warzonerat | 4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

Analysis

max time kernel
153s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
22-11-2022 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ 17253536373.exe
Size

1015KB
MD5

f8a2ad4544d211df3b2698e5cecaf2dc
SHA1

b2045de3aaa3c49ebb35f25771d762cf70c5a3fa
SHA256

4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641
SHA512

fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd
SSDEEP

24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

74.119.192.210:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

4784 images.exe
4560 images.exe

pid	process
4784	images.exe
4560	images.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

images.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	images.exe

Drops startup file 2 IoCs

Processes:

RFQ 17253536373.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	RFQ 17253536373.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	RFQ 17253536373.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4876 svchost.exe

pid	process
4876	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

images.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wxcmupH = "0"	images.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	images.exe

Drops file in System32 directory 2 IoCs

Processes:

images.exe

description ioc process

File opened for modification C:\Windows\System32\rfxvmt.dll images.exe
File created C:\Windows\System32\rfxvmt.dll images.exe

description	ioc	process
File opened for modification	C:\Windows\System32\rfxvmt.dll	images.exe
File created	C:\Windows\System32\rfxvmt.dll	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ 17253536373.exeimages.exe

description	pid	process	target process
PID 3060 set thread context of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 4784 set thread context of 4560	4784	images.exe	images.exe

Drops file in Program Files directory 2 IoCs

Processes:

images.exe

description ioc process

File created C:\Program Files\Microsoft DN1\sqlmap.dll images.exe
File created C:\Program Files\Microsoft DN1\rdpwrap.ini images.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1488 schtasks.exe
2096 schtasks.exe
NTFS ADS 1 IoCs

Processes:

RFQ 17253536373.exe

description ioc process

File created C:\ProgramData:ApplicationData RFQ 17253536373.exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	images.exe
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	images.exe

pid	process
1488	schtasks.exe
2096	schtasks.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	RFQ 17253536373.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

RFQ 17253536373.exepowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
3060	RFQ 17253536373.exe
3060	RFQ 17253536373.exe
3060	RFQ 17253536373.exe
4372	powershell.exe
1148	powershell.exe
4372	powershell.exe
1148	powershell.exe
1148	powershell.exe
4372	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
4784	images.exe
4784	images.exe
4784	images.exe
3884	powershell.exe
2036	powershell.exe
2036	powershell.exe
3884	powershell.exe
2036	powershell.exe
3884	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
4876	svchost.exe
4876	svchost.exe
4876	svchost.exe
4876	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

RFQ 17253536373.exepowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exepowershell.exeimages.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3060	RFQ 17253536373.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4784	images.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	4560	images.exe
Token: SeAuditPrivilege	4876	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

images.exe

pid process

4560 images.exe

pid	process
4560	images.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

RFQ 17253536373.exeRFQ 17253536373.execmd.exeimages.exeimages.exe

description	pid	process	target process
PID 3060 wrote to memory of 1148	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 1148	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 1148	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 4372	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 4372	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 4372	3060	RFQ 17253536373.exe	powershell.exe
PID 3060 wrote to memory of 1488	3060	RFQ 17253536373.exe	schtasks.exe
PID 3060 wrote to memory of 1488	3060	RFQ 17253536373.exe	schtasks.exe
PID 3060 wrote to memory of 1488	3060	RFQ 17253536373.exe	schtasks.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3060 wrote to memory of 3152	3060	RFQ 17253536373.exe	RFQ 17253536373.exe
PID 3152 wrote to memory of 3784	3152	RFQ 17253536373.exe	powershell.exe
PID 3152 wrote to memory of 3784	3152	RFQ 17253536373.exe	powershell.exe
PID 3152 wrote to memory of 3784	3152	RFQ 17253536373.exe	powershell.exe
PID 3152 wrote to memory of 4772	3152	RFQ 17253536373.exe	cmd.exe
PID 3152 wrote to memory of 4772	3152	RFQ 17253536373.exe	cmd.exe
PID 3152 wrote to memory of 4772	3152	RFQ 17253536373.exe	cmd.exe
PID 3152 wrote to memory of 4784	3152	RFQ 17253536373.exe	images.exe
PID 3152 wrote to memory of 4784	3152	RFQ 17253536373.exe	images.exe
PID 3152 wrote to memory of 4784	3152	RFQ 17253536373.exe	images.exe
PID 4772 wrote to memory of 4252	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4252	4772	cmd.exe	reg.exe
PID 4772 wrote to memory of 4252	4772	cmd.exe	reg.exe
PID 4784 wrote to memory of 3884	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 3884	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 3884	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 2036	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 2036	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 2036	4784	images.exe	powershell.exe
PID 4784 wrote to memory of 2096	4784	images.exe	schtasks.exe
PID 4784 wrote to memory of 2096	4784	images.exe	schtasks.exe
PID 4784 wrote to memory of 2096	4784	images.exe	schtasks.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4784 wrote to memory of 4560	4784	images.exe	images.exe
PID 4560 wrote to memory of 3784	4560	images.exe	powershell.exe
PID 4560 wrote to memory of 3784	4560	images.exe	powershell.exe
PID 4560 wrote to memory of 3784	4560	images.exe	powershell.exe
PID 4560 wrote to memory of 1556	4560	images.exe	cmd.exe
PID 4560 wrote to memory of 1556	4560	images.exe	cmd.exe
PID 4560 wrote to memory of 1556	4560	images.exe	cmd.exe
PID 4560 wrote to memory of 1556	4560	images.exe	cmd.exe
PID 4560 wrote to memory of 1556	4560	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yOQsDFUUU.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOQsDFUUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41CC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.exe"
  2⤵
  - Drops startup file
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
      4⤵
      PID:4252
- - C:\ProgramData\images.exe
    "C:\ProgramData\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\images.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yOQsDFUUU.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2036
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOQsDFUUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21FA.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2096
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      Sets DLL path for service in the registry
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        5⤵
        
