Resubmissions

28-11-2024 02:19

241128-cr9sks1kht 10

27-11-2024 21:08

241127-zyzyaawqgn 10

27-11-2024 20:16

241127-y145caymbs 10

27-11-2024 20:13

241127-yzlxdavlen 10

27-11-2024 19:53

241127-yl61dsxpcs 10

27-11-2024 19:38

241127-ycrjcaxkfx 10

27-11-2024 19:03

241127-xqsswsslej 10

27-11-2024 19:03

241127-xqf44aslcr 3

27-11-2024 19:02

241127-xpxqfsslan 3

27-11-2024 18:32

241127-w6pkqs1mek 10

Analysis

  • max time kernel
    90s
  • max time network
    234s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 01:44

General

  • Target
    4363463463464363463463463.exe
  • Size
    10KB
  • MD5
    2a94f3960c58c6e70826495f76d00b85
  • SHA1
    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
  • SHA256
    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
  • SHA512
    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
  • SSDEEP
    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted
  • Family
    amadey
  • Version
    4.18
  • C2
    http://185.172.128.3
  • Attributes
    • install_dir
      One_Dragon_Center
    • install_file
      MSI.CentralServer.exe
    • strings_key
      fd2f5851d3165c210396dcbe9930d294
    • url_paths
      /QajE3OBS/index.php
  • rc4.plain

Extracted
  • Family
    agenttesla
  • Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Detect ZGRat V1 29 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 6 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:5016
    • C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\SysWOW64\at.exe
          AT /delete /yes
          4⤵
          PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\SysWOW64\at.exe
          AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
          4⤵
          PID:3720
    • C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
      "C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
      2⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe"
      2⤵
      • Executes dropped EXE
      PID:5108
    • C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2892
    • C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:4100
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:4704
    • C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
      "C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
      2⤵
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies Control Panel
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
      2⤵
      PID:3852
    • C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
      2⤵
      PID:208
    • C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
      2⤵
      PID:384
      • C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
        "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
        3⤵
        PID:6160
    • C:\Users\Admin\AppData\Local\Temp\Files\fud_new.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\fud_new.exe"
      2⤵
      PID:2216
    • C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
      2⤵
      PID:4784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
        3⤵
        PID:5084
      • C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe
        "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
        3⤵
        PID:1940
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe"
          4⤵
          PID:4092
    • C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
      2⤵
      PID:4060
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:7064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:7072
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp24B5.tmp.bat""
        3⤵
        PID:5984
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:6556
    • C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
      2⤵
      PID:5404
    • C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
      2⤵
      PID:6568
    • C:\Users\Admin\AppData\Local\Temp\Files\Uni400uni.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Uni400uni.exe"
      2⤵
      PID:5832
    • C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
      2⤵
      PID:2936
  • C:\Windows\iaacws.exe
    C:\Windows\iaacws.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:1408
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe8f9fab58,0x7ffe8f9fab68,0x7ffe8f9fab78
      2⤵
      PID:3876
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:2
      2⤵
      PID:2020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:3308
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:2380
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:1
      2⤵
      PID:1620
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:1
      2⤵
      PID:1476
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3612 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:1
      2⤵
      PID:4984
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:4328
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:4344
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:3984
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4400 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:1680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:3156
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5108 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:1
      2⤵
      PID:4448
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4972 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:1
      2⤵
      PID:2860
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:4080
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:1680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:8
      2⤵
      PID:2628
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3472 --field-trial-handle=1952,i,12052126561379815075,10718527908940524092,131072 /prefetch:2
      2⤵
      PID:5868
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:4288
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2216 -ip 2216
    1⤵
    PID:2892
  • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    1⤵
    PID:5396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2216 -ip 2216
    1⤵
    PID:6484
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2216 -ip 2216
    1⤵
    PID:5652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2216 -ip 2216
    1⤵
    PID:6428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\71b020ff-1c2a-4027-b820-e5e0c1623f1b.tmp
    • Filesize
      6KB
    • MD5
      ec3b7649d3d5192c8b67aa69b9efdbb8
    • SHA1
      c9a5085999b8af0dd3c65bf0562a06a82be254de
    • SHA256
      39770171dd874c898d4b0693a557893c10aafe4fd98e873c05d1ef0509769f63
    • SHA512
      1b777132ca1e1cd53a81720a2955372e768ac7281ced2b3c9f6ece2d57ca9ce39fc39a8e4589b88967b5ef5c30f7b762b94baa415d18ffef66e1e80dbe38cd2a
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
    • Filesize
      199KB
    • MD5
      585ac11a4e8628c13c32de68f89f98d6
    • SHA1
      bcea01f9deb8d6711088cb5c344ebd57997839db
    • SHA256
      d692f27c385520c3b4078c35d78cdf154c424d09421dece6de73708659c7e2a6
    • SHA512
      76d2ed3f41df567fe4d04060d9871684244764fc59b81cd574a521bb013a6d61955a6aedf390a1701e3bfc24f82d92fd062ca9e461086f762a3087c142211c19
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    • Filesize
      264B
    • MD5
      5995487ae527a3ca87b5c9253c5a909b
    • SHA1
      4681f3eaae84588c6389e72c5f8be8462a24f46e
    • SHA256
      1ef0d66c06092f568018fd4113f9c5507ce734102087417fe206bcbea3986cc2
    • SHA512
      84862c517321f0e69360ed562b7a9b7e829105c4a767231ed95a792c5b851a551ddcaf4526649d2e360e9fbd6a57a8faf365ffb82cc540ab49e6390231927935
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
    • Filesize
      408B
    • MD5
      918ed49d9c4b201a8263dfac10c78da6
    • SHA1
      f549e44a636504ba168a3d4d98ae287d77314fde
    • SHA256
      77261549673d9b89469a6835c324bb6798077b4d9bc310b67178312e6f00ef3a
    • SHA512
      7970045f884b2c80626aae2fa008eb3babd0c10a37f40c61f4dbf9d4f2fdad2d047513522a386832143c2ce7816bcf5554d3335dbbc374957081d7b28d6f7a24
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7cbf8053-e394-4c21-953e-9c3d48fbdf05.tmp
    • Filesize
      1KB
    • MD5
      d054e8e39cf52c58ec90666c130886f6
    • SHA1
      426c9f8ba8f723ba7b61602cab487e52599d116e
    • SHA256

