njrat | 20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-07-2022 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

edaf154b94f8808071e089661c89412e
SHA1

31b1c1eefe489f1f348002d5b01870b268b24ca0
SHA256

20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393
SHA512

8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Score

10^/10

njrat hacked by cobra 217 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By CobrA 217

Y29icmFzc3Nzc3Nzc3Nzcy5kZG5zLm5ldAStrikStrik:MTE3Nw==

Mutex

3a080181c5938cd7611a562e79328fc0

Attributes

reg_key
3a080181c5938cd7611a562e79328fc0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Executes dropped EXE 48 IoCs

Processes:

server.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exe

pid	process
2396	server.exe
3588	svchost.exe
4316	server.exe
2100	svchost.exe
5020	server.exe
2096	svchost.exe
2112	server.exe
4964	svchost.exe
3660	server.exe
3836	svchost.exe
3908	server.exe
3724	svchost.exe
3688	server.exe
4676	svchost.exe
4544	server.exe
3220	svchost.exe
3188	server.exe
3092	svchost.exe
3196	server.exe
3524	svchost.exe
4512	server.exe
3180	svchost.exe
4132	server.exe
3540	svchost.exe
3924	server.exe
2324	svchost.exe
4092	server.exe
4468	svchost.exe
4460	server.exe
1768	svchost.exe
2556	server.exe
624	svchost.exe
684	server.exe
2632	svchost.exe
820	server.exe
3236	svchost.exe
392	server.exe
5104	svchost.exe
4248	server.exe
860	svchost.exe
2064	server.exe
4320	svchost.exe
4016	server.exe
1716	svchost.exe
4908	server.exe
1972	svchost.exe
2232	server.exe
2184	svchost.exe

Modifies Windows Firewall 1 TTPs 64 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
3600	netsh.exe
4124	netsh.exe
1248	netsh.exe
1624	netsh.exe
4868	netsh.exe
4420	netsh.exe
1524	netsh.exe
2200	netsh.exe
3164	netsh.exe
3304	netsh.exe
1164	netsh.exe
4724	netsh.exe
2240	netsh.exe
4876	netsh.exe
4804	netsh.exe
3840	netsh.exe
4500	netsh.exe
3096	netsh.exe
1848	netsh.exe
3672	netsh.exe
1764	netsh.exe
3860	netsh.exe
804	netsh.exe
820	netsh.exe
2736	netsh.exe
3740	netsh.exe
4224	netsh.exe
2448	netsh.exe
4368	netsh.exe
3612	netsh.exe
5012	netsh.exe
2028	netsh.exe
4356	netsh.exe
1308	netsh.exe
3260	netsh.exe
4092	netsh.exe
1520	netsh.exe
1756	netsh.exe
1384	netsh.exe
4972	netsh.exe
4584	netsh.exe
4920	netsh.exe
5092	netsh.exe
4396	netsh.exe
4544	netsh.exe
2124	netsh.exe
2576	netsh.exe
2816	netsh.exe
3216	netsh.exe
3428	netsh.exe
3648	netsh.exe
2784	netsh.exe
1756	netsh.exe
860	netsh.exe
1440	netsh.exe
2368	netsh.exe
3924	netsh.exe
4964	netsh.exe
4656	netsh.exe
4860	netsh.exe
3524	netsh.exe
4132	netsh.exe
4068	netsh.exe
624	netsh.exe

Checks computer location settings 2 TTPs 48 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeserver.exeserver.exesvchost.exeserver.exesvchost.exeserver.exeserver.exesvchost.exeserver.exeserver.exeserver.exesvchost.exesvchost.exesvchost.exeserver.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeserver.exeserver.exeserver.exesvchost.exeserver.exeserver.exesvchost.exeserver.exesvchost.exesvchost.exesvchost.exesvchost.exeserver.exesvchost.exesvchost.exeserver.exeserver.exeServer.exeserver.exeserver.exeserver.exeserver.exesvchost.exeserver.exesvchost.exesvchost.exeserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	server.exe

