a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8

Analysis

max time kernel
187s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe
Size

17.9MB
MD5

eaf6e654d37346aa43649c6df3f1d113
SHA1

195ec2ec8c8009b133c07f61dac18c1af0f3d45c
SHA256

a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8
SHA512

c1d3fe6fe61d8b6de99aeaff6dc49ab2e67725de010ddfd62ea4ec6bf3998ec219dc4d450fbd81d5dc869402227a8091d1e99c17c8ac2c1b84597b14a47fbb7b
SSDEEP

393216:x2TIneyqLSQme9mBY1Fx5AeEJdqwqTO4/sq9CEDUV50nypJAK+uZ+K:x2TYjkLmVq53MdMTj/sU3Yf0nFH3

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

task_execute_exe.exetask_start.exetask_start.tmp

pid process

3784 task_execute_exe.exe
4288 task_start.exe
3580 task_start.tmp
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4116 takeown.exe
2052 icacls.exe
2932 takeown.exe
660 icacls.exe
1060 takeown.exe
3144 icacls.exe
Loads dropped DLL 2 IoCs

Processes:

task_start.tmp

pid process

3580 task_start.tmp
3580 task_start.tmp
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4116 takeown.exe
2052 icacls.exe
2932 takeown.exe
660 icacls.exe
1060 takeown.exe
3144 icacls.exe

pid	process
4116	takeown.exe
2052	icacls.exe
2932	takeown.exe
660	icacls.exe
1060	takeown.exe
3144	icacls.exe

pid	process
3580	task_start.tmp
3580	task_start.tmp

pid	process
4116	takeown.exe
2052	icacls.exe
2932	takeown.exe
660	icacls.exe
1060	takeown.exe
3144	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

task_execute_exe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	task_execute_exe.exe
File created	C:\Windows\SysWOW64\sxload.tmp	task_execute_exe.exe
File opened for modification	C:\Windows\SysWOW64\123DB1F.tmp	task_execute_exe.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	task_execute_exe.exe
File opened for modification	C:\Windows\SysWOW64\1232F99.tmp	task_execute_exe.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	task_execute_exe.exe
File opened for modification	C:\Windows\SysWOW64\1234871.tmp	task_execute_exe.exe

Drops file in Program Files directory 1 IoCs

Processes:

task_execute_exe.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxty.tmp task_execute_exe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

224 schtasks.exe
220 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3760 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

task_execute_exe.exe

pid process

3784 task_execute_exe.exe
3784 task_execute_exe.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxty.tmp	task_execute_exe.exe

pid	process
224	schtasks.exe
220	schtasks.exe

pid	process
3760	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

task_execute_exe.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3784	task_execute_exe.exe
Token: SeTakeOwnershipPrivilege	4116	takeown.exe
Token: SeTakeOwnershipPrivilege	2932	takeown.exe
Token: SeDebugPrivilege	3760	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

task_execute_exe.exe

pid	process
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe
3784	task_execute_exe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe

pid process

5044 a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe

pid	process
5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.execmd.execmd.execmd.execmd.exetask_start.exetask_execute_exe.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5044 wrote to memory of 4492	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 4492	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 4492	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 4360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 4360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 4360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 360	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 2616	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 2616	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 5044 wrote to memory of 2616	5044	a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe	cmd.exe
PID 4492 wrote to memory of 220	4492	cmd.exe	schtasks.exe
PID 4492 wrote to memory of 220	4492	cmd.exe	schtasks.exe
PID 4492 wrote to memory of 220	4492	cmd.exe	schtasks.exe
PID 4360 wrote to memory of 224	4360	cmd.exe	schtasks.exe
PID 4360 wrote to memory of 224	4360	cmd.exe	schtasks.exe
PID 4360 wrote to memory of 224	4360	cmd.exe	schtasks.exe
PID 360 wrote to memory of 3784	360	cmd.exe	task_execute_exe.exe
PID 360 wrote to memory of 3784	360	cmd.exe	task_execute_exe.exe
PID 360 wrote to memory of 3784	360	cmd.exe	task_execute_exe.exe
PID 2616 wrote to memory of 4288	2616	cmd.exe	task_start.exe
PID 2616 wrote to memory of 4288	2616	cmd.exe	task_start.exe
PID 2616 wrote to memory of 4288	2616	cmd.exe	task_start.exe
PID 4288 wrote to memory of 3580	4288	task_start.exe	task_start.tmp
PID 4288 wrote to memory of 3580	4288	task_start.exe	task_start.tmp
PID 4288 wrote to memory of 3580	4288	task_start.exe	task_start.tmp
PID 3784 wrote to memory of 1552	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 1552	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 1552	3784	task_execute_exe.exe	cmd.exe
PID 1552 wrote to memory of 3724	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 3724	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 3724	1552	cmd.exe	cmd.exe
PID 3724 wrote to memory of 4116	3724	cmd.exe	takeown.exe
PID 3724 wrote to memory of 4116	3724	cmd.exe	takeown.exe
PID 3724 wrote to memory of 4116	3724	cmd.exe	takeown.exe
PID 1552 wrote to memory of 2052	1552	cmd.exe	icacls.exe
PID 1552 wrote to memory of 2052	1552	cmd.exe	icacls.exe
PID 1552 wrote to memory of 2052	1552	cmd.exe	icacls.exe
PID 3784 wrote to memory of 3012	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 3012	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 3012	3784	task_execute_exe.exe	cmd.exe
PID 3012 wrote to memory of 3156	3012	cmd.exe	cmd.exe
PID 3012 wrote to memory of 3156	3012	cmd.exe	cmd.exe
PID 3012 wrote to memory of 3156	3012	cmd.exe	cmd.exe
PID 3156 wrote to memory of 2932	3156	cmd.exe	takeown.exe
PID 3156 wrote to memory of 2932	3156	cmd.exe	takeown.exe
PID 3156 wrote to memory of 2932	3156	cmd.exe	takeown.exe
PID 3012 wrote to memory of 660	3012	cmd.exe	icacls.exe
PID 3012 wrote to memory of 660	3012	cmd.exe	icacls.exe
PID 3012 wrote to memory of 660	3012	cmd.exe	icacls.exe
PID 3784 wrote to memory of 3136	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 3136	3784	task_execute_exe.exe	cmd.exe
PID 3784 wrote to memory of 3136	3784	task_execute_exe.exe	cmd.exe
PID 3136 wrote to memory of 4408	3136	cmd.exe	cmd.exe
PID 3136 wrote to memory of 4408	3136	cmd.exe	cmd.exe
PID 3136 wrote to memory of 4408	3136	cmd.exe	cmd.exe
PID 4408 wrote to memory of 1060	4408	cmd.exe	takeown.exe
PID 4408 wrote to memory of 1060	4408	cmd.exe	takeown.exe
PID 4408 wrote to memory of 1060	4408	cmd.exe	takeown.exe
PID 3136 wrote to memory of 3144	3136	cmd.exe	icacls.exe
PID 3136 wrote to memory of 3144	3136	cmd.exe	icacls.exe
PID 3136 wrote to memory of 3144	3136	cmd.exe	icacls.exe
PID 3784 wrote to memory of 3760	3784	task_execute_exe.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe
"C:\Users\Admin\AppData\Local\Temp\a781a227eec296276e99e0e1aa6dcc18d36ac6eb9f39b3c32bce992019670fe8.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\cmd.exe
cmd /c c: &cd C:\Users\Administrator &schtasks /create /sc minute /mo 5 /tn TestTask /tr c:\task_execute_exe.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 5 /tn TestTask /tr c:\task_execute_exe.exe
3⤵
- Creates scheduled task(s)
PID:220

C:\Windows\SysWOW64\cmd.exe
cmd /c c: &cd C:\Users\Administrator &schtasks /create /sc minute /mo 120 /tn AutoCloseTask /tr c:\task_auto_close.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 120 /tn AutoCloseTask /tr c:\task_auto_close.exe
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\task_start.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2616

\??\c:\task_start.exe
c:\task_start.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\is-BHSAQ.tmp\task_start.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BHSAQ.tmp\task_start.tmp" /SL5="$601EC,18390177,52224,c:\task_start.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3580

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\task_execute_exe.exe execute_task_exe
2⤵
- Suspicious use of WriteProcessMemory
PID:360

\??\c:\task_execute_exe.exe
c:\task_execute_exe.exe execute_task_exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
5⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3144

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
4⤵
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
93B

MD5
87addc364c93566a55df87dc616b0c9f

SHA1
ef0dc551bba9c32bf57c212eb5c51688b0a16792

SHA256
b767544dc040cb8141eb42b325721f68fe7e7e4dcc6b79a92e312e390bb36b70

SHA512
3fc8f4b9c710cbcaeb6944fde2c9dd913e99114863f9905b9f5f07500e9312e86ef83b1469aedff8548f5eb197aab53b01b01e4db6836480e218a56ab258e874

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1S48L.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1S48L.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BHSAQ.tmp\task_start.tmp
Filesize
662KB

MD5
b45570ddb00885bfe9e878af91a90564

SHA1
66daf059333962a65735999e99eb868cf9d5e832

SHA256
29fedae831f5b1704e5b53351cd6b8d33a21b7971894a9d0385895d7662e264f

SHA512
84350f30f9372be749fa244190b7d35a02aa2ce1ded9b45d89c29135a384e1170a54ef1af7004836ab9c30770a44f7e085b0cb238786a6d93d7e8cdec993d768