                                                                                      d01500af4e4482415c6464408f5955ec3e3237b52aeb8b914a9d2fdda2a1b4bf

                                                                                      SHA512

                                                                                      ad61f41ddebc2d4098f40fb396ed9a9e1f4d819a0e14afe9237108507725191d69b597860e0fcb835334b2b19cc101c0e026651e87ac812ccd21800baefa9d16

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                      Filesize

                                                                                      4KB

                                                                                      MD5

                                                                                      28dadd591f100d58b85a6f3c39d8d10f

                                                                                      SHA1

                                                                                      c2f5531f0830e25f87f1fa33f537f23591038d09

                                                                                      SHA256

                                                                                      87f67c0bf9b96d65edd3a112bbdad6a628cd2a990c4dfa07f8b7e0a641526e22

                                                                                      SHA512

                                                                                      2cedf2578a7ea6598233697b4185272aeb37756018235701dab15d697e7aea013d8a926302c303743df31c95364922099f6b333a349f1b8b435ed2fb0cb7d5e2

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                      Filesize

                                                                                      4KB

                                                                                      MD5

                                                                                      5932815dd6a5a15be1474158253e24ab

                                                                                      SHA1

                                                                                      d1b75054c8e9062d3538cc35a3a828ae09b084f4

                                                                                      SHA256

                                                                                      39a290e865b37d89f1e72708a43b28e16ab493fc58ac45fc8a19cd7d75c10b23

                                                                                      SHA512

                                                                                      d06809991963ee73c4f682fd678543265018eabea4d27ad26623867cc5a149b55834ae67bae553c2c549ab9b4bdf6f31f4b8fdc57c2cb8943537ce8eb0e04eac

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                                      Filesize

                                                                                      4KB

                                                                                      MD5

                                                                                      c68e39d7787fa38361be0bb14d290e29

                                                                                      SHA1

                                                                                      28e633ca2f9965f0e9a721ebd437c08f2dde60dd

                                                                                      SHA256

                                                                                      0ced07bfebcc74a468f40a182b8f4d10a7c3365cf856936c19ed0a45d8c1c90e

                                                                                      SHA512

                                                                                      7a19acaaeeefa842d85a80d05033503aa8350efa7c4303671fb85a4e49baa220c7e8041269d2d50146de443fe924515b1b228f8c365489668025fb4cf8f54165