Drops startup file 64 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe	server.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Drops file in System32 directory 25 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 25 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe
2396	server.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2396	server.exe
Token: SeDebugPrivilege	4316	server.exe
Token: SeDebugPrivilege	5020	server.exe
Token: SeDebugPrivilege	2112	server.exe
Token: SeDebugPrivilege	3660	server.exe
Token: SeDebugPrivilege	3908	server.exe
Token: SeDebugPrivilege	3688	server.exe
Token: SeDebugPrivilege	4544	server.exe
Token: SeDebugPrivilege	3188	server.exe
Token: SeDebugPrivilege	3196	server.exe
Token: SeDebugPrivilege	4512	server.exe
Token: SeDebugPrivilege	4132	server.exe
Token: SeDebugPrivilege	3924	server.exe
Token: SeDebugPrivilege	4092	server.exe
Token: SeDebugPrivilege	4460	server.exe
Token: SeDebugPrivilege	2556	server.exe
Token: SeDebugPrivilege	684	server.exe
Token: SeDebugPrivilege	820	server.exe
Token: SeDebugPrivilege	392	server.exe
Token: SeDebugPrivilege	4248	server.exe
Token: SeDebugPrivilege	2064	server.exe
Token: SeDebugPrivilege	4016	server.exe
Token: SeDebugPrivilege	4908	server.exe
Token: SeDebugPrivilege	2232	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Server.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exe

description	pid	process	target process
PID 4840 wrote to memory of 2396	4840	Server.exe	server.exe
PID 4840 wrote to memory of 2396	4840	Server.exe	server.exe
PID 4840 wrote to memory of 2396	4840	Server.exe	server.exe
PID 2396 wrote to memory of 3600	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 3600	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 3600	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4500	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4500	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4500	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4224	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4224	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 4224	2396	server.exe	netsh.exe
PID 2396 wrote to memory of 3588	2396	server.exe	svchost.exe
PID 2396 wrote to memory of 3588	2396	server.exe	svchost.exe
PID 2396 wrote to memory of 3588	2396	server.exe	svchost.exe
PID 3588 wrote to memory of 4316	3588	svchost.exe	server.exe
PID 3588 wrote to memory of 4316	3588	svchost.exe	server.exe
PID 3588 wrote to memory of 4316	3588	svchost.exe	server.exe
PID 4316 wrote to memory of 4124	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 4124	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 4124	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3648	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3648	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3648	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3524	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3524	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 3524	4316	server.exe	netsh.exe
PID 4316 wrote to memory of 2100	4316	server.exe	svchost.exe
PID 4316 wrote to memory of 2100	4316	server.exe	svchost.exe
PID 4316 wrote to memory of 2100	4316	server.exe	svchost.exe
PID 2100 wrote to memory of 5020	2100	svchost.exe	server.exe
PID 2100 wrote to memory of 5020	2100	svchost.exe	server.exe
PID 2100 wrote to memory of 5020	2100	svchost.exe	server.exe
PID 5020 wrote to memory of 2784	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2784	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2784	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 4544	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 4544	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 4544	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2816	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2816	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2816	5020	server.exe	netsh.exe
PID 5020 wrote to memory of 2096	5020	server.exe	svchost.exe
PID 5020 wrote to memory of 2096	5020	server.exe	svchost.exe
PID 5020 wrote to memory of 2096	5020	server.exe	svchost.exe
PID 2096 wrote to memory of 2112	2096	svchost.exe	server.exe
PID 2096 wrote to memory of 2112	2096	svchost.exe	server.exe
PID 2096 wrote to memory of 2112	2096	svchost.exe	server.exe
PID 2112 wrote to memory of 2448	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 2448	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 2448	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 4092	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 4092	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 4092	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 3860	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 3860	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 3860	2112	server.exe	netsh.exe
PID 2112 wrote to memory of 4964	2112	server.exe	svchost.exe
PID 2112 wrote to memory of 4964	2112	server.exe	svchost.exe
PID 2112 wrote to memory of 4964	2112	server.exe	svchost.exe
PID 4964 wrote to memory of 3660	4964	svchost.exe	server.exe
PID 4964 wrote to memory of 3660	4964	svchost.exe	server.exe
PID 4964 wrote to memory of 3660	4964	svchost.exe	server.exe
PID 3660 wrote to memory of 4368	3660	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3600

