da14845db5bb3ffaeeab3648ec76829c96193f73dd2625ba165e4cfd2b4f1c68

Analysis

max time kernel
312s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MonoxideXVIII.exe
Size

2.7MB
MD5

2164b4bd4de3340a8f6e814d23a31748
SHA1

427305168b8b609c03341b8ac610c899dcd6994e
SHA256

da14845db5bb3ffaeeab3648ec76829c96193f73dd2625ba165e4cfd2b4f1c68
SHA512

c07536481a1997035522b4f38e4a70d5b49c390c690cec3af9f08b6d4e440355019dad08ef92b97a73c52a3944c4aec50d9bd1a38663ea7b0da0e076ca511846
SSDEEP

49152:n+clb1BRntmeSKCZEUn7znM/xA8rrmpPzX2DjBmUoIbGR6iBKWGkyMQnByUCs:tmXrz8JrEPr2DjBmUoIbpi8YyhTCs

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MonoxideXVIII.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	MonoxideXVIII.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 27 IoCs

pid	Process
2948	HideConsoleWindow.exe
1792	MouseCursorsDrawer.exe
5016	UpdateGDI.exe
4080	LowRgbShader.exe
1164	UpdateGDI.exe
3456	HyperSineWaves.exe
404	PatBlt.exe
932	UpdateGDI.exe
4244	HcShader.exe
3216	InverterTrain.exe
2268	InvertedGlitch.exe
932	UpdateGDI.exe
4100	NoColorRectangles.exe
964	DarkMove.exe
1648	UpdateGDI.exe
4684	FastTanWaves.exe
4304	BoungCircles.exe
3144	UpdateGDI.exe
3220	RgbQuadShader.exe
4660	UpdateGDI.exe
2544	InvMelter.exe
4164	X-ScreenDrawer.exe
4872	WeakPatBlt.exe
4328	UpdateGDI.exe
3704	HslContinueWave.exe
4144	RgbPolygon.exe
4332	MouseCursorsDrawer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
3968	timeout.exe
3252	timeout.exe
2520	timeout.exe
4260	timeout.exe
404	timeout.exe
3044	timeout.exe
4456	timeout.exe
4164	timeout.exe
1964	timeout.exe
868	timeout.exe
4836	timeout.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
4628	taskkill.exe
3052	taskkill.exe
2636	taskkill.exe
1368	taskkill.exe
4304	taskkill.exe
3544	taskkill.exe
1524	taskkill.exe
4324	taskkill.exe
1976	taskkill.exe
5056	taskkill.exe
4408	taskkill.exe
372	taskkill.exe
3932	taskkill.exe
4572	taskkill.exe
880	taskkill.exe
1124	taskkill.exe
4216	taskkill.exe
2824	taskkill.exe
2092	taskkill.exe
804	taskkill.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{DCC77088-A382-467C-A6EF-3927F3DA533F}	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4324	reg.exe
4856	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2972	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4584	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	4960	whoami.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeShutdownPrivilege	3416	WScript.exe
Token: SeCreatePagefilePrivilege	3416	WScript.exe
Token: 33	2836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2836	AUDIODG.EXE
Token: SeShutdownPrivilege	3416	WScript.exe
Token: SeCreatePagefilePrivilege	3416	WScript.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
4596	OpenWith.exe
4460	MonoxideXVIII.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
4584	OpenWith.exe
224	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3924	216	MonoxideXVIII.exe	83
PID 216 wrote to memory of 3924	216	MonoxideXVIII.exe	83
PID 4460 wrote to memory of 4376	4460	MonoxideXVIII.exe	111
PID 4460 wrote to memory of 4376	4460	MonoxideXVIII.exe	111
PID 4924 wrote to memory of 1844	4924	cmd.exe	123
PID 4924 wrote to memory of 1844	4924	cmd.exe	123
PID 4924 wrote to memory of 868	4924	cmd.exe	124
PID 4924 wrote to memory of 868	4924	cmd.exe	124
PID 4924 wrote to memory of 4376	4924	cmd.exe	125
PID 4924 wrote to memory of 4376	4924	cmd.exe	125
PID 4924 wrote to memory of 1312	4924	cmd.exe	126
PID 4924 wrote to memory of 1312	4924	cmd.exe	126
PID 4924 wrote to memory of 2948	4924	cmd.exe	127
PID 4924 wrote to memory of 2948	4924	cmd.exe	127
PID 4924 wrote to memory of 2948	4924	cmd.exe	127
PID 4924 wrote to memory of 4960	4924	cmd.exe	128
PID 4924 wrote to memory of 4960	4924	cmd.exe	128
PID 4924 wrote to memory of 732	4924	cmd.exe	129
PID 4924 wrote to memory of 732	4924	cmd.exe	129
PID 4924 wrote to memory of 532	4924	cmd.exe	130
PID 4924 wrote to memory of 532	4924	cmd.exe	130
PID 4924 wrote to memory of 4348	4924	cmd.exe	132
PID 4924 wrote to memory of 4348	4924	cmd.exe	132
PID 4924 wrote to memory of 880	4924	cmd.exe	134
PID 4924 wrote to memory of 880	4924	cmd.exe	134
PID 4924 wrote to memory of 4324	4924	cmd.exe	137
PID 4924 wrote to memory of 4324	4924	cmd.exe	137
PID 4924 wrote to memory of 4856	4924	cmd.exe	138
PID 4924 wrote to memory of 4856	4924	cmd.exe	138
PID 4924 wrote to memory of 4260	4924	cmd.exe	139
PID 4924 wrote to memory of 4260	4924	cmd.exe	139
PID 4924 wrote to memory of 3972	4924	cmd.exe	145
PID 4924 wrote to memory of 3972	4924	cmd.exe	145
PID 4924 wrote to memory of 2456	4924	cmd.exe	146
PID 4924 wrote to memory of 2456	4924	cmd.exe	146
PID 4924 wrote to memory of 3340	4924	cmd.exe	147
PID 4924 wrote to memory of 3340	4924	cmd.exe	147
PID 4924 wrote to memory of 3416	4924	cmd.exe	148
PID 4924 wrote to memory of 3416	4924	cmd.exe	148
PID 4924 wrote to memory of 1964	4924	cmd.exe	149
PID 4924 wrote to memory of 1964	4924	cmd.exe	149
PID 3340 wrote to memory of 1792	3340	WScript.exe	150
PID 3340 wrote to memory of 1792	3340	WScript.exe	150
PID 3340 wrote to memory of 1792	3340	WScript.exe	150
PID 4924 wrote to memory of 404	4924	cmd.exe	153
PID 4924 wrote to memory of 404	4924	cmd.exe	153
PID 4924 wrote to memory of 3216	4924	cmd.exe	155
PID 4924 wrote to memory of 3216	4924	cmd.exe	155
PID 4924 wrote to memory of 2268	4924	cmd.exe	156
PID 4924 wrote to memory of 2268	4924	cmd.exe	156
PID 3216 wrote to memory of 5016	3216	wscript.exe	157
PID 3216 wrote to memory of 5016	3216	wscript.exe	157
PID 3216 wrote to memory of 5016	3216	wscript.exe	157
PID 2268 wrote to memory of 4080	2268	WScript.exe	159
PID 2268 wrote to memory of 4080	2268	WScript.exe	159
PID 2268 wrote to memory of 4080	2268	WScript.exe	159
PID 4924 wrote to memory of 3044	4924	cmd.exe	161
PID 4924 wrote to memory of 3044	4924	cmd.exe	161
PID 4924 wrote to memory of 4628	4924	cmd.exe	163
PID 4924 wrote to memory of 4628	4924	cmd.exe	163
PID 4924 wrote to memory of 1536	4924	cmd.exe	164
PID 4924 wrote to memory of 1536	4924	cmd.exe	164
PID 4924 wrote to memory of 4988	4924	cmd.exe	165
PID 4924 wrote to memory of 4988	4924	cmd.exe	165

