blackmoon | 4bbf96786582defbde572b0ba76fcd5b39e1763e3abcee6114fedd4fd80a08c4

Analysis

max time kernel
13s
max time network
101s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anydsk.exe
Size

108.7MB
MD5

18e74ae1487869042fb39721dca8b985
SHA1

6cfeebd522e410cfa3d3c5420f821f089f190b00
SHA256

4bbf96786582defbde572b0ba76fcd5b39e1763e3abcee6114fedd4fd80a08c4
SHA512

c57bf7cd4ea62850ea2f0bd53b3005c1ae1922c71068874205686db49900ad5dc4a6cac04a1502855279c305e6dd442315da11c114eb32ea35e93d1af4230cd7
SSDEEP

3145728:lBRPGw3RTT5Ej+1ejKQCF8VRrO97CUowYIw9f:l5tCj+AjK7FYu7Cymf

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/884-663-0x0000000000AB0000-0x0000000000AED000-memory.dmp	family_blackmoon
behavioral1/memory/1764-689-0x0000000000CA0000-0x0000000000CEF000-memory.dmp	family_blackmoon

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

2272 MsiExec.exe
2636 MsiExec.exe
2636 MsiExec.exe
2636 MsiExec.exe
2636 MsiExec.exe

pid	process
2272	MsiExec.exe
2636	MsiExec.exe
2636	MsiExec.exe
2636	MsiExec.exe
2636	MsiExec.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/884-666-0x0000000000290000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/1764-698-0x0000000000300000-0x000000000030B000-memory.dmp	upx
behavioral1/memory/1764-692-0x0000000000300000-0x000000000030B000-memory.dmp	upx
behavioral1/memory/884-667-0x0000000000290000-0x000000000029B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeAnydsk.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	Anydsk.exe
File opened (read-only)	\??\P:	Anydsk.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	Anydsk.exe
File opened (read-only)	\??\V:	Anydsk.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	Anydsk.exe
File opened (read-only)	\??\U:	Anydsk.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	Anydsk.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	Anydsk.exe
File opened (read-only)	\??\W:	Anydsk.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	Anydsk.exe
File opened (read-only)	\??\L:	Anydsk.exe
File opened (read-only)	\??\Q:	Anydsk.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	Anydsk.exe
File opened (read-only)	\??\Y:	Anydsk.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	Anydsk.exe
File opened (read-only)	\??\X:	Anydsk.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	Anydsk.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	Anydsk.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	Anydsk.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	Anydsk.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	Anydsk.exe

Drops file in Windows directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2996 taskkill.exe

pid	process
2996	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeAnydsk.exe

description	pid	process
Token: SeRestorePrivilege	2692	msiexec.exe
Token: SeTakeOwnershipPrivilege	2692	msiexec.exe
Token: SeSecurityPrivilege	2692	msiexec.exe
Token: SeCreateTokenPrivilege	1788	Anydsk.exe
Token: SeAssignPrimaryTokenPrivilege	1788	Anydsk.exe
Token: SeLockMemoryPrivilege	1788	Anydsk.exe
Token: SeIncreaseQuotaPrivilege	1788	Anydsk.exe
Token: SeMachineAccountPrivilege	1788	Anydsk.exe
Token: SeTcbPrivilege	1788	Anydsk.exe
Token: SeSecurityPrivilege	1788	Anydsk.exe
Token: SeTakeOwnershipPrivilege	1788	Anydsk.exe
Token: SeLoadDriverPrivilege	1788	Anydsk.exe
Token: SeSystemProfilePrivilege	1788	Anydsk.exe
Token: SeSystemtimePrivilege	1788	Anydsk.exe
Token: SeProfSingleProcessPrivilege	1788	Anydsk.exe
Token: SeIncBasePriorityPrivilege	1788	Anydsk.exe
Token: SeCreatePagefilePrivilege	1788	Anydsk.exe
Token: SeCreatePermanentPrivilege	1788	Anydsk.exe
Token: SeBackupPrivilege	1788	Anydsk.exe
Token: SeRestorePrivilege	1788	Anydsk.exe
Token: SeShutdownPrivilege	1788	Anydsk.exe
Token: SeDebugPrivilege	1788	Anydsk.exe
Token: SeAuditPrivilege	1788	Anydsk.exe
Token: SeSystemEnvironmentPrivilege	1788	Anydsk.exe
Token: SeChangeNotifyPrivilege	1788	Anydsk.exe
Token: SeRemoteShutdownPrivilege	1788	Anydsk.exe
Token: SeUndockPrivilege	1788	Anydsk.exe
Token: SeSyncAgentPrivilege	1788	Anydsk.exe
Token: SeEnableDelegationPrivilege	1788	Anydsk.exe
Token: SeManageVolumePrivilege	1788	Anydsk.exe
Token: SeImpersonatePrivilege	1788	Anydsk.exe
Token: SeCreateGlobalPrivilege	1788	Anydsk.exe
Token: SeCreateTokenPrivilege	1788	Anydsk.exe
Token: SeAssignPrimaryTokenPrivilege	1788	Anydsk.exe
Token: SeLockMemoryPrivilege	1788	Anydsk.exe
Token: SeIncreaseQuotaPrivilege	1788	Anydsk.exe
Token: SeMachineAccountPrivilege	1788	Anydsk.exe
Token: SeTcbPrivilege	1788	Anydsk.exe
Token: SeSecurityPrivilege	1788	Anydsk.exe
Token: SeTakeOwnershipPrivilege	1788	Anydsk.exe
Token: SeLoadDriverPrivilege	1788	Anydsk.exe
Token: SeSystemProfilePrivilege	1788	Anydsk.exe
Token: SeSystemtimePrivilege	1788	Anydsk.exe
Token: SeProfSingleProcessPrivilege	1788	Anydsk.exe
Token: SeIncBasePriorityPrivilege	1788	Anydsk.exe
Token: SeCreatePagefilePrivilege	1788	Anydsk.exe
Token: SeCreatePermanentPrivilege	1788	Anydsk.exe
Token: SeBackupPrivilege	1788	Anydsk.exe
Token: SeRestorePrivilege	1788	Anydsk.exe
Token: SeShutdownPrivilege	1788	Anydsk.exe
Token: SeDebugPrivilege	1788	Anydsk.exe
Token: SeAuditPrivilege	1788	Anydsk.exe
Token: SeSystemEnvironmentPrivilege	1788	Anydsk.exe
Token: SeChangeNotifyPrivilege	1788	Anydsk.exe
Token: SeRemoteShutdownPrivilege	1788	Anydsk.exe
Token: SeUndockPrivilege	1788	Anydsk.exe
Token: SeSyncAgentPrivilege	1788	Anydsk.exe
Token: SeEnableDelegationPrivilege	1788	Anydsk.exe
Token: SeManageVolumePrivilege	1788	Anydsk.exe
Token: SeImpersonatePrivilege	1788	Anydsk.exe
Token: SeCreateGlobalPrivilege	1788	Anydsk.exe
Token: SeCreateTokenPrivilege	1788	Anydsk.exe
Token: SeAssignPrimaryTokenPrivilege	1788	Anydsk.exe
Token: SeLockMemoryPrivilege	1788	Anydsk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Anydsk.exemsiexec.exe

