gh0strat | 96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Size

216KB
MD5

6b5087f85b7a37a302f18e1ba23d3300
SHA1

53a9ef2d5c02838aa7cfad9b6e34a8f1b2d6da9e
SHA256

96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91
SHA512

b0681de69259495ec96e4f34c1f5fa2b8b033350c884fac1b3ddab10ad9f82cb0649e5cbd217a885e05a75b4421b37d18cde02a2c1bca78df40fb7c0fa0097ff
SSDEEP

6144:XAVrnWFcfFtsFkVRTl0QdTmNPPYhGURPPD:XyrWFG+kV1KIo+HnD

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 42 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022de6-133.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-134.dat	family_gh0strat
behavioral2/memory/4936-135-0x0000000000400000-0x0000000000436000-memory.dmp	family_gh0strat
behavioral2/files/0x0004000000022de6-136.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-137.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-138.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-139.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-140.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-141.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-142.dat	family_gh0strat
behavioral2/files/0x0004000000022de6-143.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-144.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-145.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-146.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-147.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-148.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-149.dat	family_gh0strat
behavioral2/files/0x0006000000022de6-150.dat	family_gh0strat
behavioral2/files/0x001e00000001f01a-151.dat	family_gh0strat
behavioral2/files/0x001e00000001f01a-152.dat	family_gh0strat
behavioral2/files/0x001e00000001f01a-153.dat	family_gh0strat
behavioral2/files/0x001e00000001f01a-154.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-155.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-156.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-157.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-158.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-159.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-160.dat	family_gh0strat
behavioral2/files/0x002000000001f01a-161.dat	family_gh0strat
behavioral2/files/0x001400000000071f-162.dat	family_gh0strat
behavioral2/files/0x001400000000071f-163.dat	family_gh0strat
behavioral2/files/0x001400000000071f-164.dat	family_gh0strat
behavioral2/files/0x001400000000071f-165.dat	family_gh0strat
behavioral2/files/0x001600000000071f-166.dat	family_gh0strat
behavioral2/files/0x001600000000071f-167.dat	family_gh0strat
behavioral2/files/0x001600000000071f-168.dat	family_gh0strat
behavioral2/files/0x001600000000071f-169.dat	family_gh0strat
behavioral2/files/0x001600000000071f-170.dat	family_gh0strat
behavioral2/files/0x001600000000071f-171.dat	family_gh0strat
behavioral2/files/0x001600000000071f-172.dat	family_gh0strat
behavioral2/files/0x001800000000071f-173.dat	family_gh0strat
behavioral2/files/0x001800000000071f-174.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 34 IoCs

pid	Process
1792	svchost.exe
724	svchost.exe
2204	svchost.exe
2396	svchost.exe
4448	svchost.exe
3964	svchost.exe
2936	svchost.exe
2036	svchost.exe
4228	svchost.exe
1840	svchost.exe
4120	svchost.exe
880	svchost.exe
4560	svchost.exe
4520	svchost.exe
4368	svchost.exe
1544	svchost.exe
2252	svchost.exe
2368	svchost.exe
1084	svchost.exe
1496	svchost.exe
808	svchost.exe
616	svchost.exe
1308	svchost.exe
2004	svchost.exe
3220	svchost.exe
2980	svchost.exe
380	svchost.exe
2076	svchost.exe
5004	svchost.exe
5092	svchost.exe
2772	svchost.exe
1576	svchost.exe
2280	svchost.exe
3904	svchost.exe