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MonoxideXVIII.exe
"C:\Users\Admin\AppData\Local\Temp\MonoxideXVIII.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEMP_FOLDER\Init.cmd" "
  2⤵
  - Modifies registry class
  PID:3924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2060

C:\Users\Admin\Desktop\MonoxideXVIII.exe
"C:\Users\Admin\Desktop\MonoxideXVIII.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\TEMP_FOLDER\Init.cmd" "
  2⤵
  - Modifies registry class
  PID:4376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\TEMP_FOLDER\Init.cmd" "
1⤵
- Modifies registry class
PID:4456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\ZScript Procesor.cmd" C:\Users\Admin\Desktop\TEMP_FOLDER\Script.zsc"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\system32\rundll32.exe
  RunDll32 "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\ADZP 20 Complex.sys"
  2⤵
  PID:1844
- C:\Windows\system32\whoami.exe
  whoami /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\system32\find.exe
  find "S-1-16-12288"
  2⤵
  PID:4376
- C:\Windows\system32\rundll32.exe
  RunDll32 "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\ADZP 20 Complex.sys"
  2⤵
  PID:1312
- C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\HideConsoleWindow.exe
  "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\HideConsoleWindow.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\system32\whoami.exe
  whoami /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\system32\find.exe
  find "S-1-16-12288"
  2⤵
  PID:732
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\5152_22556.vbs"
  2⤵
  PID:532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\6018_20267.vbs"
  2⤵
  PID:4348
- C:\Windows\system32\taskkill.exe
  taskkill /im "Taskmgr.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4324
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4856
- C:\Windows\system32\timeout.exe
  timeout /nobreak 5
  2⤵
  - Delays execution with timeout.exe
  PID:4260
- C:\Windows\system32\attrib.exe
  attrib +h "18901_9999.vbs"
  2⤵
  - Views/modifies file attributes
  PID:3972
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\18901_9999.vbs"
  2⤵
  PID:2456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\9724_11307.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\MouseCursorsDrawer.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\MouseCursorsDrawer.exe"
    3⤵
    - Executes dropped EXE
    PID:1792
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\Play.vbs"
  2⤵
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1964
- C:\Windows\system32\timeout.exe
  timeout /nobreak 10
  2⤵
  - Delays execution with timeout.exe
  PID:404
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:5016
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\30379_29523.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\LowRgbShader.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\LowRgbShader.exe"
    3⤵
    - Executes dropped EXE
    PID:4080
- C:\Windows\system32\timeout.exe
  timeout /nobreak 10
  2⤵
  - Delays execution with timeout.exe
  PID:3044
- C:\Windows\system32\taskkill.exe
  taskkill /im "LowRgbShader.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:1536
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:1164
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\17050_522.vbs"
  2⤵
  - Checks computer location settings
  PID:4988
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HyperSineWaves.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HyperSineWaves.exe"
    3⤵
    - Executes dropped EXE
    PID:3456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\7294_9166.vbs"
  2⤵
  - Checks computer location settings
  PID:4852
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\PatBlt.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\PatBlt.exe"
    3⤵
    - Executes dropped EXE
    PID:404
- C:\Windows\system32\timeout.exe
  timeout /nobreak 10
  2⤵
  - Delays execution with timeout.exe
  PID:4456
- C:\Windows\system32\taskkill.exe
  taskkill /im "HyperSineWaves.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\system32\taskkill.exe
  taskkill /im "PatBlt.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:4628
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:932
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\12160_28151.vbs"
  2⤵
  - Checks computer location settings
  PID:3144
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HcShader.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HcShader.exe"
    3⤵
    - Executes dropped EXE
    PID:4244
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\11809_6866.vbs"
  2⤵
  - Checks computer location settings
  PID:3648
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InverterTrain.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InverterTrain.exe"
    3⤵
    - Executes dropped EXE
    PID:3216
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\14536_24653.vbs"
  2⤵
  - Checks computer location settings
  PID:2532
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvertedGlitch.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvertedGlitch.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:4164
- C:\Windows\system32\taskkill.exe
  taskkill /im "MouseCursorsDrawer.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\system32\taskkill.exe
  taskkill /im "HcShader.exe" /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\system32\taskkill.exe
  taskkill /im "InverterTrain.exe" /f
  2⤵
  - Kills process with taskkill
  PID:4216
- C:\Windows\system32\taskkill.exe
  taskkill /im "InvertedGlitch.exe" /f
  2⤵
  - Kills process with taskkill
  PID:3544
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:2864
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:932
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\24326_31848.vbs"
  2⤵
  - Checks computer location settings
