mystic | 8cdab8eb3259b1b70b20f670156493bd0c2f4dbe6991a69b35e3108078134146

Analysis

max time kernel
78s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e43fa8ce95bed50cf3462f28316f67d.exe
Size

1.3MB
MD5

8e43fa8ce95bed50cf3462f28316f67d
SHA1

0513253c45cb183ba90a114a7eda2ff512ef9b4d
SHA256

8cdab8eb3259b1b70b20f670156493bd0c2f4dbe6991a69b35e3108078134146
SHA512

5a8942f9cb03e7da6b498a1d00ce55da42af5e1bda7b9c7836567e4931cc0ae9a2c05e8d7e1abb594f56abf2ca8273e3e540ec2691c7ec8faf75ac2f6870a4db
SSDEEP

24576:GyuH6RXXPrNPW3RT+Kt/oibuoZafAcwdpEiMQY4l/3hSSo59b8ipFq5Wov0eq:VPhPWVjgxIcw3EiM/4lmJbqH

Score

10^/10

mystic redline sectoprat smokeloader zgrat @ytlogsbot pixelfresh taiga up3 backdoor discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

pixelfresh

194.49.94.11:80

Extracted

Family

redline

Botnet

@ytlogsbot

194.169.175.235:42691

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3908-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3908-29-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3908-30-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3908-32-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Detect ZGRat V1 14 IoCs

resource	yara_rule
behavioral1/memory/3940-453-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-455-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-459-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-462-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-467-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-471-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-473-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-476-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-479-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-465-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-483-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-485-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-481-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1
behavioral1/memory/3940-487-0x0000000005560000-0x00000000055DD000-memory.dmp	family_zgrat_v1

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/1960-36-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x0009000000022c12-121.dat	family_redline
behavioral1/files/0x0009000000022c12-122.dat	family_redline
behavioral1/memory/3564-124-0x0000000000B40000-0x0000000000B5E000-memory.dmp	family_redline
behavioral1/files/0x000a000000022d09-385.dat	family_redline
behavioral1/files/0x000a000000022d09-386.dat	family_redline
behavioral1/memory/2216-425-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000022c12-121.dat	family_sectoprat
behavioral1/files/0x0009000000022c12-122.dat	family_sectoprat
behavioral1/memory/3564-124-0x0000000000B40000-0x0000000000B5E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2448	netsh.exe

.NET Reactor proctector 14 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3940-453-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-455-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-459-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-462-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-467-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-471-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-473-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-476-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-479-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-465-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-483-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-485-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-481-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor
behavioral1/memory/3940-487-0x0000000005560000-0x00000000055DD000-memory.dmp	net_reactor

Executes dropped EXE 9 IoCs

pid	Process
4004	oC3Bg50.exe
1904	va9wz17.exe
4524	FJ8jA88.exe
1028	3UP32kl.exe
1808	4bT775Fz.exe
3816	5GJ3nX1.exe
4112	6ur9rz1.exe
3340	7Il1Uc74.exe
2016	C54F.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	va9wz17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FJ8jA88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e43fa8ce95bed50cf3462f28316f67d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oC3Bg50.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 3908	1028	3UP32kl.exe	102
PID 1808 set thread context of 1960	1808	4bT775Fz.exe	109

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3656	3908	WerFault.exe	102
1160	4500	WerFault.exe	140

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ur9rz1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ur9rz1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6ur9rz1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	5GJ3nX1.exe
3816	5GJ3nX1.exe
4112	6ur9rz1.exe
4112	6ur9rz1.exe
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found
3280	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4112	6ur9rz1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3280	Process not Found
Token: SeCreatePagefilePrivilege	3280	Process not Found