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                                                                      Filesize

                                                                                      2B

                                                                                      MD5

                                                                                      d751713988987e9331980363e24189ce

                                                                                      SHA1

                                                                                      97d170e1550eee4afc0af065b78cda302a97674c

                                                                                      SHA256

                                                                                      4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                      SHA512

                                                                                      b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                      Filesize

                                                                                      523B

                                                                                      MD5

                                                                                      270b3d0a38d5204ad2ba36ac374dd9ce

                                                                                      SHA1

                                                                                      27a7dd3332aa7cb2513087a2a45c0b6df4f9fa76

                                                                                      SHA256

                                                                                      9bc6d6d3a408ccc76a647b4cf683c1da2e84e5fcbac29c187d85c56c94639f60

                                                                                      SHA512

                                                                                      43effbca3155d4455817dbec21784310e89befffced909e9200026ec62c249ab1b188fc3182e59beaa19b6d9d4a8205cfd59bd32bf4d55e9934a0795c092281d

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                      Filesize

                                                                                      1KB

                                                                                      MD5

                                                                                      2b5763516d36395bb8182fda648c5772

                                                                                      SHA1

                                                                                      7179b7b08906163a132db78757eca7159050988e

                                                                                      SHA256

                                                                                      adf9b928da89f28dfb2000d423667c1601bd5a6902a04c8dd9ef7168981348f8

                                                                                      SHA512

                                                                                      5fe01e733e5734aa58ae6e5febb8ce3bf65245fe86f24e78b55e3624abd09e4146c2150d3ce36d8877916869c7e54b57f47cb1d8207874b0952ce29a1d1049a9

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                                      Filesize

                                                                                      1KB

                                                                                      MD5

                                                                                      8ac38d724a69c4f6fb9f011420eb310a

                                                                                      SHA1

                                                                                      7a3e572c192417691a53fb768fc7e3418adcd92b

                                                                                      SHA256

                                                                                      f31ea88a68ba54620097a9ca7afb43825643e8a7d22f04ea0c3c23855cd70355

                                                                                      SHA512

                                                                                      4730cb6a986aded2e9cdd73a3e6f171fbdc29795103f29fa6a24b6336ca7f6f286dcd71008bf356e99b8b32e0d0f0d1db4f2fb048879cba8ea451681519bc107

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                      Filesize

                                                                                      6KB

                                                                                      MD5

                                                                                      eb0773868aad66d859e1c0c0d834797d

                                                                                      SHA1

                                                                                      375a82da322966f3ca00c576a7b0844a541659e8

                                                                                      SHA256

                                                                                      ff18f6b26ef155c6e8c99ed4fefaedf3658c2d6f53132dabcf1d661737b91f53

                                                                                      SHA512

                                                                                      74a732b5120b1a254c424e75ceb74ae54df6db1f0fce3069a72d111604c2ba6c5e1af19b676ba74bb56c822178477d2f4680288255cc10c9e40c63a525cbc6e1

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                      Filesize

                                                                                      6KB

                                                                                      MD5

                                                                                      ce429a458e98ad124c724c8c442feaab

                                                                                      SHA1

                                                                                      3d297c5830c55110f6b597d0b6bc00934632564c

                                                                                      SHA256

                                                                                      ecb6aa32de7526deb516cf3d3c972a69ceb89de0944972f529de1dd551cad5c8

                                                                                      SHA512

                                                                                      0653718a7db69eee516e089bbcf1e6d06c86ba1a3f26db924e80a60d05ff821c864905e8f2e822c02b79d1875ce7d1dca84fe3b94f669667c86a4a07be655db9

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c8ec8dcf-6d62-4e30-8a5b-75e547ba1f88.tmp

                                                                                      Filesize

                                                                                      6KB

                                                                                      MD5

                                                                                      6c95aebd110bfe4917a1865c7d98acb5

                                                                                      SHA1

                                                                                      59d55374e0a34516451084242ba280d9aaeb7402

                                                                                      SHA256

                                                                                      abcaf1cacd6ab324dc040819a9136b39bf39804dc0fdd81ac95d0f756b6aae8c

                                                                                      SHA512

                                                                                      309d51e0922d9997bf2ec65f260c5fea496252a879410f34f298bcb5647bf352e56e2028b19f29fb94df9a3043985d83fbd141838c3a6241140d73728a937937