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:4500

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4224

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4124

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
5⤵
- Modifies Windows Firewall
PID:3648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3524

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:2784

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
7⤵
- Modifies Windows Firewall
PID:4544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:2816

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:2448

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
- Modifies Windows Firewall
PID:4092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:3860

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:4368

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
- Modifies Windows Firewall
PID:5012

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:1164

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
PID:3836

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
- Modifies Windows Firewall
PID:1520

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
13⤵
PID:3128

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
PID:3932

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
13⤵
- Executes dropped EXE
- Checks computer location settings
PID:3724

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:4132

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
15⤵
- Modifies Windows Firewall
PID:2124

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:4724

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
15⤵
- Executes dropped EXE
- Checks computer location settings
PID:4676

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:3924

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
17⤵
- Modifies Windows Firewall
PID:4972

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:1248

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
17⤵
- Executes dropped EXE
- Checks computer location settings
PID:3220

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
19⤵
- Modifies Windows Firewall
PID:804

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
19⤵
- Modifies Windows Firewall
PID:4964

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
19⤵
- Modifies Windows Firewall
PID:1756

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
19⤵
- Executes dropped EXE
- Checks computer location settings
PID:3092

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
21⤵
- Modifies Windows Firewall
PID:3096

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
21⤵
- Modifies Windows Firewall
PID:2576

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
21⤵
- Modifies Windows Firewall
PID:860

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
21⤵
- Executes dropped EXE
- Checks computer location settings
PID:3524

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
23⤵
- Modifies Windows Firewall
PID:4068

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
23⤵
- Modifies Windows Firewall
PID:624

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
23⤵
- Modifies Windows Firewall
PID:2028

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
23⤵
- Executes dropped EXE
- Checks computer location settings
PID:3180

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
25⤵
- Modifies Windows Firewall
PID:1524

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
25⤵
- Modifies Windows Firewall
PID:820

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
25⤵
- Modifies Windows Firewall
PID:1848

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
25⤵
- Executes dropped EXE
- Checks computer location settings
PID:3540

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
26⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
27⤵
- Modifies Windows Firewall
PID:2200

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
27⤵
- Modifies Windows Firewall
PID:3612

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
27⤵
- Modifies Windows Firewall
PID:1440

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
27⤵
- Executes dropped EXE
- Checks computer location settings
PID:2324

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
28⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
29⤵
PID:4176

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
29⤵
PID:2396

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
29⤵
- Modifies Windows Firewall
PID:1756

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
29⤵
- Executes dropped EXE
- Checks computer location settings
PID:4468

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
30⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
31⤵
- Modifies Windows Firewall
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
31⤵
- Modifies Windows Firewall
PID:3672

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
31⤵
- Modifies Windows Firewall
PID:4656

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
31⤵
- Executes dropped EXE
- Checks computer location settings
PID:1768

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
32⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
33⤵
PID:2388

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
33⤵
- Modifies Windows Firewall
PID:4860

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
33⤵
PID:1464

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
33⤵
- Executes dropped EXE
- Checks computer location settings
PID:624

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
34⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
35⤵
- Modifies Windows Firewall
PID:2240

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
35⤵
- Modifies Windows Firewall
PID:4584

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
35⤵
- Modifies Windows Firewall
PID:2368

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
35⤵
- Executes dropped EXE
- Checks computer location settings
PID:2632

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
36⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
37⤵
- Modifies Windows Firewall
PID:2736

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
37⤵
PID:1168

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
37⤵
- Modifies Windows Firewall
PID:4876

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
37⤵
- Executes dropped EXE
- Checks computer location settings
PID:3236

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
38⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
39⤵
- Modifies Windows Firewall
PID:4920

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
39⤵
- Modifies Windows Firewall
PID:4804

