892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2

Analysis

max time kernel
20s
max time network
151s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Size

36KB
MD5

13f58c8322f1115e391ca4193d843107
SHA1

1e5e9780c26833ee9fb7707442291ddf4dcb2a9b
SHA256

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2
SHA512

1e06e1ec7cf3f2776b556034dadc7bec6334c5203c16fcaa8ddb5ce7489bf83baf9399078e9d548ba2ca63ee3d0317fddc2f6281a2acd81c239f57f20bf67e91
SSDEEP

384:v9OJ84RJ/QPkZ+VBvKdMAUoHLXZW7O/daeA0FRh:1OJVDIPo+VV+MAhc0daK/

Score

10^/10

evasion trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Public\Documents\Class.dll	acprotect
\Users\Public\Documents\Class.dll	acprotect
C:\Users\Public\Documents\Class.dll	acprotect
\Users\Public\Documents\Class.dll	acprotect

Blocklisted process makes network request 2 IoCs

Processes:

wscript.exewscript.exe

flow pid process

2 1160 wscript.exe
2 1160 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

k4.exek4.exek4.exek4.exe

pid process

1848 k4.exe
1804 k4.exe
1848 k4.exe
1804 k4.exe

flow	pid	process
2	1160	wscript.exe
2	1160	wscript.exe

pid	process
1848	k4.exe
1804	k4.exe
1848	k4.exe
1804	k4.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\Documents\Class.dll	upx
\Users\Public\Documents\Class.dll	upx
behavioral1/memory/1720-60-0x0000000010000000-0x0000000010072000-memory.dmp	upx
C:\Users\Public\Documents\Class.dll	upx
\Users\Public\Documents\Class.dll	upx
behavioral1/memory/1720-60-0x0000000010000000-0x0000000010072000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

pid	process
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1512 taskkill.exe
1512 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

k4.exek4.exe

description pid process

Token: SeLoadDriverPrivilege 1804 k4.exe
Token: SeLoadDriverPrivilege 1804 k4.exe

pid	process
1512	taskkill.exe
1512	taskkill.exe

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	pid	process
Token: SeLoadDriverPrivilege	1804	k4.exe
Token: SeLoadDriverPrivilege	1804	k4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

pid	process
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.execmd.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.execmd.exe

description	pid	process	target process
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1160	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	wscript.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1848	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1804	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	k4.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1720 wrote to memory of 1060	1720	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe	cmd.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe
PID 1060 wrote to memory of 1512	1060	cmd.exe	taskkill.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe

C:\Users\Admin\AppData\Local\Temp\892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
"C:\Users\Admin\AppData\Local\Temp\892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720

C:\Windows\SysWOW64\wscript.exe
wscript.exe C:\Users\Public\Documents\Class.vbs
2⤵
- Blocklisted process makes network request
PID:1160

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe /D
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /t /im k4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im k4.exe
3⤵
- Kills process with taskkill
PID:1512

C:\Users\Admin\AppData\Local\Temp\892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe
"C:\Users\Admin\AppData\Local\Temp\892c3026cd622fcc1cd6cbc814bc05e696984aaa60e6a914f9c575269d5421e2.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720

C:\Windows\SysWOW64\wscript.exe
wscript.exe C:\Users\Public\Documents\Class.vbs
2⤵
- Blocklisted process makes network request
PID:1160

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Users\Public\Documents\k4.exe
C:/Users/Public/Documents/k4.exe /D
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /t /im k4.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im k4.exe
3⤵
- Kills process with taskkill
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\Class.dll
Filesize
164KB

MD5
f1703098d7b3dd8a63b71a9b86f1a7de

SHA1
accaf416729123839b5d91556e0edb3980e72e7a

SHA256
53e9e04b769a462c1bcc7a2d52a667eaa2e103af11667202618a5d66515c5c0c

SHA512
b8ca6f3f0f8d22ba74e07a4cead893bd83445231a91e45bfb9ad44e92ee80a85053986cee853f3325e66d417977597ea641e749ae4a6ee32ac7e38eb0c90d465