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4004	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	91
PID 4784 wrote to memory of 4004	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	91
PID 4784 wrote to memory of 4004	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	91
PID 4004 wrote to memory of 1904	4004	oC3Bg50.exe	92
PID 4004 wrote to memory of 1904	4004	oC3Bg50.exe	92
PID 4004 wrote to memory of 1904	4004	oC3Bg50.exe	92
PID 1904 wrote to memory of 4524	1904	va9wz17.exe	93
PID 1904 wrote to memory of 4524	1904	va9wz17.exe	93
PID 1904 wrote to memory of 4524	1904	va9wz17.exe	93
PID 4524 wrote to memory of 1028	4524	FJ8jA88.exe	94
PID 4524 wrote to memory of 1028	4524	FJ8jA88.exe	94
PID 4524 wrote to memory of 1028	4524	FJ8jA88.exe	94
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 1028 wrote to memory of 3908	1028	3UP32kl.exe	102
PID 4524 wrote to memory of 1808	4524	FJ8jA88.exe	104
PID 4524 wrote to memory of 1808	4524	FJ8jA88.exe	104
PID 4524 wrote to memory of 1808	4524	FJ8jA88.exe	104
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1808 wrote to memory of 1960	1808	4bT775Fz.exe	109
PID 1904 wrote to memory of 3816	1904	va9wz17.exe	110
PID 1904 wrote to memory of 3816	1904	va9wz17.exe	110
PID 1904 wrote to memory of 3816	1904	va9wz17.exe	110
PID 4004 wrote to memory of 4112	4004	oC3Bg50.exe	118
PID 4004 wrote to memory of 4112	4004	oC3Bg50.exe	118
PID 4004 wrote to memory of 4112	4004	oC3Bg50.exe	118
PID 4784 wrote to memory of 3340	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	120
PID 4784 wrote to memory of 3340	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	120
PID 4784 wrote to memory of 3340	4784	8e43fa8ce95bed50cf3462f28316f67d.exe	120
PID 3280 wrote to memory of 2016	3280	Process not Found	121
PID 3280 wrote to memory of 2016	3280	Process not Found	121
PID 3280 wrote to memory of 2016	3280	Process not Found	121

C:\Users\Admin\AppData\Local\Temp\8e43fa8ce95bed50cf3462f28316f67d.exe
"C:\Users\Admin\AppData\Local\Temp\8e43fa8ce95bed50cf3462f28316f67d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oC3Bg50.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oC3Bg50.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\va9wz17.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\va9wz17.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ8jA88.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ8jA88.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UP32kl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UP32kl.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1028
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 540
        7⤵
        Program crash
        
        PID:3656
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bT775Fz.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bT775Fz.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5GJ3nX1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5GJ3nX1.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ur9rz1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ur9rz1.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Il1Uc74.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Il1Uc74.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3908 -ip 3908
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\C54F.exe
C:\Users\Admin\AppData\Local\Temp\C54F.exe
1⤵
- Executes dropped EXE
PID:2016
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:2136
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2772
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:236
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2448
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2160
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2328

C:\Users\Admin\AppData\Local\Temp\1D24.exe
C:\Users\Admin\AppData\Local\Temp\1D24.exe
1⤵
PID:5080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4840

C:\Users\Admin\AppData\Local\Temp\1F48.exe
C:\Users\Admin\AppData\Local\Temp\1F48.exe
1⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\6868.exe
C:\Users\Admin\AppData\Local\Temp\6868.exe
1⤵
PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:2228

C:\Users\Admin\AppData\Local\Temp\6B66.exe
C:\Users\Admin\AppData\Local\Temp\6B66.exe
1⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\750C.exe
C:\Users\Admin\AppData\Local\Temp\750C.exe
1⤵
PID:4500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1180
  2⤵
  - Program crash
  PID:1160

C:\Users\Admin\AppData\Local\Temp\7BD3.exe
C:\Users\Admin\AppData\Local\Temp\7BD3.exe
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\7D5B.exe
C:\Users\Admin\AppData\Local\Temp\7D5B.exe
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4500 -ip 4500
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D24.exe

Filesize
2.9MB

MD5
89f0de53b30c88624b3ac4b710d255bf

SHA1
71a5525b5675c7c03bf9e9196ef2601da25ac365

SHA256
be54ca2e9059d679cf47de358e290ee55febc850eb654a3507fbd2a57b3f6217

SHA512
a39e5399f45f9478641f4f64ff4e3535935f50cf4079d73053a2a727e86abd031197dbee880d9987beb96bc535331a50bab6fc1a4c71520099427d7d49c48886

