93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa

Analysis

max time kernel
153s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
Size

3.4MB
MD5

cd1a116cef3032943798c17f6ebf2f74
SHA1

bfea3bcb3d518d827301c311925b35b60ec4b352
SHA256

93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa
SHA512

7c0baa6b99a13e50da48eebb7cf8db03cfb4327cabba3612ce344618deefba0eb0af0720e0606520d37b93eadc236d13765749b6698e5067417b050904395248
SSDEEP

98304:FVgqGGSuHqxoBHFZvPyp0HQsCht6oxp0vEMgM:WGJIoBHFRLHQsCG

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\System.exe"	reg.exe

Executes dropped EXE 10 IoCs

pid	Process
1324	tmp.exe
732	svhost.exe
2944	tmp.exe
1476	tmp.exe
3596	tmp.exe
5056	.exe
4876	.exe
5092	.exe
4604	tmp.exe
1140	tmp.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1324 set thread context of 5056	1324	tmp.exe	100
PID 2944 set thread context of 4876	2944	tmp.exe	105
PID 732 set thread context of 5092	732	svhost.exe	110

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
File created	C:\Windows\assembly\Desktop.ini	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1324	tmp.exe
1324	tmp.exe
732	svhost.exe
732	svhost.exe
1324	tmp.exe
1324	tmp.exe
1324	tmp.exe
2944	tmp.exe
2944	tmp.exe
732	svhost.exe
732	svhost.exe
732	svhost.exe
2944	tmp.exe
2944	tmp.exe
2944	tmp.exe
1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
1324	tmp.exe
3596	tmp.exe
1476	tmp.exe
3596	tmp.exe
1476	tmp.exe
2944	tmp.exe
1476	tmp.exe
1476	tmp.exe
1476	tmp.exe
3596	tmp.exe
3596	tmp.exe
3596	tmp.exe
732	svhost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
Token: SeDebugPrivilege	1324	tmp.exe
Token: SeDebugPrivilege	732	svhost.exe
Token: SeDebugPrivilege	2944	tmp.exe
Token: SeDebugPrivilege	3596	tmp.exe
Token: SeDebugPrivilege	1476	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4720	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	80
PID 1196 wrote to memory of 4720	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	80
PID 1196 wrote to memory of 4720	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	80
PID 4720 wrote to memory of 1112	4720	cmd.exe	82
PID 4720 wrote to memory of 1112	4720	cmd.exe	82
PID 4720 wrote to memory of 1112	4720	cmd.exe	82
PID 1112 wrote to memory of 4944	1112	wscript.exe	83
PID 1112 wrote to memory of 4944	1112	wscript.exe	83
PID 1112 wrote to memory of 4944	1112	wscript.exe	83
PID 1196 wrote to memory of 1324	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	86
PID 1196 wrote to memory of 1324	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	86
PID 1196 wrote to memory of 1324	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	86
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1324 wrote to memory of 1636	1324	tmp.exe	87
PID 1324 wrote to memory of 1636	1324	tmp.exe	87
PID 1324 wrote to memory of 1636	1324	tmp.exe	87
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1636 wrote to memory of 4676	1636	cmd.exe	89
PID 1636 wrote to memory of 4676	1636	cmd.exe	89
PID 1636 wrote to memory of 4676	1636	cmd.exe	89
PID 4676 wrote to memory of 4664	4676	wscript.exe	90
PID 4676 wrote to memory of 4664	4676	wscript.exe	90
PID 4676 wrote to memory of 4664	4676	wscript.exe	90
PID 1196 wrote to memory of 732	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	85
PID 1324 wrote to memory of 2944	1324	tmp.exe	92
PID 1324 wrote to memory of 2944	1324	tmp.exe	92
PID 1324 wrote to memory of 2944	1324	tmp.exe	92
PID 732 wrote to memory of 3472	732	svhost.exe	93
PID 732 wrote to memory of 3472	732	svhost.exe	93
PID 732 wrote to memory of 3472	732	svhost.exe	93
PID 2944 wrote to memory of 3644	2944	tmp.exe	95
PID 2944 wrote to memory of 3644	2944	tmp.exe	95
PID 2944 wrote to memory of 3644	2944	tmp.exe	95
PID 732 wrote to memory of 1476	732	svhost.exe	97
PID 732 wrote to memory of 1476	732	svhost.exe	97
PID 732 wrote to memory of 1476	732	svhost.exe	97
PID 2944 wrote to memory of 3596	2944	tmp.exe	98
PID 2944 wrote to memory of 3596	2944	tmp.exe	98
PID 2944 wrote to memory of 3596	2944	tmp.exe	98
PID 4664 wrote to memory of 4336	4664	cmd.exe	99
PID 4664 wrote to memory of 4336	4664	cmd.exe	99
PID 4664 wrote to memory of 4336	4664	cmd.exe	99
PID 1196 wrote to memory of 4376	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	101
PID 1196 wrote to memory of 4376	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	101
PID 1196 wrote to memory of 4376	1196	93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe	101
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 5056	1324	tmp.exe	100
PID 1324 wrote to memory of 2500	1324	tmp.exe	103
PID 1324 wrote to memory of 2500	1324	tmp.exe	103
PID 1324 wrote to memory of 2500	1324	tmp.exe	103
PID 2944 wrote to memory of 4876	2944	tmp.exe	105
PID 2944 wrote to memory of 4876	2944	tmp.exe	105
PID 2944 wrote to memory of 4876	2944	tmp.exe	105

