13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Size

1.3MB
MD5

01151ab7fc3222021cbab67f27622e8a
SHA1

caf0c1ef61f2846fb527dcca0f58543c25bb7496
SHA256

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7
SHA512

4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8
SSDEEP

24576:cxTAxn1eTrQj9JPc9H+XD6krOlfKtBX8y3xyh2h8Qr7Rdwm:cxO889J8MD6krOlfKtBXLz8Qr7Ram

Score

10^/10

agilenet evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exehknswc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hknswc.exe

Executes dropped EXE 3 IoCs

Processes:

AppMgnt.exehknswc.exeAppMgnt.exe

pid process

456 AppMgnt.exe
1592 hknswc.exe
1468 AppMgnt.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

568 attrib.exe
Loads dropped DLL 2 IoCs

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exe

pid process

1696 13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
456 AppMgnt.exe

pid	process
456	AppMgnt.exe
1592	hknswc.exe
1468	AppMgnt.exe

pid	process
568	attrib.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 myip.dnsomatic.com

flow	ioc
3	myip.dnsomatic.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exehknswc.exe

description	pid	process	target process
PID 1696 set thread context of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1592 set thread context of 664	1592	hknswc.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

696 schtasks.exe
2000 schtasks.exe

pid	process
696	schtasks.exe
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exeAppMgnt.exehknswc.exe

pid	process
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
456	AppMgnt.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe
1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
1468	AppMgnt.exe
1592	hknswc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exehknswc.exeAppMgnt.exe

description	pid	process
Token: SeDebugPrivilege	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Token: SeDebugPrivilege	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Token: SeDebugPrivilege	456	AppMgnt.exe
Token: SeDebugPrivilege	1592	hknswc.exe
Token: SeDebugPrivilege	1592	hknswc.exe
Token: SeDebugPrivilege	1468	AppMgnt.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exeAppMgnt.exeAppMgnt.exehknswc.exevbc.exeWScript.execmd.exe

description	pid	process	target process
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 1960	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	vbc.exe
PID 1696 wrote to memory of 456	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 456	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 456	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 456	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 456 wrote to memory of 696	456	AppMgnt.exe	schtasks.exe
PID 456 wrote to memory of 696	456	AppMgnt.exe	schtasks.exe
PID 456 wrote to memory of 696	456	AppMgnt.exe	schtasks.exe
PID 456 wrote to memory of 696	456	AppMgnt.exe	schtasks.exe
PID 456 wrote to memory of 1592	456	AppMgnt.exe	hknswc.exe
PID 456 wrote to memory of 1592	456	AppMgnt.exe	hknswc.exe
PID 456 wrote to memory of 1592	456	AppMgnt.exe	hknswc.exe
PID 456 wrote to memory of 1592	456	AppMgnt.exe	hknswc.exe
PID 1696 wrote to memory of 1468	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 1468	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 1468	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1696 wrote to memory of 1468	1696	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe	AppMgnt.exe
PID 1468 wrote to memory of 2000	1468	AppMgnt.exe	schtasks.exe
PID 1468 wrote to memory of 2000	1468	AppMgnt.exe	schtasks.exe
PID 1468 wrote to memory of 2000	1468	AppMgnt.exe	schtasks.exe
PID 1468 wrote to memory of 2000	1468	AppMgnt.exe	schtasks.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1592 wrote to memory of 664	1592	hknswc.exe	vbc.exe
PID 1960 wrote to memory of 1992	1960	vbc.exe	WScript.exe
PID 1960 wrote to memory of 1992	1960	vbc.exe	WScript.exe
PID 1960 wrote to memory of 1992	1960	vbc.exe	WScript.exe
PID 1960 wrote to memory of 1992	1960	vbc.exe	WScript.exe
PID 1992 wrote to memory of 1884	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1884	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1884	1992	WScript.exe	cmd.exe
PID 1992 wrote to memory of 1884	1992	WScript.exe	cmd.exe
PID 1884 wrote to memory of 568	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 568	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 568	1884	cmd.exe	attrib.exe
PID 1884 wrote to memory of 568	1884	cmd.exe	attrib.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exehknswc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hknswc.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

568 attrib.exe

pid	process
568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe
"C:\Users\Admin\AppData\Local\Temp\13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\RealNetowrks
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:568

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:696

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
PID:664

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Hidden Files and Directories

