e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89

Analysis

max time kernel
163s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
Size

411KB
MD5

4b40b9ef59cc43e31c409e5ac11ea084
SHA1

5698567ef01390161a86dbb8e5bbd6ab2b1e0de4
SHA256

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89
SHA512

237aafdbc59e98019f6d677f79dc7f6538832cc1ebb0eb9f9d9d1d44ea35727445fb84d0574e83cd89e9b0df1f2b73bb8885dcd9bcddd87f79d09130b402b18e
SSDEEP

12288:me3VUk7qBP038DEz85I07TmF6FaKTQRMjrd:m0Uk7T6hb0Rg

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

o9-wrd9h.exerm-4khvb.exesqlite.exerkj99c8n.exefd4ox2cj.exe_dvopjhg.exesqlite.exe

pid process

1760 o9-wrd9h.exe
2808 rm-4khvb.exe
940 sqlite.exe
4296 rkj99c8n.exe
3736 fd4ox2cj.exe
4836 _dvopjhg.exe
4476 sqlite.exe

pid	process
1760	o9-wrd9h.exe
2808	rm-4khvb.exe
940	sqlite.exe
4296	rkj99c8n.exe
3736	fd4ox2cj.exe
4836	_dvopjhg.exe
4476	sqlite.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2560-138-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2560-141-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2560-142-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2560-152-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2560-166-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4956-186-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4956-193-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4208-230-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1568-231-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4208-233-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1568-239-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4448-241-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4448-242-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4188-248-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4496-256-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4188-257-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/3480-263-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/4496-265-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/792-276-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/3480-279-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2008-288-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/792-289-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2008-290-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2208-296-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/2208-299-0x0000000000400000-0x0000000000495000-memory.dmp	upx
behavioral2/memory/1208-305-0x0000000000400000-0x0000000000495000-memory.dmp	upx

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exesqlite.exeo9-wrd9h.exetmp63C7.tmp.exefd4ox2cj.exesqlite.exetmpEAE9.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	sqlite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	o9-wrd9h.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmp63C7.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fd4ox2cj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	sqlite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	tmpEAE9.tmp.exe

Drops startup file 4 IoCs

Processes:

csc.execsc.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC258.tmp	csc.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlite.exe	csc.exe
File opened for modification	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC66A4.tmp	csc.exe
File created	\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlite.exe	csc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	cvtres.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_DefaultEx = "0"	cvtres.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exesqlite.exetmp63C7.tmp.exe

description	pid	process	target process
PID 4288 set thread context of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 940 set thread context of 4956	940	sqlite.exe	cvtres.exe
PID 3336 set thread context of 4208	3336	tmp63C7.tmp.exe	cvtres.exe
PID 940 set thread context of 1568	940	sqlite.exe	cvtres.exe
PID 3336 set thread context of 4448	3336	tmp63C7.tmp.exe	cvtres.exe
PID 940 set thread context of 4188	940	sqlite.exe	cvtres.exe
PID 3336 set thread context of 4496	3336	tmp63C7.tmp.exe	cvtres.exe
PID 940 set thread context of 3480	940	sqlite.exe	cvtres.exe
PID 3336 set thread context of 792	3336	tmp63C7.tmp.exe	cvtres.exe
PID 940 set thread context of 2008	940	sqlite.exe	cvtres.exe
PID 940 set thread context of 2208	940	sqlite.exe	cvtres.exe
PID 940 set thread context of 1208	940	sqlite.exe	cvtres.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1784 PING.EXE
2456 PING.EXE
2100 PING.EXE
1052 PING.EXE
4168 PING.EXE

pid	process
1784	PING.EXE
2456	PING.EXE
2100	PING.EXE
1052	PING.EXE
4168	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exeo9-wrd9h.exesqlite.exerkj99c8n.exetmp63C7.tmp.exefd4ox2cj.exe

pid	process
4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
1760	o9-wrd9h.exe
1760	o9-wrd9h.exe
940	sqlite.exe
940	sqlite.exe
4296	rkj99c8n.exe
4296	rkj99c8n.exe
940	sqlite.exe
940	sqlite.exe
3336	tmp63C7.tmp.exe
3336	tmp63C7.tmp.exe
3736	fd4ox2cj.exe
3736	fd4ox2cj.exe
3336	tmp63C7.tmp.exe
3336	tmp63C7.tmp.exe
940	sqlite.exe
940	sqlite.exe
3336	tmp63C7.tmp.exe
3336	tmp63C7.tmp.exe
940	sqlite.exe
940	sqlite.exe
3336	tmp63C7.tmp.exe
3336	tmp63C7.tmp.exe
940	sqlite.exe
940	sqlite.exe
940	sqlite.exe
940	sqlite.exe
940	sqlite.exe
940	sqlite.exe