Download Submit
C:\Users\Public\Documents\Class.dll
Filesize
164KB

MD5
f1703098d7b3dd8a63b71a9b86f1a7de

SHA1
accaf416729123839b5d91556e0edb3980e72e7a

SHA256
53e9e04b769a462c1bcc7a2d52a667eaa2e103af11667202618a5d66515c5c0c

SHA512
b8ca6f3f0f8d22ba74e07a4cead893bd83445231a91e45bfb9ad44e92ee80a85053986cee853f3325e66d417977597ea641e749ae4a6ee32ac7e38eb0c90d465

Download Submit
C:\Users\Public\Documents\Class.vbs
Filesize
783B

MD5
1e5feb038a8e3d84b9a49284ed5af666

SHA1
0cabcbee2351ed74e42b2245649001e60fe29c83

SHA256
5cd2b20227f705a6b35045927f0191a77678c025ad17fa6b2d0a367c3d1311b7

SHA512
0d26a38b9b5385892b92b3ff27ac66dff7e785a6d8fbe2925e4141a91e249c6fa181d5860fcdb56673f6d7d7b93601a2adeee8315092c382bcbcac7f5f1bd6c0

Download Submit
C:\Users\Public\Documents\Class.vbs
Filesize
783B

MD5
1e5feb038a8e3d84b9a49284ed5af666

SHA1
0cabcbee2351ed74e42b2245649001e60fe29c83

SHA256
5cd2b20227f705a6b35045927f0191a77678c025ad17fa6b2d0a367c3d1311b7

SHA512
0d26a38b9b5385892b92b3ff27ac66dff7e785a6d8fbe2925e4141a91e249c6fa181d5860fcdb56673f6d7d7b93601a2adeee8315092c382bcbcac7f5f1bd6c0

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
C:\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
\Users\Public\Documents\Class.dll
Filesize
164KB

MD5
f1703098d7b3dd8a63b71a9b86f1a7de

SHA1
accaf416729123839b5d91556e0edb3980e72e7a

SHA256
53e9e04b769a462c1bcc7a2d52a667eaa2e103af11667202618a5d66515c5c0c

SHA512
b8ca6f3f0f8d22ba74e07a4cead893bd83445231a91e45bfb9ad44e92ee80a85053986cee853f3325e66d417977597ea641e749ae4a6ee32ac7e38eb0c90d465

Download Submit
\Users\Public\Documents\Class.dll
Filesize
164KB

MD5
f1703098d7b3dd8a63b71a9b86f1a7de

SHA1
accaf416729123839b5d91556e0edb3980e72e7a

SHA256
53e9e04b769a462c1bcc7a2d52a667eaa2e103af11667202618a5d66515c5c0c

SHA512
b8ca6f3f0f8d22ba74e07a4cead893bd83445231a91e45bfb9ad44e92ee80a85053986cee853f3325e66d417977597ea641e749ae4a6ee32ac7e38eb0c90d465

Download Submit
\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
\Users\Public\Documents\k4.exe
Filesize
892KB

MD5
33e29221e2825001d32f78632217d250

SHA1
9122127fc91790a1edb78003e9b58a9b00355ed5

SHA256
65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

SHA512
01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

Download Submit
memory/1060-69-0x0000000000000000-mapping.dmp

Download
memory/1060-69-0x0000000000000000-mapping.dmp

Download
memory/1160-55-0x0000000000000000-mapping.dmp

Download
memory/1160-55-0x0000000000000000-mapping.dmp

Download
memory/1512-70-0x0000000000000000-mapping.dmp

Download
memory/1512-70-0x0000000000000000-mapping.dmp

Download
memory/1720-60-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1720-60-0x0000000010000000-0x0000000010072000-memory.dmp

Filesize
456KB

Download
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download
memory/1804-66-0x0000000000000000-mapping.dmp

Download
memory/1804-66-0x0000000000000000-mapping.dmp

Download
memory/1848-62-0x0000000000000000-mapping.dmp

Download
memory/1848-64-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1848-62-0x0000000000000000-mapping.dmp

Download
memory/1848-64-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download