059004e2c7631915ec044f4e6c63

SHA1
dbcdc0aba1d9cf3396ba8ae00bb3671c85047fb2

SHA256
3cd00f456f51829eda119e0e133acc1e45a5930d61fc335a2e9aa688a836a24d

SHA512
3ed914fbfa4ff78fe98ade848e79c3e1e3b66eae83159b45725bf946f2b3cb9d4f805f719901928d9b52c20bc121b0552645fa6aba11ac0fcd5ade672f14f5ee

Download Submit
C:\Users\Admin\dSzzT 66G8\bass_fx.dll
MD5
01014a27781bad31a61ed2ae6b6d7309

SHA1
f44962a6f21d0e1f0414dd8fcfdc4b979f13045a

SHA256
31956481457f559eaa0c1df3e1671c4e796ad9462dbacc9d4289bafc545ec42c

SHA512
edfeeeca88b71b39ee8cba371d9231aa648efd30c0fd0868044d4807596b5002721db449dcfddbbebedf1c91b43990c70225eab2c141523c5b67f9814a1493a5

Download Submit
C:\Users\Admin\dSzzT 66G8\bassasio.dll
MD5
f50f353390a644effac1571168aa4ae2

SHA1
fe8659dfea0102bbcabf42a6c9f34a47094688e9

SHA256
ca912b59ff2ee3300c324959949e93ec99f997f907d708c2c4ce83eda2dcf087

SHA512
f10a127d0c8eca05eaf797eced80749967b23a0afbef9db86bcd25f9b8058125f1da2b9e970d6eb103c92927783da77af3aead74bc25f53d40e3493dd3823e24

Download Submit
C:\Users\Admin\dSzzT 66G8\bassmix.dll
MD5
b47858d3d3147f64756e6cc8f187683b

SHA1
e8bbebf61ade86a1396e5c5cdaf38531a05d09b6

SHA256
441ca8e10de3624916aca5e962be3900955c14e2ade98b63c1ed246eb07034d7

SHA512
75e4728dd86cee07c183a58d8075638b55ee22b861e9ce0b3f3a987b799f6a13dc9d3d25ce719ca4de3dadb50aa87eb290dd73b0aeaaa8381431a7b078f3bb39

Download Submit
C:\Users\Admin\dSzzT 66G8\basswasapi.dll
MD5
f807bb3e88dd976a641ebb743e1b398d

SHA1
231e49284b4d7d3c91c60aed93a98d75d1ca633f

SHA256
0e953a58f456a7a80cc551aaa67edfd7920c5e47441a8635654eaaab33ef606e

SHA512
9ae21899a9329e6762fa6ee173b75451693e9d8449085346fd66337337d109d516747a1274d65f91a88399b25c339f8864c07ae65f4bf345468be504fb3e44c0

Download Submit
C:\Users\Admin\dSzzT 66G8\radioboss_taglib.dll
MD5
a2d06bdc0878c1fb72a488d2eda501fe

SHA1
410314dd5308397d234f162e2dd8ee1a5e9eb070

SHA256
1d6a37e98c564bbf225c296ce6ec99ba6c123319fc575317a04875874e721aa3

SHA512
367c1ae2d75ee0af74c4d417c96d50cf2434de8f5201436fa6cac6cc79d9515963212a8d5c28c8e24b064b10336f64dd5d88adf8454d62e2dc393187ec311495

Download Submit
C:\Users\Admin\dSzzT 66G8\win_sparkle_check_updatel
MD5
04a1af8fc372f2f5a18f4d61da3fbc11

SHA1
63dac44ee7991af912f97c025937c2f554bda56e

SHA256
14def3471b4d6ca61b5c8b201e7b0b37158df40c312fddc7fcc7ddd358bb6f2e

SHA512
2f0c62e7977ea779ef8eabdcfacb528962e8b35d8c1c3ac14153be123e0b11e5f94f927bdea8f16ae9e2af96ba818117b19cee2e49d904b934ebe90d98b8a446

Download Submit
C:\Windows\Installer\MSI549A.tmp
MD5
0872fc86ddb1c0c51beab1deaaa80218

SHA1
abe143cfe0053d6e93c042815f020ff4714794bc

SHA256
99f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60

SHA512
1b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346

Download Submit
C:\Windows\Installer\MSIF742.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIFEF3.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSIFF52.tmp
MD5
0872fc86ddb1c0c51beab1deaaa80218