Suspicious behavior: RenamesItself 2 IoCs

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exetmp63C7.tmp.exe

pid process

4288 e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
3336 tmp63C7.tmp.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.execvtres.exesqlite.exeo9-wrd9h.exetmp63C7.tmp.execvtres.execvtres.exerkj99c8n.execvtres.exefd4ox2cj.execvtres.execvtres.execvtres.execvtres.exedw20.execvtres.exesqlite.exetmpEAE9.tmp.execvtres.execvtres.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
Token: SeShutdownPrivilege	2560	cvtres.exe
Token: SeDebugPrivilege	2560	cvtres.exe
Token: SeTcbPrivilege	2560	cvtres.exe
Token: SeDebugPrivilege	940	sqlite.exe
Token: SeDebugPrivilege	1760	o9-wrd9h.exe
Token: SeDebugPrivilege	3336	tmp63C7.tmp.exe
Token: SeShutdownPrivilege	4956	cvtres.exe
Token: SeDebugPrivilege	4956	cvtres.exe
Token: SeTcbPrivilege	4956	cvtres.exe
Token: SeShutdownPrivilege	4208	cvtres.exe
Token: SeDebugPrivilege	4208	cvtres.exe
Token: SeTcbPrivilege	4208	cvtres.exe
Token: SeDebugPrivilege	4296	rkj99c8n.exe
Token: SeShutdownPrivilege	1568	cvtres.exe
Token: SeDebugPrivilege	1568	cvtres.exe
Token: SeTcbPrivilege	1568	cvtres.exe
Token: SeDebugPrivilege	3736	fd4ox2cj.exe
Token: SeShutdownPrivilege	4448	cvtres.exe
Token: SeDebugPrivilege	4448	cvtres.exe
Token: SeTcbPrivilege	4448	cvtres.exe
Token: SeShutdownPrivilege	4188	cvtres.exe
Token: SeDebugPrivilege	4188	cvtres.exe
Token: SeTcbPrivilege	4188	cvtres.exe
Token: SeShutdownPrivilege	4496	cvtres.exe
Token: SeDebugPrivilege	4496	cvtres.exe
Token: SeTcbPrivilege	4496	cvtres.exe
Token: SeShutdownPrivilege	3480	cvtres.exe
Token: SeDebugPrivilege	3480	cvtres.exe
Token: SeTcbPrivilege	3480	cvtres.exe
Token: SeBackupPrivilege	3460	dw20.exe
Token: SeBackupPrivilege	3460	dw20.exe
Token: SeShutdownPrivilege	792	cvtres.exe
Token: SeDebugPrivilege	792	cvtres.exe
Token: SeTcbPrivilege	792	cvtres.exe
Token: SeDebugPrivilege	4476	sqlite.exe
Token: SeDebugPrivilege	1992	tmpEAE9.tmp.exe
Token: SeShutdownPrivilege	2008	cvtres.exe
Token: SeDebugPrivilege	2008	cvtres.exe
Token: SeTcbPrivilege	2008	cvtres.exe
Token: SeShutdownPrivilege	2208	cvtres.exe
Token: SeDebugPrivilege	2208	cvtres.exe
Token: SeTcbPrivilege	2208	cvtres.exe
Token: SeShutdownPrivilege	1208	cvtres.exe
Token: SeDebugPrivilege	1208	cvtres.exe
Token: SeTcbPrivilege	1208	cvtres.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cvtres.exe

pid process

2560 cvtres.exe

pid	process
2560	cvtres.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.execmd.execsc.execsc.execsc.exesqlite.execmd.exeo9-wrd9h.exetmp63C7.tmp.execmd.exe

description	pid	process	target process
PID 4288 wrote to memory of 3592	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cmd.exe
PID 4288 wrote to memory of 3592	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cmd.exe
PID 4288 wrote to memory of 3592	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cmd.exe
PID 3592 wrote to memory of 1052	3592	cmd.exe	PING.EXE
PID 3592 wrote to memory of 1052	3592	cmd.exe	PING.EXE
PID 3592 wrote to memory of 1052	3592	cmd.exe	PING.EXE
PID 4288 wrote to memory of 3008	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 3008	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 3008	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 2560	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	cvtres.exe
PID 4288 wrote to memory of 1360	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 1360	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 1360	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 3008 wrote to memory of 2828	3008	csc.exe	cvtres.exe
PID 3008 wrote to memory of 2828	3008	csc.exe	cvtres.exe
PID 3008 wrote to memory of 2828	3008	csc.exe	cvtres.exe
PID 1360 wrote to memory of 1492	1360	csc.exe	cvtres.exe
PID 1360 wrote to memory of 1492	1360	csc.exe	cvtres.exe
PID 1360 wrote to memory of 1492	1360	csc.exe	cvtres.exe
PID 4288 wrote to memory of 2396	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 2396	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 2396	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	csc.exe
PID 4288 wrote to memory of 1760	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	o9-wrd9h.exe
PID 4288 wrote to memory of 1760	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	o9-wrd9h.exe
PID 2396 wrote to memory of 2732	2396	csc.exe	cvtres.exe
PID 2396 wrote to memory of 2732	2396	csc.exe	cvtres.exe
PID 2396 wrote to memory of 2732	2396	csc.exe	cvtres.exe
PID 4288 wrote to memory of 2808	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	rm-4khvb.exe
PID 4288 wrote to memory of 2808	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	rm-4khvb.exe
PID 4288 wrote to memory of 940	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	sqlite.exe
PID 4288 wrote to memory of 940	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	sqlite.exe
PID 4288 wrote to memory of 940	4288	e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe	sqlite.exe
PID 940 wrote to memory of 396	940	sqlite.exe	cmd.exe
PID 940 wrote to memory of 396	940	sqlite.exe	cmd.exe
PID 940 wrote to memory of 396	940	sqlite.exe	cmd.exe
PID 396 wrote to memory of 4168	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 4168	396	cmd.exe	PING.EXE
PID 396 wrote to memory of 4168	396	cmd.exe	PING.EXE
PID 1760 wrote to memory of 3336	1760	o9-wrd9h.exe	tmp63C7.tmp.exe
PID 1760 wrote to memory of 3336	1760	o9-wrd9h.exe	tmp63C7.tmp.exe
PID 1760 wrote to memory of 3336	1760	o9-wrd9h.exe	tmp63C7.tmp.exe
PID 3336 wrote to memory of 3960	3336	tmp63C7.tmp.exe	cmd.exe
PID 3336 wrote to memory of 3960	3336	tmp63C7.tmp.exe	cmd.exe
PID 3336 wrote to memory of 3960	3336	tmp63C7.tmp.exe	cmd.exe
PID 3960 wrote to memory of 1784	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 1784	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 1784	3960	cmd.exe	PING.EXE
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 4956	940	sqlite.exe	cvtres.exe
PID 940 wrote to memory of 628	940	sqlite.exe	csc.exe
PID 940 wrote to memory of 628	940	sqlite.exe	csc.exe
PID 940 wrote to memory of 628	940	sqlite.exe	csc.exe
PID 3336 wrote to memory of 1960	3336	tmp63C7.tmp.exe	csc.exe

