ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5

Analysis

max time kernel
47s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe
Size

7.6MB
MD5

7a3b036178be3af2d199e119abf83f8f
SHA1

28ee4138634cf74b088ffe28ac802aaa2a89d0ff
SHA256

ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5
SHA512

baa0521a42e4920708689c46c6f909581fa298b9bacf856d5c02e8053abd33ba14e3df630a42bd4aff1d29058ade8a48cf7bcb1834448fb8dcb1cbd8119a83bb
SSDEEP

196608:wcDE5xxyWRPQrnjGdTAdSwgbzERTY6+Z2vlyZHs7:wBpUGsbR0MsZHs7

Score

9^/10

discovery evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 3 IoCs

pid	Process
3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
4536	gentlemjmp_ieu.exe
4004	gentlemjmp_ieu.tmp

Loads dropped DLL 5 IoCs

pid	Process
4004	gentlemjmp_ieu.tmp
4004	gentlemjmp_ieu.tmp
4004	gentlemjmp_ieu.tmp
4004	gentlemjmp_ieu.tmp
4004	gentlemjmp_ieu.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Enumerates processes with tasklist 1 TTPs 15 IoCs

Process Discovery

T1057

pid	Process
3324	tasklist.exe
5068	tasklist.exe
4520	tasklist.exe
4772	tasklist.exe
3716	tasklist.exe
400	tasklist.exe
1452	tasklist.exe
4328	tasklist.exe
2448	tasklist.exe
2332	tasklist.exe
2592	tasklist.exe
2808	tasklist.exe
3860	tasklist.exe
2164	tasklist.exe
4048	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4504	NETSTAT.EXE
4684	NETSTAT.EXE
1956	NETSTAT.EXE
3160	NETSTAT.EXE
3616	NETSTAT.EXE

