eternity | 45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

Analysis

max time kernel
162s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

1.7MB
MD5

4f24c94182a964c6706c1920a73822c0
SHA1

5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0
SHA256

45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3
SHA512

d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd
SSDEEP

49152:zsRpndZn496l3tGPHbbe2q6d5axY5zGbpSFUxTJ:zsRfZn4gVKeOwozwRv

Score

10^/10

eternity vidar 9bd43ccedb1e82a38795147b462c1fe9 collection discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

3.6

Botnet

9bd43ccedb1e82a38795147b462c1fe9

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
9bd43ccedb1e82a38795147b462c1fe9
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Bondage.exe.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	27190257267534049697.exe

Executes dropped EXE 9 IoCs

pid	Process
1316	Engine.exe
632	Bondage.exe.pif
5076	Bondage.exe.pif
2492	70084969812875037520.exe
1736	27190257267534049697.exe
3900	25296024279003352463.exe
748	32284483830396411833.exe
3908	51634006714444779330.exe
4160	05b5260c-3426-4994-a344-3028974a9f7e.exe

Loads dropped DLL 2 IoCs

pid	Process
5076	Bondage.exe.pif
5076	Bondage.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51634006714444779330.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51634006714444779330.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51634006714444779330.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asdfasdlkfjsdkfasdfnkjlsadnfsadf = "C:\\Users\\Admin\\AppData\\Roaming\\asdfasdlkfjsdkfasdfnkjlsadnfsadf\\asdfasdlkfjsdkfasdfnkjlsadnfsadf.exe"	25296024279003352463.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	05b5260c-3426-4994-a344-3028974a9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	05b5260c-3426-4994-a344-3028974a9f7e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
96	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 632 set thread context of 5076	632	Bondage.exe.pif	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
448	2492	WerFault.exe	105

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bondage.exe.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bondage.exe.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	51634006714444779330.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	51634006714444779330.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5032	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2180	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{873F99B2-1C96-4AAE-8011-6D7BEC0810EB}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{5BFCE008-243B-4BC4-9885-5A3FFFCF0F65}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif
5076	Bondage.exe.pif
5076	Bondage.exe.pif
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
2492	70084969812875037520.exe
3900	25296024279003352463.exe
3900	25296024279003352463.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2492	70084969812875037520.exe
Token: SeDebugPrivilege	3900	25296024279003352463.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3908	51634006714444779330.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
632	Bondage.exe.pif
632	Bondage.exe.pif
632	Bondage.exe.pif