C:\Users\Admin\AppData\Local\Temp\e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe
"C:\Users\Admin\AppData\Local\Temp\e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zydsvbm2.cmdline"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66A5.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC66A4.tmp"
3⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o9-wrd9h.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES66A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC66A4.tmp"
3⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rm-4khvb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6945.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6944.tmp"
3⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\o9-wrd9h.exe
"C:\Users\Admin\AppData\Local\Temp\o9-wrd9h.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp63C7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp63C7.tmp.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
4⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 10
5⤵
- Runs ping.exe
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bl2267jf.cmdline"
4⤵
- Drops startup file
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A7.tmp" "c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC258.tmp"
5⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fd4ox2cj.cmdline"
4⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F4.tmp"
5⤵
PID:4648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_dvopjhg.cmdline"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3EE.tmp"
5⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\fd4ox2cj.exe
"C:\Users\Admin\AppData\Local\Temp\fd4ox2cj.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Users\Admin\AppData\Local\Temp\tmpEAE9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpEAE9.tmp.exe"
5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
6⤵
PID:2676

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\AppData\Local\Temp\_dvopjhg.exe
"C:\Users\Admin\AppData\Local\Temp\_dvopjhg.exe"
4⤵
- Executes dropped EXE
PID:4836

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 744
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Users\Admin\Documents\sys\sqlite.exe
"C:\Users\Admin\Documents\sys\sqlite.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
5⤵
PID:4396

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 10
6⤵
- Runs ping.exe
PID:2456

C:\Users\Admin\AppData\Local\Temp\rm-4khvb.exe
"C:\Users\Admin\AppData\Local\Temp\rm-4khvb.exe"
2⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\Documents\sys\sqlite.exe
"C:\Users\Admin\Documents\sys\sqlite.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c PING 127.0.0.1 -n 10 > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 10
4⤵
- Runs ping.exe
PID:4168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rkj99c8n.cmdline"
3⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFF4A.tmp"
4⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\rkj99c8n.exe
"C:\Users\Admin\AppData\Local\Temp\rkj99c8n.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES20B.tmp
Filesize
1KB

MD5
d0041e174bbc36d13294dabeace9e0f6

SHA1
ff06b6aa3b9da4727884d518aed28c640b288ebc

SHA256
8aa9ccb304b3b98fd8d903758621957f9f7e96cf1747995384089baa3741e3e4

SHA512
2eedf326dbc0c3206d125a5c4407749944e8093d0078e63e52ee6fedae1c5defbdc1e77da2da670a18acd88dff61c8699620ec6aa7cebc4c9cb7552b73aecdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A7.tmp
Filesize
1KB

MD5
2e8121e76aebceab349299c2fff0c341

SHA1
677791177b459176ca0ae5c88a2b29fcb0f064ad

SHA256
9934efe0a35df98c9f87fd1e3177ddc908c0fdc59e7c97a3da678753866b9238

SHA512
0b9675e6d6c51e3780407abfd6b58f0e9df86721a7adce77182d8157601f592cbcdd224a4802a573a941caa8f56b0892f3564ef041d72fb712ba576941be0026

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2F5.tmp
Filesize
1KB

MD5
7b5646bc627820331f1c9d3198336a65

SHA1
bd1e76a580d6844738ff7e10924a603d058ada3d

SHA256
2a09de59fb56f4c14d04cff093240ffb64985b7215b268549d46de4dd98db945

SHA512
410731bcb08a06d5e2ccaac169cce9a9c4ba72b86b9eeb9c7ca988ae5003f4e2e1035bdc8e214307918b01b53df6013f41e3bbab41b91f6432a1d6f828ef49dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3FF.tmp
Filesize
1KB