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                      Filesize

                                                                                      257KB

                                                                                      MD5

                                                                                      b486a17f953c95171a00da72f56c3102

                                                                                      SHA1

                                                                                      2205fc3f13214a8426b6a7e5c3c5ba9a7ac97044

                                                                                      SHA256

                                                                                      be68226c12bf41c1e7541b79101d50bc1cf01f0d3c4065243fd6dca448f7aa47

                                                                                      SHA512

                                                                                      f8bbeed2945c410522d7071e27633c5080d807a2c50ceb95d96fe48e2617cb305f99e92f660df88c0ab494158b30fb573c9f6dd2daaa445675f5e2af4469ae80

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                      Filesize

                                                                                      257KB

                                                                                      MD5

                                                                                      2ea2730e998f9100c36cd15497891b55

                                                                                      SHA1

                                                                                      1004eaf7811734359d2ef557f2d4a5760fd9b5cc

                                                                                      SHA256

                                                                                      7ecee5b822dde0d69bac1fb2a5785cd4485720fa049b7166dfa7fbc053bac23d

                                                                                      SHA512

                                                                                      2f4ed1131b2c4dcfdd8afa7dd8d3a3457fd7e784b5ce45b34a46e2829a5f523b3e64d6b324a9f6b2d29b02b3a89390a9d0129db5c91ee047ed52c8001a06bd66

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                      Filesize

                                                                                      305KB

                                                                                      MD5

                                                                                      90c69d968bf2cceb118f9bf8858151fb

                                                                                      SHA1

                                                                                      63f003bb1d89d7b7428800345dc3c0fb6e785dd6

                                                                                      SHA256

                                                                                      6e3641d853985f1fd40f2706041eba85794c003e5880db27f10f180307ed84d2

                                                                                      SHA512

                                                                                      100669d096d2d606e3fd153d3c099aa067fec0ef486e89cd3163bce3ccc696517272748ec95b1f076afd5b6391f038ea801634f80cc365c35e91ed3a70aa0c32

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                      Filesize

                                                                                      258KB

                                                                                      MD5

                                                                                      15b1c335dfd554f7638a21239bbd8f24

                                                                                      SHA1

                                                                                      04e1a7ecafc0eb3f8eceffd7ee547f1085d69e62

                                                                                      SHA256

                                                                                      ea1d12233bb1acd3b7e71d3a9dc05862af4baed770a26f6082c36a9b0c19a923

                                                                                      SHA512

                                                                                      b0faec73c9f0deee33257d09f378f6c0bdb6944d617413fc7acc74428443cd91930a44f20fd8ff4b3b4bd4d960852de35365e567554713be6252514163df316e

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                                                                      Filesize

                                                                                      258KB

                                                                                      MD5

                                                                                      16508957001605814e06e292f5ead94d

                                                                                      SHA1

                                                                                      0de892365ba9785aae291f2cb7f91854378f22a0

                                                                                      SHA256

                                                                                      9362f61aa9b10efe91a7c92f9f665d0288a52f8db82f5be01348195f7af7c199

                                                                                      SHA512

                                                                                      27979c842c7f6b426eed0b1ba17720d4777c6e5058064dc8412991bf66b60613ff5acefe921118acf7a5d71ef63ecb2ba08d19f5fb3ac0476a87fa2fb4cdbe53

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

                                                                                      Filesize

                                                                                      90KB

                                                                                      MD5

                                                                                      2ba91e2d59127f9f7320570397c0f2f9

                                                                                      SHA1

                                                                                      d1edb4bdfd9bd7ebd62685d6d043228708a29e04

                                                                                      SHA256

                                                                                      3da58734869af624740bfd6319cd3377d4c8623820a622df17110edc802771de

                                                                                      SHA512

                                                                                      20472bd17c42a21e00bab2edf61770282650f21fbdf536c3e7658979d32e5b79e7c98c6f11b2c68a7a4eab1df5138202e9bec3dd90cd7854ee2e9d17634f2c1d