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2232	OpenWith.exe
1736	27190257267534049697.exe
4160	05b5260c-3426-4994-a344-3028974a9f7e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 1316	4484	Output.exe	83
PID 4484 wrote to memory of 1316	4484	Output.exe	83
PID 4484 wrote to memory of 1316	4484	Output.exe	83
PID 1316 wrote to memory of 4392	1316	Engine.exe	87
PID 1316 wrote to memory of 4392	1316	Engine.exe	87
PID 1316 wrote to memory of 4392	1316	Engine.exe	87
PID 4392 wrote to memory of 4536	4392	cmd.exe	89
PID 4392 wrote to memory of 4536	4392	cmd.exe	89
PID 4392 wrote to memory of 4536	4392	cmd.exe	89
PID 4536 wrote to memory of 3452	4536	cmd.exe	92
PID 4536 wrote to memory of 3452	4536	cmd.exe	92
PID 4536 wrote to memory of 3452	4536	cmd.exe	92
PID 4536 wrote to memory of 1748	4536	cmd.exe	97
PID 4536 wrote to memory of 1748	4536	cmd.exe	97
PID 4536 wrote to memory of 1748	4536	cmd.exe	97
PID 4536 wrote to memory of 1808	4536	cmd.exe	98
PID 4536 wrote to memory of 1808	4536	cmd.exe	98
PID 4536 wrote to memory of 1808	4536	cmd.exe	98
PID 4536 wrote to memory of 632	4536	cmd.exe	99
PID 4536 wrote to memory of 632	4536	cmd.exe	99
PID 4536 wrote to memory of 632	4536	cmd.exe	99
PID 4536 wrote to memory of 4176	4536	cmd.exe	100
PID 4536 wrote to memory of 4176	4536	cmd.exe	100
PID 4536 wrote to memory of 4176	4536	cmd.exe	100
PID 632 wrote to memory of 5032	632	Bondage.exe.pif	101
PID 632 wrote to memory of 5032	632	Bondage.exe.pif	101
PID 632 wrote to memory of 5032	632	Bondage.exe.pif	101
PID 632 wrote to memory of 5076	632	Bondage.exe.pif	103
PID 632 wrote to memory of 5076	632	Bondage.exe.pif	103
PID 632 wrote to memory of 5076	632	Bondage.exe.pif	103
PID 632 wrote to memory of 5076	632	Bondage.exe.pif	103
PID 632 wrote to memory of 5076	632	Bondage.exe.pif	103
PID 5076 wrote to memory of 2492	5076	Bondage.exe.pif	105
PID 5076 wrote to memory of 2492	5076	Bondage.exe.pif	105
PID 5076 wrote to memory of 1736	5076	Bondage.exe.pif	110
PID 5076 wrote to memory of 1736	5076	Bondage.exe.pif	110
PID 5076 wrote to memory of 1736	5076	Bondage.exe.pif	110
PID 5076 wrote to memory of 3900	5076	Bondage.exe.pif	111
PID 5076 wrote to memory of 3900	5076	Bondage.exe.pif	111
PID 1736 wrote to memory of 3820	1736	27190257267534049697.exe	113
PID 1736 wrote to memory of 3820	1736	27190257267534049697.exe	113
PID 1736 wrote to memory of 3820	1736	27190257267534049697.exe	113
PID 5076 wrote to memory of 748	5076	Bondage.exe.pif	114
PID 5076 wrote to memory of 748	5076	Bondage.exe.pif	114
PID 5076 wrote to memory of 3908	5076	Bondage.exe.pif	115
PID 5076 wrote to memory of 3908	5076	Bondage.exe.pif	115
PID 5076 wrote to memory of 1016	5076	Bondage.exe.pif	116
PID 5076 wrote to memory of 1016	5076	Bondage.exe.pif	116
PID 5076 wrote to memory of 1016	5076	Bondage.exe.pif	116
PID 1016 wrote to memory of 2180	1016	cmd.exe	118
PID 1016 wrote to memory of 2180	1016	cmd.exe	118
PID 1016 wrote to memory of 2180	1016	cmd.exe	118
PID 3908 wrote to memory of 648	3908	51634006714444779330.exe	119
PID 3908 wrote to memory of 648	3908	51634006714444779330.exe	119
PID 648 wrote to memory of 760	648	cmd.exe	121
PID 648 wrote to memory of 760	648	cmd.exe	121
PID 648 wrote to memory of 2308	648	cmd.exe	122
PID 648 wrote to memory of 2308	648	cmd.exe	122
PID 648 wrote to memory of 3840	648	cmd.exe	123
PID 648 wrote to memory of 3840	648	cmd.exe	123
PID 3908 wrote to memory of 2296	3908	51634006714444779330.exe	124
PID 3908 wrote to memory of 2296	3908	51634006714444779330.exe	124
PID 2296 wrote to memory of 4776	2296	cmd.exe	126
PID 2296 wrote to memory of 4776	2296	cmd.exe	126

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51634006714444779330.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	51634006714444779330.exe

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Engine.exe
  C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Engine.exe /TH_ID=_2148 /OriginExe="C:\Users\Admin\AppData\Local\Temp\Output.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
        5⤵
        
        PID:1808
    - - C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif
        
        27694\\Bondage.exe.pif 27694\\M
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\ProgramData\70084969812875037520.exe
        
        "C:\ProgramData\70084969812875037520.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2492 -s 996
        8⤵
        Program crash
        