MD5
ed4282b7df1a60952002b8b43aa94168

SHA1
65da9d7adfff75988747f6b406d95cb8580c672d

SHA256
2877821c178fe20b3bda0eea5b135c061a238ec2b527cf8a67c2511901f24863

SHA512
f4c968a58e7f503b81a6cf0cf26d4bd9b7f9dec1c21d4ee4ce630068d91fccddc9d73fd0309aea339c5df25a6010a82783b8db91c18bafc0c1cab495a0bf7fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66A5.tmp
Filesize
1KB

MD5
b32b10de0dc3e55f38d9ddca0e235dbf

SHA1
bb9f08043be7491d6b4fb6566c258d2605ecfa14

SHA256
a97e6bc3c8e71a67c51a5ccec3f026b7de6fdebba17a8dcdbfb7a1f862600f95

SHA512
e9644864043658156f474d19c8e3f1ff5ddcfe6b3f8974b81f054bdff0a134f5c8e2a3b47cc410324a6bec2f81cce38d42668355ab969a4f841dc4b90e6af2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES66A6.tmp
Filesize
1KB

MD5
cf6e3deae925465c3e9c055c0a6ac95b

SHA1
b787b4eb78104a1aea7fafa6852564f87c9565c9

SHA256
462f5a8111d50ff59658a653eb2a07dd226d25615beae7065e46e43d14fa0e8a

SHA512
5191cfeb9ca2470637d0765e8578274e61e1432c552139394932da3b6087d6b427dde91c70797f121d52587672d4d8894317564849264d61ec226c693faca74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6945.tmp
Filesize
1KB

MD5
0e1ffa2c46abd5e98e7b6ea155bdd624

SHA1
f7e53a97a3fa470c66c1a4b00446910bf93cfab4

SHA256
ec370b37a213cde9237025e77fd164ccb8ec0a1572cddb7f35a186ca96d6a647

SHA512
56e1afb719c657552051b9467aa3c717fb782e18482ce3d811cfa97825267e366f9e8e3ce009e495d8c5c8a0b8572bc65613871807a24121ff02e1937729c851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dvopjhg.exe
Filesize
3KB

MD5
b7ce3f998d084fefecbb5aaaad8ce0a0

SHA1
6e2d6793b918a50173b31fd00ba392117625f562

SHA256
8e501c22c0c9765f27432c84bda2d9511936fba2cda3acaa66f4813db0b90eaf

SHA512
5c0ba1370b58f42d8e213d92bd16b400e9a7658953054d0079e2e0d29172028df5921c6e79ed3285a4aa34e4d5abe5c0b50c06c1fcf72aee3185fe70bebf118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_dvopjhg.exe
Filesize
3KB

MD5
b7ce3f998d084fefecbb5aaaad8ce0a0

SHA1
6e2d6793b918a50173b31fd00ba392117625f562

SHA256
8e501c22c0c9765f27432c84bda2d9511936fba2cda3acaa66f4813db0b90eaf

SHA512
5c0ba1370b58f42d8e213d92bd16b400e9a7658953054d0079e2e0d29172028df5921c6e79ed3285a4aa34e4d5abe5c0b50c06c1fcf72aee3185fe70bebf118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd4ox2cj.exe
Filesize
3KB

MD5
a45593eef9db7fffe9281e18b00a2b09

SHA1
294fe1423466965d6bb07f3370d3f83232837613

SHA256
2bf78b872599cfb56a908a1a87333ae6951f8e01ec217333b6ea66c051143e1b

SHA512
d6ca1fcc5e67b8a1c400d6000ef0af844faf63171ee437ae2b4680afd40683db61d6b6157b54ffeda2556ffd77e52875d263b416e3a32261e6be474c0ea6e071

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd4ox2cj.exe
Filesize
3KB

MD5
a45593eef9db7fffe9281e18b00a2b09

SHA1
294fe1423466965d6bb07f3370d3f83232837613

SHA256
2bf78b872599cfb56a908a1a87333ae6951f8e01ec217333b6ea66c051143e1b

SHA512
d6ca1fcc5e67b8a1c400d6000ef0af844faf63171ee437ae2b4680afd40683db61d6b6157b54ffeda2556ffd77e52875d263b416e3a32261e6be474c0ea6e071

Download Submit
C:\Users\Admin\AppData\Local\Temp\o9-wrd9h.exe
Filesize
3KB

MD5
f633064800362c0533064195695af693

SHA1
7d5ada4c4bc582f15f082ad078e6158fd864d0e0

SHA256
ca08f25a221601d6ee20896fb4322201b7aba3b187fbdf19f42218eebf4b7f0e

SHA512
af151e9ccea4cf5437c26cd08de7b63113613346b90fd583d8a80abd2e19cc1111e5eac3a37269d6c12734b42fcc3030cc5e506d84a3cd974d67c12865998148

