Overview

overview

10

Static

static

3

b99cc58b45...a4.exe

windows7-x64

10

b99cc58b45...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b99cc58b450cf68801e301eaea9927a4.exe

  • Size

    6.3MB

  • MD5

    b99cc58b450cf68801e301eaea9927a4

  • SHA1

    eba28bca7e8920f42717e8b0e52611fc9708fc66

  • SHA256

    7307d795569537cef259606c48234c9db61ed7786eefe8151e89d369408308a1

  • SHA512

    0924f89ca33cf794f8188f8232781c4f9b59be1e9e812e379b1923a9eebcae3fa1a7e7dc3e387c47dda2786eaafb3298ee72a10fa4b8d9e9f6294973cbb5af16

  • SSDEEP

    196608:owCqdWR0aKaljq/ypGt65iRJMWSZUXnFTHxP:Sq4aHadpGs5iRJMvMnJV

Score
10/10
fabookiegluptebastealcdiscoverydropperevasionloaderpersistencerootkitspywarestealerupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.79

Attributes
  • url_path

    /3886d2276f6914c4.php

rc4.plain

Signatures

  • Detect Fabookie payload 2 IoCs
  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 13 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Downloads MZ/PE file
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b99cc58b450cf68801e301eaea9927a4.exe
    "C:\Users\Admin\AppData\Local\Temp\b99cc58b450cf68801e301eaea9927a4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            5⤵
              PID:2808
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
              5⤵
              • Creates scheduled task(s)
              PID:3292
        • C:\Users\Admin\AppData\Local\Temp\nsd8203.tmp
          C:\Users\Admin\AppData\Local\Temp\nsd8203.tmp
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3668
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsd8203.tmp" & del "C:\ProgramData\*.dll"" & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4864
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 2408
            4⤵
            • Program crash
            PID:664
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3508
        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5092
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4512
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              5⤵
              • Modifies Windows Firewall
              PID:4976
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4416
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1440
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              5⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1680
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              5⤵
              • Creates scheduled task(s)
              PID:1704
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              5⤵
                PID:1632
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3420
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                5⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2784
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:4896
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                5⤵
                • Creates scheduled task(s)
                PID:4980
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4992
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2128
                  • C:\Windows\SysWOW64\sc.exe
                    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                    7⤵
                    • Launches sc.exe
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2140
        • C:\Users\Admin\AppData\Local\Temp\rty25.exe
          "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
          2⤵
          • Executes dropped EXE
          PID:3996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3668 -ip 3668
        1⤵
          PID:1756
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          1⤵
          • Delays execution with timeout.exe
          PID:1976
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:1816

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Are.docx
          Filesize

          11KB

          MD5

          a33e5b189842c5867f46566bdbf7a095

          SHA1

          e1c06359f6a76da90d19e8fd95e79c832edb3196

          SHA256

          5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

          SHA512

          f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

          Download Submit

        • C:\ProgramData\mozglue.dll
          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

          Download Submit

        • C:\ProgramData\nss3.dll
          Filesize

          1.1MB

          MD5

          2265a18c65c53b557486057e32e18ec2

          SHA1

          428f2b339e59d0b25606e3c472c56045e45fec46

          SHA256

          3bb4117865930dc307e78ba1a49c1d6c3d6fa6d0ed894cf614904bd76b52a395

          SHA512

          f3cbd134dc7ef0f33f65171b467d166e8e29c5e8046f60a377a87cc6025ccefdadb24a48b2b599f97144cfa09316cb8361676a94943c171a8a8cb0222453afaf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          Filesize

          462KB

          MD5

          9d4d63768ccdb1f5b512dce7a3d7f7e1

          SHA1

          62da587713bf7e80d3422d0b9900beeafb667dce

          SHA256

          5d2f0a97688fe4091cc5f1fe7195cca5564c0087bb8779705768088fc1414f90

          SHA512

          642282cff12286b2a836bfedb54aec0e0474dbaf22d5b8c404b657783dd37841fbf7f69056ae11243c82d198e73ce3cfcd3e1ce158127e691fb3742e5e10048a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          Filesize

          539KB

          MD5

          7952d3f07673886048c99cc70f917b25

          SHA1

          a331ddd73f35ff3bc7b306bb72a27c7118fa5b03

          SHA256

          8680b9188583ee4dcedaaf4fe930a336b40913da66c5e5cab553aedd2f7a0073

          SHA512

          dc927d5d43c552db9804032b60d4793c07cbf9214c005d4804769573d6588e8310e55b17ff2dfe796be7eeb83552152bfc85cf8d36b382006413a1d87bf5592b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          Filesize

