agenttesla | 6a9b62894ee77e4131d0fbf4f43fe634e10c0c8ae616012a8e62a5047ba8b7a5

Analysis

max time kernel
151s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EstrogenExecutor3.0.exe
Size

1.8MB
MD5

5e75df34a8c11bae2d273edc7b9044c7
SHA1

829867bd84371a5d6cd2c628eb2adee07a44a03a
SHA256

e898f8b48bddbf5dfe8e6eb3d9287c1a5164616b7e9977a4cda96c36bc967db8
SHA512

05690fab406761fea1b2f60589198ea1cfa453a51022d3f968cfc55cddab900d1e2d4db9dcdee376974e009209876e4d1bee9717ce023e06a8b282f07f9c411b
SSDEEP

24576:n3lzFXQHA6mjAafPoMmcdzhj8vQoyxzhQdnabbTbNH5se0A0Xk+l+4lk3HgCoIK2:3lRXGV2ocFkM4abDN6ezM+H

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral3/memory/2256-11-0x000000000BB10000-0x000000000BD24000-memory.dmp	family_agenttesla

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1892	attrib.exe
1300	attrib.exe

Executes dropped EXE 9 IoCs

pid	Process
2572	AssetLoader.exe
2408	vr2.exe
2484	sr2.exe
2632	ug2.exe
2424	bg.exe
1896	bg.exe
1364	Process not Found
2516	aids.exe
1528	$77svrhost.exe