  PID:2252
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\NoColorRectangles.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\NoColorRectangles.exe"
    3⤵
    - Executes dropped EXE
    PID:4100
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\17969_20839.vbs"
  2⤵
  - Checks computer location settings
  PID:3788
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\DarkMove.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\DarkMove.exe"
    3⤵
    - Executes dropped EXE
    PID:964
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:3968
- C:\Windows\system32\taskkill.exe
  taskkill /im "NoColorRectangles.exe" /f
  2⤵
  - Kills process with taskkill
  PID:2636
- C:\Windows\system32\taskkill.exe
  taskkill /im "DarkMove.exe" /f
  2⤵
  - Kills process with taskkill
  PID:2824
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:4900
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:1648
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\20413_14402.vbs"
  2⤵
  - Checks computer location settings
  PID:3856
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\FastTanWaves.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\FastTanWaves.exe"
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\25307_686.vbs"
  2⤵
  - Checks computer location settings
  PID:512
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\BoungCircles.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\BoungCircles.exe"
    3⤵
    - Executes dropped EXE
    PID:4304
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:868
- C:\Windows\system32\taskkill.exe
  taskkill /im "BoungCircles.exe" /f
  2⤵
  - Kills process with taskkill
  PID:2092
- C:\Windows\system32\taskkill.exe
  taskkill /im "FastTanWaves.exe" /f
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:1844
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:3144
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\29045_19445.vbs"
  2⤵
  - Checks computer location settings
  PID:4628
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\RgbQuadShader.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\RgbQuadShader.exe"
    3⤵
    - Executes dropped EXE
    PID:3220
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:3252
- C:\Windows\system32\taskkill.exe
  taskkill /im "RgbQuadShader.exe" /f
  2⤵
  - Kills process with taskkill
  PID:5056
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:4564
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:4660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\288_10226.vbs"
  2⤵
  - Checks computer location settings
  PID:1304
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvMelter.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvMelter.exe"
    3⤵
    - Executes dropped EXE
    PID:2544
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\18745_7889.vbs"
  2⤵
  - Checks computer location settings
  PID:3708
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\X-ScreenDrawer.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\X-ScreenDrawer.exe"
    3⤵
    - Executes dropped EXE
    PID:4164
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\18699_11858.vbs"
  2⤵
  - Checks computer location settings
  PID:2436
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\WeakPatBlt.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\WeakPatBlt.exe"
    3⤵
    - Executes dropped EXE
    PID:4872
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:2520
- C:\Windows\system32\taskkill.exe
  taskkill /im "InvMelter.exe" /f
  2⤵
  - Kills process with taskkill
  PID:804
- C:\Windows\system32\taskkill.exe
  taskkill /im "X-ScreenDrawer.exe" /f
  2⤵
  - Kills process with taskkill
  PID:3932
- C:\Windows\system32\taskkill.exe
  taskkill /im "WeakPatBlt.exe" /f
  2⤵
  - Kills process with taskkill
  PID:4572
- C:\Windows\system32\wscript.exe
  WScript "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\\Ug.vbs"
  2⤵
  - Checks computer location settings
  PID:660
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe"
    3⤵
    - Executes dropped EXE
    PID:4328
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\31633_5685.vbs"
  2⤵
  - Checks computer location settings
  PID:1256
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HslContinueWave.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HslContinueWave.exe"
    3⤵
    - Executes dropped EXE
    PID:3704
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\14798_20201.vbs"
  2⤵
  - Checks computer location settings
  PID:3412
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\RgbPolygon.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\RgbPolygon.exe"
    3⤵
    - Executes dropped EXE
    PID:4144
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\TEMP_FOLDER\21517_20718.vbs"
  2⤵
  - Checks computer location settings
  PID:1836
- - C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\MouseCursorsDrawer.exe
    "C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\MouseCursorsDrawer.exe"
    3⤵
    - Executes dropped EXE
    PID:4332
- C:\Windows\system32\timeout.exe
  timeout /nobreak 30
  2⤵
  - Delays execution with timeout.exe
  PID:4836
- C:\Windows\system32\taskkill.exe
  taskkill /im "WScript.exe" /f
  2⤵
  - Kills process with taskkill
  PID:4408
- C:\Windows\system32\taskkill.exe
  taskkill /im "HslContinueWave.exe" /f
  2⤵
  - Kills process with taskkill
  PID:1524
- C:\Windows\system32\taskkill.exe
  taskkill /im "RgbPolygon.exe" /f
  2⤵
  - Kills process with taskkill
  PID:4324
- C:\Windows\system32\taskkill.exe
  taskkill /im "MouseCursorsDrawer.exe" /f
  2⤵
  - Kills process with taskkill
  PID:372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell Wininit
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- - C:\Windows\system32\wininit.exe
    "C:\Windows\system32\wininit.exe"
    3⤵
    PID:1212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
704KB