          529KB

          MD5

          8058d36e1f9e892927fc9e3c5de219c5

          SHA1

          2f09767a40f37a0e2e8e79341777d51d4714c2c9

          SHA256

          dd36e0f7d60f6c17871e738d1c61a10dc2ccc4f01fdf71a38bdf2cc8c7b29bb1

          SHA512

          98fa553b3bda29f35c1da1f652b3c7490baaf8b83f304c7895bdbcaa2a7c971b79df3443ea34e9438708900a6d9fe01d94f5008ca40d7246bdaab214e9b4ff11

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          Filesize

          310KB

          MD5

          d2c1f3f18ee1ae45216f2e4e0eb9ef9a

          SHA1

          95e406d6389585602066d5d68ce80b181f0a6648

          SHA256

          1b3970ba7fd2fcc3bdc9f08f9224305415672de20ee8011eba47d2d52ddc25ba

          SHA512

          13b47350a021f11d075a20a92d11830e222e86f69f56ec38b83d7613d6c98146be84958fb21514d3c4a378faae7ba519e4059f0b6f6a8f172edbc8a8f00bc4ae

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          Filesize

          449KB

          MD5

          b5b9a565d9b2bf81def0869b82bcfc1e

          SHA1

          588a3983c31ef80445303c33e695cdac360936fc

          SHA256

          b88bfd05004c6ebc0ddd54d01dfc568979d54e068e94dff24e1122db0fbc6caa

          SHA512

          172fc23f7ceb2c4ad6121a131564c1ca40d4d0aad3b97247656f7586affbafb71eb534c9a6cdc5ffb8468a72f8112676926095ba9c7329d123d39355eac86f34

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
          Filesize

          508KB

          MD5

          51986a2ca83725de58c6be9c7e0c0416

          SHA1

          8e2bfca7c812ba5fee1f39d02335f6dc7e4281e7

          SHA256

          926066035a70295aac5f9133ae4e211bf0b706a4a6c6088d0b9ad2e1966e651f

          SHA512

          b6ed088f6c9c85cd82b2c0b8f292181861a80ffa0f8af493ad473ee9a5b86cfb2396eb0613b8675a34a4e214ba073fd58aa3122e86ca0b10bb29622cd7e152ef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
          Filesize

          41KB

          MD5

          b4f65954dcfd132337f8a98ae535c677

          SHA1

          c0d42a808cc7a9486e43c5c86afd087182f269b0

          SHA256

          1fa2cd8e2735712d8e92c54cb65102244c6e2d76c4c7e3412130c1fb4c744c6c

          SHA512

          efd4ba30d982fa65a5dd81c210e1020b263cc5125b6c0d43e5e37155c9bc50f5d106736a81ce6615124c2360bb3d7e970646d003d4651068eacd08a9c1ec4007

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
          Filesize

          1KB

          MD5

          82c871aac975646153099d4674fecb35

          SHA1

          4ae76029b1284ccbf52e0061e276d26617669b3b

          SHA256

          d2079cbea9120e495783f27393b3aa486a3b25e6e9650bb70af526168903f5d2

          SHA512

          3b660c39e3b0ace1ea67c8daa347ba115ceb0039580091a2257b7a120664427f2dda940acbdc1b9cb0a4ed64081a72c8fc295eeb8f07dbf73fb6ef22584f3f49

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sw0hsgkm.dd3.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsd8203.tmp
          Filesize

          38KB

          MD5

          8b05da378c550806793ab27206f6e020

          SHA1

          8a62cb5145ee9fbb84876accd85dbd5fac4ab6d0

          SHA256

          34a7f10b64630f2a0df3ce8c3dc88078d833cfb78f990e93d9e9b98e76363490

          SHA512

          8a1f0759e3b934fa2e09aa6e057fb739ec363e4bbd65f60a404cd63fb4abae82600382d3ba6a008f734126aa8f17f824c065e5c3f045a4bb4c25e77b5cd4805d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsd8203.tmp
          Filesize

          217KB

          MD5

          7a3bc653edf7e2b50130bf92d1922852

          SHA1

          1fed17f3d505c676bf3e646d3fc1dc1d54b6d497

          SHA256

          884768eb920404c61293ca5e899aa0bcff8186f04c3d459c84bb502c5339255d

          SHA512

          a6c50264319a94aaf9448f28c314bd27ae8382cc8f332816ef278ed6c775ddfa85c5bbbee95c22b3868e737ae7a526c62bcffdfc9240623e1bd673abd2ab0f6d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nso762B.tmp\INetC.dll
          Filesize