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D24.exe

Filesize
3.1MB

MD5
06570b95b39613813b910562b32fa5ba

SHA1
f947087e0294fda93aae3aafbf89a73fae75b111

SHA256
24a331cd45d5829dabd16977e9323ee00e9e0be2ead09618a0a1e8d7bb386a96

SHA512
3b10279b7ababbbe97a13e6ff70ada2a84866db74248891cf8648763912c66060b0dd4a6367a69e46f0f3ef2add0de6d98665fa817d8074e3c1922a0c81fda79

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F48.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F48.exe

Filesize
95KB

MD5
a2687e610dad6bcf4359bf2a5953e10a

SHA1
8320fd92e757ab42f8429a9e3b43dec909add268

SHA256
439cc980ba48e5f62a043f0e923221e90a58bb20812b48569a223a562ade571a

SHA512
b16e6a6453ae5d18461aba546436f038070a4708116c0079cae27c9a9113efe61a750b8547f2911615cd07b350b9d857c474c4b3407093aec40ada71b2e76adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
2.2MB

MD5
1e1af7b2b49564cacf8e50f7a1ab4553

SHA1
3b96a2c6b74df641c33d3aab1c8cd8d5306ca05f

SHA256
254128af93bdd99f393d2aae1977ea1dadd792fa1ece5e5bf1af27c781e58300

SHA512
f44ff51b7648ed74d4aacd0a9173f006574bef2e727d303e2602f2f081b3970fd6d7df76eedaf45d0a013e030df1605f72dd4a3ab7bdb068416ab762a971eadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
678d96ed3b847d538803bbab728646f4

SHA1
2ab98c0bea2169560e6bafc5fc613027a5683504

SHA256
55689805dbe6d94feacbc6c863e4fa0dc0d9b4612db3497f731cd64b64b9346d

SHA512
6c69359ad731d991feb895685df1549b75b0f73b55eb852bb70cb36cf22e06af52e4b89038672b15532a32673b4b77a2acbe88e1068ab0a8c066a52341c01245

Download Submit
C:\Users\Admin\AppData\Local\Temp\6868.exe

Filesize
2.6MB

MD5
c704c07c549dc75c8c2e602a6d90f878

SHA1
78a794e1e70b70666303aed17066fca9b1eb2c44

SHA256
ead1be16576fbaaf39e3231f15a658689356181ce774373d940e2c6f50a295c1

SHA512
aba63f15306bf2b5752fe58e44974921ee386b3535a48a5eb88aea06b3a3edb408ada39d92d2bcacd068e20ec39a1e513bb28de549ebb7105816dc7e1480d159

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B66.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B66.exe

Filesize
222KB

MD5
9e41d2cc0de2e45ce74e42dd3608df3b

SHA1
a9744a4b76e2f38a0b3b287ef229cbeb8c9e4ba6

SHA256
1081d313fe627ca22ce02c7bd8d33ece52b1e2cc8978f99653671f94175caf8f

SHA512
849673924bdb3db9a08c2ff4a510af599539531e052847caaf8a2d47f91497bedaf48714a3a6cdee1c0f5b8a8b53054c91564267be2c02de63446e207a78f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\750C.exe

Filesize
1.6MB

MD5
1e2c3cbe5e1a4db9022120859e8d4648

SHA1
48a4117475be0fa1a9a21a8c5c472686c371ab46

SHA256
f953f4bc71989e66ca03a5b168911752b47865f27cf875aa2ed992e3e53efdc4

SHA512
53c2b7525911d128875b555f232fbe3180ebb88561a1f5aee3ed6784e5c28c7c7c13df1478ee195dbe8591f8c3d4a593b01eb9753308595efff622908d831184