        PID:448
        
        C:\ProgramData\27190257267534049697.exe
        
        "C:\ProgramData\27190257267534049697.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\05b5260c-3426-4994-a344-3028974a9f7e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\05b5260c-3426-4994-a344-3028974a9f7e.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4160
        
        C:\Windows\SysWOW64\nslookup.exe
        
        nslookup dfslkdjfklhjsrhfgauiehruifghai
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < 5
        9⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        10⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\ProgramData\25296024279003352463.exe
        
        "C:\ProgramData\25296024279003352463.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\ProgramData\32284483830396411833.exe
        
        "C:\ProgramData\32284483830396411833.exe"
        7⤵
        Executes dropped EXE
        
        PID:748
        
        C:\ProgramData\51634006714444779330.exe
        
        "C:\ProgramData\51634006714444779330.exe"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        outlook_office_path
        outlook_win_path
        
        PID:3908
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:760
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:2308
        
        C:\Windows\system32\findstr.exe
        
        findstr All
        9⤵
        
        PID:3840
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4776
        
        C:\Windows\system32\findstr.exe
        
        findstr Key
        9⤵
        
        PID:3608
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        9⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2180
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 18
        5⤵
        Runs ping.exe
        
        PID:4176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 2492 -ip 2492
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\25296024279003352463.exe

Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\ProgramData\25296024279003352463.exe

Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\ProgramData\25296024279003352463.exe

Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\ProgramData\27190257267534049697.exe

Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\27190257267534049697.exe

Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\27190257267534049697.exe

Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\32284483830396411833.exe

Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\32284483830396411833.exe

Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\32284483830396411833.exe

Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\51634006714444779330.exe

Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\51634006714444779330.exe

Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\51634006714444779330.exe

Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\70084969812875037520.exe

Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\70084969812875037520.exe

Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\70084969812875037520.exe

Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dc1b29933ac3a01ece6261157bc48af5

SHA1
b150fe06dda32aa2f581518b29c2e48c72e7f806

SHA256
4939775fd6b2ba49bf52e671a834fe5d4c56e13ffe5bc020778d5d8e434f559b

SHA512
035beff15ed7ff2807a2d8313ddbbc77b300ff715cdb9e8fec38180b5874eee9de534c10e17947e5049703613124d1daf49ce6ab6de651d7939757ba90d78459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5503bada0a0036b33ca712323d7557c3

SHA1
5b2822b2fc26bd9aefaf9b5d9ec98d93a15b380c

SHA256
63806a3b0e87635477aec8e2cebba770fdff5eca1486217687e3cc64cd73f28c

SHA512
b6b02ed448c72680e6f83fcf9b336ae97cc4d2b9bcc3eae028800d7192dba91f55a03b310d9d560eccdad04b58f08c3051307cc241a5e511b79293dc02f43735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d96d335aea40ad24f22f43635393ba6e

SHA1
456c2811093dd4d5917705385fae3e65ed139002

SHA256
d3b51f1ce76ddfdb165f59d99bd7d785037acb6cce499817534ec267fa423c6b

SHA512
1f43b7c7d642f0ab769e09580453189c5f87c6ea6413393fc08fd0559bcb8842c722cad2cb9eb7f8b9bd3b604019c3031737227dfb01f02cd575773badc4b099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
78a34e224ee22298208aae168c750d82

SHA1
4828fa13d06cf783a5bba12267ba5ddcb1c46c3e

SHA256
edcad8dd719ed7a6e0e2dea55bb18a36e4e0a8d3543e8eba2bd0d41d2a675baa

SHA512
26e30a9b05ade576d371b4ea1c33bc4e977d25401521384916df4ffe197d045a8e4423c9c9a807f8911b4b1118c823f12ccd2834e8c4a6e60d012e9c7543db98

Download Submit
C:\Users\Admin\AppData\Local\Temp\05b5260c-3426-4994-a344-3028974a9f7e.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\05b5260c-3426-4994-a344-3028974a9f7e.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\05b5260c-3426-4994-a344-3028974a9f7e.exe

Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\0

Filesize
151KB

MD5
23545f48e8ae77155be81244d74fe69e

SHA1
22719b9794c4c5b01d6b5b31d3e6561deb39ed6d

SHA256
bd8f80f6b9acaea50a3002c2e7315740d70b9c873ba1cddf1c34067006433d7b

SHA512
fb2fc1cd94344ab67d0d2273086a6379e707e8abdc4dde6187e16754b5195bf68d491b51e33635dbb9813c2c20e70e6a7da97988055ec19e129148470ae432ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5

Filesize
12KB

MD5
05bb413f5ba120b0c746740c17c97fa2

SHA1
61716e2c9f375bfb9da6c36222890717eef4293e

SHA256
11cafc97516f7451af19bb5aa550003c28416580928b7f9abe430d743a1ed610

SHA512
133ca8be7349bac492476cc7cd9acbb6acde49cab191f07c6d7243e60ff0aac1ee81873d373075998765080068a149530ecc885610db25c6ba122f9e6e504518

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00000#Cancer

Filesize
101KB

MD5
d4c65e691f5a42538b02417f60c042be

SHA1
7726b2bd52dc94a9d3e79f2e82e92dd8820997ad

SHA256
d71b5a80bc3d6fce71c6fc6efb62542bd5536d7d3805d92067a29f512bd12c33

SHA512
e487f30b27b178a09d381802767f7425d63e6538bc9b0d5406ea39cf7f7c2c586d53850e460b897a49014b61e75ffbe817b4a93b9460a18ed89d223048dab62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00001#Foto

Filesize
199KB

MD5
60ad6b661b7d878936b63c39e7d94555

SHA1
655ca3b2c75ad015a02470c92e8d7b9d58541524

SHA256
650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

SHA512
f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00002#Gp

Filesize
74KB

MD5
4f39ba8b1c907e52d53215ea79a1896f

SHA1
975c70c4973697cce66c149a00cc8b20e79526be

SHA256
ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

SHA512
e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00003#Management

Filesize
154KB

MD5
b0525ab549845919679f78453f554c1f

SHA1
3d2179acba0634cc71003502923c3a4a52b31d14

SHA256
31c86eb615672da32e64560553d46cb18c25e7ea794e4637cfac3c4be0a9fb47

SHA512
b983c3517cf878e99ad94d0227c25edb52e82c5ead93c7cbfa6ea2543d483db20be2f210029237131e8e5517497e910abcdb119edf88cdb7eac9e61c4f2a3087

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00004#Piece

Filesize
43KB

MD5
bf7a0cdf40d3aa9fc94c9accd73298d2

SHA1
a049a7323a8468d1bbd3e96a1ace4266fce4429c

SHA256
96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

SHA512
6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00005#Prototype

Filesize
33KB

MD5
ad1b6b16c6c6c23f01288183183ed0c1

SHA1
b60363ebd25d9953f202423b34e0c81fa24dafb6

SHA256
94fca15d4913ccc5955aef8942cb475306a6815190fe27ff742b40a808ff860e

SHA512
d461bf0dd5b20b1cb5dc07128be156b3ab144607c5794956635ca7ce90a2d643d539b2f6dd063c8889e01e074db74cacd41940a3d3bb53cd2406f77f0ccac6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00006#Stands

Filesize
1.2MB

MD5
4a1f67fc0cacc5cf1c9ab1ab05e25ec6

SHA1
e955600ae7c0f6bec15a4126f1be10acc6a6b875

SHA256
ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

SHA512
e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00007#Sue

Filesize
157KB

MD5
f51e203d3f2ac1e4f6ed5a89f5805fcb

SHA1
76195a680f2e178c03d35719a0adc776fe901289

SHA256
c6a7beb722fefad0a7f6f2057cbfda9a8cec198e56f2946191aeb9de7578b2ca

SHA512
8c2ab71bf608066d3a63cdac2924d8a6d6c983e8257aed07691f5dace70442de5e72ba0f3bfe8b6395314178ddde219ca5005e65aed305165a06cae2dba16bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00008#Welfare