Loads dropped DLL 11 IoCs

pid	Process
2256	EstrogenExecutor3.0.exe
2572	AssetLoader.exe
1896	bg.exe
1896	bg.exe
1896	bg.exe
1896	bg.exe
1896	bg.exe
1896	bg.exe
1896	bg.exe
1364	Process not Found
1760	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000500000001959c-112.dat	upx
behavioral3/files/0x000500000001959c-113.dat	upx
behavioral3/memory/1896-120-0x000007FEF3950000-0x000007FEF3F38000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svrhost\\$77svrhost.exe\""	sr2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
8	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2256	EstrogenExecutor3.0.exe
2256	EstrogenExecutor3.0.exe
2484	sr2.exe
2632	ug2.exe
2408	vr2.exe
2408	vr2.exe
2484	sr2.exe
2632	ug2.exe
2516	aids.exe
2516	aids.exe
1528	$77svrhost.exe
1528	$77svrhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sr2.exe	AssetLoader.exe
File created	C:\Windows\ug2.exe	AssetLoader.exe
File created	C:\Windows\vr2.exe	AssetLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
540	schtasks.exe
1968	schtasks.exe
1932	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
888	timeout.exe
1712	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	EstrogenExecutor3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	EstrogenExecutor3.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	EstrogenExecutor3.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	powershell.exe
2408	vr2.exe
2408	vr2.exe
2408	vr2.exe
2408	vr2.exe
2408	vr2.exe
2408	vr2.exe
2408	vr2.exe
2484	sr2.exe
2484	sr2.exe
2484	sr2.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe
2516	aids.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2408	vr2.exe
Token: SeDebugPrivilege	2632	ug2.exe
Token: SeIncreaseQuotaPrivilege	660	wmic.exe
Token: SeSecurityPrivilege	660	wmic.exe
Token: SeTakeOwnershipPrivilege	660	wmic.exe
Token: SeLoadDriverPrivilege	660	wmic.exe
Token: SeSystemProfilePrivilege	660	wmic.exe
Token: SeSystemtimePrivilege	660	wmic.exe
Token: SeProfSingleProcessPrivilege	660	wmic.exe
Token: SeIncBasePriorityPrivilege	660	wmic.exe
Token: SeCreatePagefilePrivilege	660	wmic.exe
Token: SeBackupPrivilege	660	wmic.exe
Token: SeRestorePrivilege	660	wmic.exe
Token: SeShutdownPrivilege	660	wmic.exe
Token: SeDebugPrivilege	660	wmic.exe
Token: SeSystemEnvironmentPrivilege	660	wmic.exe
Token: SeRemoteShutdownPrivilege	660	wmic.exe
Token: SeUndockPrivilege	660	wmic.exe
Token: SeManageVolumePrivilege	660	wmic.exe
Token: 33	660	wmic.exe
Token: 34	660	wmic.exe
Token: 35	660	wmic.exe
Token: SeIncreaseQuotaPrivilege	660	wmic.exe
Token: SeSecurityPrivilege	660	wmic.exe
Token: SeTakeOwnershipPrivilege	660	wmic.exe
Token: SeLoadDriverPrivilege	660	wmic.exe
Token: SeSystemProfilePrivilege	660	wmic.exe
Token: SeSystemtimePrivilege	660	wmic.exe
Token: SeProfSingleProcessPrivilege	660	wmic.exe
Token: SeIncBasePriorityPrivilege	660	wmic.exe
Token: SeCreatePagefilePrivilege	660	wmic.exe
Token: SeBackupPrivilege	660	wmic.exe
Token: SeRestorePrivilege	660	wmic.exe
Token: SeShutdownPrivilege	660	wmic.exe
Token: SeDebugPrivilege	660	wmic.exe
Token: SeSystemEnvironmentPrivilege	660	wmic.exe
Token: SeRemoteShutdownPrivilege	660	wmic.exe
Token: SeUndockPrivilege	660	wmic.exe
Token: SeManageVolumePrivilege	660	wmic.exe
Token: 33	660	wmic.exe
Token: 34	660	wmic.exe
Token: 35	660	wmic.exe
Token: SeDebugPrivilege	2408	vr2.exe
Token: SeBackupPrivilege	272	vssvc.exe
Token: SeRestorePrivilege	272	vssvc.exe
Token: SeAuditPrivilege	272	vssvc.exe
Token: SeDebugPrivilege	2516	aids.exe
Token: SeDebugPrivilege	2484	sr2.exe
Token: SeDebugPrivilege	2516	aids.exe
Token: SeDebugPrivilege	1528	$77svrhost.exe
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2516	aids.exe
1528	$77svrhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2572	2256	EstrogenExecutor3.0.exe	28
PID 2256 wrote to memory of 2572	2256	EstrogenExecutor3.0.exe	28
PID 2256 wrote to memory of 2572	2256	EstrogenExecutor3.0.exe	28
PID 2256 wrote to memory of 2572	2256	EstrogenExecutor3.0.exe	28
PID 2572 wrote to memory of 2532	2572	AssetLoader.exe	29
PID 2572 wrote to memory of 2532	2572	AssetLoader.exe	29
PID 2572 wrote to memory of 2532	2572	AssetLoader.exe	29
PID 2572 wrote to memory of 2532	2572	AssetLoader.exe	29
PID 2572 wrote to memory of 2408	2572	AssetLoader.exe	31
PID 2572 wrote to memory of 2408	2572	AssetLoader.exe	31
PID 2572 wrote to memory of 2408	2572	AssetLoader.exe	31
PID 2572 wrote to memory of 2408	2572	AssetLoader.exe	31
PID 2572 wrote to memory of 2484	2572	AssetLoader.exe	32
PID 2572 wrote to memory of 2484	2572	AssetLoader.exe	32
PID 2572 wrote to memory of 2484	2572	AssetLoader.exe	32
PID 2572 wrote to memory of 2484	2572	AssetLoader.exe	32
PID 2572 wrote to memory of 2632	2572	AssetLoader.exe	33
PID 2572 wrote to memory of 2632	2572	AssetLoader.exe	33
PID 2572 wrote to memory of 2632	2572	AssetLoader.exe	33
PID 2572 wrote to memory of 2632	2572	AssetLoader.exe	33
PID 2572 wrote to memory of 2424	2572	AssetLoader.exe	34
PID 2572 wrote to memory of 2424	2572	AssetLoader.exe	34
PID 2572 wrote to memory of 2424	2572	AssetLoader.exe	34
PID 2572 wrote to memory of 2424	2572	AssetLoader.exe	34
PID 2424 wrote to memory of 1896	2424	bg.exe	35
PID 2424 wrote to memory of 1896	2424	bg.exe	35
PID 2424 wrote to memory of 1896	2424	bg.exe	35
PID 2632 wrote to memory of 660	2632	ug2.exe	36
PID 2632 wrote to memory of 660	2632	ug2.exe	36
PID 2632 wrote to memory of 660	2632	ug2.exe	36
PID 2408 wrote to memory of 1772	2408	vr2.exe	42
PID 2408 wrote to memory of 1772	2408	vr2.exe	42
PID 2408 wrote to memory of 1772	2408	vr2.exe	42
PID 2408 wrote to memory of 1832	2408	vr2.exe	44
PID 2408 wrote to memory of 1832	2408	vr2.exe	44
PID 2408 wrote to memory of 1832	2408	vr2.exe	44
PID 1772 wrote to memory of 540	1772	cmd.exe	46
PID 1772 wrote to memory of 540	1772	cmd.exe	46
PID 1772 wrote to memory of 540	1772	cmd.exe	46
PID 1832 wrote to memory of 888	1832	cmd.exe	47
PID 1832 wrote to memory of 888	1832	cmd.exe	47
PID 1832 wrote to memory of 888	1832	cmd.exe	47
PID 1832 wrote to memory of 2516	1832	cmd.exe	50
PID 1832 wrote to memory of 2516	1832	cmd.exe	50
PID 1832 wrote to memory of 2516	1832	cmd.exe	50
PID 2484 wrote to memory of 1300	2484	sr2.exe	51
PID 2484 wrote to memory of 1300	2484	sr2.exe	51
PID 2484 wrote to memory of 1300	2484	sr2.exe	51
PID 2484 wrote to memory of 1892	2484	sr2.exe	53
PID 2484 wrote to memory of 1892	2484	sr2.exe	53
PID 2484 wrote to memory of 1892	2484	sr2.exe	53
PID 2484 wrote to memory of 1760	2484	sr2.exe	55
PID 2484 wrote to memory of 1760	2484	sr2.exe	55
PID 2484 wrote to memory of 1760	2484	sr2.exe	55
PID 1760 wrote to memory of 1712	1760	cmd.exe	57
PID 1760 wrote to memory of 1712	1760	cmd.exe	57
PID 1760 wrote to memory of 1712	1760	cmd.exe	57
PID 1760 wrote to memory of 1528	1760	cmd.exe	58
PID 1760 wrote to memory of 1528	1760	cmd.exe	58
PID 1760 wrote to memory of 1528	1760	cmd.exe	58
PID 1528 wrote to memory of 2064	1528	$77svrhost.exe	60
PID 1528 wrote to memory of 2064	1528	$77svrhost.exe	60
PID 1528 wrote to memory of 2064	1528	$77svrhost.exe	60
PID 1528 wrote to memory of 1968	1528	$77svrhost.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1300	attrib.exe
1892	attrib.exe

C:\Users\Admin\AppData\Local\Temp\EstrogenExecutor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\EstrogenExecutor3.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe
  "C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZQBpACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\vr2.exe
    "C:\Windows\vr2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:540
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB1A.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:888
    - - C:\Users\Admin\AppData\Roaming\aids.exe
        
        "C:\Users\Admin\AppData\Roaming\aids.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2516
- - C:\Windows\sr2.exe
    "C:\Windows\sr2.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1300
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost\$77svrhost.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1892
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.bat""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1712
    - - C:\Users\Admin\svrhost\$77svrhost.exe
        
        "C:\Users\Admin\svrhost\$77svrhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        6⤵
        
        PID:2064
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77svrhost.exe" /TR "C:\Users\Admin\svrhost\$77svrhost.exe \"\$77svrhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:1968
      - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        6⤵
        
        PID:2688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svrhost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        Creates scheduled task(s)
        
        PID:1932
- - C:\Windows\ug2.exe
    "C:\Windows\ug2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:660
- - C:\Users\Admin\AppData\Roaming\bg.exe
    "C:\Users\Admin\AppData\Roaming\bg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Roaming\bg.exe
      "C:\Users\Admin\AppData\Roaming\bg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar945A.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
0d6d4654c98caa8ff93eebbc744bfb8b

SHA1
e4662e675a2ae93e66bddb0743fb81c0cf1e31d4

SHA256
1686b1b0a72655c89348bd5a2e5c88e6e5ca228f407c02f9700b43a045e60aab

SHA512
db3d59af607e9428b646b8993547b1129e92bb1aad12684cd69c0050517f6d8a1832393323c7f99d0b1dfa6ae801c8921234a3e470063b6715435e99e0b03ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
7daa81e752613950b67903f4ea69a0da

SHA1
00f86240d69e15a9e319e4c79026b54edc3ea671

SHA256
e255d1b403a48dd600b58d2124e7ceaf2edc6ca0448096f4160d85dd3e38c6a3

SHA512
c1ae0b6537191cd175a6c072a17215c1efb1ed719a73a56cbf139da4928730cf2a3cfc6c0a1ac5ce00957777f5f32323fc171bed7849863ec3cb7184a08dec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
898964872c15b531ff4bce16ccb32f21

SHA1
6fe38ecd6e6e9f666418d42008f9baf7c5a9af64

SHA256
52f2c643e4e7e6a64441dfa6b00b7a53ba573e80357c752745c670d9382ec018

SHA512
d97268284e65cd15365d8ac21dbfdc9794391b0113d6f12b9f40ce9e1e31472437131911dae84e09c55bbe6c99593065f4d18e319b4a3abb6b89bb6e3e785cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\python311.dll

Filesize
256KB

MD5
1c620511e099f7d99744b61a05ce22cd

SHA1
aff9b88ab7d6e096561f3b444f863e873226e85f

SHA256
d5b1fbb025d7211aca886ea48a12959c624c2de9cddf005ad57a1c46d37189f9

SHA512
b8440c146d9c5ab5c71ba366596910e7a8ebf4f27002e39a49a678000cec0596d70e94899b9dee8ff09dec76bfecbd754d0e5a5a09b17a794292062ef3b49124

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24242\ucrtbase.dll

Filesize
768KB

MD5
a8841001a0964317aab63fcb0c8811e0

SHA1
66677f52b4d0148495a2c1e1936f5a1d32a6fd8e

SHA256
45e05ae6b24ed78346cffa5bc9b943571f5e2fb8b19fe05ec912cf541a07e7c8

SHA512
977bf790463b3b6244f8ba266e21297456fab4ca3cfb0c322d19b5ea12e22e99d5f05e489511f52308dc913457cc0799ee7aac09fe9f2e9e182294e8cc0320bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp67F7.tmp.bat

Filesize
146B

MD5
9fd349104b259775b3c4c748cfcafdd0

SHA1
5928af5f6e49f8aae408bc68d884b0f94a660d1a

SHA256
e504b9c376cc110e8baf2ca6ac19a663ef6f6c22ab8e4b805dc97d3c5ce095d9

SHA512
bead5d409c492a067b5bc2b927e41b7e9b042848f7dc329e3857ee0ee03a2f2b8fda153951e5521b4d8792c693630ec245748d26e6f98a1f293bdeda15db772c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB1A.tmp.bat

Filesize
148B

MD5
a5a4e83b6066b930970afe6dcbe10408

SHA1
d59f9c945e52267f70f7a20ec2081074b864ae70

SHA256
09d5a13270c82f7a34d22574e49bf1a6d5abc871961ac5a126b42ba5274ff00a

SHA512
e490a37674f5fa59089acca0f44d0492bdb4a15fb74514db341a62eb490bdeafd1be712a32d0c30a0eac55b0ff8771fcd0da5c464e177ba4be49226aa26e9934

Download Submit
C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
5.7MB

MD5
98f39533229eb4a9cc18a55246279b45

SHA1
275c3ad5f832c3521185353312063f837dcebddb

SHA256
a1069ed1ad6ddef97c0f97b033856815a66d4230313d0f44f97b071afe3e453a

SHA512
c792de92aac285d95864e2123b4387ae2cb89bed6bf9cde4110977720f536b15214c552ae2cd51b00fe7037d759c612df525cb4a5ee9e3738bcfb383a5bdb160

Download Submit
C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
5.2MB

MD5
78f830f85dcb0da79d42539c31fbaa96

SHA1
dca6d3dea197ebe75961d71db47af87ad65f7296

SHA256
89cd257f317e3649350fe9bc52f8a52b9a2f9cbd55911b26698d24fcc829c35e

SHA512
f0ec938978168dda3bb1c30d6cda3e3174ac80447db83d6fca9b562430d0f092c34e3ff9b060fa2eee2c00a183ceb4c96ff83a6a20a1947f7c649a45a3af2127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3Z2MSO14J9446KPUXB03.temp

Filesize
7KB

MD5
d38eff3fb8ecfeea3d17f1c0697eea7f

SHA1
296b2f8f180146a36968fe9b78d4c081ba051828

SHA256
3b9eada2b2988228586adc7676bb32ad7b0a42c3967f30b7038b78d8a9ee0de1

SHA512
0e6c60be53604051c8de280fd23d3c309cf6a4093e52b450deed47fc5db7280acd8caa658c508d1b81d7248e6a255f9f20d508a149a49c9d19abd2779841792e

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
222KB

MD5
d6f5dea546d76974923569836ecd4407

SHA1
47745a04a6609583ecbdc5c7a50bc5c015718be7

SHA256
e41af52ee565fb2bdba81202e9af4b56a48f65f957273735bfe883553ce548d8

SHA512
548f5dafd87527c2c994e98b82141e1e11cf0ca1b58458430d612d53ca6181788c1bdbcf59bf24da4d55e454a0fed11b4bce1d2654eb84971ca453712900c68b

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
231KB

MD5
d7d2eca9fde365623cb92d2268d74ec7

SHA1
1d86ff0040d7794c9dca32eb074c9c8aaeafc7f8

SHA256
0c3fedcebc428956763552a72d972ad8763c45c7b9a79f8d3dd3b84929e90271

SHA512
f278be80bda245f9cba20e335ed63e8f2278f30b88ceb371f9a02c9e03567e946a72583729c10efc896c4286062962b2d18a9c0b2528120e0ae2f480fa5d5a03

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
896KB

MD5
67a7d02fa3dd127524d1dfcc0ce4da74

SHA1
974f6b99ad7e15f5d7c8a51971aee9012251d3bb

SHA256
38f01cd6ead4858b73de1fe95484e7df6c2c702d88ca3b4f99a5e187632b46b4

SHA512
573499cdddc2fbe549ca13eb05cf37eb2658d91821f518e787792ca3ac9863e3bae149fd9a3afee0be750ecb7e22f73ddca85b245ca18ecd48224cd4be2e34c7

Download Submit
C:\Users\Admin\svrhost\$77svrhost.exe

Filesize
319KB

MD5
22ae7032a840832cfef43f3091a7d71d

SHA1
b89a910570b58ceda1bf4ebd4cd78fedceee29ee

SHA256
2308ad2d5925e5661eb8d9be3f3196a495eecf83c5f6ce053ac086d64e045ab5

SHA512
3ff841bed1bb1991234587ef6151e615be11c4da33f596841bc7a43a66e6f90f663be874e3faea7d838cf8d72f6e0132de1096a7aa802ed5d3fa9f4efe525265

Download Submit
C:\Users\Admin\svrhost\$77svrhost.exe

Filesize
361KB

MD5
6926b8651f5710854acc53bf524ad9a1

SHA1
ab2bede35c95ce1b83e166c449058842f3bbaed7

SHA256
1ddc05af8d7e7443f57b9f848aa079c8ab8f85906d8268201c71e4cf719a6c05

SHA512
b421abb7f7ad553688be03fdc5c8726544e7fb04df8e3d0503abb93a54b1af3a0c25beafccdcac69426890d8647f950c1e377b972440272aa047fa3ea32519c0

Download Submit
C:\Users\Admin\svrhost\$77svrhost.exe

Filesize
459KB

MD5
b2ad4dbe8c91ba533da26014a2116fb9

SHA1
fbc14b9f161898aed48dce103d063cb92cd66a20

SHA256
eb8bb9cee94e652f3398305969c40d59d04fcf4cb44249795bd9b7ab75b712c6

SHA512
5f4804712b8a6e9f0d395aed21809cf3b3a89badc8de0ec28055e64b34fa0bda77e294e198f2e05ca15abbf2c2fe66de77f1186bd33ed1e1e2fde0583e160f04

Download Submit
C:\Windows\sr2.exe

Filesize
465KB

MD5
3612aafe99f7c5bd7657821bd61ab3f7

SHA1
e766cf16e04105323fa92fdbeebcbc3cdf0ae9e0

SHA256
78ebd2f96fa47fdd6b221dee7acd9b634287584acf109bd16abb2d1940cdfb9b

SHA512
1e953ae58a9e86ef4d1dbfdefa991db160dc063835cc9a4dc955c4e74274b0493dc99ff4ea32c7ae314fe0e89e7ca4e41e5dead04b7f4e2bd405767290f6fce0

Download Submit
C:\Windows\ug2.exe

Filesize
779KB

MD5
cb17890e3a0628d17484632467a584b4

SHA1
5044894ac4a0ee17a265df066b1ca2f85f811465

SHA256
d38a9fb2193fbd4ec28d229e4eb8c134ba51861d5f9fb2c87ad22703c0da2ef6

SHA512
46823b75bf6a615d5abfdf70b9af756fd1aecc2ec41818e0bfadbe570046885a7b43ec45bf8525d9be6739f93410fe48deb0006ae9cc182909b931dd46d8fb1b

Download Submit
C:\Windows\vr2.exe

Filesize
525KB

MD5
580515ffee63af73ff50115767e4befd

SHA1
c616ad338a1c4d602b3c8c483258d27fbc1ea87e

SHA256
990117ee841d6897cc9790552abe248d200e46feb0d80609788df61d66271d1a

SHA512
56e9c3572bf3fd6eaac2d63bfd1a952f4ea52cee98f6aa44cebca39d5a62f4eaeb378c7bcfded70a44d19b2de2325508cfb2f7beb74ab8aa915daf696c90fafc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24242\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
1bde33f0454eb6a02549107c97fab7d1

SHA1
7276a41d76780da4aecce0a9f0386274d5ae47cd

SHA256
25ea41b07fb34008ac9f4d28aadc0ff0c6f03b10c12b56c1a7e6b5e730f5d48b

SHA512
df836a5ea3008e5df9fc0194a2381ee9cd80f892f6b77af6f57f3aff72c99924b872fd9bd8a45c72b3787c381bc1c324346758d631fe780c0a8dc23381d43590

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2b3375caffd7eff2bffcd5336006a6ee

SHA1
8494cd20af1d86330558cc86cc2566adee00b594

SHA256
89970b77351d562b264f4e534feb80bcfbab98330fb4eb814ea4773953676b26

SHA512
f0525a19105eb8e0fdcbe8d16553fa9dfbc85742f923bd635637650068b437bc91790209000c1352d732397f0e68b5d96f1928fe98b1c59e001b733feb0fd61f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24242\python311.dll

Filesize
128KB

MD5
d7dda7bfdcfc7194940998952e3820f1

SHA1
7990ecb9715591af1cd3803e41a61aecc2d47f31

SHA256
9cac51d4764f2587a19066e06aa15c2e1e04f3b5c096589448b5c03c9054262b

SHA512
5b75afb0896b867022003d3d1a05164c36269a9c5661891f1dec1625e5e471b2530b16d3661ab409006fe42077f5699a5bef5971baadc6fa747f3e860c7f8172

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24242\ucrtbase.dll

Filesize
1.1MB

MD5
337b243eda185e326d5f972fcbeba07b

SHA1
5c8ec0fe64cb88911509703570775a626444cb99

SHA256
41225f978be3cbb7ce05c0666de8f88909e9973bed0df45fcb4e94b76761b208

SHA512
4111a269483217aa856daeef9fb3d561ca736e7789a46d758e20a3a56773bbcdacacbbbfef9dc7d2a2ea3a5b36d7cc29ee731b22c2bda2c0f2f6a9fd3d2282b2

Download Submit
\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
5.6MB

MD5
7ef919e48865984f76fa211f7c59025d

SHA1
653325b1542252e667e836d6fa74a2b8b31c537c

SHA256
d615fc82d19dad37ad3366a257ff73fdd5e50cdec9d566e96da0ed945a29afa6

SHA512
98e90df25f5086a7f8fcf87fd5688520d2d76a7c059ac4419fbc6a756bf9b858f5efaca62efe16b2dd632621015b1bf19aedc2a863ffc02878ca8a8da9af17e6

Download Submit
\Users\Admin\AppData\Roaming\bg.exe

Filesize
7.7MB

MD5
7210b56ee23f7fb0a722f2914a942a0e

SHA1
095aaed7b1d5796d1b50179b87bb1d7dcc4ae087

SHA256
0fa85258cfe02c5d4d3f05c533ed448f10367664e17849702417f1e1bfd7f2d3

SHA512
028db31691ffbf2c68d065e7cb65d23fcedf327cb28363db583b46b3223717db79eaad184ce94116741867440164008ce5a6be850fef686ab06f092b8f272950

Download Submit
\Users\Admin\AppData\Roaming\bg.exe

Filesize
930KB

MD5
5cbefc72932b9d5be2e981bea0becc18

SHA1
4ad210e524dcec127a6911ee8a456ebf48adaddd

SHA256
1544da50da882c7af2c79683250f68ef48e77b82652b9b6513de8fbe614f9d5a

SHA512
dfe02c99337a616a2fc01b8baeddfd3a210d4334a7648acf7eb658831ccb6737426035786f91d3b0076c59ff10a7e136f8ab4f9a488f9b34051242d460b51c0a

Download Submit
\Users\Admin\svrhost\$77svrhost.exe

Filesize
291KB

MD5
1af4e742fa45402f010952d581204007

SHA1
4bb006d9639ca500468a17ce4c22e08a70176463

SHA256
cdaa50bc322fccaf73948557a0d2236baedaa005a1dec521418cacec5c434c78

SHA512
42f452b342107ccf02212b942938f0416a9464befe3e634628a9b639eb10cb24d97997a0de707c234374323a18e0b7761e5790e9e3ea03cfec460cab08cef031

Download Submit
memory/1528-296-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1528-243-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/1528-298-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/1528-239-0x000000013FD40000-0x000000013FDFE000-memory.dmp

Filesize
760KB

Download
memory/1528-295-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/1528-297-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/1528-242-0x00000000021A0000-0x0000000002220000-memory.dmp

Filesize
512KB

Download
memory/1528-240-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/1896-120-0x000007FEF3950000-0x000007FEF3F38000-memory.dmp

Filesize
5.9MB

Download
memory/2232-249-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2232-262-0x000007FEED270000-0x000007FEEDC0D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-261-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2232-253-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2232-263-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2232-252-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2232-294-0x000007FEED270000-0x000007FEEDC0D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-251-0x000007FEED270000-0x000007FEEDC0D000-memory.dmp

Filesize
9.6MB

Download
memory/2232-250-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2256-122-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2256-2-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2256-114-0x000000000BF90000-0x000000000C068000-memory.dmp

Filesize
864KB

Download
memory/2256-11-0x000000000BB10000-0x000000000BD24000-memory.dmp

Filesize
2.1MB

Download
memory/2256-0-0x00000000001B0000-0x000000000055E000-memory.dmp

Filesize
3.7MB

Download
memory/2256-3-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2256-132-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2408-131-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2408-127-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2408-141-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2408-140-0x000000001B3A0000-0x000000001B420000-memory.dmp

Filesize
512KB

Download
memory/2408-92-0x0000000001370000-0x000000000144A000-memory.dmp

Filesize
872KB

Download
memory/2408-116-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-152-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2408-151-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-88-0x000000013FFB0000-0x000000014006E000-memory.dmp

Filesize
760KB

Download
memory/2484-124-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2484-232-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-117-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-128-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2484-139-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2484-220-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2484-207-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-216-0x0000000000A40000-0x0000000000AC0000-memory.dmp

Filesize
512KB

Download
memory/2516-221-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-218-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2516-214-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2516-212-0x0000000000300000-0x00000000003DA000-memory.dmp

Filesize
872KB

Download
memory/2516-211-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2516-219-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2516-238-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2516-217-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2516-222-0x00000000005E0000-0x0000000000660000-memory.dmp

Filesize
512KB

Download
memory/2532-121-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2532-133-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-123-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-119-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2532-118-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2632-134-0x000000001AB10000-0x000000001AB90000-memory.dmp

Filesize
512KB

Download
memory/2632-129-0x000000001AB10000-0x000000001AB90000-memory.dmp

Filesize
512KB

Download
memory/2632-135-0x000000001AB10000-0x000000001AB90000-memory.dmp

Filesize
512KB

Download
memory/2632-138-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2632-89-0x0000000000270000-0x00000000003CC000-memory.dmp

Filesize
1.4MB

Download
memory/2632-115-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download