pid process

1788 Anydsk.exe
2880 msiexec.exe

pid	process
1788	Anydsk.exe
2880	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exeAnydsk.exe

description	pid	process	target process
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2272	2692	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 1788 wrote to memory of 2880	1788	Anydsk.exe	msiexec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe
PID 2692 wrote to memory of 2636	2692	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Anydsk.exe
"C:\Users\Admin\AppData\Local\Temp\Anydsk.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\FOqfqgqgqegBX\anddesp.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Anydsk.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADE1B75FA581A171BDDBF11722A7D78E C
  2⤵
  - Loads dropped DLL
  PID:2272
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99D0F5157ACEED5EB624F80032932727 C
  2⤵
  - Loads dropped DLL
  PID:2636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B4E8F963831DF296354F359E99A1CDC
  2⤵
  PID:2892
- - C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe
    C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe x C:\Users\Default\Desktop\NEWASKDESP\f7755f48e847.CWM -oC:\Users\Admin\AppData -p807c6e2a72855f17AUN -aos
    3⤵
    PID:2716
- - C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe
    C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe x C:\Users\Default\Desktop\NEWASKDESP\185aebefe0e0.RNM -oC:\Users\Default\Desktop\NEWASKDESP\ -p158b49e5bc275316EOJ -aos
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe
    C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe x C:\Users\Default\Desktop\NEWASKDESP\070e9f980bd0.LHD -oC:\Users\Admin\AppData\Roaming\ -p8cc0deae16829cbcAFT -aos
    3⤵
    PID:680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2772

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2424

C:\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe
"C:\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe"
1⤵
PID:884
- C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe
  "C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe"
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im ipaip2.exe
    3⤵
    - Kills process with taskkill
    PID:2996

C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe
"C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe"
1⤵
PID:2660
- C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe
  "C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe" --local-control
  2⤵
  PID:1372
- C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe
  "C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\AnyDesk.exe" --local-service
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76451d.rbs

Filesize
49KB

MD5
2a2e756adbbef0acd38b8708930ca142

SHA1
998315fd4675754811139cb45c1d487df4c08cfa

SHA256
9956d8849ed9d3b11da6b974267c59415e00dcbfcbf18ef854abf6fb995b3ff4

SHA512
7d110f797c99c262dd400e8d9ef8935cb317b781cd75a20e9581b24b3516edb4bed3b788f3c092b0288c2a61f6dbc7feebd8e4ca103ec5e44e629322afd14608

Download Submit
C:\FOqfqgqgqegBX\anddesp.msi

Filesize
783KB

MD5
bcdf050c5d555371d8076a8fbe594330

SHA1
b62581ec782af843aea97bcab269bd796892a6e8

SHA256
0e3cf139032023e72fcb91ff31e5e799af19b69245be0a284a3f924b8517cb36

SHA512
e63a532766169f4e5a95decb5480ce8c8d023acaca71a7f67c49d0794936ea75619bb3bfe4f182844695b861680c9a006b6d74edcadb34ce06bb75e654ff9cf8

Download Submit
C:\FOqfqgqgqegBX\anddesp.msi

Filesize
838KB

MD5
2db12e1efe9288e353e3cb5e3b061643

SHA1
2a49beb6013a1df1ff13f67a422b448468008fd9

SHA256
79c03f09cff3c9bac6fb9c83ce2d903dee77703c8fbdf806a9dd870e46109aeb

SHA512
4530729a0bfdb6957cf90c13146514d39e24c16b5b4eb4d532ffd11cad47ddee99ff383fabcb413fb17580550fe8f42bb062dc7ed4aaaceee5b72447eba6950c

Download Submit
C:\FOqfqgqgqegBX\anddesp1.cab

Filesize
3.5MB

MD5
08e35295ec417e3e54246a2560586a15

SHA1
f67e12f795f2be78e5745c18a86dde4d29f189ae

SHA256
09442b5afbe155b86a7728ef523b9ab56ad7825bdb1325819ee278a75a3b67d3

SHA512
2d90c26dd6b6ad8570d2367fe9599e2a7ba65a99d65728501d1f7abd4fc2e8c72bb0ea5d80cd2e082be18cb2db5e143cc2285f2e7f2fd2e42aebb7d87da440b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1719.tmp

Filesize
260KB

MD5
f0e3167159d38491b01a23bae32647ca

SHA1
6c385f0ceaaa591b40497ee522316a7987846ed1

SHA256
15fb0bda4e4644d5769b90108c87a469cc75f74113d03240236f272396aa49fb

SHA512
dce7ebec5f1a101805467536972f08505f7ebf0e01a276af1228ed6b2a0e424f17faf402fd3c0ae5e93cda95b8c78f1d5fe163dfe8d4ed2012da4491e1498b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1862.tmp