C:\Users\Admin\AppData\Local\Temp\93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe
"C:\Users\Admin\AppData\Local\Temp\93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
      4⤵
      PID:4944
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
    3⤵
    PID:3472
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
      4⤵
      PID:8
  - - C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      4⤵
      Executes dropped EXE
      PID:4604
- - C:\Users\Admin\AppData\Roaming\.exe
    C:\Users\Admin\AppData\Roaming\.exe
    3⤵
    - Executes dropped EXE
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
    3⤵
    PID:2092
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\System.exe" /f
        6⤵
        Modifies WinLogon for persistence
        
        PID:4336
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
      4⤵
      PID:3644
  - - C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\mata.bat
        5⤵
        
        PID:4140
      - C:\Windows\SysWOW64\wscript.exe
        
        wscript.exe "C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs" "C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat"
        6⤵
        
        PID:4180
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:1140
  - - C:\Users\Admin\AppData\Roaming\.exe
      C:\Users\Admin\AppData\Roaming\.exe
      4⤵
      Executes dropped EXE
      PID:4876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
      4⤵
      PID:5064
- - C:\Users\Admin\AppData\Roaming\.exe
    C:\Users\Admin\AppData\Roaming\.exe
    3⤵
    - Executes dropped EXE
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\FolderName\melt.bat
  2⤵
  PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\tmp.exe.log

Filesize
493B

MD5
e3e3d6e200cc6f4deb10e1f320ac3411

SHA1
28229b341256b6b2cad0e998061382181178da13

SHA256
8195f4a4d2d19858807bb02b3182faf526d4963e8068264eb7359ac3add4690c

SHA512
0e5f423967aa39c58bcec3031ff06ddbaa367657ad462fd5ea0f918d99fc158c38570976f225b82e92efdd63e1d86f9fe5c541ab24f768d49bd955420be31466

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\.bat

Filesize
196B

MD5
b868ce693a3068f91c7f8868712a30bf

SHA1
5c7f0272d9a059dfacf45219870f8e36f933d827

SHA256
302d297f64081fce79e2ecf142c182d8baddb431f59d36669c8856a168817d15

SHA512
151de146ce6d6ac0937cbd379aa7ce06c8e5329ec3d6e300474921f44ae866f1b8e9e59391efa51e3551f11b875903586a895dfc263b8024555bc824f13a27bb

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\System.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata.bat