T1158

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
13KB

MD5
79e47af9db3d7ba538de0083c4fa0f90

SHA1
113e6053c02639704e764a04f907c8b764b51a7a

SHA256
4862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1

SHA512
105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
13KB

MD5
79e47af9db3d7ba538de0083c4fa0f90

SHA1
113e6053c02639704e764a04f907c8b764b51a7a

SHA256
4862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1

SHA512
105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
13KB

MD5
79e47af9db3d7ba538de0083c4fa0f90

SHA1
113e6053c02639704e764a04f907c8b764b51a7a

SHA256
4862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1

SHA512
105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
1.3MB

MD5
01151ab7fc3222021cbab67f27622e8a

SHA1
caf0c1ef61f2846fb527dcca0f58543c25bb7496

SHA256
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7

SHA512
4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
1.3MB

MD5
01151ab7fc3222021cbab67f27622e8a

SHA1
caf0c1ef61f2846fb527dcca0f58543c25bb7496

SHA256
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7

SHA512
4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8

Download Submit
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.bat
Filesize
56B

MD5
4a55a5a5ca857637659220aeb1a91d92

SHA1
4c73b21f348ed194dec47bcb0c3a83071be864e8

SHA256
0aa9d5a6e2d224e57d44bd4267c6d98479e25b052c878e579cc5d2facbcc601f

SHA512
d7ea2948e2c5f60675c08d6a8308cd7c449e1efaef818a24bf0481b8f5a45412a04b5fd580035127bcd052cc754fb948dc947989528ee9a52ce64457ab2eac51

Download Submit
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbs
Filesize
169B

MD5
3d987aec0fa7269c334d9d52676f7ae6

SHA1
c912e179bfcad6b0d10061cfe4eb84bfa069a5f5

SHA256
757a187de0343591d7d49a2fa71ef8a8f8325f61df8f2bff905c36d599bdd549

SHA512
8ff828024cfdb0db4bc0474ce4b5f00e691c0d9c4193ebd67bb57b4ba7907690e688c6c0a78863a8ece6e244ef21e89c0aa1b7f073146fad0a2b0e59beb58e63

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
Filesize
13KB

MD5
79e47af9db3d7ba538de0083c4fa0f90

SHA1
113e6053c02639704e764a04f907c8b764b51a7a

SHA256
4862813a48c006477fd4ed1bb053b6dbda9b812de36f221b1337f03c84f0aac1

SHA512
105476f74f137d8bb4e09c2dbb5eb72afda6aaadcec8ddb0f6d4cc5aca3674f88f6ca9db36d867c036c9deb111ef55a6b1b21be4838e6404770d03f32377e9aa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
Filesize
1.3MB

MD5
01151ab7fc3222021cbab67f27622e8a

SHA1
caf0c1ef61f2846fb527dcca0f58543c25bb7496

SHA256
13685be33cc36747f500c5b392ae8f221e8264e45e1c7ff52865bdcbd4ec9cc7

SHA512
4db207d0a06f7bfff31113e990082d33605c1afcc7f93128eb4b59293c3cb477c2293751fe8dcbbffb936142ccb1d783ceb154df69973ae5c6bac9210b21c7f8

Download Submit
memory/456-84-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/456-74-0x0000000000000000-mapping.dmp

Download
memory/568-121-0x0000000000000000-mapping.dmp

Download
memory/664-109-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/664-105-0x0000000000450701-mapping.dmp

Download
memory/696-78-0x0000000000000000-mapping.dmp

Download
memory/1468-92-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1468-88-0x0000000000000000-mapping.dmp

Download
memory/1468-115-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-86-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-81-0x0000000000000000-mapping.dmp

Download
memory/1592-114-0x0000000000415000-0x0000000000426000-memory.dmp

Filesize
68KB

Download
memory/1592-113-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1592-87-0x0000000000415000-0x0000000000426000-memory.dmp

Filesize
68KB

Download
memory/1696-56-0x00000000021A5000-0x00000000021B6000-memory.dmp

Filesize
68KB

Download
memory/1696-111-0x00000000021A5000-0x00000000021B6000-memory.dmp

Filesize
68KB

Download
memory/1696-110-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1696-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1884-120-0x0000000000000000-mapping.dmp

Download
memory/1960-62-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-58-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-85-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-112-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-60-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-72-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-64-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-57-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-66-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-68-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1960-69-0x0000000000450701-mapping.dmp

Download
memory/1992-116-0x0000000000000000-mapping.dmp

Download
memory/2000-91-0x0000000000000000-mapping.dmp

Download