Script User-Agent 10 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	23	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	24	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	38	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4904	powershell.exe
4904	powershell.exe
4940	powershell.exe
4940	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	400	tasklist.exe
Token: SeDebugPrivilege	2332	tasklist.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	3616	NETSTAT.EXE
Token: SeDebugPrivilege	4504	NETSTAT.EXE
Token: SeDebugPrivilege	4684	NETSTAT.EXE
Token: SeDebugPrivilege	1956	NETSTAT.EXE
Token: SeDebugPrivilege	3160	NETSTAT.EXE
Token: SeDebugPrivilege	1452	tasklist.exe
Token: SeDebugPrivilege	4328	tasklist.exe
Token: SeDebugPrivilege	3324	tasklist.exe
Token: SeDebugPrivilege	3860	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	2448	tasklist.exe
Token: SeDebugPrivilege	4048	tasklist.exe
Token: SeDebugPrivilege	5068	tasklist.exe
Token: SeDebugPrivilege	2808	tasklist.exe
Token: SeDebugPrivilege	4520	tasklist.exe
Token: SeDebugPrivilege	3716	tasklist.exe
Token: SeDebugPrivilege	4772	tasklist.exe
Token: SeDebugPrivilege	4940	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 3440	2564	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe	81
PID 2564 wrote to memory of 3440	2564	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe	81
PID 2564 wrote to memory of 3440	2564	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe	81
PID 3440 wrote to memory of 3684	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	82
PID 3440 wrote to memory of 3684	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	82
PID 3440 wrote to memory of 3684	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	82
PID 3684 wrote to memory of 4904	3684	cmd.exe	84
PID 3684 wrote to memory of 4904	3684	cmd.exe	84
PID 3684 wrote to memory of 4904	3684	cmd.exe	84
PID 3440 wrote to memory of 4628	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	85
PID 3440 wrote to memory of 4628	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	85
PID 3440 wrote to memory of 4628	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	85
PID 4628 wrote to memory of 4232	4628	cmd.exe	87
PID 4628 wrote to memory of 4232	4628	cmd.exe	87
PID 4628 wrote to memory of 4232	4628	cmd.exe	87
PID 4232 wrote to memory of 400	4232	cmd.exe	88
PID 4232 wrote to memory of 400	4232	cmd.exe	88
PID 4232 wrote to memory of 400	4232	cmd.exe	88
PID 3440 wrote to memory of 112	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	89
PID 3440 wrote to memory of 112	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	89
PID 3440 wrote to memory of 112	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	89
PID 112 wrote to memory of 3188	112	cmd.exe	91
PID 112 wrote to memory of 3188	112	cmd.exe	91
PID 112 wrote to memory of 3188	112	cmd.exe	91
PID 3188 wrote to memory of 2332	3188	cmd.exe	92
PID 3188 wrote to memory of 2332	3188	cmd.exe	92
PID 3188 wrote to memory of 2332	3188	cmd.exe	92
PID 3440 wrote to memory of 3620	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	95
PID 3440 wrote to memory of 3620	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	95
PID 3440 wrote to memory of 3620	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	95
PID 3620 wrote to memory of 4612	3620	cmd.exe	97
PID 3620 wrote to memory of 4612	3620	cmd.exe	97
PID 3620 wrote to memory of 4612	3620	cmd.exe	97
PID 4612 wrote to memory of 2592	4612	cmd.exe	98
PID 4612 wrote to memory of 2592	4612	cmd.exe	98
PID 4612 wrote to memory of 2592	4612	cmd.exe	98
PID 3440 wrote to memory of 4200	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	99
PID 3440 wrote to memory of 4200	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	99
PID 3440 wrote to memory of 4200	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	99
PID 3440 wrote to memory of 1964	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	101
PID 3440 wrote to memory of 1964	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	101
PID 3440 wrote to memory of 1964	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	101
PID 1964 wrote to memory of 3616	1964	cmd.exe	103
PID 1964 wrote to memory of 3616	1964	cmd.exe	103
PID 1964 wrote to memory of 3616	1964	cmd.exe	103
PID 1964 wrote to memory of 640	1964	cmd.exe	104
PID 1964 wrote to memory of 640	1964	cmd.exe	104
PID 1964 wrote to memory of 640	1964	cmd.exe	104
PID 1964 wrote to memory of 2288	1964	cmd.exe	105
PID 1964 wrote to memory of 2288	1964	cmd.exe	105
PID 1964 wrote to memory of 2288	1964	cmd.exe	105
PID 3440 wrote to memory of 2560	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	106
PID 3440 wrote to memory of 2560	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	106
PID 3440 wrote to memory of 2560	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	106
PID 2560 wrote to memory of 4504	2560	cmd.exe	108
PID 2560 wrote to memory of 4504	2560	cmd.exe	108
PID 2560 wrote to memory of 4504	2560	cmd.exe	108
PID 2560 wrote to memory of 3716	2560	cmd.exe	109
PID 2560 wrote to memory of 3716	2560	cmd.exe	109
PID 2560 wrote to memory of 3716	2560	cmd.exe	109
PID 2560 wrote to memory of 1012	2560	cmd.exe	110
PID 2560 wrote to memory of 1012	2560	cmd.exe	110
PID 2560 wrote to memory of 1012	2560	cmd.exe	110
PID 3440 wrote to memory of 456	3440	ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp	112

C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe
"C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp" /SL5="$A0046,7652844,56832,C:\Users\Admin\AppData\Local\Temp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:3440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\cmd.bat""
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3616
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5900 "
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5901 "
      4⤵
      PID:3716
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:4684
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5902 "
      4⤵
      PID:4496
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:4420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:5096
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:704
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5903 "
      4⤵
      PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:3160
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5904 "
      4⤵
      PID:3208
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
      4⤵
      PID:3120
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
      4⤵
      PID:4584
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
      4⤵
      PID:3220
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
      4⤵
      PID:4888
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
      4⤵
      PID:4232
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
      4⤵
      PID:3188
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
      4⤵
      PID:1748
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
      4⤵
      PID:1148
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
- - C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe
    "C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD
    3⤵
    - Executes dropped EXE
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp" /SL5="$1B01D6,7142274,56832,C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe" go=ofcourse product_id=UPD
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\ex.bat""
        5⤵
        
        PID:544
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

Software Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
0774a05ce5ee4c1af7097353c9296c62