                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe585c44.TMP

                                                                                      Filesize

                                                                                      87KB

                                                                                      MD5

                                                                                      d59ae41ce7ee34c4b367292d1c505dc6

                                                                                      SHA1

                                                                                      02efa493d043d75e5bf105a9bbb9567e6598a6f7

                                                                                      SHA256

                                                                                      396d5180548c1a65d4bb23397a5649bce1b1e93d80ff9e1e1febecd531cc59e5

                                                                                      SHA512

                                                                                      7ed7ee97766259ccfd0c309d9863955f46c5ae8db12600d97441525f6c01522af3f86e98a53d82f4c5511e419191e4cb034e25cb27403ad2552594b6baf1152e

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                      Filesize

                                                                                      18KB

                                                                                      MD5

                                                                                      5d329bdb0135ca312b89b2bcf2882427

                                                                                      SHA1

                                                                                      0280a1d12befbcbd44d17e14c4f2ad9b4173ee49

                                                                                      SHA256

                                                                                      0cce94c7842a79bad3fae1dd0fffc576c0250994fda7d71e2212941e21da9905

                                                                                      SHA512

                                                                                      5aef56324d3635e66057d8673c709dbf9ebabe083499f9be2ceee0d2a2c0b82d52ffb2525ee75927a76101f9840acd6858d81ac4dfe3a9fa8865054f11b31019

                                                                                    • C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe

                                                                                      Filesize

                                                                                      166KB

                                                                                      MD5

                                                                                      d27cf074083cda9a8bc9658651de9b79

                                                                                      SHA1

                                                                                      baa8bed1b971e86168f43aae9368032e64e0ad9a

                                                                                      SHA256

                                                                                      eeafad325c35e85dbe694969a2cad3f30d33e7b640749e2617ec3faa3eb4efc3

                                                                                      SHA512

                                                                                      d0ec13cb90eed1af9582de550424ea6a57ff8bba39a3d01a5cb8d38ac399a1ca70d39ffabe57a7b3e49ac12ff1453f5e63563d4b7c28fd23169d8766bc54c12b

                                                                                    • C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]

                                                                                      Filesize

                                                                                      837KB

                                                                                      MD5

                                                                                      c57970f4dc0fca663ffea4c73e764186

                                                                                      SHA1

                                                                                      3add0a81686d6d9a6153d245f8eeb3114d2fbaff

                                                                                      SHA256

                                                                                      25319d2f46a945944462a20eeb31a0d5f83ad6246a39b04d9e33ee035656257e

                                                                                      SHA512

                                                                                      cccf0c81c2bbb122b709b6c8583c7b93ad10f8fcf92d24cdbdf224736e6eeb1bbafc1e691e68c86cb417e161916292cd07b23c4502572f7574f836df228441bb

                                                                                    • C:\Users\Admin\AppData\Local\Temp\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]

                                                                                      Filesize

                                                                                      837KB

                                                                                      MD5

                                                                                      3c2e2258c744c0ae97e2e7f428ac6ce2

                                                                                      SHA1

                                                                                      1b6d52c50d119ee47fde30550b913f623c3cabdb

                                                                                      SHA256

                                                                                      c2bdf8928c73388a807ad12f4f080b1ac39fe6cdf8a2e041bcfed83ccd804356

                                                                                      SHA512

                                                                                      57de9e255baabde6de201e4d1da2bff367cf7b56bf97ce0b9e7fea06c4811c37f4f8c6d52cb5adfe241fbe8cb17e905c7bcbabad5207d78d4fd06a838edc2bd4