SHA1
abe143cfe0053d6e93c042815f020ff4714794bc

SHA256
99f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60

SHA512
1b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346

Download Submit
\??\c:\program files\terminal service 23122021\rdpwrap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\??\c:\program files\terminal service 23122021\rdpwrap.ini
MD5
36d24116e87f7eeef937820b92fc9771

SHA1
530230a01d048dc7923c67d3aacba797da1379c6

SHA256
9ad298ddadbfdcc1267267ff1427d5af9676cdde8b234114f69149f12c41eaa1

SHA512
695561b1791615f4c5da0e2527cea59705a82ba3ffb7932228f8cf071c4d33a12225667655fcdd08ce4cb31896f5fa8c6f024185bc5c760aae5e2cbb35d9677d

Download Submit
\Program Files\Terminal Service 23122021\rdpwrap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Terminal Service 23122021\rdpwrap.dll
MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\ZicJajftTbIk\groceryc.dll
MD5
fb3461ac1e498033b08247f1ebaa5ade

SHA1
e8e46582973c7bbceb2af8edbd70dc11068c0918

SHA256
16eebcae164bf362f3fb4376fd791bc43bf42bd7f07f13924015f134cec74666

SHA512
46b66742b556b3ec94b35eef736a17b109239900cd3e84f9af34f459076aadab56b769e3fe461492c4ef36a8f636c55de0656f20402f17903a252271ac6e7667

Download Submit
\Users\Admin\ZicJajftTbIk\libBasic.dll
MD5
371f6c89ec30bd992fafdda05df9c516

SHA1
c0b903b78111fdcb8d81d067ad89cf00f8fb1146

SHA256
d32ddb8457cfd53ce1a51c91ad987421ac52f34a1db09e5fcc712505d0308b8b

SHA512
d49ca194bfbcef4c4d590a21caf5b95b7742b18ab6dcc7e207de031203d71e975d2118afa9c468f6862b76576fa227c4eb935b4ddb0ddabc4c2b9295baf9eeca

Download Submit
\Users\Admin\ZicJajftTbIk\libI18n.dll
MD5
60c0f465dfd23344e9ad67cef6ef7ccb

SHA1
68de19bcdab5279af617b978f25d0f8391499461

SHA256
9cfd224ed08a300d1d19d5217b51ba05089fbf83c2dc33f5280266ff4e7d896f

SHA512
ea8c4742c120d46d6163959e15b5e544b9b008637d367a4153e86685d09f5397e1da0f729e9fbfdf0564cba625724261650869b25197b2e672718d4d79352755

Download Submit
\Users\Admin\ZicJajftTbIk\libRG.dll
MD5
28d3cd357afe7fb92de5c9da21d9847f

SHA1
c412d3f742f6d92092b002c0a09cc8fc7c8824ed

SHA256
27b69838e6cd434f678ab14ae2632cf503bf2c857de7bc3945b3936527261056

SHA512
931b94edf9d9d4a6d15796ac632229fe12dc526873907f31cdb6f58b7d2817543b4761dcd1bbfdcd0d09a8e5811f2b3d8c66a2283e99b7223bd504cdb9be271a

Download Submit
\Users\Admin\ZicJajftTbIk\libglog.dll
MD5
e384e66b1543ae6bf6ad5196b875a902

SHA1
f47e7693827a5f89680e250155362e620cb5bc8c

SHA256
a444930451e8bfc83d5a98d73da89d9350809fc939b21fcb74ed9b3db46d83b9

SHA512
56cafefcaaa705d81fbbddb52f6821b6cc3453991a1c864b050943156b1c6aabbe984b789d5322d4ab317f5a69b10db9528f989aafe2476ebbee4506d7e580eb

Download Submit
\Users\Admin\ZicJajftTbIk\libxml2-2.dll
MD5
d846fcef3669f657bac2081dff8b9a6e

SHA1
7f27542b885389554dba0d7d24228f5f1157f764

SHA256
022a970459ee81fd7b33ed34feab82f8b188d1df8f60b0757ae1b100867fdd2f

SHA512
7a70a22afa25c452504783c5377e373c312165cc2a130320ee683819a6fbbfeb3fb970283f725efbe0e8582b6b1c9041b528c0022abd60fce538782b01401177