        PID:1556

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe

Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe

Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe

Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3dee3facb0f5dbe325101ec554a63824

SHA1
c4345c0b96127d5f7e32861e3f2d1adaacee9978

SHA256
3cd6fb65bf0e0b664fa3fe149e429499ab5ee24d5856f7c4dd1bf63a23e1c08d

SHA512
a9237694a96ef08085dacb66cf49cca22fb7121fbd1a1ac719f129de41218bebc6a53e5bd2d8ca5c1f1e03d175d71d2fda00f81bd0ba1126c7d2b4a73fe4ecf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
796B

MD5
99c62d84cf61413f2c7945e5d5e034bd

SHA1
ba1b1237c432493a4ac755b129ffeac0fcd9b35e

SHA256
faa8fd5ca1bad9b04afc9d0a963ab4b2528b9f9515be416e29a5372a329ae7b0

SHA512
d32e2d8dfd61a0937bdaa4e13953905dcc79bf3d9194fdc7c225375ed0adcf7fc60a36439b64006b41cbc2c3edc2052f6accfe62d387cd7c6b70b3b75ff0387d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1c9ab00f7f4f44380d97067cfbbae52d

SHA1
d5a6675f2ef6b4ad53f27884ddb4808f340fd96f

SHA256
9b9b69070eb769e787a2683f21dc56e53dc8d8c2088ed7b99e5b5c8c6960a86f

SHA512
a0f2a46a1b4a4693313419ee2adc686eb8626973c3fced20f3596df87449bd7a4384837e80ec6b8731d0cfb7b1b44ac9c845abda013313b354e52840233846f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7ccf125221698dac25d3c79795f31c4a

SHA1
d7837320bf7f6689147bdf6f0570954e1082f2f5

SHA256
e4100fba58f6b3f8d7408534fe9fb974ec5cabe83e1e8d99acc40e1c0543bac4

SHA512
cdcd99bb7aa886427c787aedc7804ef4039f17a505d79788f9fee96c535e44b142cc2dbda440009007927a3f046b039aa71145adc593e053734f4eb9e5bcfdeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
2KB

MD5
efb5a739bbb2c387aee132f361d53f5a

SHA1
75b1a7ef45e366e1094a55c58b0126875dbdf1b4

SHA256
af527ea988c0abe32c3cfbaded0eb5f638ef919dc016c1daeb50cfb228bb751c

SHA512
cbaf8c7a86a57609d76ad546687ca87de020e74fe0c4f75952521b59c72efbc5d808c2b2086e98fc87fc9d96ea51f970a4f47e67e6e5b1687febfc2181908973

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp21FA.tmp

Filesize
1KB

MD5
cc1181c42bb1af864f05d9b609cf2ff1

SHA1
e219e2a1e4ea528ea29b70d441900178e594c73b

SHA256
0348fda9f9964d168c76a7488d7b2cf6b3b1f4e36a8e8936a4b406b147d910e8

SHA512
ea9f569bbaacc6c0abae2849faa7aeaa221678be8d4874cedefbcf377951203c8cf69565983b289934ff75e85798902879ba94617e848e7d15246e37b1f69c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41CC.tmp

Filesize
1KB

MD5
cc1181c42bb1af864f05d9b609cf2ff1

SHA1
e219e2a1e4ea528ea29b70d441900178e594c73b

SHA256
0348fda9f9964d168c76a7488d7b2cf6b3b1f4e36a8e8936a4b406b147d910e8

SHA512
ea9f569bbaacc6c0abae2849faa7aeaa221678be8d4874cedefbcf377951203c8cf69565983b289934ff75e85798902879ba94617e848e7d15246e37b1f69c0a