Filesize
207KB

MD5
933a675bc617962ba81dbf620b3352b2

SHA1
d364c3881cb744e8b43db9c129a9a7506208afde

SHA256
40f02f914fcd951cfc1f1bdb84a91e4294db4b91e245b55e882ac32b4587a07b

SHA512
05484c64891edc710d8a4482f85a24c379906a67cce7918fea4f37a7036e830c79e5b740228902665e3e4e2106b204a7d8eb94777bf7fb2de1b0aa63a8b70d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI18D0.tmp

Filesize
171KB

MD5
602954e3b7da84cd0dbc7bac887b5b90

SHA1
b3982af55fbafbdced422fbb58904e55bc66b9d1

SHA256
c92ce96f7c1c4f81adbc54154c7f9b26402e8af9f51fcc41fa0ae9a8ebb402d7

SHA512
62ea7ac331850ef08706bd66d7eff9ac58a76b3fb9d0344fd1479285ceb3db2720a201f97748e90e473c8bdd244a7f493299129349463bf250c6f6a1a177cb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI194E.tmp

Filesize
157KB

MD5
2c8e1d9e81b4e06a825b1c33c7800d48

SHA1
84e8f76f604048a977bb38f953cd26e02451f21c

SHA256
9e91f779975e592fcac02862791068d30172bfa6f920f55ee71178b215503d12

SHA512
5e211a4bde665ca201996438f207535a378a26d817fa6f83ac828c1f940a8100a721d9235ff73457e1dbb669bbaae4ba5a30790da5bb5e7ed94ae7e4d436eb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI57C5.tmp

Filesize
58KB

MD5
ea62eedfa8596ce9434195dd2de72771

SHA1
2d53e18f1a6d6884f93cc131cb7bc5c986fe968c

SHA256
b67b2ed7a0eaccca39cf7fede1d82c6ecae81aff65217c99ae68a25650bf4e36

SHA512
63597c8377fbb7d70a3e9fb09e1d8e100bf6f5153f907624bc0d1a1f4a607a60cb44e75d3d8a991ba8900f81b819a19d1ef25b869f4fe60045df6419dd67e8ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI57D5.tmp

Filesize
45KB

MD5
3de4108b96213730052c9f9b33ce153c

SHA1
116398ff5cf1bd79d7d30ea52427c1c716d64bbe

SHA256
99e2a1fdf84aecfcdaabed2b44b407fa2d818a6a7479527fc5a6f7ef95c4e6be

SHA512
0647137a7572f474b9328499c38c86c630f5ddda5802d96a198610dd8bae2e4687be9862aa7e7f50aedbe3239250fd02217daebec00867f611c2bc8a9843d97e

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe

Filesize
152KB

MD5
3215c24e70310bf1e4d1fb8d5613ac4d

SHA1
db2982b561a83eda3dda18095960b11ae3c28aa8

SHA256
955d282e1545c6f51b25c511b03f9d93073b669dd4d6db8f7a29c84fdfc23348

SHA512
cc26500ab26dd3523607c562bba10616a4c9ea8cd349b9e644ca262fae8d66a56baa849ea3b0dafb8dda158ae96adf0c7c7fb37622019d669d801ab55d03c895

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe

Filesize
84KB

MD5
2ff7623eaec071e403ef9396f2284b3d

SHA1
cc8f59c12699f5c4559ee3034cca2e2899b15520

SHA256
7763ffea5624718878771624a29c21a6259b70182e5e0acb7d3bdc3fd664a59f

SHA512
51e76b17bcec4ca50cd3c5996fd02eabdb375b07101f38c942f43f1f6511520a5a2c47e09aae6071a5a18b5d8bb8edc93cb39c0f629af9a2bbeadeb26dc5eb4d

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\SearchRun.exe

Filesize
89KB

MD5
1633f8768bbbb63c44beb519eca01c4f

SHA1
681f2e6f146f8d3b60bf8cc8823c03c17298d8a8

SHA256
9dbc7821dcd15241c8d057ab314abafb9fb9f2fa72f09cef2be55e48c7794f17

SHA512
ba4e38e47fe0ba796627fcf9a0ecc6af6204464b753e3f28e451ce8704a1141d017a07f99e984e7d203d7c815b79c1fac4d9588ebc58f777f69fd21e50adf4bd

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\TDPCONTROL.DLL

Filesize
94KB

MD5
8e63dbcb112069d0dcfcaa7f491d7467

SHA1
58c9a47ce58735a44d4d1d5008f1cdc97518ac3d

SHA256
2b9a33c414bebdc874adf33af43f56a8f65170dbb8f9690e3a976187f3ebceff

SHA512
e814c2be35b004b73500190bcf54f6be47594f5c2c2b812e8ab89d94f177b572c510cc63dd92010315d323ef852552c158767a44c283685a0c7aff1dba6b5026

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\TDPSTAT.DLL

Filesize
61KB

MD5
14b169e99993b1a9ea969368a3507f7f

SHA1
009fb5089f6a9f35e2620ee877f60e63d7233739

SHA256
3a04ef62338cb3de64e0564c035ed8c765b3eb5ddf4b53c7ad7f6f1fbef9640e

SHA512
6899f7140233259a55765dea32088bb11b83ca07391cd45b7f10aefbaba03c8073e97f6e63bd463fe9e78f7562bd23883d8fe6d24bdcf5d45f081f873265f2b2

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\UPSDK.DLL

Filesize
9KB

MD5
31ca00ddb3898b1d0272ab6e30afa896

SHA1
580a57631218e7ebebba342e98f7b123aacaa6c1

SHA256
cddf63ef7b5ddeaf9036e7c26236574a4326e902b99eb6296c155632882357fe

SHA512
a6e6b3ff2a20e429fb48903582a79d210894c891be4f321139eddc805a72f0270f71d7f0e05e6216de2b586fc2e744308bc663acf0bf0a125baf4fd0276d78a6

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\cefvidf.dll

Filesize
4KB

MD5
988999e9532d3804c7a336669ce69be8

SHA1
c3d0029ca0297ab1b6b303dfc4610247b31642df

SHA256
3d291d12b00e841f43c8a3f35f7e8b883ce77fd33c264abb7a5aba05a090f3d5

SHA512
5560eaea8e95fd9392df64344f0a41b99bbd61bb02e73cb56ef33e15ecc63086865f70487244a66934035e73c4d453f6c3c44cb011788be57fb584200554a141