Program crash 33 IoCs

pid	pid_target	Process	procid_target
3520	1792	WerFault.exe	86
1084	724	WerFault.exe	92
1496	2204	WerFault.exe	95
2308	2396	WerFault.exe	96
3780	4448	WerFault.exe	101
3684	3964	WerFault.exe	104
4468	2936	WerFault.exe	108
5012	2036	WerFault.exe	111
2916	4228	WerFault.exe	114
1936	1840	WerFault.exe	117
3460	4120	WerFault.exe	120
4128	880	WerFault.exe	123
3556	4560	WerFault.exe	126
4940	4520	WerFault.exe	129
4816	4368	WerFault.exe	132
3392	1544	WerFault.exe	135
5112	2252	WerFault.exe	138
3948	2368	WerFault.exe	141
3952	1084	WerFault.exe	144
3960	1496	WerFault.exe	147
2388	808	WerFault.exe	150
2376	616	WerFault.exe	151
3684	1308	WerFault.exe	156
1984	2004	WerFault.exe	159
1232	3220	WerFault.exe	162
668	2980	WerFault.exe	165
3248	380	WerFault.exe	168
5104	2076	WerFault.exe	171
3104	5004	WerFault.exe	174
4356	5092	WerFault.exe	177
4176	2772	WerFault.exe	178
1500	1576	WerFault.exe	183
3556	2280	WerFault.exe	186

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeBackupPrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
Token: SeRestorePrivilege	4936	96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe

C:\Users\Admin\AppData\Local\Temp\96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe
"C:\Users\Admin\AppData\Local\Temp\96698447ddd51cf88f039611437fb113e47205ed62fd2f062a723b04602d2a91.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 592
  2⤵
  - Program crash
  PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1792 -ip 1792
1⤵
PID:2324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 592
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 724 -ip 724
1⤵
PID:3888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 592
  2⤵
  - Program crash
  PID:1496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:2396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 592
  2⤵
  - Program crash
  PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2204 -ip 2204
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2396 -ip 2396
1⤵
PID:4544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 432
  2⤵
  - Program crash
  PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4448 -ip 4448
1⤵
PID:4900

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 592
  2⤵
  - Program crash
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3964 -ip 3964
1⤵
PID:1288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 604
  2⤵
  - Program crash
  PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2936 -ip 2936
1⤵
PID:2696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:2036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 592
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2036 -ip 2036
1⤵
PID:2720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:4228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 592
  2⤵
  - Program crash
  PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4228 -ip 4228
1⤵
PID:2488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:1840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 592
  2⤵
  - Program crash
  PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1840 -ip 1840
1⤵
PID:4328

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 592
  2⤵
  - Program crash
  PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4120 -ip 4120
1⤵
PID:1972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 432
  2⤵
  - Program crash
  PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 880 -ip 880
1⤵
PID:3596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:4560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 592
  2⤵
  - Program crash
  PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4560 -ip 4560
1⤵
PID:4580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 592
  2⤵
  - Program crash
  PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4520 -ip 4520
1⤵
PID:3868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:4368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 592
  2⤵
  - Program crash
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4368 -ip 4368
1⤵
PID:2508

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:1544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 600
  2⤵
  - Program crash
  PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1544 -ip 1544
1⤵
PID:4376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:2252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 592
  2⤵
  - Program crash
  PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2252 -ip 2252
1⤵
PID:3492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:2368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 600
  2⤵
  - Program crash
  PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2368 -ip 2368
1⤵
PID:3616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 592
  2⤵
  - Program crash
  PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1084 -ip 1084
1⤵
PID:4496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:1496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 592
  2⤵
  - Program crash
  PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1496 -ip 1496
1⤵
PID:3364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
- Loads dropped DLL
PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 592
  2⤵
  - Program crash
  PID:2388

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 596
  2⤵
  - Program crash
  PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 808 -ip 808
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 616 -ip 616
1⤵
PID:4848

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:1308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 596
  2⤵
  - Program crash
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1308 -ip 1308
1⤵
PID:3176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
- Loads dropped DLL
PID:2004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 592
  2⤵
  - Program crash
  PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2004 -ip 2004
1⤵
PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:3220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 592
  2⤵
  - Program crash
  PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3220 -ip 3220
1⤵
PID:4008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:2980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 592
  2⤵
  - Program crash
  PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2980 -ip 2980
1⤵
PID:4196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
- Loads dropped DLL
PID:380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 592
  2⤵
  - Program crash
  PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 380 -ip 380
1⤵
PID:3308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:2076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 600
  2⤵
  - Program crash
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2076 -ip 2076
1⤵
PID:2220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 592
  2⤵
  - Program crash
  PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 5004 -ip 5004
1⤵
PID:5024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
- Loads dropped DLL
PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 592
  2⤵
  - Program crash
  PID:4356