          25KB

          MD5

          40d7eca32b2f4d29db98715dd45bfac5

          SHA1

          124df3f617f562e46095776454e1c0c7bb791cc7

          SHA256

          85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

          SHA512

          5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rty25.exe
          Filesize

          369KB

          MD5

          766f223bfc10876ac9d479a69ae2146f

          SHA1

          89dac02805d1527e18b1e7a4b11cec3749086528

          SHA256

          149e5c04e1aa481ff8438ba6f2734195a01853ecbd109063b3a1101bf5102002

          SHA512

          cb8cf96263116ba840a1eec81811274b00b3ad5de9f46062b991538dc8ebadac0a7cfbc804deecaab4ef38a0cd30c99ce83e4e025078a7f581c05eb5f181b4df

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Temp\Task.bat
          Filesize

          128B

          MD5

          11bb3db51f701d4e42d3287f71a6a43e

          SHA1

          63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

          SHA256

          6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

          SHA512

          907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          fc66d04569c031b16f0af97e9a29e614

          SHA1

          b2341acbc0c114abc30348a37a49cf270f5781dd

          SHA256

          b57e93e35a746a402c87bc4aa816f1da9cc70e20b8fd2b0343541ec01d41173c

          SHA512

          d8a95da77ade96bea20f51ec9b498c22b69db9b0d1162c54a7204ba1cc56507dd2ef048ab745803fc2b4ad29ab2a459548b4331161787e7a3e8d1766ca6632fe

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          944d589757c654ff10f1ac3b3040709c

          SHA1

          8c8cc9b2c3c9040e8ebc33b7f6ece03a5b073e3f

          SHA256

          0cd72dbebfaf5cb9e757b5dfc23f153b7fbddf3cf6e738389a8207508fb54952

          SHA512

          17ae95880ca35ef37d599d628cdae296306b870c2b02b6f65f82e0aa38df5eb5d86a889571f490b198327441a5bff621ec7d650e611955c87949f6f20f4c67ec

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          08ba4582f59212f75bb70be06fab72a0

          SHA1

          cc466606e0983c82990f481ada5f2e537858568c

          SHA256

          4f6419de3fe5e8f1f4f711e25095ba7e5c798a9184d887fc9ac9056c24f93943

          SHA512

          d1b953c19566292bbc070f06393f314bffda6a52719be8a33b933af2f6aeae4882c2a24f3192fee18da2c21a34da39e7be31a3dc30ce39c6eb3d3b47cd66836a

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          f789ae116fef3e9c10c3b3176bd9ad7b

          SHA1

          be961e0a5c6dec4dded9bd000bdc5f39cc5570c6

          SHA256

          b84dd8b47193bbff00d5a0c48ea5f3af20826e80d2f3ad06516572b116c18c9a

          SHA512

          7f7baba07b580a24482765fb78fcf226672a5b6f426eb7b5e2ce052606a436d1546c2a3d73be8bcabdc996b81d2bb94e68cfb58c2dbacb8f21292e736e8ae6f2

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          2fbfd27388b0ed36766cfb00a7b2a087

          SHA1

          17ed2ddbb1780e394af73fdae87672008a1589dc

          SHA256

          da57d3f624b0abb4771ea977b9e3c877fb4dac8f4122a6364321305f6d61901f

          SHA512

          be78be34eaf54c52c0ed7672d94ed25d8224a6e17dc96f62d223eeda3a0f4a622b75c80b5e4c53d83794aeb82c85381122146c7d97f1b4f6a0c4b13190b3291b

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          2.1MB

          MD5

          9d023d7585032bb32ff2f17a199cc1fb

          SHA1

          6f021240f4143373c524fb3a638b8d08c75e1cd6

          SHA256

          4cecd0d986b859dfe95e19609cabe97207351c4e7ddb2589f9653d6416c7dc7d

          SHA512

          ff056c161a4c5ef0caf02f01b094709ec480bb2bb0cde5e3699991948a91faaccb5a43225ec21655abd8349f044cc1eb4792a89addb324cd304b3023f256db93