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\libcurl.dll

Filesize
88KB

MD5
5aa71682e05a7e78d1d8cc254b50dd34

SHA1
b52122e44a36a6b1a48ea09774a58316a441e499

SHA256
2106f97f89b8dc248d42087fd04debf02345906b12837dfc0d23a12b07a8af20

SHA512
ddebcca3e5371b0a2d3d1b42011ea880b6366be5f0a63459eb3d463651b57823f0293564f649d7fa0f62c0687cf730cd56e310abc13d65a0003b5c14db34181b

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\plugins\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\plugins\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe

Filesize
48KB

MD5
34d655d253b1b6538b59b645091dbab9

SHA1
036e83287c9d674ceb591768009993e995d8feda

SHA256
6003e07da4c931a59e04deebcad8c4400213b353a036fd8b7ab6762f7600e785

SHA512
9319fbdf127ccbeb0956a772d42756142e210ef3c0fa68375a69ddc9e1928a4e806c50424fece4152cff7cdd1a36fc8a4466ec4b9e3a9929b9f08843c5a60a1f

Download Submit
C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe

Filesize
95KB

MD5
5e76ef063ec9af80682439efca624e22

SHA1
737d87db000adf2a85ee5773066e712948fc58f7

SHA256
030bdd14161b0a62805a5cf09663ea25fc3a111aaf6add5ad96218017ccc98c5

SHA512
bf54ef806511ed6a53e1f2d3eee8ffb06c599acdb72458c87e6b0c59d78de085b8564b6adc88afdce6b86b926733605e7dfba00458dd18bd7a96e99e10ea1078

Download Submit
C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe

Filesize
90KB

MD5
4dd77ff979179b5b2cb9b513d2bcaecc

SHA1
126a3f828da18f28f3d15ac1049ddcf9ff60fb62

SHA256
d522f350b4c82e74f66e725d938efb3724efa0bd7000224ada4f7baf927d4105

SHA512
34269bcaad478892ad47cfb9abe4ebdb9f0480adf43c9ceffa4289bbe1e351bd41ab1a4e4a1d4729056d13d5bebd114cfd82399e9f49156c0ea7bcfbbb396dab

Download Submit
C:\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe

Filesize
103KB

MD5
ac368850db342732875e8e3cbc0a89e1

SHA1
e49409c01c1ed82959ced0158a97bb65079bdd47

SHA256
30114803cc5812a35c48bb60182e030b8d3029e47ac2a9fe7fde5b84ae50ada5

SHA512
c5442961f0f48cf8d53f117c3daabff8686a0aa2e6eabee4ff7e55a260b5aaddad37d7f65609d4931ece8ee3783289dd601dfb7990a956aa32eced17442da02a

Download Submit
C:\Users\Admin\AppData\Roaming\7z.dll

Filesize
45KB

MD5
34ada5df1b0c1ffb6a5d8d4b5a1fb772

SHA1
65855e3fe9c9586a3c81a050d16b09a80dd72332

SHA256
622b8e53bb1cb75853573180be4fe2544d5f0879d954426553d32c3be1544af7

SHA512
35a60d52c851117894c738bfe7a5ef4204e0fdd4a69e40353df19802268267db7260d3fb82242b921d6fe7eb218347f888b01605ebe2f8fc9fa07dd7899360c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
849B

MD5
202ee0f009784ccd1d028fa68f3587ad

SHA1
6241d8a8a0f1401929f5a5eba3768fdba4d64b94

SHA256
17d2061e6338f17adca5822d4f71e7dfd859f2b332441d7c17579467203c83e1

SHA512
3864cad150f25494d993ab61dd51b752f6c4978b796ae1290de276240f1d65292d369b8d029938c8b7ef921358bcfb0514f8c95851be5d73fca49d28cb89bd9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0aac7a097dc827e27d42f85e13141a2d

SHA1
1f1cc36d6221677244100afe4e152b6723956913

SHA256
9c936f2c7c8111a437b4bea40e37ec9d2c8e2182ea0d2f408fb37b68bca06fc0

SHA512
6243f9b78265b38035db3ac84e1a6168faa2fc26b0645d2749b6104d0e555d79bfa7650f93a2c4737fb5e418af291dbba77426f6a76958281f5796a3fd400efa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
39637952e22f4201d7822d3f4064eced

SHA1
d68dd9a8268608c6199b59ffc471f367fb133076

SHA256
ab912c24df2a7468f44f289ee5625155f4b5c555eef93c0eed020d5ef66516f7

SHA512
09a43032252cdeba4fe969d75880d8589748426e5fd134c3f8614b3b51acf6b371e6b1970437e37ef92b58eafc1ba1ec36f3905a4d07e13fb533f0cdc0de5804

Download Submit
C:\Users\Admin\AppData\Roaming\CAS_BYBAnyDesk\gcapi.dll

Filesize
62KB

MD5
d0b94747595d19b15457adc9d0380d82

SHA1
744866e2305ae27de7ad1e4a74a286ede3cdfd50

SHA256
5bf7c47c861d039fbece65bc13cb11e0667fc6133fc674c14b31826e14f887a7

SHA512
cf19174c305ad18a1f2332049753d8db06932ad44b8bf5c01efda0bdf8a54ff67f85f338915b54bf0cd092ba83b6eded664e2d5075e30e67d8fee847533bd758

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
9c7c5fe2f155159cf843a8a5ebb89bbc

SHA1
5ce87aa90390858f4636b9dca56a878cd233a56f

SHA256
2d218df10c3f3d5f6568e8648c0e731ad61ebb73d9698cede94241b542c7840d

SHA512
556e7ba23aedaa404afbc124286987c48cd0db50911ec0518f0dec479f2b38a02304ec1f866f02d12734f537d778286523283f2d25f7a3e9874c4b41056bdeb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf777ea2.TMP