SHA1
658ff96b111c21c39d7ad5f510fb72f9762114bb

SHA256
d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

SHA512
104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
74502846b60e11eab49b0be0c282d6c7

SHA1
ac349fc2f79cfc4bd6f9ff62589e1f41134ed168

SHA256
12628c6c9a3f292f864940416615010774f4626e3ae632720f5607317b7b9cfc

SHA512
1e63c37789aaff68932442cbb9c11a2e3980e771d517eb452176b850a4b2a32033532626da0276d43cc3419cf2da0483f880bba313899c9201692c1ca5a61f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D7H5A.tmp\ab1363fec16b35b43359d203aacb4fe90e1110415efadf62484c01df235b28b5.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\ex.bat

Filesize
786B

MD5
3b0db403b591addc563a25026ac5014b

SHA1
e95fff7db01128c6e07ca064184ea542c02c4f7c

SHA256
adca7abd28b7c4d82d59881f65a108ed6d31cb67f60df9b1af2de12ccaaca03e

SHA512
703832d7fb8e019021ebbee926889402a67af1319a051fc713388f89b42466dfa91233419f880dee3b8b6381a813a28f06a52cfaaf5f546d4de0e360a8055bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\isskin.dll

Filesize
385KB

MD5
92c2e247392e0e02261dea67e1bb1a5e

SHA1
db72fed8771364bf8039b2bc83ed01dda2908554

SHA256
25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68

SHA512
e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IPTQA.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
118B

MD5
f0315949ccc3d22d958503f5735cfbcc

SHA1
883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0

SHA256
201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d

SHA512
aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
144B

MD5
e902b4bcf5b531d057d091d00be3daee

SHA1
0cd058fcfab51dbfe91b139dc52245d5a4326f55

SHA256
9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3

SHA512
5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
126B

MD5
110d64c0e450ff59542f81690a2d53b7

SHA1
7f2e989deb095a0530792989e5fa9d7279d5f3e7

SHA256
735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e

SHA512
00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
120B

MD5
c842d438cebab4b876572a8bc032aabe

SHA1
e95c7d4e2f6246daba6f0baec8e1b94c91384c4d

SHA256
ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218

SHA512
aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
126B

MD5
8fec1ab28e8ee7394915990458fb85dc

SHA1
c70e183a783a9621cd64584de99f8163deb40872

SHA256
b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd

SHA512
c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
132B

MD5
97cc4c6dda23b9631b8c9185859ad061

SHA1
5f912a6c094bd918afe5e9f0c70cd45b36dff722

SHA256
55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8

SHA512
cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
122B

MD5
b921f2f9f97a642d513e1307f7685e0f

SHA1
3489b63a484a6114f1828100908bbbc622b07ed1

SHA256
953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc

SHA512
1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
122B

MD5
660d266764b1952b43431d6c7dc0dfa9

SHA1
809794738d6ca580d6ec14e77a717e831b0d0e5c

SHA256
e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5

SHA512
6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
122B

MD5
59a8010aab7eb203cd9fda8f6be1beca

SHA1
b9a07636b921183c88880320294e279c935cddd7

SHA256
2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba

SHA512
26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
122B

MD5
a59dd0f9883ea39c5119831b0eed46cc

SHA1
8c9354051f7d92310636f0f17e5770aede9d1ad3

SHA256
ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493

SHA512
4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
122B

MD5
32b997a9d994996a4369a580e6541b7d

SHA1
d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1

SHA256
39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8

SHA512
f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
146B

MD5
f0b99c1273d3787f7769feb4d56e6803

SHA1
6105232df9585072be8ca04712f8760812943cbf

SHA256
176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d

SHA512
73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
138B

MD5
755c6764b8ecbb83798450705f51510f

SHA1
deb141c4fc3220f0ff5c16eabf1adf850bf55610

SHA256
cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016

SHA512
a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
132B

MD5
410515fbd7d2a2b4fab0fb80c76c2a74

SHA1
f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893

SHA256
6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99

SHA512
f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\CheckProc.cmd

Filesize
130B

MD5
0cbb771b9f9523adb96d5bae77154a05

SHA1
528330a335047039ab012b01bb7a3f585e6f5a8d

SHA256
4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e

SHA512
41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\av.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\cmd.bat