MD5
3e3e87d2e4e242c7caaca5e3a30be2b0

SHA1
80524290ed1b054ed98827d0102efcee2bdcf6d5

SHA256
6f6c4ad8a64f9bddb55d3838054bb927a5945464961b33095bc0da418a77817a

SHA512
96b655c82a34062c1d2313419c98a0c0d5d47f5fd87a63d4c9477af7e836a71624d23752e84aec644a33c76c3ebc5c6c29f906cbb630b625eb0b27a2f4f50e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
8a5c9aa8dad5ca6d59bcd27ae4f52354

SHA1
dd163ed2fe70ca416ae364853cecbac3e756c8ae

SHA256
7d31568eb354ca67840b8df31a54cb3712d7a25511691c5cf1fa07cbc69c4a14

SHA512
78fd88b939f7906221794ecdec7f46d2af4b8a6774a916f138e3baba6796228a3121d6de46b9d44988a41abfaee71bf9a9fc6daf4a6b59ed339f3086d02258c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP_FOLDER\Init.cmd

Filesize
84B

MD5
964558f1bb16f96ba584411623448e02

SHA1
343ed92dbdedf742b01c8616c6c3ad7b7db18f41

SHA256
983e70838323a3554f14960d9be781a755a5e8e8e550add74d502816425942a6

SHA512
3cdca2a5146840ca09e83dde33d35fcc0d52439f189f4ad018d025ff9117ac1c0f30ae817967331d803985e3afced8884df673754c3d64009c5aa39884ce11d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEMP_FOLDER\Script.zsc

Filesize
6KB

MD5
90ae51ebc3b79352ca1209d5b7f8a909

SHA1
a899733286fb21ae0beb68f3c8a6bdc32cb120cb

SHA256
db84a9a37544102abb8e2a7c42a0a5b51e375d4190cefeee2573eb4422bb09f5

SHA512
6e4e3d3d749a42e2e79d3eb3797044b87d25c0241a15b9d4b487f9d41046e3c0648ecd933367001fba3107b01e856975fcfaeb96fcd136395a30ac6a96933764

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ealclk4z.aew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\11809_6866.vbs

Filesize
252B

MD5
05115170a796779ce04043d2682dacdd

SHA1
e6958c42adf576e3e4e8062799d1b91ad92b15b7

SHA256
a9012d6ce2d481dbeb76f2bb7931b6801bbd17ca80f987621495b92b5fdd3733

SHA512
49dc8583fae8182d5d05ae88d5804f497da81d09c0036d6eada61661017ea2fbabea5f0dce8b154acc96d9eee82bd27390b6bae2cca21b676b9db5f56b7fe9ed