Download Submit
C:\Users\Admin\AppData\Local\Temp\o9-wrd9h.exe
Filesize
3KB

MD5
f633064800362c0533064195695af693

SHA1
7d5ada4c4bc582f15f082ad078e6158fd864d0e0

SHA256
ca08f25a221601d6ee20896fb4322201b7aba3b187fbdf19f42218eebf4b7f0e

SHA512
af151e9ccea4cf5437c26cd08de7b63113613346b90fd583d8a80abd2e19cc1111e5eac3a37269d6c12734b42fcc3030cc5e506d84a3cd974d67c12865998148

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkj99c8n.exe
Filesize
3KB

MD5
97fd44f08d895fb7247651066ca389d3

SHA1
4f0fbfc8227d2e71666a6156e55cb44ff3acd17e

SHA256
1614cd177053463b8617bf421ac0b1de4f5b945319379aafe88adbe73d3498a2

SHA512
0e05745772b7cea394b939037a9f22df87789a4e41e795a1fc4f6818f1acb5953956b387abbf6584b0535a70916f576ceeaaa89ace566a520e7ad204ef6b8d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkj99c8n.exe
Filesize
3KB

MD5
97fd44f08d895fb7247651066ca389d3

SHA1
4f0fbfc8227d2e71666a6156e55cb44ff3acd17e

SHA256
1614cd177053463b8617bf421ac0b1de4f5b945319379aafe88adbe73d3498a2

SHA512
0e05745772b7cea394b939037a9f22df87789a4e41e795a1fc4f6818f1acb5953956b387abbf6584b0535a70916f576ceeaaa89ace566a520e7ad204ef6b8d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm-4khvb.exe
Filesize
3KB

MD5
446e1417d2651d1e5aee00b94fa1767b

SHA1
104d5f42f71fc3024afdba98b880f4089d0eec33

SHA256
99b0eb2beea1298c4a506747a8ebdc947846bb0f9357dd9eb95e3fbcadd31da7

SHA512
f055c912104496c9b2e5280f03ae364bf5109c242fef73f47f23042efb15ad2b3f8b3d86621742ecf9ee5d0916e89dab92c8460347bad7cae434a5ccae67bfd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm-4khvb.exe
Filesize
3KB

MD5
446e1417d2651d1e5aee00b94fa1767b

SHA1
104d5f42f71fc3024afdba98b880f4089d0eec33

SHA256
99b0eb2beea1298c4a506747a8ebdc947846bb0f9357dd9eb95e3fbcadd31da7

SHA512
f055c912104496c9b2e5280f03ae364bf5109c242fef73f47f23042efb15ad2b3f8b3d86621742ecf9ee5d0916e89dab92c8460347bad7cae434a5ccae67bfd3

Download Submit
C:\Users\Admin\Documents\sys\sqlite.exe
Filesize
411KB

MD5
4b40b9ef59cc43e31c409e5ac11ea084

SHA1
5698567ef01390161a86dbb8e5bbd6ab2b1e0de4

SHA256
e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89

SHA512
237aafdbc59e98019f6d677f79dc7f6538832cc1ebb0eb9f9d9d1d44ea35727445fb84d0574e83cd89e9b0df1f2b73bb8885dcd9bcddd87f79d09130b402b18e

Download Submit
C:\Users\Admin\Documents\sys\sqlite.exe
Filesize
411KB

MD5
4b40b9ef59cc43e31c409e5ac11ea084

SHA1
5698567ef01390161a86dbb8e5bbd6ab2b1e0de4

SHA256
e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89

SHA512
237aafdbc59e98019f6d677f79dc7f6538832cc1ebb0eb9f9d9d1d44ea35727445fb84d0574e83cd89e9b0df1f2b73bb8885dcd9bcddd87f79d09130b402b18e

Download Submit
C:\Users\Admin\Documents\sys\sqlite.exe
Filesize
411KB

MD5
4b40b9ef59cc43e31c409e5ac11ea084

SHA1
5698567ef01390161a86dbb8e5bbd6ab2b1e0de4

SHA256
e52ef39ac5ac6160e7eadf26f9e417908a431075afe53650462fa0f8e79d3f89

SHA512
237aafdbc59e98019f6d677f79dc7f6538832cc1ebb0eb9f9d9d1d44ea35727445fb84d0574e83cd89e9b0df1f2b73bb8885dcd9bcddd87f79d09130b402b18e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2F4.tmp
Filesize
652B

MD5
e7e3f5bbaf373166d47c208ccabe1a99

SHA1
7039b2697cf2e499462fd91439e55b677310e29e

SHA256
abe512a3990259f8e79ff97432d50540d35f4fd17bf1b4d0620bf845c6d18206

SHA512
53400a27eb3e226ac6405c07908ca4ef2382879a9095e041b56dac68427fdaaecf259471b2b63dc85c649404e0c93b9b7edc24af9b8a7cf03f8530605c021626