                                                                                    • C:\Users\Admin\AppData\Local\Temp\Files\EPQ.exe

                                                                                      Filesize

                                                                                      1.2MB

• C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe (Filesize 404KB)
• C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe (Filesize 311KB)
• C:\Users\Admin\AppData\Local\Temp\Files\Uni400uni.exe (Filesize 556KB)
• C:\Users\Admin\AppData\Local\Temp\Files\Uni400uni.exe (Filesize 384KB)
• C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe (Filesize 477KB)
• C:\Users\Admin\AppData\Local\Temp\Files\cp.exe (Filesize 1.8MB)
• C:\Users\Admin\AppData\Local\Temp\Files\fud_new.exe (Filesize 436KB)
• C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe (Filesize 5.3MB)
• C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe (Filesize 281KB)
• C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe (Filesize 80KB)
• C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe (Filesize 4.2MB)
• C:\Users\Admin\AppData\Local\Temp\Files\svcyr.exe (Filesize 104KB)
• C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe (Filesize 15KB)
• C:\Users\Admin\AppData\Local\Temp\GSC510.tmp (Filesize 44KB)
• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3nmhqji.5p4.ps1 (Filesize 60B)
• C:\Users\Admin\AppData\Local\Temp\autF5C5.tmp (Filesize 261KB)
• C:\Users\Admin\AppData\Local\Temp\nonsubmerged (Filesize 29KB)
• C:\Users\Admin\AppData\Local\Temp\nsyC815.tmp\InstallOptions.dll (Filesize 14KB)
• C:\Users\Admin\AppData\Local\Temp\nsyC815.tmp\ioSpecial.ini (Filesize 659B)
• C:\Users\Admin\AppData\Local\Temp\tmp24B5.tmp.bat (Filesize 143B)
• C:\Windows\SysWOW64\setting.ini (Filesize 136KB)
• memory/1828-30-0x0000000000400000-0x000000000048D000-memory.dmp (Filesize 564KB)
• memory/1924-435-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize 944KB)
• memory/2372-318-0x00000000751F0000-0x00000000759A0000-memory.dmp (Filesize 7.7MB)
• memory/2372-0-0x00000000751FE000-0x00000000751FF000-memory.dmp (Filesize 4KB)
• memory/2372-307-0x00000000751FE000-0x00000000751FF000-memory.dmp (Filesize 4KB)
• memory/2372-3-0x00000000751F0000-0x00000000759A0000-memory.dmp (Filesize 7.7MB)
• memory/2372-2-0x0000000005700000-0x000000000579C000-memory.dmp (Filesize 624KB)
• memory/2372-1-0x0000000000E60000-0x0000000000E68000-memory.dmp (Filesize 32KB)
• memory/2496-68-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize 944KB)
• memory/2496-69-0x000000006FCF0000-0x000000006FD00000-memory.dmp (Filesize 64KB)
• memory/2496-124-0x0000000005190000-0x000000000540E000-memory.dmp (Filesize 2.5MB)
• memory/2892-422-0x0000000000C90000-0x0000000000CFC000-memory.dmp (Filesize 432KB)
• memory/3852-497-0x0000000005930000-0x0000000005DDB000-memory.dmp (Filesize 4.7MB)
• memory/3852-487-0x0000000005930000-0x0000000005DDB000-memory.dmp (Filesize 4.7MB)
• memory/3852-460-0x0000000005930000-0x0000000005DDB000-memory.dmp (Filesize 4.7MB)
• memory/3852-463-0x0000000005930000-0x0000000005DDB000-memory.dmp (Filesize 4.7MB)
• memory/3852-483-0x0000000005930000-0x0000000005DDB000-memory.dmp (Filesize 4.7MB)
• memory/3852-458-0x0000000000960000-0x0000000000EBA000-memory.dmp (Filesize 5.4MB)
• memory/3852-459-0x0000000005930000-0x0000000005DE0000-memory.dmp (Filesize 4.7MB)

                                                                                    • memory/3852-473-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-479-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-511-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-491-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-509-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-507-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-505-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-461-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-501-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-499-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-496-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-493-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-489-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-485-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-481-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-477-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-475-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-471-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-469-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-467-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/3852-465-0x0000000005930000-0x0000000005DDB000-memory.dmp