Download Submit
\Users\Admin\ZicJajftTbIk\libzvc125.dll
MD5
6fb39a68c0c199866bf5e9ebfd30644e

SHA1
1039a686d7b39df59904e514f21e8832dee8611b

SHA256
bfd9c54035d0fd56b38c26352bc29af1b6ae6c867dac2e7a0ce1b5b517f90800

SHA512
f220a45d8e9d27aad574ee2208d12a1c01d7f18a38205d3528d854dab78591ebca98f7451a38440365a9f755f738178eb79e3b55ac542cd9495ca6fea2be32d0

Download Submit
\Users\Admin\ZicJajftTbIk\msvcp100.dll
MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
\Users\Admin\ZicJajftTbIk\msvcr100.dll
MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
\Users\Admin\ZicJajftTbIk\pthreadVC2.dll
MD5
01819c12d2b7a56ebc3cec57a59aee01

SHA1
554aa7bb916b7b6a754c3d60057a61de9eccde8b

SHA256
69a85cbb337aaf764d9c66d3035f0705def8818e64a2adf01b43b5eb54bd4953

SHA512
2647397f2d52a645d373d2170157ea4f718e9fe861c316f7b732fcdfac8b05b2f001acaf480cc8f4df0ce90c0254fbec5e02448377709746c9dbbca5c62cc00c

Download Submit
\Users\Admin\dSzzT 66G8\bass.dll
MD5
c5b3059004e2c7631915ec044f4e6c63

SHA1
dbcdc0aba1d9cf3396ba8ae00bb3671c85047fb2

SHA256
3cd00f456f51829eda119e0e133acc1e45a5930d61fc335a2e9aa688a836a24d

SHA512
3ed914fbfa4ff78fe98ade848e79c3e1e3b66eae83159b45725bf946f2b3cb9d4f805f719901928d9b52c20bc121b0552645fa6aba11ac0fcd5ade672f14f5ee

Download Submit
\Users\Admin\dSzzT 66G8\bass_fx.dll
MD5
34e4e661211ce4e6f4bc2a53972fb3bf

SHA1
bf2a13d8cc14fe6e6a71139d37c6e6d668429233

SHA256
cf385774b76ebc4bd215b67bee392355702785b278828e5e31bb430b12811a7d

SHA512
f112ac0c4f33f0dbf6bada86893729dcfecd71cbf0fb9fb46b75b65219f5bab2a64ac84f7b9e27668063397418d90a5a1f66f3152e938b68e706191994723c58

Download Submit
\Users\Admin\dSzzT 66G8\bass_fx.dll
MD5
34e4e661211ce4e6f4bc2a53972fb3bf

SHA1
bf2a13d8cc14fe6e6a71139d37c6e6d668429233

SHA256
cf385774b76ebc4bd215b67bee392355702785b278828e5e31bb430b12811a7d

SHA512
f112ac0c4f33f0dbf6bada86893729dcfecd71cbf0fb9fb46b75b65219f5bab2a64ac84f7b9e27668063397418d90a5a1f66f3152e938b68e706191994723c58

Download Submit
\Users\Admin\dSzzT 66G8\bassasio.dll
MD5
f50f353390a644effac1571168aa4ae2

SHA1
fe8659dfea0102bbcabf42a6c9f34a47094688e9

SHA256
ca912b59ff2ee3300c324959949e93ec99f997f907d708c2c4ce83eda2dcf087

SHA512
f10a127d0c8eca05eaf797eced80749967b23a0afbef9db86bcd25f9b8058125f1da2b9e970d6eb103c92927783da77af3aead74bc25f53d40e3493dd3823e24

Download Submit
\Users\Admin\dSzzT 66G8\bassmix.dll
MD5
b47858d3d3147f64756e6cc8f187683b

SHA1
e8bbebf61ade86a1396e5c5cdaf38531a05d09b6

SHA256
441ca8e10de3624916aca5e962be3900955c14e2ade98b63c1ed246eb07034d7

SHA512
75e4728dd86cee07c183a58d8075638b55ee22b861e9ce0b3f3a987b799f6a13dc9d3d25ce719ca4de3dadb50aa87eb290dd73b0aeaaa8381431a7b078f3bb39

Download Submit
\Users\Admin\dSzzT 66G8\basswasapi.dll
MD5
f807bb3e88dd976a641ebb743e1b398d