Download Submit
\??\c:\program files\microsoft dn1\rdpwrap.ini

Filesize
177KB

MD5
6bc395161b04aa555d5a4e8eb8320020

SHA1
f18544faa4bd067f6773a373d580e111b0c8c300

SHA256
23390dfcda60f292ba1e52abb5ba2f829335351f4f9b1d33a9a6ad7a9bf5e2be

SHA512
679ac80c26422667ca5f2a6d9f0e022ef76bc9b09f97ad390b81f2e286446f0658524ccc8346a6e79d10e42131bc428f7c0ce4541d44d83af8134c499436daae

Download Submit
\??\c:\program files\microsoft dn1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
memory/1148-460-0x0000000009120000-0x00000000091B4000-memory.dmp

Filesize
592KB

Download
memory/1148-1120-0x00000000068E0000-0x00000000068E8000-memory.dmp

Filesize
32KB

Download
memory/1148-398-0x0000000007F30000-0x0000000007F7B000-memory.dmp

Filesize
300KB

Download
memory/1148-410-0x0000000007D10000-0x0000000007D86000-memory.dmp

Filesize
472KB

Download
memory/1148-307-0x0000000006D60000-0x0000000007388000-memory.dmp

Filesize
6.2MB

Download
memory/1148-435-0x0000000008E30000-0x0000000008E63000-memory.dmp

Filesize
204KB

Download
memory/1148-453-0x0000000008F60000-0x0000000009005000-memory.dmp

Filesize
660KB

Download
memory/1148-1111-0x00000000068F0000-0x000000000690A000-memory.dmp

Filesize
104KB

Download
memory/1148-193-0x0000000000000000-mapping.dmp

Download
memory/1148-285-0x00000000065D0000-0x0000000006606000-memory.dmp

Filesize
216KB

Download
memory/1488-201-0x0000000000000000-mapping.dmp

Download
memory/1556-1684-0x0000000000000000-mapping.dmp

Download
memory/2036-1568-0x0000000009D70000-0x0000000009E15000-memory.dmp

Filesize
660KB

Download
memory/2036-1514-0x0000000008D40000-0x0000000008D8B000-memory.dmp

Filesize
300KB

Download
memory/2036-1320-0x0000000000000000-mapping.dmp

Download
memory/2096-1322-0x0000000000000000-mapping.dmp

Download
memory/3060-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-150-0x0000000000C30000-0x0000000000D32000-memory.dmp

Filesize
1.0MB

Download
memory/3060-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-153-0x0000000005B70000-0x000000000606E000-memory.dmp

Filesize
5.0MB

Download
memory/3060-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-155-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3060-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-171-0x0000000005570000-0x000000000557A000-memory.dmp

Filesize
40KB

Download
memory/3060-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-179-0x0000000005900000-0x0000000005918000-memory.dmp

Filesize
96KB

Download
memory/3060-180-0x0000000005B40000-0x0000000005B4C000-memory.dmp

Filesize
48KB

Download
memory/3060-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-182-0x0000000007DC0000-0x0000000007E62000-memory.dmp

Filesize
648KB

Download
memory/3060-183-0x0000000007F00000-0x0000000007F9C000-memory.dmp

Filesize
624KB

Download
memory/3060-184-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-185-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-186-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-187-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-275-0x0000000008B10000-0x0000000008B7A000-memory.dmp

Filesize
424KB

Download
memory/3060-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-120-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-123-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

Filesize
1.6MB

Download
memory/3152-406-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3152-519-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3152-282-0x0000000000405E28-mapping.dmp

Download
memory/3784-1681-0x0000000000000000-mapping.dmp

Download
memory/3784-480-0x0000000000000000-mapping.dmp

Download
memory/3884-1318-0x0000000000000000-mapping.dmp

Download
memory/4252-628-0x0000000000000000-mapping.dmp

Download
memory/4372-370-0x0000000007430000-0x0000000007496000-memory.dmp

Filesize
408KB

Download
memory/4372-436-0x0000000008E10000-0x0000000008E2E000-memory.dmp

Filesize
120KB

Download
memory/4372-396-0x00000000073A0000-0x00000000073BC000-memory.dmp

Filesize
112KB

Download
memory/4372-378-0x0000000007610000-0x0000000007960000-memory.dmp

Filesize
3.3MB

Download
memory/4372-374-0x00000000075A0000-0x0000000007606000-memory.dmp

Filesize
408KB

Download
memory/4372-366-0x0000000007310000-0x0000000007332000-memory.dmp

Filesize
136KB

Download
memory/4372-199-0x0000000000000000-mapping.dmp

Download
memory/4560-1522-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4560-1404-0x0000000000405E28-mapping.dmp

Download
memory/4560-1798-0x00000000048E0000-0x0000000004A1C000-memory.dmp

Filesize
1.2MB

Download
memory/4560-1966-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4772-485-0x0000000000000000-mapping.dmp

Download
memory/4784-494-0x0000000000000000-mapping.dmp

Download