                                                                                      Filesize

                                                                                      4.7MB

                                                                                    • memory/4060-2370-0x0000000000240000-0x00000000006E4000-memory.dmp

                                                                                      Filesize

                                                                                      4.6MB

                                                                                    • memory/4060-3925-0x0000000000240000-0x00000000006E4000-memory.dmp

                                                                                      Filesize

                                                                                      4.6MB

                                                                                    • memory/4060-2472-0x0000000000240000-0x00000000006E4000-memory.dmp

                                                                                      Filesize

                                                                                      4.6MB

                                                                                    • memory/4060-2471-0x0000000000240000-0x00000000006E4000-memory.dmp

                                                                                      Filesize

                                                                                      4.6MB

                                                                                    • memory/4092-2426-0x0000000002FE0000-0x0000000003034000-memory.dmp

                                                                                      Filesize

                                                                                      336KB

                                                                                    • memory/4092-2470-0x00000000056F0000-0x0000000005742000-memory.dmp

                                                                                      Filesize

                                                                                      328KB

                                                                                    • memory/4100-305-0x0000000005560000-0x0000000005B04000-memory.dmp

                                                                                      Filesize

                                                                                      5.6MB

                                                                                    • memory/4100-304-0x0000000000720000-0x000000000072A000-memory.dmp

                                                                                      Filesize

                                                                                      40KB

                                                                                    • memory/4100-397-0x0000000006150000-0x000000000615A000-memory.dmp

                                                                                      Filesize

                                                                                      40KB

                                                                                    • memory/4100-309-0x0000000005050000-0x00000000050E2000-memory.dmp

                                                                                      Filesize

                                                                                      584KB

                                                                                    • memory/4704-359-0x0000000007AE0000-0x000000000815A000-memory.dmp

                                                                                      Filesize

                                                                                      6.5MB

                                                                                    • memory/4704-334-0x0000000006170000-0x000000000618E000-memory.dmp

                                                                                      Filesize

                                                                                      120KB

                                                                                    • memory/4704-357-0x0000000006740000-0x000000000675E000-memory.dmp

                                                                                      Filesize

                                                                                      120KB

                                                                                    • memory/4704-358-0x0000000007390000-0x0000000007433000-memory.dmp

                                                                                      Filesize

                                                                                      652KB

                                                                                    • memory/4704-360-0x00000000074A0000-0x00000000074BA000-memory.dmp

                                                                                      Filesize

                                                                                      104KB

                                                                                    • memory/4704-381-0x00000000076A0000-0x00000000076B1000-memory.dmp

                                                                                      Filesize

                                                                                      68KB

                                                                                    • memory/4704-361-0x0000000007510000-0x000000000751A000-memory.dmp

                                                                                      Filesize

                                                                                      40KB

                                                                                    • memory/4704-386-0x00000000077C0000-0x00000000077C8000-memory.dmp

                                                                                      Filesize

                                                                                      32KB

                                                                                    • memory/4704-347-0x000000006F420000-0x000000006F46C000-memory.dmp

                                                                                      Filesize

                                                                                      304KB

                                                                                    • memory/4704-385-0x00000000077E0000-0x00000000077FA000-memory.dmp

                                                                                      Filesize

                                                                                      104KB

                                                                                    • memory/4704-335-0x0000000006530000-0x000000000657C000-memory.dmp

                                                                                      Filesize

                                                                                      304KB

                                                                                    • memory/4704-346-0x0000000007350000-0x0000000007382000-memory.dmp

                                                                                      Filesize

                                                                                      200KB

                                                                                    • memory/4704-333-0x0000000005C70000-0x0000000005FC4000-memory.dmp

                                                                                      Filesize

                                                                                      3.3MB

                                                                                    • memory/4704-323-0x0000000005AF0000-0x0000000005B56000-memory.dmp

                                                                                      Filesize

                                                                                      408KB

                                                                                    • memory/4704-321-0x00000000052A0000-0x00000000052C2000-memory.dmp

                                                                                      Filesize

                                                                                      136KB

                                                                                    • memory/4704-322-0x0000000005A80000-0x0000000005AE6000-memory.dmp

                                                                                      Filesize

                                                                                      408KB

                                                                                    • memory/4704-320-0x00000000052E0000-0x0000000005908000-memory.dmp

                                                                                      Filesize

                                                                                      6.2MB

                                                                                    • memory/4704-380-0x0000000007720000-0x00000000077B6000-memory.dmp

                                                                                      Filesize

                                                                                      600KB

                                                                                    • memory/4704-319-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

                                                                                      Filesize

                                                                                      216KB

                                                                                    • memory/4704-383-0x00000000076D0000-0x00000000076DE000-memory.dmp

                                                                                      Filesize

                                                                                      56KB

                                                                                    • memory/4704-384-0x00000000076E0000-0x00000000076F4000-memory.dmp

                                                                                      Filesize

                                                                                      80KB

                                                                                    • memory/5016-18-0x0000000000400000-0x000000000041B000-memory.dmp

                                                                                      Filesize

                                                                                      108KB

                                                                                    • memory/5832-4528-0x000002AE86900000-0x000002AE86936000-memory.dmp

                                                                                      Filesize

                                                                                      216KB

                                                                                    • memory/7072-4550-0x00000224D2EE0000-0x00000224D2F02000-memory.dmp

                                                                                      Filesize

                                                                                      136KB