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\12160_28151.vbs

Filesize
248B

MD5
b666b356cd3badfaeb68166e514ec232

SHA1
e712e44a8b086824c38f8b8133bda30054303d4c

SHA256
a9ed35b2f0f8f99df00a8274bebd19f8983a4c7098b15bae4a39c0b00a014ab0

SHA512
ff319a5db015fe1b4b98483938b637512aafd9a58b80fa5deb4822c89b0de7105e1a7c791df32288f2b7293d9747f7e22bb29dd71289e036f3f04fdcfafa509d

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\14536_24653.vbs

Filesize
254B

MD5
f8652bf2a194bbaa458bf4a2464abd22

SHA1
888875da07026f611cc09f5330d32ed4616e75a5

SHA256
9fee6372c5a03a7c2bcb55bca05ab1f1300245e5724fa0d8ba90e7504811e10a

SHA512
f893742cb92ae6207dca6bec4daaab02090778a2449989f95f2ff9e40742b56c51c312253ab5d606ce5b7336b1d4fb96f3d3eb3149a91228ec7fc4a9b2d426ac

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\17050_522.vbs

Filesize
205B

MD5
4a896bbd3a612e960017df3eeff671fb

SHA1
89497f983fd095384ba72bf2aa19c533f971774f

SHA256
b07ba3d0928652d90f8e3f17972ce109e1b837b3fc7c771b397825d32083fb08

SHA512
1932df2a519b21fe4cd5274404d3aa454306fcee7a13004f1939b54d921395c419a651350d62f1fe0bf964b81929dfbf8a783ec87af9d033304a0d499b7fc1d0

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\17050_522.vbs

Filesize
252B

MD5
69f6d8a49124613aa52a62e48bd2ba5f

SHA1
c05c4f24f2c04b60fce38519312ffc7a9db5806d

SHA256
e7d3d1e2095c60a57bf05121ca85dd75838173f5b5ab74abcca4015588941620

SHA512
79d4e53a5a899f9976111e274629601fc5d7b5d478141d5de2e5c185dd7397ee5a8b926c75716fd8325ae6e7fe383bb02d92d9e7fba7eac416c4b319e33dcbee

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\17969_20839.vbs

Filesize
248B

MD5
64f0521371da699b8a97304bcd96f3ab

SHA1
157e7356fab822891c506bb45b2aa48db8e35282

SHA256
24d5a764185432da78e3273036a0ef83c6968e5032552dc0682e8a7cce5f76b0

SHA512
aafc4da30626d8e0487aa63e535584bec58eb4d25eed48351bbecc1e78032a6811cfac6cece65378045df8e0ef3609fada9879807bcb09be66724ef69b6580e5

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\18745_7889.vbs

Filesize
253B

MD5
db171f017c58005a90f2068b06c21750

SHA1
9153bdcfcded196af1174e45561151d9405753ad

SHA256
7822511f50b42dc01c3b4ea8fd3ceb4992203719ab502917874a5af58fc2bb99

SHA512
90c5e0d4d9f1aa04af90ce04fa81f263badf95ad9a5ed6528f0de61cd9c2c3520cdc11fe676882ef35ee8e8c70b6c3e863faa2191344fdac75a80d32fe6d5dc4

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\18901_9999.vbs

Filesize
325B

MD5
f35955ad1baa1d58b3c54c4f7a269502

SHA1
c2229ac6842e8af04a1c20282935d19d1d36dfb9

SHA256
d2f62e7adf08826384233f87ac5e9cf9954fa4782fb793e2a4c7b30a383f140e

SHA512
79aedbe89bb53196d6e5a300a760e271c17f1da578a302450f81d7eba0914b3bac7e2f2b606a62746f3535d60f30d686b32b34cda1e8103c12d95416e8d52ab8

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\20413_14402.vbs

Filesize
252B

MD5
303c436891eafb3032bf76f1335b1da2

SHA1
623e58c819007a5686e5b3179f927d164df68b47

SHA256
b221b07599c1d371b9df7812393ff3de5084da4c91d47df097e60c57f015a6e1

SHA512
258b813d90e9b1c1c43ea3e84f08da7ae22f6728f39a9a27bb61927372e259f25136dac66d60beecb4da629c0e85c44105f4327f87935bc8e9a64f64b4e27730

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\24326_31848.vbs

Filesize
257B

MD5
19d65fd6d374f8182973388904b3e0c4

SHA1
1bbec4299fb6b4f6e65d9d36b164f98bf63724ab

SHA256
5051b0960eb73724b48efab5fe82f240e13bf7346aefbe57d05b6115d3bc996e

SHA512
c6bb3bdad62e9eb0a79e198887dc23816871c5b14fb175242a46ed2ac115f8934c366a0c3a828714065879b42e04155dc4fd3a7a4d83ffa2486642b6847d694f

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\25307_686.vbs

Filesize
250B

MD5
5de24ae5650f2658f3c4a20a9d09bded

SHA1
fd8113c317ccb5215867374c6b9dd82912095e11

SHA256
936428e4fb307c716e5711ca908935b9c3837293f081b85f08c19038e623340f

SHA512
94af5ac9fc4b15c597b5d23548ca3c35550f0559b0ae1d295f1d6b059f570cd9d19e27d7e576789e97a238da89008db5c7d6e3a928757e89c1de4c7a979a47c5

