pony | d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
Size

1.2MB
MD5

0dba0d1e7ef16defe25558459127884a
SHA1

a14cd530199651af5d734edf98e7aad24c0d4897
SHA256

d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c
SHA512

ebb69460175eaac2c347889eff68b32b232ba4eb2b2460ad6b922a790786c854ab8a88b89dc56146ecd2f7cf7af3bd5137846c850be1a0055a068ca99c50cc10
SSDEEP

24576:7GTPkoVS58mFzvcevFHxRPzs/Qyk0tXkRV9N:7GTsR5TFTvtHTPY/pk01CT

Score

10^/10

pony discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	3R2R.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
1788	Klein, Naomi - The Shock Doctrine.exe
1424	ic5.exe
524	2 Gansta.exe
1396	3R2R.exe
688	4tbp.exe
332	csrss.exe
580	3R2R.exe
1064	9F3D.tmp
1828	3R2R.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/524-93-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000700000001311a-75.dat	upx
behavioral1/files/0x000700000001311a-68.dat	upx
behavioral1/files/0x000700000001311a-66.dat	upx
behavioral1/files/0x000700000001311a-114.dat	upx
behavioral1/files/0x000700000001311a-113.dat	upx
behavioral1/files/0x000700000001311a-112.dat	upx
behavioral1/files/0x000700000001311a-111.dat	upx
behavioral1/memory/1396-143-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/524-151-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/580-166-0x0000000000400000-0x000000000046D000-memory.dmp	upx
behavioral1/memory/1828-193-0x0000000000400000-0x000000000046D000-memory.dmp	upx

Loads dropped DLL 46 IoCs

pid	Process
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
1788	Klein, Naomi - The Shock Doctrine.exe
1788	Klein, Naomi - The Shock Doctrine.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
1424	ic5.exe
1424	ic5.exe
1424	ic5.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
688	4tbp.exe
688	4tbp.exe
688	4tbp.exe
524	2 Gansta.exe
524	2 Gansta.exe
524	2 Gansta.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1668	Process not Found
1576	DllHost.exe
1396	3R2R.exe
1396	3R2R.exe
580	3R2R.exe
580	3R2R.exe
580	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1364	rundll32.exe
1396	3R2R.exe
1364	rundll32.exe
1828	3R2R.exe
1828	3R2R.exe
1828	3R2R.exe
1064	9F3D.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hyajazu = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Nlsvitu.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E59.exe = "C:\\Program Files (x86)\\LP\\7685\\E59.exe"	3R2R.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\7685\E59.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\7685\9F3D.tmp	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\7685\E59.exe	3R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Klein, Naomi - The Shock Doctrine.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{7c04e45a-7eff-1ae5-5f05-3a4f471ab8fb}	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7c04e45a-7eff-1ae5-5f05-3a4f471ab8fb}\u = "860049491"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7c04e45a-7eff-1ae5-5f05-3a4f471ab8fb}\cid = "505668869458961588"	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1360	explorer.exe
1360	explorer.exe
1360	explorer.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1396	3R2R.exe
1988	rundll32.exe
1988	rundll32.exe
332	csrss.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
472	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	explorer.exe
Token: SeRestorePrivilege	1712	msiexec.exe
Token: SeTakeOwnershipPrivilege	1712	msiexec.exe
Token: SeSecurityPrivilege	1712	msiexec.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: 33	108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	108	AUDIODG.EXE
Token: 33	108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	108	AUDIODG.EXE
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeShutdownPrivilege	472	explorer.exe
Token: SeIncBasePriorityPrivilege	524	2 Gansta.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe
472	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1788	Klein, Naomi - The Shock Doctrine.exe
1788	Klein, Naomi - The Shock Doctrine.exe
688	4tbp.exe
1988	rundll32.exe
1364	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1788	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	27
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 1424	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	29
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 524	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	30
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 1396	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	32
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 360 wrote to memory of 688	360	d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe	31
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 1424 wrote to memory of 1360	1424	ic5.exe	33
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 688 wrote to memory of 1988	688	4tbp.exe	34
PID 1360 wrote to memory of 332	1360	explorer.exe	6
PID 332 wrote to memory of 1712	332	csrss.exe	36
PID 332 wrote to memory of 1712	332	csrss.exe	36
PID 332 wrote to memory of 1576	332	csrss.exe	37
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 580	1396	3R2R.exe	38
PID 1396 wrote to memory of 1064	1396	3R2R.exe	40
PID 1396 wrote to memory of 1064	1396	3R2R.exe	40
PID 1396 wrote to memory of 1064	1396	3R2R.exe	40
PID 1396 wrote to memory of 1064	1396	3R2R.exe	40
PID 1396 wrote to memory of 1064	1396	3R2R.exe	40