Download Submit
C:\Users\Admin\AppData\Local\Temp\750C.exe

Filesize
1.6MB

MD5
e5e2c5be4c2964fa8c1325861e7a833f

SHA1
5f10234c21dc89418ed842629db682b9695c8f04

SHA256
5da615019e78d9b16f8c6768604ff25234de99bd26e76e069fac38e62a0c0669

SHA512
771f22e03d2f384dda2d0c4b11dedd3621d5d756d598835d3007ba306494d2933a9263df58f2c60c13a49f5818d8729218afdb981f307219afbbb8c815923533

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BD3.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BD3.exe

Filesize
399KB

MD5
1bb7721e9262db1fd4f9b7cedae730b0

SHA1
e0f58302e87d4da8cafc2e6b454e88a2fab005c2

SHA256
bb3ea9c2b4b2523ef2628dd64ec9b2fc2db3eac89d8b315bfdb055fa5a386d13

SHA512
c28d4b0d140938c59fdee4e46fb2cdb1266d375c84d7f470d313b637411f81a19b4a89ec3663a560dea719ac07df1bd6a7c22461f589a4cc06b3a193ff750233

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D5B.exe

Filesize
460KB

MD5
17c8b1be1c8c7812785bbb6defd10b87

SHA1
9beeb094b86af6b7d43a144c43b7173c60cebf5d

SHA256
37bdb80672fbdb644974eb46f5b7f8a8a074712f5687cdeb416f15dbe825ab6a

SHA512
6772165edbb4468bc613a0ae59a83f1f27a955bf020a4d144140689175b5b9c1fae76e24ae56fefd438955879525f269a8d4f139ca8de6280986477135897b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7D5B.exe

Filesize
460KB

MD5
17c8b1be1c8c7812785bbb6defd10b87

SHA1
9beeb094b86af6b7d43a144c43b7173c60cebf5d

SHA256
37bdb80672fbdb644974eb46f5b7f8a8a074712f5687cdeb416f15dbe825ab6a

SHA512
6772165edbb4468bc613a0ae59a83f1f27a955bf020a4d144140689175b5b9c1fae76e24ae56fefd438955879525f269a8d4f139ca8de6280986477135897b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.2MB

MD5
5470018d6869afd037507959afaba86d

SHA1
8af6f13f66325250f92812b9d4491e16b003fe08

SHA256
3535fad72c844e2ccf4c909d0228bf1a59c100f1c69262f4b478cefa9c1e8d43

SHA512
54ede46c54570c511524fd095d1bb29d958c09a9c9cd99e763e81eff307afa80307ebd9c9daeab1d282e87d5b7325cec6eb5e7c7ea866f707f1e12e3e3acb6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54F.exe

Filesize
5.8MB

MD5
c2d4814d8826162a674a1080fa365429

SHA1
fd71b3cacef9a1c01147c3eaa39c743d4ec5d6a9

SHA256
ebae249621d524b6d0852fc876c6402fbd266ad654a2af79612a2be237055144

SHA512
6f15f52a5505149fcb827d01c223ac90ddd6213b5106940aa1928ca1b6f2c9f951cec7b68f1eff21dc63042b276e501e7bf845f281dcecd5c61e1c7a34a8f112

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54F.exe

Filesize
5.1MB

MD5
377c4b69e23765d4cae7236a57fc593a

SHA1
bb91edd67d811f40e6e9edfa99aaaab4b5181237

SHA256
17f1f0dcc10e660f952001257feb4290005388bdfb48b5704a7d12b0df6f33dc

SHA512
f9675776b56626dd2d7d876019a0fc0ce956bef18a522392acd9b2a313dc1d64593368ae271bbe10327b5771b5994eb3f7c0bc2d579f1a4dbbf814938fc13c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Il1Uc74.exe

Filesize
717KB

MD5
e39d1dd228f12fecc5e49d0fe773ff3a

SHA1
37bca0f20db407f5b513c9c5266375dbed7b20e3

SHA256
7e606dd072802818b03731c9aa0aa59f7cafe268f0b45c7843c719fca3e52b26

SHA512
4b16cb49fec6e59f31627b82009c8b38e33298484a5609c0c82e7956e78cad48c0d01a5e7113fdf7a12eab0d381425fd4c8183543ca98992b0a51984f1ae5943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Il1Uc74.exe

