Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-02-2024 22:22

General

  • Target

    a77f9f8096b832ba68658b03c5410b22.exe

  • Size

    3.8MB

  • MD5

    a77f9f8096b832ba68658b03c5410b22

  • SHA1

    8b7465cefc92c07bff66d5df85321f3a97579110

  • SHA256

    3684ae4716bf63da137d84df3b52dc186bd234087432fb19a4c62410a894a667

  • SHA512

    abc5be37885881e862005518c6bfd924d10ea797bf1e0a6757acade539aafc5240c21902b5179730c446e017188561a26d226461cf138c008efd5c02aeb4a451

  • SSDEEP

    98304:WxM5bQFedwc1W+V50StngH32LFw1T0ndB5bLeYlmv4L/BXfJMx3rKmf8h1vy:mMZaLkXtUxQdB5bLeYlEyBXfJMx7KmEe

Malware Config

Extracted

  • Family
    warzonerat
  • C2
    111.90.146.200:5200

Signatures

  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT written in C++ with multiple plugins, sold as malware-as-a-service (MaaS).

  • Warzone RAT payload (17 IoCs)
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (63 IoCs)
  • Loads dropped DLL (9 IoCs)
  • UPX packed file (2 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (21 IoCs)
  • NTFS ADS (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (21 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe
    "C:\Users\Admin\AppData\Local\Temp\a77f9f8096b832ba68658b03c5410b22.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\system32\notepad.exe"
          4⤵
          • Drops startup file
          PID:2584
        • C:\Users\Admin\AppData\Local\Temp\test.exe
          test.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • NTFS ADS
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath C:\
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2792
          • C:\ProgramData\images.exe
            "C:\ProgramData\images.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\notepad.exe
              "C:\Windows\system32\notepad.exe"
              6⤵
                PID:2436
              • C:\ProgramData\images.exe
                "C:\ProgramData\images.exe" 2 2504 259410146
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2904
                • C:\ProgramData\images.exe
                  "C:\ProgramData\images.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:1384
                  • C:\Windows\SysWOW64\notepad.exe
                    "C:\Windows\system32\notepad.exe"
                    8⤵
                      PID:1972
                    • C:\ProgramData\images.exe
                      "C:\ProgramData\images.exe"
                      8⤵
                      • Executes dropped EXE
                      PID:1524
                    • C:\ProgramData\images.exe
                      "C:\ProgramData\images.exe" 2 1524 259413391
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1084
                      • C:\ProgramData\images.exe
                        "C:\ProgramData\images.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: MapViewOfSection
                        PID:1460
                        • C:\Windows\SysWOW64\notepad.exe
                          "C:\Windows\system32\notepad.exe"
                          10⤵
                            PID:596
                          • C:\ProgramData\images.exe
                            "C:\ProgramData\images.exe"
                            10⤵
                            • Executes dropped EXE
                            PID:2932
                          • C:\ProgramData\images.exe
                            "C:\ProgramData\images.exe" 2 2932 259415263
                            10⤵
                            • Executes dropped EXE
                            PID:1200
                            • C:\ProgramData\images.exe
                              "C:\ProgramData\images.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious behavior: MapViewOfSection
                              PID:2232
                              • C:\Windows\SysWOW64\notepad.exe
                                "C:\Windows\system32\notepad.exe"
                                12⤵
                                  PID:2824
                                • C:\ProgramData\images.exe
                                  "C:\ProgramData\images.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  PID:3032
                                • C:\ProgramData\images.exe
                                  "C:\ProgramData\images.exe" 2 3032 259417837
                                  12⤵
                                  • Executes dropped EXE
                                  PID:2120
                                  • C:\ProgramData\images.exe
                                    "C:\ProgramData\images.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: MapViewOfSection
                                    PID:1920
                                    • C:\Windows\SysWOW64\notepad.exe
                                      "C:\Windows\system32\notepad.exe"
                                      14⤵
                                        PID:888
                                      • C:\ProgramData\images.exe
                                        "C:\ProgramData\images.exe"
                                        14⤵
                                        • Executes dropped EXE
                                        PID:2844
                                      • C:\ProgramData\images.exe
                                        "C:\ProgramData\images.exe" 2 2844 259419304
                                        14⤵
                                        • Executes dropped EXE
                                        PID:2848
                                        • C:\ProgramData\images.exe
                                          "C:\ProgramData\images.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: MapViewOfSection
                                          PID:1928
                                          • C:\Windows\SysWOW64\notepad.exe
                                            "C:\Windows\system32\notepad.exe"
                                            16⤵
                                              PID:1684
                                            • C:\ProgramData\images.exe
                                              "C:\ProgramData\images.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              PID:944
                                            • C:\ProgramData\images.exe
                                              "C:\ProgramData\images.exe" 2 944 259420692
                                              16⤵
                                              • Executes dropped EXE
                                              PID:2988
                                              • C:\ProgramData\images.exe
                                                "C:\ProgramData\images.exe"
                                                17⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • Suspicious behavior: MapViewOfSection
                                                PID:2000
                                                • C:\Windows\SysWOW64\notepad.exe
                                                  "C:\Windows\system32\notepad.exe"
                                                  18⤵
                                                    PID:3056
                                                  • C:\ProgramData\images.exe
                                                    "C:\ProgramData\images.exe"
                                                    18⤵
                                                    • Executes dropped EXE
                                                    PID:3008
                                                  • C:\ProgramData\images.exe
                                                    "C:\ProgramData\images.exe" 2 3008 259422346
                                                    18⤵
                                                    • Executes dropped EXE
                                                    PID:1540
                                                    • C:\ProgramData\images.exe
                                                      "C:\ProgramData\images.exe"
                                                      19⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      • Suspicious behavior: MapViewOfSection
                                                      PID:2212
                                                      • C:\Windows\SysWOW64\notepad.exe
                                                        "C:\Windows\system32\notepad.exe"
                                                        20⤵
                                                          PID:2408
                                                        • C:\ProgramData\images.exe
                                                          "C:\ProgramData\images.exe"
                                                          20⤵
                                                          • Executes dropped EXE
                                                          PID:2128
                                                        • C:\ProgramData\images.exe
                                                          "C:\ProgramData\images.exe" 2 2128 259423968
                                                          20⤵
                                                          • Executes dropped EXE
                                                          PID:1712
                                                          • C:\ProgramData\images.exe
                                                            "C:\ProgramData\images.exe"
                                                            21⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: MapViewOfSection
                                                            PID:2532
                                                            • C:\Windows\SysWOW64\notepad.exe
                                                              "C:\Windows\system32\notepad.exe"
                                                              22⤵
                                                                PID:2580
                                                              • C:\ProgramData\images.exe
                                                                "C:\ProgramData\images.exe"
                                                                22⤵
                                                                • Executes dropped EXE
                                                                PID:3004
                                                              • C:\ProgramData\images.exe
                                                                "C:\ProgramData\images.exe" 2 3004 259425357
                                                                22⤵
                                                                • Executes dropped EXE
                                                                PID:2740
                                                                • C:\ProgramData\images.exe
                                                                  "C:\ProgramData\images.exe"
                                                                  23⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetThreadContext
                                                                  • Suspicious behavior: MapViewOfSection
                                                                  PID:1556
                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                    "C:\Windows\system32\notepad.exe"
                                                                    24⤵
                                                                      PID:2548
                                                                    • C:\ProgramData\images.exe
                                                                      "C:\ProgramData\images.exe"
                                                                      24⤵
                                                                      • Executes dropped EXE
                                                                      PID:2696
                                                                    • C:\ProgramData\images.exe
                                                                      "C:\ProgramData\images.exe" 2 2696 259426839
                                                                      24⤵
                                                                      • Executes dropped EXE
                                                                      PID:2540
                                                                      • C:\ProgramData\images.exe
                                                                        "C:\ProgramData\images.exe"
                                                                        25⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:2708
                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                          "C:\Windows\system32\notepad.exe"
                                                                          26⤵
                                                                            PID:2560
                                                                          • C:\ProgramData\images.exe
                                                                            "C:\ProgramData\images.exe"
                                                                            26⤵
                                                                            • Executes dropped EXE
                                                                            PID:2516
                                                                          • C:\ProgramData\images.exe
                                                                            "C:\ProgramData\images.exe" 2 2516 259428508
                                                                            26⤵
                                                                            • Executes dropped EXE
                                                                            PID:1904
                                                                            • C:\ProgramData\images.exe
                                                                              "C:\ProgramData\images.exe"
                                                                              27⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • Suspicious behavior: MapViewOfSection
                                                                              PID:2224
                                                                              • C:\Windows\SysWOW64\notepad.exe
                                                                                "C:\Windows\system32\notepad.exe"
                                                                                28⤵
                                                                                  PID:2688
                                                                                • C:\ProgramData\images.exe
                                                                                  "C:\ProgramData\images.exe"
                                                                                  28⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2936
                                                                                • C:\ProgramData\images.exe
                                                                                  "C:\ProgramData\images.exe" 2 2936 259430473
                                                                                  28⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:2208
                                                                                  • C:\ProgramData\images.exe
                                                                                    "C:\ProgramData\images.exe"
                                                                                    29⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                    PID:1484
                                                                                    • C:\Windows\SysWOW64\notepad.exe
                                                                                      "C:\Windows\system32\notepad.exe"
                                                                                      30⤵
                                                                                        PID:1992
                                                                                      • C:\ProgramData\images.exe
                                                                                        "C:\ProgramData\images.exe"
                                                                                        30⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:1664
                                                                                      • C:\ProgramData\images.exe
                                                                                        "C:\ProgramData\images.exe" 2 1664 259432236
                                                                                        30⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:2348
                                                                                        • C:\ProgramData\images.exe
                                                                                          "C:\ProgramData\images.exe"
                                                                                          31⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                          PID:616
                                                                                          • C:\Windows\SysWOW64\notepad.exe
                                                                                            "C:\Windows\system32\notepad.exe"
                                                                                            32⤵
                                                                                              PID:1656
                                                                                            • C:\ProgramData\images.exe
                                                                                              "C:\ProgramData\images.exe"
                                                                                              32⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:576
                                                                                            • C:\ProgramData\images.exe
                                                                                              "C:\ProgramData\images.exe" 2 576 259433968
                                                                                              32⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1764
                                                                                              • C:\ProgramData\images.exe
                                                                                                "C:\ProgramData\images.exe"
                                                                                                33⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Suspicious behavior: MapViewOfSection
                                                                                                PID:3040
                                                                                                • C:\Windows\SysWOW64\notepad.exe
                                                                                                  "C:\Windows\system32\notepad.exe"
                                                                                                  34⤵
                                                                                                    PID:2872
                                                                                                  • C:\ProgramData\images.exe
                                                                                                    "C:\ProgramData\images.exe"
                                                                                                    34⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:1096
                                                                                                  • C:\ProgramData\images.exe
                                                                                                    "C:\ProgramData\images.exe" 2 1096 259435902
                                                                                                    34⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:760
                                                                                                    • C:\ProgramData\images.exe
                                                                                                      "C:\ProgramData\images.exe"
                                                                                                      35⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                      PID:2724
                                                                                                      • C:\Windows\SysWOW64\notepad.exe
                                                                                                        "C:\Windows\system32\notepad.exe"
                                                                                                        36⤵
                                                                                                          PID:2296
                                                                                                        • C:\ProgramData\images.exe
                                                                                                          "C:\ProgramData\images.exe"
                                                                                                          36⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:2992
                                                                                                        • C:\ProgramData\images.exe
                                                                                                          "C:\ProgramData\images.exe" 2 2992 259437743
                                                                                                          36⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:3044
                                                                                                          • C:\ProgramData\images.exe
                                                                                                            "C:\ProgramData\images.exe"
                                                                                                            37⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                                            PID:1168
                                                                                                            • C:\Windows\SysWOW64\notepad.exe
                                                                                                              "C:\Windows\system32\notepad.exe"
                                                                                                              38⤵
                                                                                                                PID:2536
                                                                                                              • C:\ProgramData\images.exe
                                                                                                                "C:\ProgramData\images.exe"
                                                                                                                38⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:2196
                                                                                                              • C:\ProgramData\images.exe
                                                                                                                "C:\ProgramData\images.exe" 2 2196 259439412
                                                                                                                38⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:2856
                                                                                                                • C:\ProgramData\images.exe
                                                                                                                  "C:\ProgramData\images.exe"
                                                                                                                  39⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                                  PID:636
                                                                                                                  • C:\Windows\SysWOW64\notepad.exe
                                                                                                                    "C:\Windows\system32\notepad.exe"
                                                                                                                    40⤵
                                                                                                                      PID:1144
                                                                                                                    • C:\ProgramData\images.exe
                                                                                                                      "C:\ProgramData\images.exe"
                                                                                                                      40⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:2020
                                                                                                                    • C:\ProgramData\images.exe
                                                                                                                      "C:\ProgramData\images.exe" 2 2020 259441144
                                                                                                                      40⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:1812
                                                                                                                      • C:\ProgramData\images.exe
                                                                                                                        "C:\ProgramData\images.exe"
                                                                                                                        41⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                                        PID:2028
                                                                                                                        • C:\Windows\SysWOW64\notepad.exe
                                                                                                                          "C:\Windows\system32\notepad.exe"
                                                                                                                          42⤵
                                                                                                                            PID:676
                                                                                                                          • C:\ProgramData\images.exe
                                                                                                                            "C:\ProgramData\images.exe"
                                                                                                                            42⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:892
                                                                                                                          • C:\ProgramData\images.exe
                                                                                                                            "C:\ProgramData\images.exe" 2 892 259442860
                                                                                                                            42⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2360
                                                  • C:\ProgramData\images.exe
                                                    "C:\ProgramData\images.exe"
                                                    6⤵
                                                    • Executes dropped EXE
                                                    PID:2504
                                              • C:\Users\Admin\AppData\Local\Temp\test.exe
                                                "C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2656 259406917
                                                4⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of WriteProcessMemory
                                                PID:2704
                                                • C:\Users\Admin\AppData\Local\Temp\test.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\test.exe"
                                                  5⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious behavior: MapViewOfSection
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2456
                                                  • C:\Windows\SysWOW64\notepad.exe
                                                    "C:\Windows\system32\notepad.exe"
                                                    6⤵
                                                      PID:2968
                                                    • C:\Users\Admin\AppData\Local\Temp\test.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2716 259411098
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:2752
                                                    • C:\Users\Admin\AppData\Local\Temp\test.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\test.exe"
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2716
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell Add-MpPreference -ExclusionPath C:\
                                                        7⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2268
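The tree above shows three behaviours worth alerting on: each dropped binary re-launches itself with the arguments `2 <pid> <number>`, where `<pid>` is another running copy of the same binary (test.exe 2752 references 2716, images.exe 2856 references 2196); a copy tagged with SetThreadContext and MapViewOfSection starts notepad.exe from a user-writable path, the usual process-hollowing sequence; and a copy finally runs `powershell Add-MpPreference -ExclusionPath C:\`, which excludes the entire system drive from Defender scanning. The following Python script is an added example, not part of the sandbox report, that encodes those three patterns as rules over process-creation records. The records are constructed from the command lines and nesting shown in the tree; the field layout, the parent PIDs and PID 2656 (taken from the `2 2656 ...` argument, the level-3 process itself is not listed in this section) are assumptions.

```python
"""Flag the behaviours visible in the process tree above.

Added example, not part of the sandbox report. The events below are
constructed from the command lines and PIDs shown in the tree; they are
not real Sysmon/ETW records, and the field layout (pid, ppid, image,
cmdline) is an assumption of this script.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: a subset of the report's tree. PID 2656 is not shown in
# this part of the report; it is assumed here from the "2 2656 ..." argument.
SAMPLE_EVENTS = [
    ProcEvent(2656, 1628, r"C:\Users\Admin\AppData\Local\Temp\test.exe", "test.exe"),
    ProcEvent(2704, 2656, r"C:\Users\Admin\AppData\Local\Temp\test.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\test.exe" 2 2656 259406917'),
    ProcEvent(2456, 2704, r"C:\Users\Admin\AppData\Local\Temp\test.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\test.exe"'),
    ProcEvent(2968, 2456, r"C:\Windows\SysWOW64\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
    ProcEvent(2716, 2456, r"C:\Users\Admin\AppData\Local\Temp\test.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\test.exe"'),
    ProcEvent(2268, 2716, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Add-MpPreference -ExclusionPath C:\\"),
    ProcEvent(1168, 3044, r"C:\ProgramData\images.exe", r'"C:\ProgramData\images.exe"'),
    ProcEvent(2536, 1168, r"C:\Windows\SysWOW64\notepad.exe", r'"C:\Windows\system32\notepad.exe"'),
    ProcEvent(2196, 1168, r"C:\ProgramData\images.exe", r'"C:\ProgramData\images.exe"'),
    ProcEvent(2856, 1168, r"C:\ProgramData\images.exe", r'"C:\ProgramData\images.exe" 2 2196 259439412'),
]

# Directories a standard user can write to; the dropped copies live in two of them.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
# Any Defender exclusion added from the command line (the report shows -ExclusionPath).
EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion(path|process|extension)\s+(\S+)", re.I)
# "<image>" 2 <pid> <number>: the form both dropped binaries use when they
# re-launch themselves with a reference to another running copy.
RESPAWN_RE = re.compile(r'^"?(?P<img>[^"]+?)"?\s+2\s+(?P<pid>\d+)\s+\d+\s*$')
# Splits the (possibly quoted) image token from the rest of the command line.
IMAGE_TOKEN_RE = re.compile(r'^(?:"[^"]*"|\S+)\s*(?P<args>.*)$')


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_system_image(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def analyse(events):
    """Return (rule, pid, severity, detail) tuples for every matching event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)

        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            kind, value = m.group(1).lower(), m.group(2).strip("'\"")
            # Excluding a drive root disables Defender for everything on that drive.
            sev = "high" if kind == "path" and re.fullmatch(r"[a-z]:\\?", value, re.I) else "medium"
            findings.append(("defender_exclusion", e.pid, sev, f"{kind}={value}"))

        m = RESPAWN_RE.match(e.cmdline)
        if m:
            ref = by_pid.get(int(m.group("pid")))
            # Only fire when the referenced PID really is another copy of this binary.
            if ref is not None and ref.image.lower() == e.image.lower():
                findings.append(("watchdog_respawn", e.pid, "medium",
                                 f"references pid {ref.pid}, another copy of {PureWindowsPath(e.image).name}"))

        tok = IMAGE_TOKEN_RE.match(e.cmdline)
        args = tok.group("args") if tok else ""
        # A system binary launched with no arguments by something in a user-writable
        # directory is the classic hollowing host (notepad.exe in this report).
        if parent is not None and is_system_image(e.image) and not args and is_user_writable(parent.image):
            findings.append(("hollowed_host_candidate", e.pid, "high",
                             f"{PureWindowsPath(e.image).name} started with no arguments by {parent.image}"))
    return findings


if __name__ == "__main__":
    for rule, pid, sev, detail in analyse(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:24} pid={pid:<5} {detail}")
```

On the affected host the exclusion can be confirmed with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and removed with `Remove-MpPreference -ExclusionPath 'C:\'`; the hollowing rule is a lead, not proof, because it reads command lines only, and the SetThreadContext/MapViewOfSection signature the report attaches to the parent is what confirms it.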

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

Six distinct files were written to C:\ProgramData\images.exe and three to test.exe during the run, each with a different size and hash, so no single file hash identifies the dropped payload; the path, the process behaviour and the C2 address are the stable indicators.

• C:\ProgramData\images.exe
  Filesize: 896KB
  MD5: 1bb85dabf28324af9128aaa56b6ed285
  SHA1: d6fe601514624be5c671415e3fb9378a0de37a63
  SHA256: 01fa5de76942c797e7b581036f985cbda1f7b70faeafaaaf7c8f84a472ffb79d
  SHA512: fc2c924b45c260084d2fc4bdf64628d1906258fd68ae59001401c739029f6e4fd570af946f911a177f2a20ef3f5e284248a0a1cb4dd11d9e503ea81bcb8d1ebb

• C:\ProgramData\images.exe
  Filesize: 704KB
  MD5: 52627a572b33f868fefeefb94b9190d4
  SHA1: 9f41f71b092696defe4cf068389828b2632b9f7b
  SHA256: 67185fd41b66c02887794303c6d84ddf562ef870bca2da1d3731b8a93c4a2a71
  SHA512: e18329b1f6af57da86fa19a607b8760ea97881e52740e68471d5b6a2ff0c5c5f36ebb670f7c80f9367d38016abeeed1aff66d3886937b6d4c6941d51c7b7269b

• C:\ProgramData\images.exe
  Filesize: 832KB
  MD5: eb98b0b09972cac8ba1d085be1ed860a
  SHA1: 387139baa019568b698e1b5020a48f1b66bdf87f
  SHA256: 02c96d2669ab605259cfba92b8be216b77fca988da0ccadb18824552bbe68005
  SHA512: 40a589645d1b510a06b2605025e46db47e6688c1190b9bfd06acab61615bbe5660eb38a3de289be554e8bf97c2dee9e58768c84331cd768dccd1557a41c4efbf

• C:\ProgramData\images.exe
  Filesize: 448KB
  MD5: e08b44966543acbdb5444bbef1f6920e
  SHA1: 79d213780443d577968e8d583198ba27c8401d38
  SHA256: 774f828165e7254f8e762044f940cb56e923e73b3b20a158997867bcb30b5cb7
  SHA512: d641c7004c766187845e90e915ab22938ce178f1683df2778a1c80f24d36da80780eef54c294c51b0c8879e1970cfae168498c48535e8ff54a5bca6fd3e3e86b

• C:\ProgramData\images.exe
  Filesize: 576KB
  MD5: 91b28ca3de12a917cd682a16ff4c8fb1
  SHA1: b8e1085711806046034dbedef31f1c8f81fcc80d
  SHA256: 3b452794db6bafcad6b1678343caa31305249be92e3c0e3e0acc583b00a78bb4
  SHA512: 613571338b07da13b35db21be39017980dc33a61d7b4e4b315239e5d62d65f62cc97a94665bb609a024743882332517e77f74d0c79e9214d8eefa57514e9ba31

• C:\ProgramData\images.exe
  Filesize: 512KB
  MD5: d983fd0b78b5f0f5db285ee2b1b5c0a2
  SHA1: 80921be149a2b4997e90462465af5819283ecf72
  SHA256: a0932c824bd008775cba6a164c14519641197a9d7c5f7a1630226805985f1591
  SHA512: e4ad1787f10f2d1a336dad3b16bf6ac84ae6a92d09719a96ea0f030567d7399e7fe9300939ae68422190d15cd058378c1a33fc20b4f6ba9d74da399ebe18b1d2

• C:\Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 981KB
  MD5: 927f2eb4beb38d925b3f29888f4faa9e
  SHA1: 0de7008a074337d9437a145319681f608ac1baee
  SHA256: 042f3b72dd1f50e1d42935e31c8d8fd1dadd1c623f85440a47aafc29673e09e8
  SHA512: d71132e1e7d238a57b3557596ab955639f82647388cd32ee40ab98a593242a6eef50b3b699d8374ddfc69774f5c4a3c47fce1c26e1065f0aa90a9818da859411

• C:\Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 768KB
  MD5: 636b8f2c82559d9a4702c3f50af41db2
  SHA1: cb4d8436a38d5049a91df14aa5646ae158be4ccb
  SHA256: d278992af9409018161845115c196b7d7faf1843a8138bae5d1e7b2136d8ed65
  SHA512: 29abf16150295310a97fcdd0614e2629b9e850479aa113e708b438bc6e3d3f0237cd24c94badd47a8599adea2575251ddd2963175819572eca90d4d95b5e8299

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ef9528202cfc667b9d921d32fb20bd73
  SHA1: 1b59cbbc31c226b82bed7602dbaa95058d58dbaa
  SHA256: a1574c2c5b9ff3e8da9d16148b9a11518544ac331d5ca827fbe2e247b6482267
  SHA512: 2bb1ddbb49b64aa7a85cbd6e6626e4cc95295fefb663203cce7b9bb53e3cc6fc5c171b51d9bd1377d9be07b2cdb2f6d92f9b9567fb9c26a3ea0c076e214e2842

• \Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 944KB
  MD5: e045acd7da053280720f4404d1b19590
  SHA1: cc7793f62f016e03bee235b2a2ad003525d3d89c
  SHA256: 07bdd44042e474dda49baeda2c97f053366c87e126ebd0c9f904b8096fbd3823
  SHA512: 7dfe155250ec0824ff16cb538d7cf6360bdee683958ba864682889003d9c00e5f7c3cf13bae831cc7695b274e9e25b69b64aaeee68974b6d58402d3f666838cf

• memory/1084-101-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/1084-100-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)
• memory/1084-103-0x00000000003E0000-0x00000000003E1000-memory.dmp (Filesize: 4KB)
• memory/1200-132-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/1200-135-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/1200-134-0x00000000003D0000-0x00000000003D1000-memory.dmp (Filesize: 4KB)
• memory/1384-91-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
• memory/1384-92-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/1384-89-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
• memory/1460-122-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize: 4KB)
• memory/1460-123-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/1460-125-0x0000000000690000-0x0000000000691000-memory.dmp (Filesize: 4KB)
• memory/1524-102-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/1524-113-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/1920-163-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/1920-166-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
• memory/1920-164-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2120-157-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2120-156-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
• memory/2120-154-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2232-146-0x0000000000600000-0x0000000000601000-memory.dmp (Filesize: 4KB)
• memory/2232-143-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize: 4KB)
• memory/2232-145-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2268-137-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2268-109-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2268-110-0x00000000023E0000-0x0000000002420000-memory.dmp (Filesize: 256KB)
• memory/2268-112-0x00000000023E0000-0x0000000002420000-memory.dmp (Filesize: 256KB)
• memory/2268-111-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2456-57-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2456-59-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2456-61-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
• memory/2504-85-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2504-56-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2504-71-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2524-1-0x0000000000400000-0x0000000000C00000-memory.dmp (Filesize: 8.0MB)
• memory/2524-21-0x0000000000400000-0x0000000000C00000-memory.dmp (Filesize: 8.0MB)
• memory/2584-17-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
• memory/2584-9-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
• memory/2616-44-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
• memory/2616-42-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2616-52-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2656-12-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2656-18-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2656-25-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2656-39-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2704-20-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2704-22-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2704-24-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
• memory/2716-117-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2716-79-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2752-78-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
• memory/2752-82-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize: 4KB)
• memory/2752-77-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2792-81-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2792-136-0x0000000002770000-0x00000000027B0000-memory.dmp (Filesize: 256KB)
• memory/2792-131-0x0000000002770000-0x00000000027B0000-memory.dmp (Filesize: 256KB)
• memory/2792-83-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2792-118-0x0000000002770000-0x00000000027B0000-memory.dmp (Filesize: 256KB)
• memory/2792-138-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2792-80-0x0000000002770000-0x00000000027B0000-memory.dmp (Filesize: 256KB)
• memory/2792-84-0x0000000002770000-0x00000000027B0000-memory.dmp (Filesize: 256KB)
• memory/2792-120-0x00000000743A0000-0x000000007494B000-memory.dmp (Filesize: 5.7MB)
• memory/2844-173-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2844-176-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
• memory/2848-174-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2864-6-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2864-7-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)
• memory/2864-8-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
• memory/2904-66-0x00000000002A0000-0x00000000002A1000-memory.dmp (Filesize: 4KB)
• memory/2904-64-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
• memory/2904-74-0x0000000000400000-0x00000000004FC000-memory.dmp (Filesize: 1008KB)

                                          • memory/2932-139-0x0000000000400000-0x0000000000553000-memory.dmp

                                            Filesize

                                            1.3MB

                                          • memory/2932-133-0x0000000000400000-0x0000000000553000-memory.dmp

                                            Filesize

                                            1.3MB

                                          • memory/3032-155-0x0000000000400000-0x0000000000553000-memory.dmp

                                            Filesize

                                            1.3MB

                                          • memory/3032-158-0x0000000000400000-0x0000000000553000-memory.dmp

                                            Filesize

                                            1.3MB