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 592
  2⤵
  - Program crash
  PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 5092 -ip 5092
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2772 -ip 2772
1⤵
PID:2332

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 604
  2⤵
  - Program crash
  PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1576 -ip 1576
1⤵
PID:4460

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s pcaudit
1⤵
- Loads dropped DLL
PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 592
  2⤵
  - Program crash
  PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2280 -ip 2280
1⤵
PID:2312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
1⤵
- Loads dropped DLL
PID:3904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.0MB

MD5
8686a329e6fe29d6602647273f7c0757

SHA1
dbab347f4a1db9b1e828ae0566bed677783d1a29

SHA256
2432a1c11c9e7bbd44d8abf6d3a30983ebc4a07fa80475ea56c370c72c2c3a32

SHA512
3c324ca466a521365070e5aafb0d96e07562ff3a512c7a162958dc30480006c22e8c96e623f5c46510c6f38d1da003a1266d73e112ad09f597d896b41ee3f320

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.0MB

MD5
8686a329e6fe29d6602647273f7c0757

SHA1
dbab347f4a1db9b1e828ae0566bed677783d1a29

SHA256
2432a1c11c9e7bbd44d8abf6d3a30983ebc4a07fa80475ea56c370c72c2c3a32

SHA512
3c324ca466a521365070e5aafb0d96e07562ff3a512c7a162958dc30480006c22e8c96e623f5c46510c6f38d1da003a1266d73e112ad09f597d896b41ee3f320

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.0MB

MD5
8686a329e6fe29d6602647273f7c0757

SHA1
dbab347f4a1db9b1e828ae0566bed677783d1a29

SHA256
2432a1c11c9e7bbd44d8abf6d3a30983ebc4a07fa80475ea56c370c72c2c3a32

SHA512
3c324ca466a521365070e5aafb0d96e07562ff3a512c7a162958dc30480006c22e8c96e623f5c46510c6f38d1da003a1266d73e112ad09f597d896b41ee3f320

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
8.3MB

MD5
2ccd93bd89d8147928c39ed93e4a664f

SHA1
77a06e6814add63b7df77d7d5ff7775a3903c763

SHA256
582ec0209b886c9983988bf4a288d68e4a4c12492fb37888f908e813bac710f5

SHA512
5c6e9ed700cb1d1d7aedcc68920bcc07c823e917a8d6bf02d80d51a7c88f9238015642a9ecb992bdd9e9e18704a1faa29708b06d335e8de9c73062b71dac60d0

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.0MB

MD5
e2603789ef001dff3e13efbd2f638fd8

SHA1
094ff3c56ccf06cdb3881be5e6964bc40c45124a

SHA256
7f497347b00b662a4c9ca452f333d40f6f497008d2210fb0ca2443fc9b3e1af6

SHA512
cd4da97e44b2c6e7664ba848755803322061339c238a86aff95f102f72fad6c7eb98bfb6b6c168bafc1337d8e075b623abed2cbd942385014bd28f31b1c4e2c0

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.0MB

MD5
e2603789ef001dff3e13efbd2f638fd8

SHA1
094ff3c56ccf06cdb3881be5e6964bc40c45124a

SHA256
7f497347b00b662a4c9ca452f333d40f6f497008d2210fb0ca2443fc9b3e1af6

SHA512
cd4da97e44b2c6e7664ba848755803322061339c238a86aff95f102f72fad6c7eb98bfb6b6c168bafc1337d8e075b623abed2cbd942385014bd28f31b1c4e2c0