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
39⤵
- Modifies Windows Firewall
PID:3164

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
39⤵
- Executes dropped EXE
- Checks computer location settings
PID:5104

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
40⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
41⤵
- Modifies Windows Firewall
PID:4356

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
41⤵
- Modifies Windows Firewall
PID:1308

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
41⤵
- Modifies Windows Firewall
PID:1384

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
41⤵
- Executes dropped EXE
- Checks computer location settings
PID:860

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
42⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
43⤵
- Modifies Windows Firewall
PID:3840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
43⤵
- Modifies Windows Firewall
PID:4868

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
43⤵
- Modifies Windows Firewall
PID:5092

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
43⤵
- Executes dropped EXE
- Checks computer location settings
PID:4320

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
44⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
45⤵
- Modifies Windows Firewall
PID:4420

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
45⤵
- Modifies Windows Firewall
PID:3216

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
45⤵
- Modifies Windows Firewall
PID:3428

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
45⤵
- Executes dropped EXE
- Checks computer location settings
PID:1716

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
46⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
47⤵
- Modifies Windows Firewall
PID:3740

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
47⤵
- Modifies Windows Firewall
PID:4396

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
47⤵
PID:4440

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
47⤵
- Executes dropped EXE
- Checks computer location settings
PID:1972

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
48⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
49⤵
- Modifies Windows Firewall
PID:3260

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
49⤵
- Modifies Windows Firewall
PID:1764

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
49⤵
- Modifies Windows Firewall
PID:3304

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
49⤵
- Executes dropped EXE
PID:2184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Program Files (x86)\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a080181c5938cd7611a562e79328fc0Windows Update.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
3eb8a6afa534fadc147aa70dea76e863

SHA1
03b827d99098f69c9f126679598f7166c99d1624

SHA256
d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

SHA512
b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Desktop\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Documents\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Users\Admin\Favorites\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
C:\Windows\SysWOW64\Explower.exe
Filesize
93KB

MD5
edaf154b94f8808071e089661c89412e

SHA1
31b1c1eefe489f1f348002d5b01870b268b24ca0

SHA256
20184619a871dccba37b64770f1ce258c11b1406302b7d8f0a1c2957c4bcd393

SHA512
8461f866a721daf7d78e4b942f6c73a89db84edc3fdef34aa5e2fc4f5bb5d43c57bba9b7d164819cd2fd9f155e946439e9a9ab1ff9bcbc5f1dbedf406314c0ae

Download Submit
memory/624-289-0x0000000000000000-mapping.dmp

Download
memory/804-270-0x0000000000000000-mapping.dmp

Download
memory/820-298-0x0000000000000000-mapping.dmp

Download
memory/860-281-0x0000000000000000-mapping.dmp

Download
memory/1164-236-0x0000000000000000-mapping.dmp

Download
memory/1248-263-0x0000000000000000-mapping.dmp

Download
memory/1440-308-0x0000000000000000-mapping.dmp

Download
memory/1520-243-0x0000000000000000-mapping.dmp

Download
memory/1524-297-0x0000000000000000-mapping.dmp

Download
memory/1756-272-0x0000000000000000-mapping.dmp

Download
memory/1768-318-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1768-319-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/1848-299-0x0000000000000000-mapping.dmp

Download
memory/2028-290-0x0000000000000000-mapping.dmp

Download
memory/2096-205-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2096-200-0x0000000000000000-mapping.dmp

Download
memory/2096-209-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2100-176-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2100-180-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2100-170-0x0000000000000000-mapping.dmp

Download
memory/2112-206-0x0000000000000000-mapping.dmp

Download
memory/2112-211-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2112-229-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2124-253-0x0000000000000000-mapping.dmp

Download
memory/2200-306-0x0000000000000000-mapping.dmp

Download
memory/2324-311-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2324-310-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2396-131-0x0000000000000000-mapping.dmp

Download
memory/2396-137-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2396-144-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2448-212-0x0000000000000000-mapping.dmp