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3R2R.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3R2R.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe
"C:\Users\Admin\AppData\Local\Temp\d2f78d1bba5d66b7b8e70782ccf8374643c196522ff7c9b7521051f2be568b0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1788
- C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\explorer.exe
    00000114*
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1360
- C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2GANST~1.EXE > nul
    3⤵
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Nlsvitu.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1988
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Nlsvitu.dll",iep
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1364
- C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\5B475\5EE76.exe%C:\Users\Admin\AppData\Roaming\5B475
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:580
- - C:\Program Files (x86)\LP\7685\9F3D.tmp
    "C:\Program Files (x86)\LP\7685\9F3D.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe startC:\Program Files (x86)\75741\lvvm.exe%C:\Program Files (x86)\75741
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1576

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x590
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LP\7685\9F3D.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
C:\Program Files (x86)\LP\7685\9F3D.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
C:\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe

Filesize
830KB

MD5
62c9b5a3f0a525bf441815e7849ac1c4

SHA1
3325765380c0b1b5560085e62637b6a912c7e032

SHA256
0f988fc05d7075583dcaf6f7b7bb3f17d9818f8bf289f3d10f4808d9dbe09632

SHA512
830b601e6b68cfff49ac945b640eef41bff44cf967d3b724e48864d1bd74ddc357b200a41bab910182de5434f70367c16dd3ef17462bc3a76e4697e53499b701

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe

Filesize
830KB

MD5
62c9b5a3f0a525bf441815e7849ac1c4

SHA1
3325765380c0b1b5560085e62637b6a912c7e032

SHA256
0f988fc05d7075583dcaf6f7b7bb3f17d9818f8bf289f3d10f4808d9dbe09632

SHA512
830b601e6b68cfff49ac945b640eef41bff44cf967d3b724e48864d1bd74ddc357b200a41bab910182de5434f70367c16dd3ef17462bc3a76e4697e53499b701

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
C:\Windows\system32\consrv.DLL

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
eae8fbe13167903161b975673b9750ee

SHA1
d078bb4dcb719bf158a62228b4f6661a4fa857cc

SHA256
6c19e5709b5f4adf75da6d03ff06e9caec53a03a9bbb5ca5584d416308de257b

SHA512
ce2ee33fd36dbbceeccc663f218dc95cf953c0d689c547d2eea5e533e0cfb5f0903ad005f1052b43a9a2157135a1cd3365f73bcfee897d9ca5f2add750c46bbb

Download Submit
\Program Files (x86)\LP\7685\9F3D.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
\Program Files (x86)\LP\7685\9F3D.tmp

Filesize
100KB

MD5
bc4366d0a577f23038c4078b9daa6529

SHA1
057b8992c93e8eb027190cddf22b4953b2038418

SHA256
a5b375d932be3fa254012d6a15047dbdde68744fb323cada056bf1056a36a627

SHA512
e29f546c1d978e3663872c8a532ec8f4c05c06b14554f06f6403cd049d202a9c6cdc73f8955ba0e8215e5ef1dbdbf40f61d6ed6ccdfaa70f8033c18c346ca274

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Nlsvitu.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\3R2R.exe

Filesize
281KB

MD5
f25c5ce835570548f56fb76d200e5a85

SHA1
4546ff42a0124ddce6fba8c741f243a13ea62070

SHA256
c2e7735af27176afe00cf5b13b8340517fd01299691a54427ce5fd7591db9759

SHA512
2cc92b646241f3bdcd5d9ffd546574c3d2bf36fff08a54b4dc29284f855c3b47928f7bc40bc174bc3b68d0805fe8a6f4739a17aef07b7e0af4903a19133b59a9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe

Filesize
830KB

MD5
62c9b5a3f0a525bf441815e7849ac1c4

SHA1
3325765380c0b1b5560085e62637b6a912c7e032

SHA256
0f988fc05d7075583dcaf6f7b7bb3f17d9818f8bf289f3d10f4808d9dbe09632

SHA512
830b601e6b68cfff49ac945b640eef41bff44cf967d3b724e48864d1bd74ddc357b200a41bab910182de5434f70367c16dd3ef17462bc3a76e4697e53499b701

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe

Filesize
830KB

MD5
62c9b5a3f0a525bf441815e7849ac1c4

SHA1
3325765380c0b1b5560085e62637b6a912c7e032

SHA256
0f988fc05d7075583dcaf6f7b7bb3f17d9818f8bf289f3d10f4808d9dbe09632

SHA512
830b601e6b68cfff49ac945b640eef41bff44cf967d3b724e48864d1bd74ddc357b200a41bab910182de5434f70367c16dd3ef17462bc3a76e4697e53499b701

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\Klein, Naomi - The Shock Doctrine.exe

Filesize
830KB

MD5
62c9b5a3f0a525bf441815e7849ac1c4

SHA1
3325765380c0b1b5560085e62637b6a912c7e032

SHA256
0f988fc05d7075583dcaf6f7b7bb3f17d9818f8bf289f3d10f4808d9dbe09632

SHA512
830b601e6b68cfff49ac945b640eef41bff44cf967d3b724e48864d1bd74ddc357b200a41bab910182de5434f70367c16dd3ef17462bc3a76e4697e53499b701