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
21.0MB

MD5
e2603789ef001dff3e13efbd2f638fd8

SHA1
094ff3c56ccf06cdb3881be5e6964bc40c45124a

SHA256
7f497347b00b662a4c9ca452f333d40f6f497008d2210fb0ca2443fc9b3e1af6

SHA512
cd4da97e44b2c6e7664ba848755803322061339c238a86aff95f102f72fad6c7eb98bfb6b6c168bafc1337d8e075b623abed2cbd942385014bd28f31b1c4e2c0

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
C:\Users\Admin\AppData\Roaming\%SESSIONNAME%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
21.1MB

MD5
ed0e6ae8e6c8e0d16943acbac39b8e50

SHA1
329923d4156b7194991d17cbde1a2724ecaf7307

SHA256
5bd2292733c757fa0a4418a7c658fc18a029067a530d3bee71be0766fa0fa1be

SHA512
b181333162dd3a834235d631a84bc8d22f01c1c6fd908bdab0bd57ef31db5509463ee8a653a8666b980ee272051d756502046509456db108c9fb290d27ec3281

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
19.0MB

MD5
e54dfc896ef039c55892fb58fe948201

SHA1
5c940292a868c441d85f552ee3622081debfedc7

SHA256
d0b715b35751c3c3415631d6db455a936e1bac0121fc7d664e993d32ffa580df

SHA512
f6fe85d8847b6126564a9eb535247c6b33b1787305b33506e2063d040c4b30261442f9c21501aed369c3d030e76095a504f8acb72e4d0701b7f9e72c457471d7

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
20.0MB

MD5
8686a329e6fe29d6602647273f7c0757

SHA1
dbab347f4a1db9b1e828ae0566bed677783d1a29

SHA256
2432a1c11c9e7bbd44d8abf6d3a30983ebc4a07fa80475ea56c370c72c2c3a32

SHA512
3c324ca466a521365070e5aafb0d96e07562ff3a512c7a162958dc30480006c22e8c96e623f5c46510c6f38d1da003a1266d73e112ad09f597d896b41ee3f320

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
24.0MB

MD5
3442d0ce2e1eb02f71a0b43ee63f4eb4

SHA1
ef9b198905003a6e9977142f19a222eed5da3903

SHA256
abf73aa758b9af0d3782c851ce7c1aea5c4c8200145528a522369bd795abea90

SHA512
b7a44d032e71b7bc4ca69ffe5cb756127f2928631ecdcb57abb4f2ea4e867d0b7b6d25a56c7c68a9da0f8b3370609cf4d29e57d5ec090d3db958378050d5e27a

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
9.9MB

MD5
8bcf964be309aece8314e3e721bea620

SHA1
c4dbc0d89dbe597ea837c476d987ba248ea3f09e

SHA256
434578d8f2d1d0dc24b5b56f433e2a76a82589638f50519013f72dba34f14c76

SHA512
d084191d1b471b52f65a31558ca6328dddf72fb23591001f11ca96510034384081514217cd41f57ad6827223ff1568d1e7163221295562cddd91d0e3375ce4ab

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
21.0MB

MD5
e2603789ef001dff3e13efbd2f638fd8

SHA1
094ff3c56ccf06cdb3881be5e6964bc40c45124a

SHA256
7f497347b00b662a4c9ca452f333d40f6f497008d2210fb0ca2443fc9b3e1af6

SHA512
cd4da97e44b2c6e7664ba848755803322061339c238a86aff95f102f72fad6c7eb98bfb6b6c168bafc1337d8e075b623abed2cbd942385014bd28f31b1c4e2c0

Download Submit
\??\c:\users\admin\application data\%sessionname%\mndkn.pic

Filesize
20.1MB

MD5
aa6d908983bb9672b74741e4fff14419

SHA1
8d032c81d7c3f601e6cd3f7ceb79ebea738f918e

SHA256
bc1d1c6e86c2adadc84807b867e32c328ddfc76344c26efba291aef2628de9de

SHA512
4f0136e3c1afaf5f284ca284915aae0e45916b2b342600b3c2a2f774de1be0bbfbe512a9b83d6fc30a042950da5ee007269cc1a237ce701d4d89bc7dcbe8d8df

Download Submit
memory/4936-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download