Filesize
3KB

MD5
3f6d3d7318bb8958b75f70ac98c2ea78

SHA1
ef746c1e0b5023e2179eb3b4c0c2ede4976c3992

SHA256
e0cec0e1ae4a5a98d8b3e19d9efe903c050752925fa775b125eb2cec34857fbb

SHA512
b69f30a319f23d77fb1dfd92438b59688d07309906273dc1830a2e5887c45af73529a97adedda77e00f09e31c936d47d8d9231369acfdb3d5f9f4eb7ebd8bd28

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\070e9f980bd0.LHD

Filesize
91KB

MD5
8650e85f8c4c1270e9fd5ad9b9cc1a2b

SHA1
ceffc24fa63b473042a09b0f195d12b6874808a0

SHA256
4dca301a995332636f5de190f389f502d0ec0062ce93bb94141f29c9c67692a9

SHA512
da905e16550ad01b9900a10fe1d8fb024f4630b7543f041254c9f1e382319bb8ec7bc0ff273953ae94d3690c6ed32f0021180e8bfc006b5199d6ec7959688b2d

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\185aebefe0e0.RNM

Filesize
126KB

MD5
87879cda6a691d92e9a73469fd911b9a

SHA1
2740cf3291c6150407948def7313c9902603d904

SHA256
5880209799b7d2351eb00a7602c80679247fb874ecc2e6732d42f0b333efd2c4

SHA512
967175dadd2595627d9610f206c20dfed52280598e917f0a35c2c50cd9e819a94982ef4afc39277ab2cd57a8afe2cf4122c5d3cc6a3bd4df5078c0a720eac83a

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\64ec398d95f983f8HWH.exe

Filesize
37KB

MD5
c885b99221bdabb987df910b85767a38

SHA1
0db4fea302d8f8ce0b18ab3cd8f64ce0ae3224b3

SHA256
af3c90b0867bf724e39294173303d664a7542003eee41aa724902607de603d18

SHA512
8876784b14483527e7e4dece41b63cf138768d6eea6050cc41738211bc06b5c0b238d070a170c5bee7d57b15fe4a5b3ef44207c8d79462fb4ffc5a311a05751a

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\7z.dll

Filesize
50KB

MD5
ebd23fdef2a8cb464aa721e583583a1a

SHA1
7f4d06914bc8b6c4041c5b07ce41991b826bf4cd

SHA256
8666c9b9b37cded48f60fd82e4d4151bad905906bdee3c8a87cf7099088e545a

SHA512
a863bcad463c401f8bb4b35745c4ad14de14e7f8eca7f10d5adb92f049de521fbfc0c01a134b50f7f1484fef88af7b42c1af1ab4b757b95e8ccb513b65bbe067

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\QKFJSGCGWGRQ

Filesize
1KB

MD5
d0c3b4c8deccb359e20bc082d26052ac

SHA1
e42993f1a14adbfd0331a4845cfcea1a030c5769

SHA256
c32692d5f4334206f5174cef2fb44aae26fb96806e679c87ceb386ef14a7afb4

SHA512
6a5184ecf1b2772009ad285368bb110da821d65879b508ea8168b2679cf67bcac2e3b974293d70c03ee1ccab900d9c5dbd37a1832ea759ed5998b28209a6f04c

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\WHelp.dll

Filesize
67KB

MD5
99f814c0296abdfcd819ba2d812ce70c

SHA1
25e5234c881fbdd71ceb35961285721f3b04d3bd

SHA256
ee1b8ee3da44f811bbc168c0011fe4b05956e113da07170512e62174abf877e4

SHA512
c72957733d48a96c99551cfedefeb01ada3afd055d5fb00c6f82bcb8d44ff5fc3cbd0aa9e0a73bc549dc13772e1ee283648f289f0f9b9fdd0294b59ba22cf485

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\f7755f48e847.CWM

Filesize
12KB

MD5
b1c41e447da69eea724fd6edfd812ef8

SHA1
edbd9492d8036e072043272c4eee9f7751d04b7d

SHA256
7415a32e796be2185693a38c5638e8ae4aa21421870d866fd3bd7776f4a43c67

SHA512
ef5fd644453902dfb9e805472a923c89185aca7b66d24c9857e71b2e539b25faaaa3fbebe1a078876304111c47f8f607f204b9ac8865f35c5ba31611dbf947e4

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\yybob\AC

Filesize
24KB

MD5
bc294eee3529c207f4aa50291d0a42c5

SHA1
5d533f14bef4af67eb0307927fea2ddd7f71c8e8

SHA256
afb50f7b9c253872e257b4ef433e69e44d21c665955433191e6cb1b11a3e73ba

SHA512
1a538a1e941ffe9a95d76b87f339a4adbde60a82526d9cfeeb5cb6da8d29be8c2586eade9d53199aee51b6eb87cfd864e7ac2711575575f5d4e8c5a6f6040f17

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\yybob\AF.dll

Filesize
18KB

MD5
796ddfa066d4b5df1aac6da343b20b5f

SHA1
a1690ed504fa78a656c1ac9c8805cd381382b5bf

SHA256
7ff35e2327d3b3500acf7378edb97a79982fd20b5133628567133127235d7081

SHA512
9941b9558793d3346180537414a738983b11f0f0464c20e14fff3808344fd18dbde18803c7fc0886baddc6600e3b45a3bb384020e48ab9d24c84ec3d8619facb

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe

Filesize
45KB

MD5
b238eba17b63a6f25bb2fe62792a7798

SHA1
5409bab65f3728d0a4a58f2b2f259db61ea16c64

SHA256
335f15f78bbd6a005c41d97864dd7ae536b846d6ba509c467c4a4b843ce4f12a

SHA512
60ba054796698a8f3c2ba68f59b57d68bb63b15c57fc81ad23f3c439f183c3f1a7859a280ff921ed802bde7a4e684ce6a5d810501ace1511f7367f078a96a8f3