Filesize
717KB

MD5
e39d1dd228f12fecc5e49d0fe773ff3a

SHA1
37bca0f20db407f5b513c9c5266375dbed7b20e3

SHA256
7e606dd072802818b03731c9aa0aa59f7cafe268f0b45c7843c719fca3e52b26

SHA512
4b16cb49fec6e59f31627b82009c8b38e33298484a5609c0c82e7956e78cad48c0d01a5e7113fdf7a12eab0d381425fd4c8183543ca98992b0a51984f1ae5943

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oC3Bg50.exe

Filesize
913KB

MD5
fdd56a8f7d2b46091c3638218594e31d

SHA1
2595f19d54da4e6451f704e4a8073481c32cd9c7

SHA256
a124fb73bf0185271002dcd97e3521e35c0ee7b4847a7ce58b8505845ae19fbc

SHA512
e59004731fd710e342d90ec63cef1b9120a5814e7f945fb259e9ea7e7d03a634b4c8c4c28fd8eb21db29f460ccc2e36195cf35a1252b89b069bd87f7f0c47a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oC3Bg50.exe

Filesize
913KB

MD5
fdd56a8f7d2b46091c3638218594e31d

SHA1
2595f19d54da4e6451f704e4a8073481c32cd9c7

SHA256
a124fb73bf0185271002dcd97e3521e35c0ee7b4847a7ce58b8505845ae19fbc

SHA512
e59004731fd710e342d90ec63cef1b9120a5814e7f945fb259e9ea7e7d03a634b4c8c4c28fd8eb21db29f460ccc2e36195cf35a1252b89b069bd87f7f0c47a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ur9rz1.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ur9rz1.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\va9wz17.exe

Filesize
788KB

MD5
3324f1a227a4a632ebc7668c881ded1c

SHA1
45fc20c86d61406f00b552f564f4ead8110f6ae0

SHA256
c6bd9146b484aac712fff93ce99aff6a009f13f250b7b4894351629487de38fb

SHA512
c81927f367850fc09a7948d364b47b375bffc56c7a7442cdf05209217ccd74ee13873ab96ff0f2f2da928acdd78adb7436c9c4305d20ff8017d068fde84bd51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\va9wz17.exe

Filesize
788KB

MD5
3324f1a227a4a632ebc7668c881ded1c

SHA1
45fc20c86d61406f00b552f564f4ead8110f6ae0

SHA256
c6bd9146b484aac712fff93ce99aff6a009f13f250b7b4894351629487de38fb

SHA512
c81927f367850fc09a7948d364b47b375bffc56c7a7442cdf05209217ccd74ee13873ab96ff0f2f2da928acdd78adb7436c9c4305d20ff8017d068fde84bd51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5GJ3nX1.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5GJ3nX1.exe

Filesize
529KB

MD5
f5753fbbd7e5e53e6217934ec7ac9305

SHA1
fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53

SHA256
ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24

SHA512
4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ8jA88.exe

Filesize
426KB

MD5
f558a6ec6d1f355a3393f4a80d25cd30

SHA1
a5b71f6606754c422953a4f2c80894f969d846bb

SHA256
2e222525996fa4b048da25ef9acbc08ff1de4b360c9048d9fe69fab6d034e566

SHA512
4c44b06827eb8494eb60133bcba4e06df7cc9297779e9282efdf506ff83dc1126b7eed7cfe6f1ca718717d8b26115e30a403a168d0bad8671161b8475f1d7f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FJ8jA88.exe

Filesize
426KB

MD5
f558a6ec6d1f355a3393f4a80d25cd30

SHA1
a5b71f6606754c422953a4f2c80894f969d846bb

SHA256
2e222525996fa4b048da25ef9acbc08ff1de4b360c9048d9fe69fab6d034e566

SHA512
4c44b06827eb8494eb60133bcba4e06df7cc9297779e9282efdf506ff83dc1126b7eed7cfe6f1ca718717d8b26115e30a403a168d0bad8671161b8475f1d7f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UP32kl.exe