Filesize
81B

MD5
784d0dec1b75b73bfb86095f4aa9a1b4

SHA1
3ce5a6f9822e596a6056cfea3f1bc6bfc281a4c8

SHA256
7967c55836683f221e6aa10e59fa519d2186125f299bebfa5febbdbfd8ea7306

SHA512
8c18aa559866fd8d625c0042c71c9496cbbf63b76e553109f6e13f24a1dff4aea11ffa665ad7b182b72ad5ac5c57e26e63e78f628bfbf240208b76eea4bbb1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\ex.bat

Filesize
786B

MD5
5bbc3e493fde32a885d3402d8400b522

SHA1
47eb2afd66f2fd9760781812979226e79f055803

SHA256
31e9bb47344cf27f767a28693bf3f96852610d5e3c33bfa9bcde40598c69da47

SHA512
fd0c19e441321c3958e3652dbd03e1ac12a6e03ec3c15f0eaa09ee582338eec0e7780ca51ba8f2fc8855dbbc327c94f8a2ea76476e251b34de4e0e8e1ab89685

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\favicon.ico

Filesize
10B

MD5
f0b81e3ecd1b5d144558da07bece8803

SHA1
9ee5bf12a207859d89dc893b8d02bd5c739edb52

SHA256
dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1

SHA512
774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe

Filesize
7.1MB

MD5
2826b1bfca3a87c68fdcfa6afafb9b9f

SHA1
6b1a78a5299dd1ad8242606c9477494d128f4d6a

SHA256
4c95a4306acdec394f3dfa1e0b682a2c6faa2e71b1c4ff92f909695c4743b48d

SHA512
e78daeb6ec86322be00d9caf674f2725491d39f545b03e6ef39de71c219c6a2867bbdbb313da16ab0145a2a8f25c6da9b782ac42a481524895df08e9b4b17028

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K3PV4.tmp\gentlemjmp_ieu.exe

Filesize
7.1MB

MD5
2826b1bfca3a87c68fdcfa6afafb9b9f

SHA1
6b1a78a5299dd1ad8242606c9477494d128f4d6a

SHA256
4c95a4306acdec394f3dfa1e0b682a2c6faa2e71b1c4ff92f909695c4743b48d

SHA512
e78daeb6ec86322be00d9caf674f2725491d39f545b03e6ef39de71c219c6a2867bbdbb313da16ab0145a2a8f25c6da9b782ac42a481524895df08e9b4b17028

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N11JB.tmp\gentlemjmp_ieu.tmp

Filesize
690KB

MD5
1305181de520f125aeabf85dc24a89d6

SHA1
98b7548fede3f1468ccbdee405abdc4e5d2ec671

SHA256
0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf

SHA512
b0bfa9749a6a5a18c1926e6c5ebb4cdb156df1652cb822f067422a1cd21583340f32e4a1fc2f4c21a09343d73a55651972edbd2dec98ce44641a1097c16bc793

Download Submit
memory/2564-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2564-137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2564-251-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2564-132-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4004-242-0x00000000031E0000-0x000000000321C000-memory.dmp

Filesize
240KB

Download
memory/4004-245-0x0000000003230000-0x0000000003245000-memory.dmp

Filesize
84KB

Download
memory/4536-234-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4536-250-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4536-239-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4904-143-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4904-141-0x0000000004E30000-0x0000000004E66000-memory.dmp

Filesize
216KB

Download
memory/4904-150-0x0000000007A60000-0x0000000008004000-memory.dmp

Filesize
5.6MB

Download
memory/4904-144-0x0000000005C40000-0x0000000005CA6000-memory.dmp

Filesize
408KB

Download
memory/4904-152-0x0000000008690000-0x0000000008D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4904-148-0x0000000006910000-0x000000000692A000-memory.dmp

Filesize
104KB

Download
memory/4904-142-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4904-145-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4904-146-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4904-149-0x0000000006960000-0x0000000006982000-memory.dmp

Filesize
136KB

Download
memory/4904-147-0x00000000073C0000-0x0000000007456000-memory.dmp

Filesize
600KB

Download