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe

Filesize
55KB

MD5
046f993323a8de0a2bf4bdbca601b9ce

SHA1
72b8441d98abbe78a73e804f13fcc6985d111993

SHA256
2b5e3f2c2bb83cc288c358a5d047fdf4c04ad17de3d87cb5991ce1a3881dc750

SHA512
511eba6d5f6043c9d16e1f480a8719306b2ad2e59666917419cacd21245c2801a9781fa9929433a6baf7bbde6988aecf44549fd30c59db4c31c9bab7c9920d8b

Download Submit
C:\Users\Default\Desktop\NEWASKDESP\yybob\Plugins\qvlnk.dll

Filesize
88KB

MD5
db1f8076d6ad1153ee4c49435062f502

SHA1
8d9854274bc577232b64afddb9d69e152de9cdb0

SHA256
61dde2cd50bb54d871d603853297eadfe5f4b89e627ea993acbb2b95a8e09894

SHA512
2f05ecb0b119e008dfd0279e75ed474e6a4b306f0baf7fd2798b1a202320149b1aa67672482868b3a9ab4191469971c848bfaff852467db0247d530ed84cfa49

Download Submit
C:\Windows\Installer\MSI475E.tmp

Filesize
357KB

MD5
4cd9039af1161a3830f96d37af41500a

SHA1
f13faf46cf0a60aa2878c313cde77a5b393a35ba

SHA256
5ded079ad0ffbad2aa778c47d40b509dad70876c5c4aa6531deed5b700fb845a

SHA512
d66d5fafd62df962294e23003f3a2e356c85e04a47c4ae4da6abe624c1eeab84020bcb63d09c56871e3efbd0c6b91b03bbc09a37ab77f47daca00db2eaadfd6b

Download Submit
C:\Windows\Installer\MSI4906.tmp

Filesize
118KB

MD5
83687c645440c613b221386b93e3d0b7

SHA1
1004d67dac7eb5ebb8aac42e64d129c6850b5056

SHA256
5a6b71c759126fb7403a4c577ac8b95309ba03983490a6d144804995d57c71f4

SHA512
fff8ef19ce7aafde017d387241eb0729fc5050a45f760b749412d297c2a331294a4220791085d40f9d9d5d73aacdcd5e6e215b83cf0c07188959a130fcaa12b0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1862.tmp

Filesize
253KB

MD5
d1344d80596655201488b4c9f2b29e34

SHA1
6a851ee960a0bb00a0d0400ed0dd6b1b92adfc05

SHA256
ceedc23ddb9c5e7564dda0941a76ae3fdc36b1a2dbc43502a10fbabea7f73111

SHA512
20c3a345a28714ff75007c04eb616cef241bdf71a75d0f02d4a9ca4155437b8ed20219acb674eda0c8c25e3a6ab0bf4367e184eea13e157ab099653da4c02658

Download Submit
\Users\Admin\AppData\Local\Temp\MSI18D0.tmp

Filesize
246KB

MD5
3ef100335c379fe4f85403f9849cb48b

SHA1
9f72dc1a2a489e1fe4441190b19849187535ea81

SHA256
c208c01413b729366f769fc9758698f04882234a81c27c5a39dfae5fa0e4ba4b

SHA512
7e0e4eb748a486df164e59f4ac7be599e593fef30df810fb2a0ac8383c13d7b509d2c9de364cbed24693128350f164d600c85f7d6094224962840f56e639fc83

Download Submit
\Users\Admin\AppData\Local\Temp\MSI194E.tmp

Filesize
217KB

MD5
744b10f133890b5cb1743a416051cab5

SHA1
423a35eecccc8f13baec3de913210b20b8fc709c

SHA256
4661e8d7e0c823fec749067f95bbedfd94474799b0d1fad932124a06b07e3f3f

SHA512
4f27faf01b5ede233e085d8cc73527eb277a8e690de48a92791ec898af92c639b491a4508d2a9f1fa022481fbe4a44e8d39f5b4e5d96c2d018c21dc8a0ef24f7

Download Submit
\Users\Admin\AppData\Local\Temp\MSI57C5.tmp

Filesize
21KB

MD5
1e4cfc32d9096d12ec2705e97fa4cce6

SHA1
de791802b1c674a3d18789975ac4cdde9a4d3883

SHA256
c74632808650da43830f1722fe8e8f0759137fbf26753f0318f172e73ca0d867

SHA512
4d7793b2355042f016f2ffc9838eb7642b97273bee3ce45a74185690949b1e92b70bd471db14e325bd173e71c978e74a02e3842e8e0bab9a6978f7eee179fd16

Download Submit
\Users\Admin\AppData\Local\Temp\MSI57D5.tmp

Filesize
46KB

MD5
69161a00c016b9653fed5fcf3f94e588

SHA1
2ea742b7675f574a74de5fff7c0ecc991dc20f7c

SHA256
c2b794bb76a546f538b295145ed517c38fa2e7644068eeb5a09aef99a9e2f5ac

SHA512
5dfe07f1723ce0479dae430b378213b7497e18a675ba1a8006059bc1eca3749d84f3eca72b44531e4c3e7c1e427e81f38fd66a20fd53eb39a81f005ce1af654e

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe

Filesize
181KB

MD5
63cc36b09fe2a93fe4421fa758d6e4a8

SHA1
1297f356f3aedd178aa6008165d4463c3f689a48

SHA256
7b2aa75fbeceed5b986459db44fa864eda0fdb1ebdb8e4ca9724a48db45aeb3d

SHA512
169ae69a0ca3dc2389b4d34108b67549c2daa97fa4391e06e2a871b04ad823a46420d58196139f001c58966c1fa720bd5738a454e3ff93e7010c369c9be1b9a9

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe

Filesize
10KB

MD5
7e14b87549c5949fa6dc712a1cd62bbe

SHA1
86ac6a2faafd438ccb588c033234087a4d844481

SHA256
a6ce1a9db38833e6e68997d6ffeab9376bd7c7cf1c934e820ac33ca8ccb98b14

SHA512
d229dc2fb991df6888c5a8237713e31c67f42878313da00536dc5a95218586e32c8c54ee39383c169e20506bfe8ea1fd644714eb83138330109edac4abc03424