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\288_10226.vbs

Filesize
247B

MD5
ec831207cc7541b79b3d8b1cda0cd6be

SHA1
b0c510981f63d2e6f57d399c6f51609c8c4d78fa

SHA256
dd6bd582cfe8e81cb5ff092ff567d8ba0d6b0514658edeeac5748bc959376332

SHA512
c42673385ad1dae20bd2d9d441556e3968e1a3611ccccc429379042e41d85a056e743a8e60fc4bd2c166b699d7836b40b3bc4bdd955c4341a97a9235c54172cb

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\29045_19445.vbs

Filesize
253B

MD5
e6585c4e1984d350410f2b86785358a0

SHA1
63dfcbdae1bcd2e148be41bcd999645021b16e0d

SHA256
6f84ef56effd407d0e4a7b54b18ca967ca6cd54760ef5f7a61a47bdc45fa5143

SHA512
7fbc8ea07d9d1cb292e3753fc513660485cdd32c9e6b80a162b1d00f564458255fa94dec234ac90a5f9769f86e9943bca260a8285369d2335c03cfa39f20a6ec

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\30379_29523.vbs

Filesize
252B

MD5
f368037a62756523c2000a8d5a8744d6

SHA1
85272218edaad9af9e56b628d94792fc5a279381

SHA256
6df5e1e7f5539f3006b6ff2d357bbaf210c03f0851ad156c571673116ce40114

SHA512
0491ada9c4bb3ecd9ed32552e407764e00a1328f6c362bc34b826d1820ad94060153ab5177b88a905a0281e122ab82b103807777d23715c39b074816637ac987

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\5152_22556.vbs

Filesize
688B

MD5
1ca33b52eb86a86c9644a12226dc1da4

SHA1
e0daedba48e41021f4bd8015fcf1b1f6399e91c0

SHA256
acba61073b145798bba92f2e155cb76dbce85e4f20344aa3a335f24e5496f44f

SHA512
e868457508c7482edfce3d66c4f0d62dbe3e39b0e6c726f1e449ad6bc87a1f3b0c91423b5ad3b57bfbda0807a6c85881e5e6fb60fdaca18baa275c1b74f40b07

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\6018_20267.vbs

Filesize
691B

MD5
36238cca8919ca80f983e2d8fb44c262

SHA1
0fdfa104ab9de3e49a92fe824f4118f772d14ff6

SHA256
e623968c805efe912adaf8398c8c79e4ab0960f556d761a490b8a6710357dc59

SHA512
8ccd554094454dadbbfa7465ec4b1fec65fd0a20ac2bc3b8ca03d85e90ad47e4f754cf0d091191f96ed8d66ae314b9b9af209c99f92145a5ab3c526e68bccff9

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\7294_9166.vbs

Filesize
244B

MD5
d380b1c8ee65165bfc164d7fce4b640b

SHA1
c608c4858919feeafc524129903b546bdab76285

SHA256
84826a17daffd8d1d2113573cd29a9744fece5a30090f4c56487c4dad985c9ea

SHA512
e2f2749f55686a0f6c168814ce447b7a97a72f95195dd5438a132798dacb4548c8ad8e4ad0c6b4706fa10c10eec6b7e0e13da83a69b6e5e371340f2b746650fb

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\9724_11307.vbs

Filesize
257B

MD5
e85a07292b6aee167be4caaef86b1e2f

SHA1
d63cafcc0ecd763c67fde5606ed1a574e15083c3

SHA256
d873e44f8c5cb259672d36201e87d857f8379df4c967c342346d0207632ab145

SHA512
3d82dac0756576baecf6899fd692ef0ae6881f8de32bc90cf6df53472a801b2b7edba29e528a01da3a89f25e8d95faf6d546640844d9eb85fb111860120de325

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\Play.vbs

Filesize
260B

MD5
de43ba210d09d3344b40df41d4cabd41

SHA1
78ea4d9e4cbe7780a7881d638ae6621a26e33c93

SHA256
346a461d37612236ef68f177539c1b5b38cf9279e7e73cd1448a626c5840a5da

SHA512
251b20dec2b083455b05535463656adb5da60dd7cdd31e62f1ef631bd9149fd67241fdae2175e4ef93cb1529992c7e89dfd44eb2d78e7d87cfb4a7d238f95faa

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\VarResult.tmp

Filesize
8B

MD5
5d947b74dd010b57950701bde43de250

SHA1
68c79f1edd5f77624ad93eb2af0a1adce17c5cee

SHA256
afea7ccc76635c0fce9f8e50abe625f06b4ce8909815405c1dfb81d79c19db9a

SHA512
37f0cffff9f897b85c0e89b73ffa7eb57bc538e6e88e3eff570f0e287e5a069b4c5856ecda09bac0736c523b4521c6f5fbcd068f23913e185af3ba5d727021f0