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3EE.tmp
Filesize
652B

MD5
c548b393d96013782f31f905a4f89bc5

SHA1
982ce78941c718958bbfc8504888812976843dd3

SHA256
0314889446226c7cb26ffa714e88aaa696d91970028f6f7ea499edb79953b089

SHA512
504907ecc5ccd063b8c79b6cb6036254be4e841668c2fb5c03cbaa05bbbc8432d0578070ec042114160c0f066643a9f1e4a82f171ad90c8abd93ffdca736d12f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC66A4.tmp
Filesize
652B

MD5
5216e6cd1fb2a8c1b98fda385416de14

SHA1
f09fab42b775aa94f9c98de40090cd27e875a12b

SHA256
9cf198bbd9acddca9b3c4bba36d62cc9575c03910b15761516b652d8d91c04f7

SHA512
a3b9ccc09da3ae4a937a2968240c4121ac9da873204e244c5d11c2317510a900c4759f6f60151ae9a63a2a59cea01389b701b6ae4ea57d76fe3debbc15bb7336

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6944.tmp
Filesize
652B

MD5
49071546248834a221158f90e46bae40

SHA1
ea0faf9d44113370add204c0b70039aff3c8d99e

SHA256
e30415e6b959ec310d7db9767688765156bb81d59711253ae80068ad848b51f8

SHA512
bc06f05949d17e090519c71fffe53bd0c054b01011e8d43814659058d460faaecaac94b0c92101fc71496f6adaf79a7425f2141b58ed9afcc8426cceef85a9e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFF4A.tmp
Filesize
652B

MD5
9bac2f0c75af707131b96819d6866288

SHA1
6361680542d516d25f727c3e8f21e5809b23fce6

SHA256
f2dbf953614ce8950e24bfe4b1c47b7ebbff18965793be28544b36b326cc3595

SHA512
42441f0ed8308e4aeb36f7b36cc5da3d97e9b3eb260b9b2d4791ca5e85fd8d593bf7fa823fad606c34de0cdd8afbfed6c783ed9ef0a974885b5da7e827f2f742

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_dvopjhg.0.cs
Filesize
154B

MD5
49d019d64097dca67cc3f0bab4415c8b

SHA1
c5b97d145cf3c63306820896a25f95629ec3e477

SHA256
cb7c4951b2c972218859bffbd85f4e4a9a1682d2335ce9dbfbed1d8d4d443775

SHA512
e1f048b08c2e4bca6ffd72c075a895b2fb105e56fa1c843e77e88e701c15abeb133c1d7606138805856c7180cd0be7685cfe1666e25496191c6364520dd96eab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_dvopjhg.cmdline
Filesize
187B

MD5
1a95fa5c10a69c53cda73a07e5b72122

SHA1
2b8517d94fae21970444067c4738cd7026d1bba9

SHA256
b3ff9f8d514708be9dcab41db278e819e2e8c0fda1dfdbfa064f93b7b787632c

SHA512
f4c502a6a163ad65871b0268109209f86baf5e22ee992c977f3a9a2c8adfb06206be67715758f590b71330106289f4a74d90c3dfc5cf657ce4672bf8f3b1d17e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bl2267jf.0.cs
Filesize
109B

MD5
6bc30640b3bd4db051d5226fbb0a6bde

SHA1
4feae4f472e6037a800435b266d72ef2dd99c034

SHA256
7c624e5d659573d0de0cea7b27fbe8251d58107273bf1f40fa202a1282a6e78e

SHA512
6a952bd65eb0c7d1ff1c3077da4c538df53a1025cedd58874f9943d3d7a946224f2bb5bcdd5257e2b88fe978a2e642bee40bdd5eb6496749b674ebf555f7cd46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bl2267jf.cmdline
Filesize
228B

MD5
1eb66f8d210dfff4cf64409a4c2b5b84

SHA1
d85b558271c73d50017b3adfc784f9cbe583b249

SHA256
af5440f4beb8d0464d6e13b856f50020fbbe87b9f228c08dc02ea614049a9c2d

SHA512
ee54e99048ccfecc96cd2da58c76e4b9ff4fdff467afc48c8ebf684fe5479f7802307daa68d519de8baab626d07f89dbaf4f45bbe4578f47e505308547343b62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fd4ox2cj.0.cs
Filesize
219B

MD5
3edaca23bb7704521d761555fd577c1a

SHA1
d584d9c127bb27195e34f7e59d07b95452ebf700

SHA256
da59304bf1c50011dffe04926c6413ab9419acfa4763f6ce051bf1e7142e802e

SHA512
c7e7108ca40ac6e7745e54b47d0743ab4a9c38ed3ac87c2c6c866d464f8758d3c5bc836381958ab4441b4767e7230cd8a121d8fe27847e4ae9a83581fedd0724

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fd4ox2cj.cmdline
Filesize
187B

MD5
a5454d4026afa11bba613ef25f41ffb8

SHA1
7e5f405a711ac6853f0a9d277f5935eee3cf2da0

SHA256
c4b00115ccff8ddb61a4e6ce937f0f8bd0f29f9b6dd30bbc95f8fbb93cda8f74

SHA512
7ec942251a7dc77ca618b2c6ee3dd30fca5ceb9f95e12e71eb8e96033f1da5c6600a0516de9380e0ac67d683c2246827808dee42f2f79ed4e235f04031736530