Filesize
369KB

MD5
ebbbfcf56012da92781d4e957895dbfd

SHA1
da2272ef5f08bb73a21a9dcc2cb81d087447cf2d

SHA256
6db5415086402fc49dc6fa6ef28e0d2f53f66788dfdbb23f3fbad658df94020a

SHA512
2cd23d1f1777c110f7e2e4dd56ba35cdffdb20ca217c2c42d089dfb3a140d09d5a0857c3ce2b518265d6995056c39f141e3f46274129bf863b04925221c0c89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3UP32kl.exe

Filesize
369KB

MD5
ebbbfcf56012da92781d4e957895dbfd

SHA1
da2272ef5f08bb73a21a9dcc2cb81d087447cf2d

SHA256
6db5415086402fc49dc6fa6ef28e0d2f53f66788dfdbb23f3fbad658df94020a

SHA512
2cd23d1f1777c110f7e2e4dd56ba35cdffdb20ca217c2c42d089dfb3a140d09d5a0857c3ce2b518265d6995056c39f141e3f46274129bf863b04925221c0c89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bT775Fz.exe

Filesize
408KB

MD5
bb6a832bf26e91ddcf78821d34a53102

SHA1
5f867b0d5c42e900fbc0455048e58f185cfefbbb

SHA256
e22251ce626be5bd7708b3be9c517a4c973aa57b07608b385ef3a7179fc949ac

SHA512
26e6bcb73ddcdd77721de40cd4b049fd33266238e2e4cb801c85b30ad14f7d6fd9d6daf0ada1e3ec8514d8443d9cd894e717deff982d74c75fdf65b135f7aa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bT775Fz.exe

Filesize
408KB

MD5
bb6a832bf26e91ddcf78821d34a53102

SHA1
5f867b0d5c42e900fbc0455048e58f185cfefbbb

SHA256
e22251ce626be5bd7708b3be9c517a4c973aa57b07608b385ef3a7179fc949ac

SHA512
26e6bcb73ddcdd77721de40cd4b049fd33266238e2e4cb801c85b30ad14f7d6fd9d6daf0ada1e3ec8514d8443d9cd894e717deff982d74c75fdf65b135f7aa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
f13cf6c130d41595bc96be10a737cb18

SHA1
6b14ea97930141aa5caaeeeb13dd4c6dad55d102

SHA256
dd7aaf7ef0e5b3797eaf5182e7b192fa014b735e129e00e0c662829ce0c2515f

SHA512
ccd4f57b1af1f348fcf9f519a4789c04b499ac5e02ccb7333d0a42fa1cb1fdf9f969103b3a5467e278cd5c6cbbbbebaac4577d0c220e13335575a13408c79b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1bnknok.bjo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4195.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41AA.tmp

Filesize
92KB

MD5
44d2ab225d5338fedd68e8983242a869

SHA1
98860eaac2087b0564e2d3e0bf0d1f25e21e0eeb

SHA256
217c293b309195f479ca76bf78898a98685ba2854639dfd1293950232a6c6695

SHA512
611eb322a163200b4718f0b48c7a50a5e245af35f0c539f500ad9b517c4400c06dd64a3df30310223a6328eeb38862be7556346ec14a460e33b5c923153ac4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4204.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp421A.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4220.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp426A.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
217KB

MD5
aec6574d82d7e5f96a01f9f048192490

SHA1
0286b5d6fa5fb8c17fcab11648857e91fbba803f

SHA256
4502fe32e39a7351336cde70507ee3f07eaad121a4dda4757608fc7354c7d157

SHA512
53848861e058547c4ad7faa29afe33b1df2382ab28689627c70e3ea8fd39014244a093d6e49294663e669becd3251126fb3e72f05f5e136a25c0aafb46aa755c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
079e498c5b44057e8bdbaa87892f0c74