Filesize
54KB

MD5
f5802553964d59c3874a7ea7f0313c68

SHA1
106f605a2e7704cb8341b27ca982f5f70d09bc0f

SHA256
35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

SHA512
8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00009#Wines

Filesize
110KB

MD5
31ae6922272bfd6c6a863b679940d005

SHA1
df93b1021c3bb2087b249a82d4cbcd599659fcd6

SHA256
77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

SHA512
f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\00010#Yugoslavia

Filesize
15KB

MD5
9852c7adb40127bf8e29ae2346482129

SHA1
d5decd97f329dc62f824a17b204a214a83a1292b

SHA256
85ad2b1fd775ecd859922d5550f76f87f8e8e9dd84d878ee786450a8aefee1ac

SHA512
0a89fa89340df63de408b106ac4503a649ac2bf60978f40452263b8690d81cedf9d812e4b71988a84e6fdb36fdd8dfc0ec30a78d1df2f0cb044b7afa3accc56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Engine.exe

Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_25060\Setup.txt

Filesize
2KB

MD5
9f82e028a899fe0dded45d76ed1ed06f

SHA1
fc0e0f3e34451087e28d8c51c486a52934e59d4a

SHA256
3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

SHA512
22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wl4yjkn3.0rh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27694\Bondage.exe.pif

Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\Finding

Filesize
925KB

MD5
f39dff6e12fa4e21277d39149fa7da7e

SHA1
804aa8256d1a98311d737e13ef62db0fa7d15ec0

SHA256
27deb687c50fe4c33b19f43ccb0d4cbdaa8292511df2a93c138d6740862e9fd0

SHA512
cceca80987fcfad926734a7c2ed16919a237ceb02f391fe9de667405f014498b10bcf735547e5ee53f9b146ed56b24db025be285422c53dac2770f1885d31f5c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/632-230-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1316-221-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1316-232-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1316-231-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1316-153-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1736-501-0x00000000007F0000-0x0000000001159000-memory.dmp

Filesize
9.4MB

Download
memory/1736-531-0x00000000007F0000-0x0000000001159000-memory.dmp

Filesize
9.4MB

Download
memory/1748-205-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1748-204-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/2184-604-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2184-605-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2492-380-0x0000000000B80000-0x0000000000C10000-memory.dmp

Filesize
576KB

Download
memory/2492-386-0x0000000001FE0000-0x000000000207B000-memory.dmp

Filesize
620KB

Download
memory/2492-352-0x00000000231B0000-0x00000000231C0000-memory.dmp

Filesize
64KB

Download
memory/2492-354-0x00000000231B0000-0x00000000231C0000-memory.dmp

Filesize
64KB

Download
memory/2492-376-0x0000000000A30000-0x0000000000A95000-memory.dmp

Filesize
404KB

Download
memory/2492-353-0x00000000231B0000-0x00000000231C0000-memory.dmp

Filesize
64KB

Download
memory/2492-378-0x0000000000AA0000-0x0000000000B5E000-memory.dmp

Filesize
760KB

Download
memory/2492-379-0x0000000001C70000-0x0000000001F39000-memory.dmp

Filesize
2.8MB

Download
memory/2492-382-0x0000000001AC0000-0x0000000001B6C000-memory.dmp

Filesize
688KB

Download
memory/2492-408-0x0000000003A40000-0x0000000003B4B000-memory.dmp

Filesize
1.0MB

Download
memory/2492-383-0x0000000001F40000-0x0000000001FDE000-memory.dmp

Filesize
632KB

Download
memory/2492-339-0x0000000000C10000-0x00000000015CE000-memory.dmp

Filesize
9.7MB

Download
memory/2492-388-0x00000000025A0000-0x00000000026CA000-memory.dmp

Filesize
1.2MB

Download
memory/2492-384-0x0000000000AA0000-0x0000000000B5E000-memory.dmp

Filesize
760KB

Download
memory/2492-390-0x00000000026D0000-0x000000000277A000-memory.dmp

Filesize
680KB

Download
memory/2492-393-0x0000000002500000-0x0000000002555000-memory.dmp

Filesize
340KB

Download
memory/2492-395-0x00000000020A0000-0x00000000020B2000-memory.dmp

Filesize
72KB

Download
memory/2492-398-0x00000000007D0000-0x00000000007DA000-memory.dmp

Filesize
40KB

Download
memory/2492-400-0x0000000002C20000-0x00000000036E1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-403-0x00000000036F0000-0x0000000003891000-memory.dmp