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\AudioSequenceFolder\CUTTED_MONOXIDE.EXE_AUDIO.mp3

Filesize
3.2MB

MD5
492164d562ad6a88e05b681248b02db3

SHA1
acc737c06aaa5eff8025aaf86f7be13ca665e6b6

SHA256
35616e0ffa82159242f497cce09ae7db11e20dddcdbc234e556fe82f9947d291

SHA512
66d52c93d1a26f96b8190e34f6bef96930a39f1c81022a47ad8baff59b0ceb9fafa3d919ab70f508f08732ccd16af02b96e969d3491fde2edab74122d71d6a6f

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\BoungCircles.exe

Filesize
9KB

MD5
522fe53b1ee2049ed348f73aca1cc7ab

SHA1
8238d23f4007fb2f7e70d0e381eece7f84e9baa9

SHA256
0f0abe061841de8bd1990abb2ef43c4be94f3078ca116811f97f8d9eda84ffb8

SHA512
f76d0ee8eb9221ee084befe129fd6db6aed82f592303bb1927eae43960ddf7b42c9ab2f25cad843e8de17107105b9539427a62a872cddc252c32fe31bb50d403

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\DarkMove.exe

Filesize
9KB

MD5
7bd1b97e34466e1205dea28b30fa0c44

SHA1
ae578b105e13ec26493dca0eab0cad42f5c63460

SHA256
47fd161d40d628746d16936f9d71cf84bf6732b276a51482c9aa70cfd45fbaf4

SHA512
a017fa2d6fb03398345cc8a490103f2e5b974d14463d3d33c49a9848f4c271db0055f15f0587717b799862237a60042c4122962de2bab752f225cddd3a1964a6

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\FastTanWaves.exe

Filesize
10KB

MD5
5f07f349f86291456e7a33c87913af66

SHA1
d0de1f42bb4824852454c5ce16e6c856f44884a3

SHA256
b030e1bafe01f146b545bb179a348f5726e918c11746a2c3f376b00d8da1442a

SHA512
89d28f33767daf5b965a6626ea8826a014b6063808aa436646cd4d0c95f3f9a300502abdca59edae438e2f77346aff5d5058d3d58f18670ecc6250a10c27936d

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HcShader.exe

Filesize
10KB

MD5
597dd285a5b0492ed461a9e0eed13a6d

SHA1
17a443fe9c8ee2c70c2dba3f38e9760fe4dccba6

SHA256
32c929965f43cd06232b3f1f3b0730a6068aa8f2e6eb1978e16c9538fe8bbc57

SHA512
344494e18b6e54bae913bbb9d5ab157366f7090e3d2572cc8dc9a0e815cba215d51d57265e9b5ff066ed1658493f308890266dcb2dbf28743734052c6c67991c

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\HyperSineWaves.exe

Filesize
9KB

MD5
5b5db42241639829f2b1d81b4adbc88b

SHA1
4ff7ea3f0a148b96f055c53d779b930f34fe68f5

SHA256
eb11ee8b444cf0d8669e95b7e76ea5c71676832edd6be4e403fa09d71cd1a415

SHA512
3eb3deb8477e52c984ba015a1d469698f84d69f676e7361fb4ca728db61d716ac91be75c593faf7766fc44f3eef07cdd75478907203e83e90658237918d7c47b

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvMelter.exe

Filesize
9KB

MD5
3245a683663a354b8670f57abfe5ad0e

SHA1
c29659513d90ecb99971d364f4dbb6d4c70cdc7d

SHA256
049f68e036218b4e9917287af04abcbbf78c7bb4c361c75c61d27bb49f65f09b

SHA512
12520e64b613377763f3229ff1d60434998a2b31f25b8a63cb6b4f9995f54d50eafe407e5c7f2f1de9f482b0169d7b0ea7d22251a845afd8668c1a07ef19a98c

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InvertedGlitch.exe

Filesize
9KB

MD5
399463f6ffa6f6c230d22e4ebd8028eb

SHA1
22f25b95479fae5cc2a780b95cdb40e6914bc28e

SHA256
16fee758b4ad7213e6b86bde1c6e07b1a8003c18c0597f35e732ca8fe82a9d49

SHA512
fba2844c1d6b6a3e0ba076418bef30a981a6dbced693f025290521c0dcd2fafd2b926e042f03d7d74b2602ecdc8f161fe810e0b1460d6fcac835a1772ae2a578

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\InverterTrain.exe

Filesize
9KB

MD5
6d99d004a7adbfcf98b5c77e72a701ed

SHA1
f1b1ca8c1d72e4282cc230df1eeea0fde178a0b7

SHA256
a8203ed651633a21b3fb054121f2141c16becda30b34d805b8258209c601c64b

SHA512
c25cbbc2e20ef290bc70a64465a3f78fb4ef5db6a93a01990c3e4bc91be09c10cc510de853174834e5e6341f00c2d61fc6f5280f950a244f7f6f5308d2241a08