SHA1
02bad2c4597399321c11f2a240839f2dc576adb1

SHA256
135929f0e52975505f7c2b21c2e18c4839b576200190355f834bb6fa3816907a

SHA512
a7cdcabb2aa350cdf212f9093ee990269e6feabf46eb0035f79ca2ebe78bf9203b59cdd1426c32628d5c080b939a5f775849168bcdfcc52a90d3aff708e9a09b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d729d4db81594eb38a71b1ce709027eb

SHA1
7b9d138f496805eaf52c6b18e28f7534314a4185

SHA256
de649df803627118d06504b51ed4701547a1405b70f96365388e59da8c9c1e25

SHA512
a03d24aa1248a5fb6d220162a5eeb720c8e53e52745025bf0db46fc5bcb5a392bf68d747f75317dba5ca3a195902a354bbb5bd849847aad00593fba88767ff34

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6d4a3edfb2cfb37b7939869eb1c18094

SHA1
5d5495352004f0f040635cfffd50d0fd4c347e97

SHA256
3238cfaec39664b96fbf30b9c3ceaa338c2a4ede313b5515267a2f067f012bbb

SHA512
2f040bac9d4ac73bd63b1811b82d362912b85400930fb0d993897db9361e9c2061f49f38e1de286ce36bbff6c30813e51133652a5ce2e61eba45c7686635b33d

Download Submit
C:\Windows\rss\csrss.exe

Filesize
661KB

MD5
2f51e6b9cf4f1c510c42ed7a1919e002

SHA1
995fc66eb810380dfb77eee290f754b70bfe88ff

SHA256
97db12cd0e06dee397dd2ff2e18af294525fe628bd7d68d5e6b869df77b1983e

SHA512
4033e45b9f4566e13c23b2243ac4dd34338291eaa2d2423b3ba33a593ddec461eafc3c9ff7da847005d419ee69456588761d550015565be062a7dedd3f9bfed3

Download Submit
C:\Windows\rss\csrss.exe

Filesize
614KB

MD5
62f99a527a0090617445e08f966fc1e2

SHA1
bcd5b1c439c768dea8070357e0fdb62ae3366f93

SHA256
103f4ff06fbb7be4d2d43303776dacd60f637a95b43f4f80f0ad69e65d92af5b

SHA512
cd345485362a629f9539d67f13072355919921dc1caec7caaf0e2ec3139f218e2d881b96255187e80df94f7fe3595fbafe0ee2386c0427565581c017d7709862

Download Submit
memory/1156-444-0x00007FF7537E0000-0x00007FF754795000-memory.dmp

Filesize
15.7MB

Download
memory/1212-365-0x0000000002C00000-0x0000000003001000-memory.dmp

Filesize
4.0MB

Download
memory/1212-412-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-361-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-125-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-154-0x0000000002C10000-0x0000000003014000-memory.dmp

Filesize
4.0MB

Download
memory/1280-109-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-108-0x0000000003020000-0x000000000390B000-memory.dmp

Filesize
8.9MB

Download
memory/1280-107-0x0000000002C10000-0x0000000003014000-memory.dmp

Filesize
4.0MB

Download
memory/1280-339-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-341-0x0000000003020000-0x000000000390B000-memory.dmp

Filesize
8.9MB

Download
memory/1960-54-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-41-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/1960-62-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/1960-49-0x0000000007FF0000-0x000000000803C000-memory.dmp

Filesize
304KB

Download
memory/1960-43-0x0000000007C40000-0x0000000007C50000-memory.dmp

Filesize
64KB

Download
memory/1960-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1960-40-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-42-0x0000000007C80000-0x0000000007D12000-memory.dmp

Filesize
584KB

Download
memory/1960-44-0x0000000007E70000-0x0000000007E7A000-memory.dmp

Filesize
40KB

Download
memory/1960-45-0x0000000008D20000-0x0000000009338000-memory.dmp

Filesize
6.1MB

Download
memory/1960-46-0x0000000008700000-0x000000000880A000-memory.dmp

Filesize
1.0MB

Download
memory/1960-47-0x0000000007F50000-0x0000000007F62000-memory.dmp

Filesize
72KB

Download
memory/1960-48-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/2016-68-0x00000000007C0000-0x0000000000EA6000-memory.dmp