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          2.1MB

          MD5

          c2c61bbd126de36f2c59562025df30d8

          SHA1

          22bb207248426d9e1d51c5834115b70cd83e6987

          SHA256

          cb8233bb85f25aee2df42f624240d4d5492e8e44751eccd58e034057226a9d89

          SHA512

          41dccfd3fbac756d4e1086b48dc6ce19b02d844c160a863c7bb10e09d54b83daea77e9a5422cbfee5b1b6d6656e28db8e357c7429165f41fa0212b5e27e9e946

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • memory/1756-428-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1756-440-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1756-388-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1756-453-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1756-449-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1756-444-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1816-442-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/1816-452-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2804-139-0x0000000002A00000-0x0000000002DFB000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2804-170-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2804-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2804-147-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2804-205-0x0000000002A00000-0x0000000002DFB000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2804-146-0x0000000002E00000-0x00000000036EB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3508-189-0x0000000007A60000-0x0000000007A7E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3508-149-0x0000000004FD0000-0x0000000005006000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3508-167-0x0000000006580000-0x000000000659E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3508-168-0x00000000065D0000-0x000000000661C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3508-169-0x0000000006A50000-0x0000000006A94000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3508-156-0x0000000005F10000-0x0000000005F76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3508-172-0x0000000002F40000-0x0000000002F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-173-0x0000000007830000-0x00000000078A6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3508-175-0x00000000078D0000-0x00000000078EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3508-174-0x0000000007F30000-0x00000000085AA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3508-177-0x000000007F170000-0x000000007F180000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-176-0x0000000007A80000-0x0000000007AB2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/3508-179-0x0000000071DF0000-0x0000000072144000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3508-166-0x0000000006080000-0x00000000063D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3508-190-0x0000000007AC0000-0x0000000007B63000-memory.dmp

          Filesize

          652KB

          Download

        • memory/3508-178-0x0000000072AA0000-0x0000000072AEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3508-191-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3508-192-0x0000000007CC0000-0x0000000007D56000-memory.dmp

          Filesize

          600KB

          Download

        • memory/3508-193-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3508-194-0x0000000007C00000-0x0000000007C0E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3508-195-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/3508-196-0x0000000007D90000-0x0000000007DAA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3508-197-0x0000000007D80000-0x0000000007D88000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3508-200-0x00000000735B0000-0x0000000073D60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3508-155-0x0000000005EA0000-0x0000000005F06000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3508-152-0x0000000002F40000-0x0000000002F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-154-0x00000000055B0000-0x00000000055D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3508-153-0x0000000005640000-0x0000000005C68000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3508-150-0x00000000735B0000-0x0000000073D60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3508-151-0x0000000002F40000-0x0000000002F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3668-114-0x0000000000400000-0x000000000062E000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3668-51-0x0000000000A20000-0x0000000000B20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3668-213-0x0000000000400000-0x000000000062E000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3668-148-0x0000000000400000-0x000000000062E000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3668-141-0x0000000000A20000-0x0000000000B20000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/3668-53-0x0000000000400000-0x000000000062E000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3668-52-0x0000000002230000-0x000000000224C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3668-60-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3792-1-0x0000000000DC0000-0x000000000141A000-memory.dmp

          Filesize

          6.4MB

          Download

        • memory/3792-29-0x0000000075240000-0x00000000759F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3792-0-0x0000000075240000-0x00000000759F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3996-28-0x00007FF73E190000-0x00007FF73E1F4000-memory.dmp

          Filesize

          400KB

          Download

        • memory/3996-116-0x0000000002D60000-0x0000000002E90000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3996-115-0x0000000002B20000-0x0000000002C2C000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3996-204-0x0000000002D60000-0x0000000002E90000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4416-254-0x00000000735B0000-0x0000000073D60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4416-255-0x0000000002F10000-0x0000000002F20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4512-246-0x0000000007830000-0x00000000078D3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4512-236-0x0000000074100000-0x0000000074454000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4512-251-0x00000000735B0000-0x0000000073D60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4512-248-0x0000000007DF0000-0x0000000007E04000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4512-247-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4512-219-0x00000000735B0000-0x0000000073D60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4512-227-0x0000000006230000-0x0000000006584000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4512-221-0x0000000005410000-0x0000000005420000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4512-220-0x0000000005410000-0x0000000005420000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4512-235-0x0000000074BD0000-0x0000000074C1C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4512-232-0x0000000006900000-0x000000000694C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4512-234-0x0000000005410000-0x0000000005420000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4908-108-0x0000000000400000-0x00000000008E2000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4908-37-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4908-140-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4992-437-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/5092-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/5092-216-0x0000000002A50000-0x0000000002E49000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/5092-319-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/5092-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download