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\Haloonoroff.exe

Filesize
6KB

MD5
6cbc3cff58a6756ae64155bc62a284b4

SHA1
c6ca485677a9f7afad14b9854d2252ca580c7f77

SHA256
2c2f7426cab914fa340323b8bb021d54bb21638877735f7677190d3c989764f6

SHA512
7ce467450ef20c2a407389f850d41951563028570a294e01220070e54423051451dd2cb5303ab46d290ef7ad2356b22e37bf87432a860181970fb763e95cebb1

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\TDPCONTROL.dll

Filesize
44KB

MD5
0d9ec98a44d3f63c5c30be7f60cfa289

SHA1
d267180be7aedb498b2a36c97422ac6a4b854a21

SHA256
b327df4ebcbb15b45fa56d7a6a87a3c526619650dd98feb098b2603bb6569bf2

SHA512
1cb917ebc18db1ba97b7225b67337df131de565a71bf6e5b0173e90f90a17779e5ab910d7d083c39145163e29530f249d03b6a2a807bffe916e60e2a2521c823

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\TDPSTAT.dll

Filesize
68KB

MD5
7d18398633c54e8c76fd6ffdb9e2d676

SHA1
ef99560cedde8149ebf2d9ff6ec2b67c17556c97

SHA256
391ddbeeed3ee1eba59dab0aecc830c3ae8686d9d30481bb55859413e41b5334

SHA512
e5e3d8818b9fd272701cef9ac564a2d5ed7c37481f12c6a7886d22ac6b5f27bebf3c893a00ed1fcdd6e6579bf02aca44e2be96ef1c9d102943ef4b38c99a7390

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\UPSDK.dll

Filesize
108KB

MD5
60c6fbe7afe4859b42ca5744dbc4b182

SHA1
219e468dc2305f3bf6fe2d6ec6e2d9f9ae9cfa79

SHA256
7ddedab0db6b26c08ac1e28c9b36329a3b1303a57c5ee35d61a67dab425cf948

SHA512
7645e877efe2169c921108883a50a77c6dad2eb8749777988228f71f10f47c241d796b02b2196d2f487959264052ca41e9ea8593d506d77a9fc5aa03bb11c65c

Download Submit
\Users\Admin\AppData\RoamingLocalLows\WPerceptionsimulation\AMPPL\ALGinfo\Run\libcurl.dll

Filesize
48KB

MD5
6e76f5b30af1d0cd251975cfc80e996f

SHA1
1714ca1b91dff1110ddf50de601575ead2f4c606

SHA256
8f8fe6d16eea029e4b2f4d675352c869ea5e3731eb26e3e4b3400b0439977316

SHA512
dec605fd88a0319df651a883310d6dd8eb1812d5da4993d84bf0ce1e726f36a10b6a1f9422da09762cdbe14d09dd5b3a714b5051cdec288a7133c9ef142c76f9

Download Submit
\Users\Admin\AppData\Roaming\64ec398d95f983f8HWH.exe

Filesize
69KB

MD5
554ecc6c43a3b8c3e27396cfab7bc037

SHA1
e189501a61ad17094bff789d4458ca3374afb45f

SHA256
268f6de2a2f2fba1aaf99c80ab486f285e31c2c1c66424121539196d953b3776

SHA512
8f6ac6876f8d4b4af74a8d1f1d19998a1ff965ef27c4fb6b5c7a0123be10a2e6b7117b4621ccd05744c681f5ed8f62e2631d4fd96c25655701677cc5c655df9f

Download Submit
\Users\Admin\AppData\Roaming\7z.dll

Filesize
15KB

MD5
20ca80180b3b907dd9143228e6e3b632

SHA1
c4ceafab0ccd57a0567b7f16d35b5e7d5ac72960

SHA256
e28d6737bbaa933b1b038cc8850265502897aec953ab300e8144e8a76668f1bc

SHA512
b944b8d2d4aceae7e1275ac03aea1fc8f7fceb164e498bff52c531d18ec932a0313201d0fa78cfe5d050e0752aa0c49cc7ebab2a45687141b07e703818ea7ca6

Download Submit
\Users\Admin\AppData\Roaming\7z.dll

Filesize
89KB

MD5
8adec8bffa28aed756ca81e6bcf6e84a

SHA1
bc4e91f1894b38131dc79c5757b8a8fdbc880f34

SHA256
1a3d8761f74a137aaa2face97e884f6573d6efb43e4a3be9db82c4f57feece0b

SHA512
fa80642fec2e64bf22bfc2d47f29aa6651b7b8e7357e566a463b6d6577585c128196ccc040155272f9e2aa24a1b356b06a7156316fa942861962d4c0bae0c65b

Download Submit
\Users\Admin\AppData\Roaming\7z.dll

Filesize
78KB

MD5
9e99d806bbe78ae8e42d0997310029cc

SHA1
39ed8ad8111628973369bdc83c521fea676b3690

SHA256
e7f3549d13cdf866b768cee2597203737227b331ada560710c6844ba3890fc5c

SHA512
1179d221d0379e3386357faaeaef187d8a761ca13e81e9af9be199de2c27325ba758c234c23c4216113c527f7d5857c20e6ebfe2875c57852977a8349414628f

Download Submit
\Users\Default\Desktop\NEWASKDESP\WHelp.dll

Filesize
28KB

MD5
3cb5c5f73677efabc22b37de8510b22e

SHA1
63c4a63d47d68fb2d6f6f54ffe13f0cbe0eb594e

SHA256
1bf5ce350dd2004be7232c4b00746335bc17e759c1a3075d995a3af5833ed9a2

SHA512
e673be08bf68d155c8cceec6e93835088818d3d8bb15695fcdbd351eb8938db3be2aa917f22aff98d4188b10a168b1a1800e63d965180989342af91c4d006ac7

Download Submit
\Users\Default\Desktop\NEWASKDESP\yybob\AF.dll

Filesize
13KB

MD5
23f5954bc8839a3907bfa5e2c230bb92

SHA1
01c5891972e5f1c1f0cccae9bb5d4fdc13df0266

SHA256
2a7e8e7d9159d28311dab4b92a4a0d3fd282bfee146c6c1906df3727564accf1

SHA512
d1b7531ca44c60258888094355b49dfbacad573ccd7a04c85769e036a54f4a1810de1aac9120c59ed0f367be5eaae7d0634a5f46d5b7a00a1b3f1c7568ae9645