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\LowRgbShader.exe

Filesize
9KB

MD5
c2128ea0e88867372a86dbce2a7a1417

SHA1
bf0790062349cb82f5fb9dfcbf6f3ab3d749d478

SHA256
37b31546e59467dd425ce763a833f64d7094d35381562134122b8edca1a6299c

SHA512
0f0ba02ba738d6d7c2a5145885994efbdbc503383044276af9ae845753edc2fd6e8cfd343f635336f1923c279a28db693baccfccefffdb2189d5be98120b5fea

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\MouseCursorsDrawer.exe

Filesize
9KB

MD5
908aca718efe2cfb4a52e392b75b0bb9

SHA1
482bdbe26707fff60def2935c1428522838bbef6

SHA256
69f780e20019feca2baaf6c3750c978004e1992da29bbec14ecba66337b5d129

SHA512
4b26ccecc1b9ac34ebb44e8f411ca9042c179b4ee9311d54639099c725e82177584a832472378e9c45e4cd54e4e5d345357df67b28bc7c5147dfb836a713e707

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\NoColorRectangles.exe

Filesize
9KB

MD5
50dce653fe94a2f3c37d63faa31cf75b

SHA1
e6a7e45520cc8fbd16b9dc3e2f5657ea131af8c6

SHA256
06f68e008bc78cfea7209a1349b0e5d801a2f1b9b46b03c7078d2439daca9b35

SHA512
9481087d2c130bc2593e02d4a4286342f124abfeb7bfaf5c9607c1ec69cd34181c90e170e7237aa1b6b33f91fa0c9b2de22ef1c21384a0bf7662f068a1da47ce

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\PatBlt.exe

Filesize
9KB

MD5
c545ab5e08df0b5417d3f824c9f86e73

SHA1
b28618334ba3b0e48020e7a98affa23defc6db74

SHA256
f38ff2cc77eacac05476af2f70b4c052b9e013657ae251d6c1ffc69fcec1b198

SHA512
622a615a1a57363f923ff574b73362b9a4f1f6514c22e7501d776ca45d7724f464aa79990283bf58d5a23d580425673a0f34cf67c51adc8a5d6b08afaef37a53

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\GdiEffectLib\RgbQuadShader.exe

Filesize
9KB

MD5
87870f507c258b0a9f3f284aded6ed3d

SHA1
f1a72ae6a0870f62b1e38352370b46c5653d5010

SHA256
c5d48084401c5515eb8170efad89a0a5b4977593b22bf42011d9fbc34dffa15d

SHA512
2533623bd00196c1f6e11fb4d49ff4f8c9cfa18441a2a50caacbe4159b6fcb6d75873cd5ecc0fa8035a7e4344c0b6b9aceb5b3f8461bb8e466404f96b1e07149

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\HideConsoleWindow.exe

Filesize
9KB

MD5
0b1f0308646646579219853252468199

SHA1
2a6df63625f08d7099f4303d182cd17019ad2490

SHA256
99366514d571b050a1bb7112dceddd19f7db26f6baaa60fbdd988705c5beb1e6

SHA512
1a8dcf8970cdf05752a2a9ae7440d5071d0c3616648204aabce27d9f4cac980293f2d00e792ed9e6fadc77b50781e8e4d5cff714a6c4b3a51bfed7d6b210ab76

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\Ug.vbs

Filesize
244B

MD5
7a2a972564ee16d44d759bfee31d8646

SHA1
74b89af3e945aba5b91930b09812fd9ac2e3c87f

SHA256
73e85bad6909a5d58edaed46c36ce9a4638aeba34d498e55510cd75f6fc41201

SHA512
331b9efebc20ace3923fec10946dc6cd0a3faa3fa5d469116f5aa393a39181123c0efe3629e9f8f65298ca4ac820805d7c08d580b4094e93e7fd57e8b2dd7644

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\UpdateGDI.exe

Filesize
9KB

MD5
3b03ba574eb56f111697e31ecc856d5f

SHA1
2735769011732f1bf5602848d55e5ab714a9fba6

SHA256
4fc2db131b14909451ccbeaf00f34209a75a48e4a6f59461d0ce724966d12619

SHA512
28649b8c5e59700ce39633f0c43cbe89654554e6916d5aeee385b806668e7438b53f1e920d073ce42a3424ac70496f7e2aa4a9dbbeebc963724f4262ecd9e2ad

Download Submit
C:\Users\Admin\Desktop\TEMP_FOLDER\ZScriptAPI\ZScript Procesor.cmd

Filesize
18KB

MD5
6e6a83fad56fe2e5a7c69241706f2fb6

SHA1
87afda766e0af5576632b970ee75ecad579f2c54

SHA256
e194b1ccaa5d27bafdac64f838f8dd2c6610f9c0998880a2d98e18f99c1d7cf7

SHA512
432d95c5efb517fa8b9c9182de42a2213a098baa14cf0646ccb2b8fa359e180210ffddf809ca50bf2cedac711378f96fe5ca7756d2043a382345cd235714712d

Download Submit
memory/2972-419-0x00000293EB310000-0x00000293EB332000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads