1ef9f6f47ce297fa50fe714562d32ec98773acddeec5b17b956e6d4b94bbd14f

Analysis

max time kernel
2s
max time network
257s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aridek shit/SpoofShit4.exe
Size

1.1MB
MD5

8029a358e207c6bcbbdb3758b1562fef
SHA1

6327a7b2a38e77a025f21f645b912abcc1c7a80b
SHA256

a0140e7fd03531cb2185c8ac6501172e42c3cf2f0b26d2415200e0051701d4c6
SHA512

69ee949643a663e4e24db66a91f0e960c0bd65d89db0dfb7edcd40152fdb913c955d39e522df527dffe7463b778a8f9812345ca1591489c2db33ede266441f56
SSDEEP

24576:OtA4KdTeDUbJWtenvHxcaFNoAN76B3Q19Voo7znR6pl/xbS:PdTUUbJWwnfxc+SAY+9uo3nR6plJbS

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 42 IoCs

Processes:

extd.exeextd.exeextd.exeload.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exemac.exe

pid	process
4612	extd.exe
3864	extd.exe
1216	extd.exe
2052	load.exe
3476	tool.exe
4564	tool.exe
1808	tool.exe
3564	tool.exe
4724	tool.exe
116	tool.exe
1992	tool.exe
3268	tool.exe
1292	tool.exe
232	tool.exe
3688	tool.exe
320	tool.exe
3052	tool.exe
4936	tool.exe
3536	tool.exe
3236	tool.exe
3744	mac.exe
4612	extd.exe
3864	extd.exe
1216	extd.exe
2052	load.exe
3476	tool.exe
4564	tool.exe
1808	tool.exe
3564	tool.exe
4724	tool.exe
116	tool.exe
1992	tool.exe
3268	tool.exe
1292	tool.exe
232	tool.exe
3688	tool.exe
320	tool.exe
3052	tool.exe
4936	tool.exe
3536	tool.exe
3236	tool.exe
3744	mac.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/4612-37-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/4612-39-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/3864-44-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/1216-46-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/4612-37-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/4612-39-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/3864-44-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral4/memory/1216-46-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: LoadsDriver 32 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe
Token: SeSecurityPrivilege	2024	WMIC.exe
Token: SeTakeOwnershipPrivilege	2024	WMIC.exe
Token: SeLoadDriverPrivilege	2024	WMIC.exe
Token: SeSystemProfilePrivilege	2024	WMIC.exe
Token: SeSystemtimePrivilege	2024	WMIC.exe
Token: SeProfSingleProcessPrivilege	2024	WMIC.exe
Token: SeIncBasePriorityPrivilege	2024	WMIC.exe
Token: SeCreatePagefilePrivilege	2024	WMIC.exe
Token: SeBackupPrivilege	2024	WMIC.exe
Token: SeRestorePrivilege	2024	WMIC.exe
Token: SeShutdownPrivilege	2024	WMIC.exe
Token: SeDebugPrivilege	2024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2024	WMIC.exe
Token: SeRemoteShutdownPrivilege	2024	WMIC.exe
Token: SeUndockPrivilege	2024	WMIC.exe
Token: SeManageVolumePrivilege	2024	WMIC.exe
Token: 33	2024	WMIC.exe
Token: 34	2024	WMIC.exe
Token: 35	2024	WMIC.exe
Token: 36	2024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2024	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SpoofShit4.execmd.exeload.execmd.exemac.execmd.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 4880	1676	SpoofShit4.exe	cmd.exe
PID 1676 wrote to memory of 4880	1676	SpoofShit4.exe	cmd.exe
PID 4880 wrote to memory of 4612	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 4612	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 3864	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 3864	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 1216	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 1216	4880	cmd.exe	extd.exe
PID 4880 wrote to memory of 2052	4880	cmd.exe	load.exe
PID 4880 wrote to memory of 2052	4880	cmd.exe	load.exe
PID 4880 wrote to memory of 2052	4880	cmd.exe	load.exe
PID 2052 wrote to memory of 1544	2052	load.exe	cmd.exe
PID 2052 wrote to memory of 1544	2052	load.exe	cmd.exe
PID 1544 wrote to memory of 3476	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3476	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4564	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4564	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1808	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1808	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3564	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3564	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4724	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4724	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 116	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 116	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1992	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1992	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3268	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3268	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1292	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 1292	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 232	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 232	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3688	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3688	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 320	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 320	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3052	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3052	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4936	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 4936	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3536	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3536	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3236	1544	cmd.exe	tool.exe
PID 1544 wrote to memory of 3236	1544	cmd.exe	tool.exe
PID 4880 wrote to memory of 3744	4880	cmd.exe	mac.exe
PID 4880 wrote to memory of 3744	4880	cmd.exe	mac.exe
PID 4880 wrote to memory of 3744	4880	cmd.exe	mac.exe
PID 3744 wrote to memory of 388	3744	mac.exe	cmd.exe
PID 3744 wrote to memory of 388	3744	mac.exe	cmd.exe
PID 388 wrote to memory of 4236	388	cmd.exe	cmd.exe
PID 388 wrote to memory of 4236	388	cmd.exe	cmd.exe
PID 4236 wrote to memory of 3668	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 3668	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 4928	4236	cmd.exe	findstr.exe
PID 4236 wrote to memory of 4928	4236	cmd.exe	findstr.exe
PID 388 wrote to memory of 1988	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1988	388	cmd.exe	reg.exe
PID 388 wrote to memory of 544	388	cmd.exe	reg.exe
PID 388 wrote to memory of 544	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1712	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1712	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1540	388	cmd.exe	reg.exe
PID 388 wrote to memory of 1540	388	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit4.exe
"C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\33B4.bat "C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit4.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe "/resizewindow" "C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit4.exe" "0" "0" "1129" "520" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3864
- - C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1216
- - C:\Users\Admin\AppData\Roaming\dump\load.exe
    "load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3614.tmp\3615.tmp\3616.bat C:\Users\Admin\AppData\Roaming\dump\load.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SM "System manufacturer"
        5⤵
        Executes dropped EXE
        
        PID:3476
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SP "System Product Name"
        5⤵
        Executes dropped EXE
        
        PID:4564
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SV "System Version"
        5⤵
        Executes dropped EXE
        
        PID:1808
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SS "System Serial Number"
        5⤵
        Executes dropped EXE
        
        PID:3564
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SU "AUTO"
        5⤵
        Executes dropped EXE
        
        PID:4724
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SK "SKU"
        5⤵
        Executes dropped EXE
        
        PID:116
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SF "To be filled by O.E.M."
        5⤵
        Executes dropped EXE
        
        PID:1992
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BS 3009133021595
        5⤵
        Executes dropped EXE
        
        PID:3268
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BT "Default string"
        5⤵
        Executes dropped EXE
        
        PID:1292
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BLC "Default string"
        5⤵
        Executes dropped EXE
        
        PID:232
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CM "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3688
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CV "Default string"
        5⤵
        Executes dropped EXE
        
        PID:320
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CS "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3052
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CA "Default string"
        5⤵
        Executes dropped EXE
        
        PID:4936
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CSK "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3536
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /PSN 277062143025223
        5⤵
        Executes dropped EXE
        
        PID:3236
- - C:\Users\Admin\AppData\Roaming\dump\mac.exe
    "mac.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38F2.tmp\38F3.tmp\38F4.bat C:\Users\Admin\AppData\Roaming\dump\mac.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
      - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        6⤵
        
        PID:4928
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        
        PID:1988
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        
        PID:544
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        
        PID:1712
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 5A5401C3D33C /f
        5⤵
        
        PID:1540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        5⤵
        
        PID:3272
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
      - C:\Windows\system32\findstr.exe
        
        findstr [0-9]
        6⤵
        
        PID:404
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
        5⤵
        
        PID:1576
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
        5⤵
        
        PID:2872
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
        5⤵
        
        PID:400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        5⤵
        
        PID:1784
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        6⤵
        
        PID:2700
    - - C:\Windows\system32\netsh.exe
        
        netsh interface set interface name="Ethernet" disable
        5⤵
        
        PID:1248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\33B4.bat

Filesize
764B

MD5
e7ef7bf594ac19823ca86e8351dafc8d

SHA1
7e79cc98432feeb91d99ec449dee62a2a6c1bbea

SHA256
f0d9310e8acb456319e6270829ee4c4545e4c0fec75a242ab15de5b9f9ad1350

SHA512
f6b91b3d3148bde89031eb1bb94e5d2da1093d3b3c5a2bca5aa8108a645b454733a70a60af4acb74388f4c8f99e2761ff9845546a5309522fef20c3e183974b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\33B2.tmp\33B3.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3614.tmp\3615.tmp\3616.bat

Filesize
545B

MD5
a8d805349e3718d67fb16fea2e860186

SHA1
394704bef9cf3580aae4ea83f7e698d38ccd5a53

SHA256
f5662df0ec4b20f0503ca6a1ffb0180f36e28127e00e565546360550585c76b6

SHA512
37546bd2430906c1bb7096f1d67ce0b9e71bd69e902a028f590df8637af9c57aa4b77a517f2670b8c8000177872251efb3782502b8cb8c5efe8cb2f89c6cba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\38F2.tmp\38F3.tmp\38F4.bat

Filesize
2KB

MD5
520fc11aec0a3ad2f983d0feb45663ea

SHA1
04407e7e1a79276d0f553ae0a33233cbd3d7abd3

SHA256
c090406b49faa48c87c724cf3984873fd5f19f8df49f6e760c4f2cea36c82f8d

SHA512
aacf6d53d825f77a08ea9e427bd095b9d8c7d3f48f113dba9d73b4d06e7e4e4c849f4d0c887bc88971711934fc13457b802366be6bfd809cb88fd3fe43a9a82d

Download Submit
C:\Users\Admin\AppData\Roaming\dump\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Roaming\dump\load.exe

Filesize
89KB

MD5
5700cabc6bf4e6aea2f3535fe34f14e2

SHA1
9b0bd296120b99060c88fb5f870f8da1e046d640

SHA256
18c0da701463f2f99e5b8c91d2aa6315b4538960fe883a6bfb519f623fc2696b

SHA512
8db7bcf3e6babbcd2d122d55b6eb17136392ce7951cfbec550b1e8ea2d08348ffdaea37666be0e9df3889867907180c3bfa95ffbe8a307a94b147cc397bead5b

Download Submit
C:\Users\Admin\AppData\Roaming\dump\mac.exe

Filesize
91KB

MD5
bbf53988addf18f5aa2da913415023f3

SHA1
ebcda9e77718046f948e0ba9c995a641d7273607

SHA256
0ac0e1b4b036533afaf256e2d7acbb5ce3ce74848f46aa9aa5aac1126571b7e3

SHA512
ee6ac0607301d29761e2b1c684163361c89070f575899e6ad8f70795051672232da174c8e8aa3a70c6ff0a0d50a30cf7815585da7378cb366623072eb88f2322

Download Submit
C:\Users\Admin\AppData\Roaming\dump\tool.exe

Filesize
453KB

MD5
b696823b80d01a67c1e25355fdaa8bab

SHA1
932d2cd264daa771e93b094de870feb4ec0e1d93

SHA256
4ef86ce5877adc7f861b79da511ca2cbc7b454d6acc33e4a3ccbf21092fe6d94

SHA512
7eadf67c666152002a8d168e6beea36f3f7a7b2c57c313461dea1ba8cb0590fe0d6f6c2c0b4cd147e3ff2429fb99de8e84f3a036c8c7dbf5012d1346e4aff65f

Download Submit
memory/1216-46-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1216-46-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3864-44-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3864-44-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4612-39-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4612-37-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4612-39-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4612-37-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656