Download
memory/2556-320-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2556-321-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/2576-280-0x0000000000000000-mapping.dmp

Download
memory/2784-183-0x0000000000000000-mapping.dmp

Download
memory/2816-198-0x0000000000000000-mapping.dmp

Download
memory/3092-275-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3092-273-0x0000000000000000-mapping.dmp

Download
memory/3092-277-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3096-279-0x0000000000000000-mapping.dmp

Download
memory/3128-244-0x0000000000000000-mapping.dmp

Download
memory/3180-295-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3180-293-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3180-291-0x0000000000000000-mapping.dmp

Download
memory/3188-267-0x0000000000000000-mapping.dmp

Download
memory/3188-269-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3188-274-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3196-278-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3196-276-0x0000000000000000-mapping.dmp

Download
memory/3196-283-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3220-268-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3220-266-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3220-264-0x0000000000000000-mapping.dmp

Download
memory/3524-286-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3524-282-0x0000000000000000-mapping.dmp

Download
memory/3524-168-0x0000000000000000-mapping.dmp

Download
memory/3524-284-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3540-304-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3540-300-0x0000000000000000-mapping.dmp

Download
memory/3540-302-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3588-146-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3588-141-0x0000000000000000-mapping.dmp

Download
memory/3588-150-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3600-138-0x0000000000000000-mapping.dmp

Download
memory/3612-307-0x0000000000000000-mapping.dmp

Download
memory/3648-167-0x0000000000000000-mapping.dmp

Download
memory/3660-231-0x0000000000000000-mapping.dmp

Download
memory/3660-238-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3660-233-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3688-249-0x0000000000000000-mapping.dmp

Download
memory/3688-251-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3688-256-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3724-250-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3724-248-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3724-246-0x0000000000000000-mapping.dmp

Download
memory/3836-241-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3836-237-0x0000000000000000-mapping.dmp

Download
memory/3836-239-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3860-227-0x0000000000000000-mapping.dmp

Download
memory/3908-247-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3908-240-0x0000000000000000-mapping.dmp

Download
memory/3908-242-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3924-309-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3924-261-0x0000000000000000-mapping.dmp

Download
memory/3924-303-0x0000000000000000-mapping.dmp

Download
memory/3924-305-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/3932-245-0x0000000000000000-mapping.dmp

Download
memory/4068-288-0x0000000000000000-mapping.dmp

Download
memory/4092-312-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4092-313-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4092-226-0x0000000000000000-mapping.dmp

Download
memory/4124-153-0x0000000000000000-mapping.dmp

Download
memory/4132-294-0x0000000000000000-mapping.dmp

Download
memory/4132-301-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4132-252-0x0000000000000000-mapping.dmp

Download
memory/4132-296-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4224-140-0x0000000000000000-mapping.dmp

Download
memory/4316-174-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4316-152-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4316-147-0x0000000000000000-mapping.dmp

Download
memory/4368-234-0x0000000000000000-mapping.dmp

Download
memory/4460-317-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4460-316-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-315-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4468-314-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4500-139-0x0000000000000000-mapping.dmp

Download
memory/4512-292-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4512-285-0x0000000000000000-mapping.dmp

Download
memory/4512-287-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4544-258-0x0000000000000000-mapping.dmp

Download
memory/4544-197-0x0000000000000000-mapping.dmp

Download
memory/4544-265-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4544-260-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-259-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4676-255-0x0000000000000000-mapping.dmp

Download
memory/4676-257-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4724-254-0x0000000000000000-mapping.dmp

Download
memory/4840-135-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4840-130-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4964-230-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4964-271-0x0000000000000000-mapping.dmp

Download
memory/4964-228-0x0000000000000000-mapping.dmp

Download
memory/4964-232-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/4972-262-0x0000000000000000-mapping.dmp

Download
memory/5012-235-0x0000000000000000-mapping.dmp

Download
memory/5020-203-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/5020-182-0x0000000074E80000-0x0000000075431000-memory.dmp

Filesize
5.7MB

Download
memory/5020-177-0x0000000000000000-mapping.dmp

Download