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi14EA.tmp\ic5.exe

Filesize
150KB

MD5
58ab20cd01024368a62cc6501c663a89

SHA1
6e156412ab82920aae95bb375a5efc8c82436f54

SHA256
cde043a40ee019077541e722b0d120395997c0bf944444966da691b10dfd8937

SHA512
9feed6407c64afcbd52c59faccbf9d1f51b6447144f5404c2b6a51c3ee07c99896af04c2a309daa3682adf0bd2ff4be0cce5427f6d7e1e7744bc8cf1fe9be19f

Download Submit
\Windows\System32\consrv.dll

Filesize
52KB

MD5
c7570a7e24b29ee04a48c2c99da2587b

SHA1
b6e3635a8de44b1635e8d362ac131e14281feb24

SHA256
717cd7661c09701ee39c505d8b604ea3dd6c1151ef18e7ed1cab3832552ac34b

SHA512
57479d2f5386ace8cc5e5ed543e6ad2c2b7b58accc849807d804a8cf0d03080f328f7b42442422fa1483a01ad473ca302f9eca97b9eb24e699e22db56641c572

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
80dbc7d15fdf94f16bb4a739cd9c3f98

SHA1
c0f3f20b360ce78cc153fa514e5f62c06f68feb7

SHA256
20b2d1e1b5348ed92f7e2eaedba4348e446970c13c6226f34a816503aa956c91

SHA512
cf8d820104ee3db4a103fb19d38267fe2f5095a29777bf3bcde95d4299360681cedd421251af92038da3f8709e68f101f7326ad9abdd087a59ca83adec87bc48

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
78ab98fd9228277f2638fd93cd703016

SHA1
1640ee7f500074c155a5af431e9d125a4ec2cea5

SHA256
e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c

SHA512
d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
78ab98fd9228277f2638fd93cd703016

SHA1
1640ee7f500074c155a5af431e9d125a4ec2cea5

SHA256
e0517a9584af6cfd4f1e6d280e086b20fd576b90b32f9ddac916de03a53b766c

SHA512
d98ed49a83d5b50737a674e4421cea4cbe353f80234d2d5a8df82995a0d81e9524f23919ca600afb98bc676a8f93e7c0df73c22cae9b3fc624027800ba9dcc76

Download Submit
memory/332-149-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/360-87-0x0000000002A00000-0x0000000002A44000-memory.dmp

Filesize
272KB

Download
memory/360-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/360-90-0x0000000002A00000-0x0000000002A44000-memory.dmp

Filesize
272KB

Download
memory/524-155-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/524-69-0x0000000000000000-mapping.dmp

Download
memory/524-142-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/524-93-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/524-141-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/524-151-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/524-140-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/524-153-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/524-154-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/580-159-0x0000000000000000-mapping.dmp

Download
memory/580-166-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/688-136-0x0000000001F61000-0x0000000001F6E000-memory.dmp

Filesize
52KB

Download
memory/688-82-0x0000000000000000-mapping.dmp

Download
memory/688-101-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/880-196-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/880-204-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/880-200-0x0000000000840000-0x000000000084B000-memory.dmp

Filesize
44KB

Download
memory/880-206-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/880-207-0x0000000000850000-0x000000000085B000-memory.dmp

Filesize
44KB

Download
memory/880-213-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/880-214-0x0000000000850000-0x000000000085B000-memory.dmp

Filesize
44KB

Download
memory/1064-177-0x000000000059F000-0x00000000005AE000-memory.dmp

Filesize
60KB

Download
memory/1064-210-0x000000000059F000-0x00000000005AE000-memory.dmp

Filesize
60KB

Download
memory/1064-195-0x000000000059F000-0x00000000005AE000-memory.dmp

Filesize
60KB

Download
memory/1064-170-0x0000000000000000-mapping.dmp

Download
memory/1064-175-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1064-194-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1064-209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1348-211-0x0000000000000000-mapping.dmp

Download
memory/1360-116-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/1360-122-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/1360-103-0x00000000002F0000-0x0000000000309000-memory.dmp

Filesize
100KB

Download
memory/1360-100-0x0000000000000000-mapping.dmp

Download
memory/1360-139-0x0000000000060000-0x0000000000075000-memory.dmp

Filesize
84KB

Download
memory/1364-174-0x0000000000000000-mapping.dmp

Download
memory/1364-183-0x0000000002071000-0x000000000207E000-memory.dmp

Filesize
52KB

Download
memory/1396-77-0x0000000000000000-mapping.dmp

Download
memory/1396-143-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1396-144-0x0000000001E10000-0x0000000001F10000-memory.dmp

Filesize
1024KB

Download
memory/1396-156-0x0000000001E10000-0x0000000001F10000-memory.dmp

Filesize
1024KB

Download
memory/1424-64-0x0000000000000000-mapping.dmp

Download
memory/1424-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-105-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1424-91-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-92-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1424-95-0x0000000000310000-0x0000000000354000-memory.dmp

Filesize
272KB

Download
memory/1424-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-147-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1788-56-0x0000000000000000-mapping.dmp

Download
memory/1828-185-0x0000000000000000-mapping.dmp

Download
memory/1828-193-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1988-104-0x0000000000000000-mapping.dmp

Download
memory/1988-145-0x0000000000C51000-0x0000000000C5E000-memory.dmp

Filesize
52KB

Download
memory/1988-128-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download