Filesize
1.6MB

Download
memory/2492-405-0x0000000003980000-0x0000000003A3D000-memory.dmp

Filesize
756KB

Download
memory/2492-406-0x00000000038C0000-0x00000000038E2000-memory.dmp

Filesize
136KB

Download
memory/2492-407-0x00000000038F0000-0x000000000391B000-memory.dmp

Filesize
172KB

Download
memory/2492-404-0x00000000038A0000-0x00000000038B6000-memory.dmp

Filesize
88KB

Download
memory/3452-200-0x0000000007C40000-0x00000000081E4000-memory.dmp

Filesize
5.6MB

Download
memory/3452-186-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3452-181-0x0000000002B40000-0x0000000002B76000-memory.dmp

Filesize
216KB

Download
memory/3452-182-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/3452-199-0x0000000006A00000-0x0000000006A22000-memory.dmp

Filesize
136KB

Download
memory/3452-198-0x00000000069B0000-0x00000000069CA000-memory.dmp

Filesize
104KB

Download
memory/3452-183-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/3452-197-0x0000000006A30000-0x0000000006AC6000-memory.dmp

Filesize
600KB

Download
memory/3452-196-0x00000000064C0000-0x00000000064DE000-memory.dmp

Filesize
120KB

Download
memory/3452-184-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/3452-185-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/3792-602-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/3792-601-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/3820-521-0x0000000007940000-0x000000000794A000-memory.dmp

Filesize
40KB

Download
memory/3820-525-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

Filesize
32KB

Download
memory/3820-503-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/3820-507-0x0000000006B80000-0x0000000006BB2000-memory.dmp

Filesize
200KB

Download
memory/3820-508-0x000000006F210000-0x000000006F25C000-memory.dmp

Filesize
304KB

Download
memory/3820-504-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/3820-518-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/3820-520-0x0000000007F00000-0x000000000857A000-memory.dmp

Filesize
6.5MB

Download
memory/3820-506-0x0000000002C50000-0x0000000002C60000-memory.dmp

Filesize
64KB

Download
memory/3820-522-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/3820-523-0x0000000007930000-0x000000000793E000-memory.dmp

Filesize
56KB

Download
memory/3820-524-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/3900-530-0x000002969B1B0000-0x000002969B1C0000-memory.dmp

Filesize
64KB

Download
memory/3900-502-0x000002969B1B0000-0x000002969B1C0000-memory.dmp

Filesize
64KB

Download
memory/3900-377-0x0000029680BB0000-0x0000029680BBE000-memory.dmp

Filesize
56KB

Download
memory/3900-534-0x0000029682740000-0x0000029682752000-memory.dmp

Filesize
72KB

Download
memory/3900-560-0x000002969B110000-0x000002969B132000-memory.dmp

Filesize
136KB

Download
memory/3900-432-0x00000296826F0000-0x00000296826FA000-memory.dmp

Filesize
40KB

Download
memory/3908-505-0x0000024E3DEC0000-0x0000024E3DED0000-memory.dmp

Filesize
64KB

Download
memory/3908-519-0x0000024E58200000-0x0000024E58250000-memory.dmp

Filesize
320KB

Download
memory/3908-498-0x0000024E3DAD0000-0x0000024E3DB2A000-memory.dmp

Filesize
360KB

Download
memory/4484-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-237-0x0000000000E50000-0x0000000000EC2000-memory.dmp

Filesize
456KB

Download
memory/5076-240-0x0000000000E50000-0x0000000000EC2000-memory.dmp

Filesize
456KB

Download
memory/5076-250-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5076-318-0x0000000000E50000-0x0000000000EC2000-memory.dmp

Filesize
456KB

Download