Filesize
6.9MB

Download
memory/2016-67-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2016-98-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2136-104-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2136-111-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2136-106-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2216-425-0x0000000000540000-0x000000000059A000-memory.dmp

Filesize
360KB

Download
memory/2684-126-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-128-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-132-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2684-129-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2772-151-0x0000000005920000-0x0000000005C74000-memory.dmp

Filesize
3.3MB

Download
memory/2772-158-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/2772-162-0x000000006C490000-0x000000006C7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-172-0x00000000072D0000-0x00000000072EE000-memory.dmp

Filesize
120KB

Download
memory/2772-173-0x0000000007330000-0x00000000073D3000-memory.dmp

Filesize
652KB

Download
memory/2772-160-0x000000007F780000-0x000000007F790000-memory.dmp

Filesize
64KB

Download
memory/2772-159-0x00000000072F0000-0x0000000007322000-memory.dmp

Filesize
200KB

Download
memory/2772-174-0x0000000007420000-0x000000000742A000-memory.dmp

Filesize
40KB

Download
memory/2772-175-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/2772-176-0x0000000007440000-0x0000000007451000-memory.dmp

Filesize
68KB

Download
memory/2772-140-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/2772-139-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/2772-179-0x0000000007480000-0x000000000748E000-memory.dmp

Filesize
56KB

Download
memory/2772-180-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/2772-157-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/2772-137-0x0000000004EF0000-0x0000000005518000-memory.dmp

Filesize
6.2MB

Download
memory/2772-134-0x0000000002790000-0x00000000027C6000-memory.dmp

Filesize
216KB

Download
memory/2772-161-0x000000006DCB0000-0x000000006DCFC000-memory.dmp

Filesize
304KB

Download
memory/2772-335-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/2772-135-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-156-0x0000000006E90000-0x0000000006F06000-memory.dmp

Filesize
472KB

Download
memory/2772-336-0x00000000074D0000-0x00000000074D8000-memory.dmp

Filesize
32KB

Download
memory/2772-136-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2772-155-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2772-138-0x0000000002880000-0x0000000002890000-memory.dmp

Filesize
64KB

Download
memory/2772-153-0x00000000062B0000-0x00000000062F4000-memory.dmp

Filesize
272KB

Download
memory/2772-344-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-152-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/2772-141-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/2820-102-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2820-103-0x0000000000900000-0x0000000000909000-memory.dmp

Filesize
36KB

Download
memory/3280-55-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/3280-110-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/3524-387-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3524-94-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3524-443-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3524-133-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3524-101-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/3564-363-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3564-337-0x00000000076F0000-0x000000000770E000-memory.dmp

Filesize
120KB

Download
memory/3564-124-0x0000000000B40000-0x0000000000B5E000-memory.dmp

Filesize
120KB

Download
memory/3564-130-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/3564-127-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3564-177-0x00000000069C0000-0x0000000006B82000-memory.dmp

Filesize
1.8MB

Download
memory/3564-178-0x00000000070C0000-0x00000000075EC000-memory.dmp

Filesize
5.2MB

Download
memory/3908-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-462-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-483-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-467-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-471-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-453-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-473-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-476-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-479-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-465-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-455-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-485-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-481-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-487-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/3940-459-0x0000000005560000-0x00000000055DD000-memory.dmp

Filesize
500KB

Download
memory/4112-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4112-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5080-447-0x00007FF655190000-0x00007FF656406000-memory.dmp

Filesize
18.5MB

Download
memory/5080-340-0x00007FF655190000-0x00007FF656406000-memory.dmp

Filesize
18.5MB

Download
memory/5080-389-0x00007FF655190000-0x00007FF656406000-memory.dmp

Filesize
18.5MB

Download