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o9-wrd9h.0.cs
Filesize
219B

MD5
337683383b92b3b09867b2c98d573287

SHA1
a3fd8e34c131bbf30fd6319bbc49944d2bae4715

SHA256
7257d5c90a033345eb8e2497c1708e849d5a4419e0be3318c34796ab32f212a1

SHA512
ff88f1b479016145f52533fd27080396d53807a8fb99ac5f7c9cfac4b47d14fab67110c9bbcf7c053c21890d17b044d579e50bf73a60190ab6203fea40ef2c63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o9-wrd9h.cmdline
Filesize
187B

MD5
589b946308b9c1edb05e0a599d5c4226

SHA1
b230ca85aff588b6ac6568abe4981011e1513e81

SHA256
b9770e33ef74278a8b577f70032a64117b150b24138dfd48c80944164fd14cb8

SHA512
a43e9cb56fc5b18f98e619ade7388e3bebc5748ef145cbdf93735aa8ff002458191620ee15757729f1421add2b2b50a3f263c153feea03a13de0d1439e8d6b18

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkj99c8n.0.cs
Filesize
208B

MD5
26aba61ddf39769fe6958bae8d13247c

SHA1
f42d79ab80732319a51f03d9375767e57792d8f7

SHA256
7a171c84ea62e06f18aed5fa928ef95fcdef19d19a84f1ec2af415ee61cf6b5b

SHA512
751818ccdad3dfffbfa6b0680f86111fb1bcc4e9823604dc46011db6eb8fc79b8ee6ac6b7508e8e8dfbb77e41a4831a415aef8405d8a5b18e4446286fee7794c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rkj99c8n.cmdline
Filesize
187B

MD5
3202291293a3c4c7c1dffce4a27ede90

SHA1
c5ff9cd270c73c4ed0f34d11e22f226383e0d31f

SHA256
d3c3739915ba66d48c3d1e5f9f115352b5082da465546f759dd41cdc13bf794a

SHA512
2d4f492457301779199a4f75e62c741bc3c455295e66b61256c203a1e51d1a8bcc0a5a28001bf25ca644a40dbb47348d002df2a05ece1fa6da5f95d975e656cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rm-4khvb.0.cs
Filesize
154B

MD5
4f552a7d6c0ac2fb571e27cbf52bbb51

SHA1
e67f05289c004cfdaa0be9d7191de6e2945c21ec

SHA256
b8bd61b46c00802feac389e3805696437aa8e85e140496c7b4e505fe7786c5d6

SHA512
cc5b3472dbcbb87253e0a1fa90fa2bdee3227d9d126c61a09f2b085640c31765591f6167c61fcf84d0a34e7f4d5b878bcb10b5927f3221c243a9b84b52bee58b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rm-4khvb.cmdline
Filesize
187B

MD5
40cb9e32ffef93d15659a13afc6f9063

SHA1
a78e588a7401b977c2c533a624dd57e8af6495de

SHA256
031ce9fb5b10a9271eddb78fbeee0f242dd55415c81888742e67c6fc93908d6f

SHA512
f50a485f6a155ab664cfb84b7af288edad5044812305b6b830c42852f8977d3d067e7bf8d2bc82ab926f2f70ff3576c4df312bd5d618e8b76c29fc7a22cc25f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zydsvbm2.0.cs
Filesize
109B

MD5
6bc30640b3bd4db051d5226fbb0a6bde

SHA1
4feae4f472e6037a800435b266d72ef2dd99c034

SHA256
7c624e5d659573d0de0cea7b27fbe8251d58107273bf1f40fa202a1282a6e78e

SHA512
6a952bd65eb0c7d1ff1c3077da4c538df53a1025cedd58874f9943d3d7a946224f2bb5bcdd5257e2b88fe978a2e642bee40bdd5eb6496749b674ebf555f7cd46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zydsvbm2.cmdline
Filesize
228B

MD5
ebe6f0516c86eef6673c0cd73c540ab6

SHA1
685732974f19b7644ea18bd704fbccd03b814f9d

SHA256
74c07b2b217f25983a4b103b9d3b0f7a7982d0919313c6c0f14ec2374e0f2e0d

SHA512
3a08751871fb09bb5557d8fd800b43ca4531de4306a11f97d1ecd5228fbe687474061517695c922b2196591899309321659ce91f340822532cca52a01e478096

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC258.tmp
Filesize
644B

MD5
d992e7563278a1dc369e329a478aca56

SHA1
fcaeae25cf1c4df7365b3bb2ff36ffaef3c5ae55

SHA256
d024e2a5a5f45364f0b732c2833443aa740953467cc5ae03db989ba1233e2438

SHA512
b563ed64032e1f51869e0e4f09e4564fbe95a580d9ff0ca7321c14a800b4d61ed0736e8677f0f00f5abf1f9214f18c2f556a3f6db0dcbbf97c80aff7fa3553ab