SHA1
231e49284b4d7d3c91c60aed93a98d75d1ca633f

SHA256
0e953a58f456a7a80cc551aaa67edfd7920c5e47441a8635654eaaab33ef606e

SHA512
9ae21899a9329e6762fa6ee173b75451693e9d8449085346fd66337337d109d516747a1274d65f91a88399b25c339f8864c07ae65f4bf345468be504fb3e44c0

Download Submit
\Users\Admin\dSzzT 66G8\radioboss_taglib.dll
MD5
a2d06bdc0878c1fb72a488d2eda501fe

SHA1
410314dd5308397d234f162e2dd8ee1a5e9eb070

SHA256
1d6a37e98c564bbf225c296ce6ec99ba6c123319fc575317a04875874e721aa3

SHA512
367c1ae2d75ee0af74c4d417c96d50cf2434de8f5201436fa6cac6cc79d9515963212a8d5c28c8e24b064b10336f64dd5d88adf8454d62e2dc393187ec311495

Download Submit
\Windows\Installer\MSI549A.tmp
MD5
0872fc86ddb1c0c51beab1deaaa80218

SHA1
abe143cfe0053d6e93c042815f020ff4714794bc

SHA256
99f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60

SHA512
1b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346

Download Submit
\Windows\Installer\MSIF742.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIFEF3.tmp
MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSIFF52.tmp
MD5
0872fc86ddb1c0c51beab1deaaa80218

SHA1
abe143cfe0053d6e93c042815f020ff4714794bc

SHA256
99f2f155dfed73c33416e82ca6cd8f6dc66abbf50513a5e2a857d12e49504c60

SHA512
1b15ea0122d5adef9098381a2dc9659257ba13704fc4b51105c535044c94e370b9ea24e70c836e85cd0b4c9cc4dab63522c74af2ab913619984e86c27888a346

Download Submit
memory/376-128-0x0000000000000000-mapping.dmp

Download
memory/884-196-0x0000000000000000-mapping.dmp

Download
memory/1044-193-0x0000000000000000-mapping.dmp

Download
memory/1120-121-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1120-120-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1120-119-0x0000000000000000-mapping.dmp

Download
memory/1380-197-0x0000000000000000-mapping.dmp

Download
memory/1672-156-0x0000000000000000-mapping.dmp

Download
memory/1820-191-0x0000000000000000-mapping.dmp

Download
memory/1892-157-0x0000000000000000-mapping.dmp

Download
memory/1920-176-0x0000000072701000-0x0000000072705000-memory.dmp

Filesize
16KB

Download
memory/1920-172-0x0000000001030000-0x000000000136E000-memory.dmp

Filesize
3.2MB

Download
memory/1920-180-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/1920-177-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/1920-181-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/1920-182-0x0000000000CE0000-0x0000000000D04000-memory.dmp

Filesize
144KB

Download
memory/1920-178-0x0000000072640000-0x0000000072668000-memory.dmp

Filesize
160KB

Download
memory/1920-159-0x0000000000000000-mapping.dmp

Download
memory/1920-186-0x0000000003461000-0x00000000036BD000-memory.dmp

Filesize
2.4MB

Download
memory/1920-175-0x00000000726F0000-0x00000000726FC000-memory.dmp

Filesize
48KB

Download
memory/1920-173-0x0000000072690000-0x00000000726E7000-memory.dmp

Filesize
348KB

Download
memory/1920-179-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

Filesize
16KB

Download
memory/1964-118-0x00000144CAD50000-0x00000144CAD52000-memory.dmp

Filesize
8KB

Download
memory/1964-117-0x00000144CAD50000-0x00000144CAD52000-memory.dmp

Filesize
8KB

Download
memory/2076-155-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/2076-154-0x00000000033E1000-0x0000000003867000-memory.dmp

Filesize
4.5MB

Download
memory/2212-192-0x0000000000000000-mapping.dmp

Download
memory/2620-115-0x000001CB0C430000-0x000001CB0C432000-memory.dmp

Filesize
8KB

Download
memory/2620-116-0x000001CB0C430000-0x000001CB0C432000-memory.dmp

Filesize
8KB

Download
memory/3164-195-0x0000000000000000-mapping.dmp

Download
memory/3860-198-0x0000000000000000-mapping.dmp

Download
memory/4028-194-0x0000000000000000-mapping.dmp

Download