Download Submit
\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe

Filesize
54KB

MD5
690e3a64c8aae2a80997143da805dc28

SHA1
ea07239948a91ec63c811a8977da8643829f25b7

SHA256
9c2ebaa171543c468195a09332252188698f16558c94dcd0cdd40652c107ddec

SHA512
a194a39a7784fa0db683490d3ea1720357eb15d4578a7316b453913208eb5a697a2cc65b2d7f17f92a53aa4ae2614bbe10484675e852a77a96b1d145fa61355a

Download Submit
\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe

Filesize
30KB

MD5
953c10a70ecde28f2d6aa5251775dafc

SHA1
e65a0a2ce0f4a6574d730f8fecda4ce14e162014

SHA256
15946e61e094982fea852c64d75bd2bb0565a1a1e5cb6d5c62d2ab88f2014a33

SHA512
00b90d19b6f4d60862fe2a18b72ff5b089e1f17de1e6b54645d77dcdeacf1f847e27a3b74134d9ed5ef9c3781dbae0cb6861050965004f6e38811824544ffb7c

Download Submit
\Users\Default\Desktop\NEWASKDESP\yybob\Bor32-update-flase.exe

Filesize
62KB

MD5
03d8475d912bd2846d31a3a2db72f3a6

SHA1
969b1fd9f5cc1bc4931d5144a2cf96daf0650ccf

SHA256
0ed4b412f10e635adca7a84dd8bb26ea50e49b55f7268ea00626474f58c8c903

SHA512
147d56319460f55ad341b4e7ed8c7b6ce8d03f8e98b374598a862ce6e0d847cbc91a2599f9c9184c519f228106d4dd50efc2863554745f511e0a0ba379cd20fd

Download Submit
\Users\Default\Desktop\NEWASKDESP\yybob\plugins\qvlnk.dll

Filesize
27KB

MD5
b8e478957fc07273715da9c1dfacbf22

SHA1
3a72e5c311caa093368523eae27d954cdaefea17

SHA256
ea506c52bf94f51a59707cb1cc0745b0d6c710c0f83c7c8b2993fe5a1cd18b53

SHA512
82824c96b02f8a5c045b697a4375ae8b3432b491a4b49b11ce698053730c02d643fd38d58011370bee0e7df6656d672db15e295e612c41c1a0326ce78d00fd30

Download Submit
\Windows\Installer\MSI475E.tmp

Filesize
332KB

MD5
04c4c3a265a0d551d57e61a0fc14c7e4

SHA1
749d354a050ec3ac1eae88c88ead2ecd024affbc

SHA256
bcea5faf14c1cff32931d23381ab54046a7de6a8ddd0c18e3d8510ef02f3fdd4

SHA512
63580cb9c95e61ad1e236fd202ca6764c5361a89663fa8c8630491c2ce40dbfca2adff1b2ef8db05a0324f3d3070fb341bb052eb60cc592ba02686b759f8d091

Download Submit
\Windows\Installer\MSI4906.tmp

Filesize
107KB

MD5
65fa0caa488fc468c0f41dd208b44201

SHA1
cc86d67f6a35cbb48ece1e65492b906ec513711f

SHA256
664a0039915515145bc22c3254033e0c8e75cae2eab3cb57b38fe4fe086ab0f2

SHA512
d3e2d7ddb97c2c8894c45bcc82f1c6c3e2f1c2adaf93bf9f02083d4635d216c583d3b5f67c1060c86acc6835b49da1014dc92aa490e94a8cfb40028a74c373cc

Download Submit
\Windows\Installer\MSI548B.tmp

Filesize
16KB

MD5
57554e63856f91cc3b19c1781a62bd49

SHA1
4bf74f032d68eded08537f241f4ef6dec5fdbf69

SHA256
96eb9e482ae504f18ec06c2dadccb12b17237f47ccd7d43ca3b8903973cf0bdb

SHA512
7fc5b37e5c0da16494251b1e6c633d79b0f1d7c64b402d2dfa59d5325bb2eeaa11d8a35ad6d1fd60a5462268f4a53616223d1a539dff6073a4e01e96dfc3df68

Download Submit
memory/884-667-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/884-663-0x0000000000AB0000-0x0000000000AED000-memory.dmp

Filesize
244KB

Download
memory/884-661-0x0000000000250000-0x0000000000263000-memory.dmp

Filesize
76KB

Download
memory/884-666-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/1372-918-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/1372-742-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1372-718-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/1640-715-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/1640-917-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/1640-720-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/1764-705-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/1764-695-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1764-680-0x0000000000720000-0x000000000082A000-memory.dmp

Filesize
1.0MB

Download
memory/1764-689-0x0000000000CA0000-0x0000000000CEF000-memory.dmp

Filesize
316KB

Download
memory/1764-704-0x00000000004B0000-0x00000000005D2000-memory.dmp

Filesize
1.1MB

Download
memory/1764-675-0x00000000004B0000-0x00000000005D2000-memory.dmp

Filesize
1.1MB

Download
memory/1764-693-0x0000000000CF0000-0x0000000000D0D000-memory.dmp

Filesize
116KB

Download
memory/1764-706-0x0000000000720000-0x000000000082A000-memory.dmp

Filesize
1.0MB

Download
memory/1764-699-0x0000000000D10000-0x0000000000D2D000-memory.dmp

Filesize
116KB

Download
memory/1764-698-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download
memory/1764-692-0x0000000000300000-0x000000000030B000-memory.dmp

Filesize
44KB

Download
memory/1764-703-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1764-697-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1788-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2636-651-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2660-796-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2660-737-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/2660-732-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2660-916-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/2660-709-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2660-942-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/2660-953-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/2660-993-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download
memory/2660-707-0x0000000000E10000-0x0000000001E95000-memory.dmp

Filesize
16.5MB

Download