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CSC66A4.tmp
Filesize
644B

MD5
d992e7563278a1dc369e329a478aca56

SHA1
fcaeae25cf1c4df7365b3bb2ff36ffaef3c5ae55

SHA256
d024e2a5a5f45364f0b732c2833443aa740953467cc5ae03db989ba1233e2438

SHA512
b563ed64032e1f51869e0e4f09e4564fbe95a580d9ff0ca7321c14a800b4d61ed0736e8677f0f00f5abf1f9214f18c2f556a3f6db0dcbbf97c80aff7fa3553ab

Download Submit
\??\c:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlite.exe
Filesize
3KB

MD5
d49bf135e51e23bc335382b485da2c50

SHA1
74ee461c41a6b7120409b0ab8eeffb57d44d5d3b

SHA256
b714f9987c260bc4eea00bfa8ff921b7c7219cb0d094ee3195c7710ec8935879

SHA512
7c69c2c8fc22a1ffa609e90f3f97ee27a19946bc58b61c338627e22b7954edd554e5f145ec11e95b45f8c511992e84d2ee24143520ab72f48d689c515daad389

Download Submit
memory/396-173-0x0000000000000000-mapping.dmp

Download
memory/628-187-0x0000000000000000-mapping.dmp

Download
memory/792-276-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/792-266-0x0000000000000000-mapping.dmp

Download
memory/792-289-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/940-172-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/940-179-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/940-169-0x0000000000000000-mapping.dmp

Download
memory/1052-134-0x0000000000000000-mapping.dmp

Download
memory/1208-305-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1208-300-0x0000000000000000-mapping.dmp

Download
memory/1360-140-0x0000000000000000-mapping.dmp

Download
memory/1472-222-0x0000000000000000-mapping.dmp

Download
memory/1492-148-0x0000000000000000-mapping.dmp

Download
memory/1568-231-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1568-217-0x0000000000000000-mapping.dmp

Download
memory/1568-239-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1760-167-0x000000001C4B0000-0x000000001CEE6000-memory.dmp

Filesize
10.2MB

Download
memory/1760-156-0x0000000000000000-mapping.dmp

Download
memory/1784-178-0x0000000000000000-mapping.dmp

Download
memory/1840-197-0x0000000000000000-mapping.dmp

Download
memory/1960-188-0x0000000000000000-mapping.dmp

Download
memory/1992-298-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1992-278-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1992-274-0x0000000000000000-mapping.dmp

Download
memory/2008-280-0x0000000000000000-mapping.dmp

Download
memory/2008-290-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2008-288-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2100-287-0x0000000000000000-mapping.dmp

Download
memory/2208-291-0x0000000000000000-mapping.dmp

Download
memory/2208-296-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2208-299-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2292-214-0x0000000000000000-mapping.dmp

Download
memory/2396-154-0x0000000000000000-mapping.dmp

Download
memory/2456-286-0x0000000000000000-mapping.dmp

Download
memory/2560-166-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2560-141-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2560-152-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2560-137-0x0000000000000000-mapping.dmp

Download
memory/2560-142-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2560-138-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2676-282-0x0000000000000000-mapping.dmp

Download
memory/2732-160-0x0000000000000000-mapping.dmp

Download
memory/2808-164-0x0000000000000000-mapping.dmp

Download
memory/2828-147-0x0000000000000000-mapping.dmp

Download
memory/3008-136-0x0000000000000000-mapping.dmp

Download
memory/3164-196-0x0000000000000000-mapping.dmp

Download
memory/3336-180-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3336-177-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3336-175-0x0000000000000000-mapping.dmp

Download
memory/3336-273-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3460-264-0x0000000000000000-mapping.dmp

Download
memory/3480-263-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3480-258-0x0000000000000000-mapping.dmp

Download
memory/3480-279-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3592-133-0x0000000000000000-mapping.dmp

Download
memory/3736-223-0x0000000000000000-mapping.dmp

Download
memory/3736-227-0x000000001B0A0000-0x000000001BAD6000-memory.dmp

Filesize
10.2MB

Download
memory/3960-176-0x0000000000000000-mapping.dmp

Download
memory/4168-174-0x0000000000000000-mapping.dmp

Download
memory/4188-257-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4188-248-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4188-240-0x0000000000000000-mapping.dmp

Download
memory/4208-233-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4208-189-0x0000000000000000-mapping.dmp

Download
memory/4208-230-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4288-171-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-135-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4288-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4296-215-0x000000001B490000-0x000000001BEC6000-memory.dmp

Filesize
10.2MB

Download
memory/4296-211-0x0000000000000000-mapping.dmp

Download
memory/4396-277-0x0000000000000000-mapping.dmp

Download
memory/4412-202-0x0000000000000000-mapping.dmp

Download
memory/4448-242-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4448-234-0x0000000000000000-mapping.dmp

Download
memory/4448-241-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4476-297-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4476-271-0x0000000000000000-mapping.dmp

Download
memory/4476-275-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4496-243-0x0000000000000000-mapping.dmp

Download
memory/4496-256-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4496-265-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4648-209-0x0000000000000000-mapping.dmp

Download
memory/4836-252-0x0000000000000000-mapping.dmp

Download
memory/4956-186-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4956-181-0x0000000000000000-mapping.dmp

Download
memory/4956-193-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download