Filesize
76B

MD5
5e57f6f4e3242ad9719ed5e65346e83e

SHA1
72346d0208c5edeb69f41ddb4374d56d87221dad

SHA256
4ffb3e764dfbc48145231f19e2217f666bc88a44c6f29adec6a5728223048d0c

SHA512
7dcd8a5a95965b94bf26ec02ab68b8f854f399d41fb713e4387f6fddb9914c465ccf909f92ee6704e9c0397a77f11f2ca803d68184aa414651988d95824a209f

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
274B

MD5
fff58d09806eac008467f4b7dc958f44

SHA1
05f992f37571c991baa822dd24c64ac9311cbcad

SHA256
718a21a6d4d06bfe6d9b1f5b5ed4f1f57b9789eaac0a175de61f93c515b55705

SHA512
9c06734e6020634bbe209a8f5c1f3a19adf79f7e275e3397eafc49994d458fb769d17827699f290a7d7b452fbb48a70c1184d0d297ce707e561cbf05c581d6d3

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\mata2.bat

Filesize
210B

MD5
05176b571a0fd0930d1db2ab726a2bab

SHA1
aad674874d591fa136ec7a373ad71803125dd843

SHA256
887465aba2fffa9607b428a2535a3fb46dcfec39186aef31ae5a43f08e2c5c77

SHA512
d71d4af44a25d1da09b6b00c650039691a885b6d707ec45213507675ac4c8f483acad1231bb63ba1efa0d7c6d57aff5c4878c581190e49031288232a11f29cb6

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
120B

MD5
382ce614c807f0158023ca4b26ddbdcc

SHA1
76c3e60fa4c6e9f8497acf8b17625ab93d28ddd7

SHA256
313a0e4a537224cf215f6e90a97b265aba906871c8180d8e2ffadb01a24dc64f

SHA512
19ed4e6f81067fa268253fec6eb93c7a0143590dc7885318f60aabaa86aff6d6d1ad7aca68689672929e97692f6294846ea1e5c23da56a7d9f89269a97dd6015

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\melt.bat

Filesize
56B

MD5
8d5014ff984d6c3cf360bbe5e123d773

SHA1
b201ade1192d2891060f88903bb0dcd07cae6039

SHA256
1ec28a38e7e53314983708fc58e59f32fb576503c8b0fdad0a3b513576009500

SHA512
4d9975b965b7f61f6966f8cc4aa6bbc40fd3fdd87d7c7c026881511184aaddd02d64cd26681b73e3b5170ad21d95d5a890e1c4835ecf7af98e68185efc9bb92b

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\svhost.exe

Filesize
3.4MB

MD5
cd1a116cef3032943798c17f6ebf2f74

SHA1
bfea3bcb3d518d827301c311925b35b60ec4b352

SHA256
93d1ef3f52272415f18f9a24bead784795fa244631ae129a0c33babd8e1b1caa

SHA512
7c0baa6b99a13e50da48eebb7cf8db03cfb4327cabba3612ce344618deefba0eb0af0720e0606520d37b93eadc236d13765749b6698e5067417b050904395248

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1.1MB

MD5
64b72d546742f69bdecd9bc4fea2eb62

SHA1
10abcaaba0eb34dcef13dfbeff898299581750f7

SHA256
af0dc6012d8a7a9c5e4b78fc0e61f0e951fccdde45aa81ea2485c95bdc9ffda0

SHA512
f8d28419f9165a9ca397a8b2b42a868b47408f3d7bfa2d3cf38fa6ecb6e277f0c816c0eb56364c14243371514d3af603e9f1e37fdddae7d605c3c6d106dca885

Download Submit
memory/732-152-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/732-155-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/732-163-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1196-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1196-200-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1196-133-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1324-201-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1324-144-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1324-145-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1476-179-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2944-210-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2944-182-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/2944-160-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/3596-180-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4604-217-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4876-221-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4876-197-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5056-177-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5056-220-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5056-196-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/5092-218-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download