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BHSAQ.tmp\task_start.tmp
Filesize
662KB

MD5
b45570ddb00885bfe9e878af91a90564

SHA1
66daf059333962a65735999e99eb868cf9d5e832

SHA256
29fedae831f5b1704e5b53351cd6b8d33a21b7971894a9d0385895d7662e264f

SHA512
84350f30f9372be749fa244190b7d35a02aa2ce1ded9b45d89c29135a384e1170a54ef1af7004836ab9c30770a44f7e085b0cb238786a6d93d7e8cdec993d768

Download Submit
C:\Windows\SysWOW64\123DB1F.tmp
Filesize
192KB

MD5
f6d9b897d17f7d7f3437e375aec0479c

SHA1
0fa5161d13e665968fe16a41721d85aa625a55bf

SHA256
b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c

SHA512
7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
C:\task_execute_exe.exe
Filesize
22KB

MD5
2dce3283e142518ede8f0b8523a53f5f

SHA1
5399a074ce961c8b9cf0f057abf14f0b90a43da3

SHA256
e648f056186188bbb5f8b25389f1ba1dc678443070cb5dbaf5bf965ce65a86e7

SHA512
acafab8de106885803a4f564c5eb0b7268a26347ed36611e0ede5b821cb390e1f40bb28dc77c8151ec7c2b5878ba75d5ffb55a86e8a5958e4fb3d84a107efdee

Download Submit
C:\task_start.exe
Filesize
17.9MB

MD5
adf1a560759cb0d74be40799c923949f

SHA1
a8ff592f47f970f73006908380c5b13843412bad

SHA256
09050d6ff27fbb041173321359f255f1971ec14764a87acfcb21de7144ba2aa0

SHA512
0726e2bcdafa164a12e6c2e661a35fa9e4bc32014f14e7aa5db90f2fdea24fb434ecf1227d53103e727123d19299321659842f7f258a1ab332ab6f84d8f7cf3c

Download Submit
\??\c:\task_execute_exe.exe
Filesize
22KB

MD5
2dce3283e142518ede8f0b8523a53f5f

SHA1
5399a074ce961c8b9cf0f057abf14f0b90a43da3

SHA256
e648f056186188bbb5f8b25389f1ba1dc678443070cb5dbaf5bf965ce65a86e7

SHA512
acafab8de106885803a4f564c5eb0b7268a26347ed36611e0ede5b821cb390e1f40bb28dc77c8151ec7c2b5878ba75d5ffb55a86e8a5958e4fb3d84a107efdee

Download Submit
\??\c:\task_start.exe
Filesize
17.9MB

MD5
adf1a560759cb0d74be40799c923949f

SHA1
a8ff592f47f970f73006908380c5b13843412bad

SHA256
09050d6ff27fbb041173321359f255f1971ec14764a87acfcb21de7144ba2aa0

SHA512
0726e2bcdafa164a12e6c2e661a35fa9e4bc32014f14e7aa5db90f2fdea24fb434ecf1227d53103e727123d19299321659842f7f258a1ab332ab6f84d8f7cf3c

Download Submit
memory/220-138-0x0000000000000000-mapping.dmp

Download
memory/224-139-0x0000000000000000-mapping.dmp

Download
memory/360-136-0x0000000000000000-mapping.dmp

Download
memory/660-164-0x0000000000000000-mapping.dmp

Download
memory/1060-171-0x0000000000000000-mapping.dmp

Download
memory/1460-176-0x0000000000000000-mapping.dmp

Download
memory/1552-152-0x0000000000000000-mapping.dmp

Download
memory/2052-159-0x0000000000000000-mapping.dmp

Download
memory/2616-137-0x0000000000000000-mapping.dmp

Download
memory/2932-163-0x0000000000000000-mapping.dmp

Download
memory/3012-160-0x0000000000000000-mapping.dmp

Download
memory/3136-168-0x0000000000000000-mapping.dmp

Download
memory/3144-172-0x0000000000000000-mapping.dmp

Download
memory/3156-162-0x0000000000000000-mapping.dmp

Download
memory/3580-155-0x0000000000811000-0x0000000000813000-memory.dmp

Filesize
8KB

Download
memory/3580-148-0x0000000000000000-mapping.dmp

Download
memory/3724-157-0x0000000000000000-mapping.dmp

Download
memory/3760-175-0x0000000000000000-mapping.dmp

Download
memory/3784-140-0x0000000000000000-mapping.dmp

Download
memory/4116-158-0x0000000000000000-mapping.dmp

Download
memory/4288-143-0x0000000000000000-mapping.dmp

Download
memory/4288-165-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4288-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4288-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4360-135-0x0000000000000000-mapping.dmp

Download
memory/4408-170-0x0000000000000000-mapping.dmp

Download
memory/4492-134-0x0000000000000000-mapping.dmp

Download