hxxps://github[.]com/Covide0/Disord-tool

Analysis

max time kernel
121s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Covide0/Disord-tool

Score

9^/10

spyware stealer upx

Malware Config

Signatures

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/4576-277-0x0000000000540000-0x00000000009E8000-memory.dmp	WebBrowserPassView
behavioral1/files/0x00070000000234d0-286.dat	WebBrowserPassView
behavioral1/memory/4156-293-0x00000000007A0000-0x0000000000C1A000-memory.dmp	WebBrowserPassView
behavioral1/memory/4600-342-0x0000000000CB0000-0x0000000001158000-memory.dmp	WebBrowserPassView
behavioral1/files/0x00070000000234d8-358.dat	WebBrowserPassView

Nirsoft 10 IoCs

resource	yara_rule
behavioral1/memory/4576-277-0x0000000000540000-0x00000000009E8000-memory.dmp	Nirsoft
behavioral1/files/0x00070000000234d0-286.dat	Nirsoft
behavioral1/memory/4156-293-0x00000000007A0000-0x0000000000C1A000-memory.dmp	Nirsoft
behavioral1/memory/4600-342-0x0000000000CB0000-0x0000000001158000-memory.dmp	Nirsoft
behavioral1/files/0x00070000000234d3-348.dat	Nirsoft
behavioral1/files/0x00070000000234d8-358.dat	Nirsoft
behavioral1/memory/6080-383-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1624-391-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/files/0x00070000000234d5-393.dat	Nirsoft
behavioral1/files/0x00070000000234d7-413.dat	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	RtkBtManServ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
4156	RtkBtManServ.exe
3216	bfsvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234d4-381.dat	upx
behavioral1/files/0x00070000000234d6-385.dat	upx
behavioral1/memory/1624-386-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/6080-383-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/1624-391-0x0000000000400000-0x000000000041B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
107	discord.com
108	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
105	ipecho.net
106	ipecho.net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	RtkBtManServ.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5496	msedge.exe
5496	msedge.exe
3424	msedge.exe
3424	msedge.exe
916	identity_helper.exe
916	identity_helper.exe
4572	msedge.exe
4572	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	RtkBtManServ.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe
3424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 5308	3424	msedge.exe	84
PID 3424 wrote to memory of 5308	3424	msedge.exe	84
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5312	3424	msedge.exe	85
PID 3424 wrote to memory of 5496	3424	msedge.exe	86
PID 3424 wrote to memory of 5496	3424	msedge.exe	86
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87
PID 3424 wrote to memory of 1900	3424	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Covide0/Disord-tool
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa819846f8,0x7ffa81984708,0x7ffa81984718
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5668156943788362302,17032136897310614742,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4668 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe"
1⤵
PID:4576
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" 3DdHBGXJtZaBFfP8HsYgGdL3DLw4WBuf00yKjIbZKNdN8Wce9zeX112QfGYxZraz/aEhqClIyWqnT5Ipj/x5jb7xBVctMJi5w/RM0zyrfZSYeeKkmwpTl77eCFgl0Bon9mFKgtOPwVWHUWYst/I7vcroxy3sDz6hk0z30TkkIMg=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
        
        C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
        5⤵
        Executes dropped EXE
        
        PID:3216
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    - Checks computer location settings
    PID:5552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
        5⤵
        
        PID:4040
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:972
    - - C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
        5⤵
        
        PID:6080
    - - C:\Users\Admin\AppData\Local\Temp\splwow64.exe
        
        C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
        5⤵
        
        PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\hh.exe
        
        C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
        5⤵
        
        PID:6064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
    3⤵
    PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c compile.bat
      4⤵
      PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\xwizard.exe
        
        C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
        5⤵
        
        PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
    3⤵
    PID:1032
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4648

C:\Users\Admin\AppData\Local\Temp\Temp1_disord tool.zip\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_disord tool.zip\Setup.exe"
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" 3DdHBGXJtZaBFfP8HsYgGdL3DLw4WBuf00yKjIbZKNdN8Wce9zeX112QfGYxZraz/aEhqClIyWqnT5Ipj/x5jb7xBVctMJi5w/RM0zyrfZSYeeKkmwpTl77eCFgl0Bon9mFKgtOPwVWHUWYst/I7vcroxy3sDz6hk0z30TkkIMg=
  2⤵
  PID:2804

C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe"
1⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Setup.exe"
1⤵
PID:3828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Disord-tool-main.zip\Disord-tool-main\Scraped\roles.txt
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RtkBtManServ.exe.log

Filesize
2KB

MD5
274019c1242741f6e61dfaf8db5d2057

SHA1
2ceb96a24b4f127add892f6f6869dc78d151bd44

SHA256
476b44685b557d3ede093d108278beeeae274328e2de97d19d26afa18858fd40

SHA512
2a06e223cc2ea66417d332647ab74b90aa927ff93651ea4a6a12847e57b7e823db69e4f9560e31312bd314eb8f6f5a9d3862a29f973fff9e745d495a2ada5c4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\459cae26-aa1a-4ed7-a3f1-7c877652b527.tmp

Filesize
1KB

MD5
fb0350e3f326de7609aab0088e890ea7

SHA1
ca2060f0d981b9dd765685cdcf4b048d8dcc691a

SHA256
dbae44727f64c321ba18e68e9397abf31f849e3ac05b0699e9df41c2bf9dccea

SHA512
a24afb2175e61069b92c426581313addd4bf4fb2f3c420f03c20df9c92426e96683b1907049432018f3a2c230246e2a001515b0cae1e7868ad20bae01d2ce85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd15318816d63ffc57b438fc90dfe44b

SHA1
856719353d64e9572b3900e833e98be361f68b49

SHA256
1379b948c452adbb6971e25cbde9c3afdeb8a9a44bd56ec245887a5cdcf976f9

SHA512
049b2c7be2227c18918632346a281f5b236eb78a12fd8643266213cb1ed75896f156896944df4c86e306827ce96b920832073a2fa1d88d0e563473735561c160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
22a8e72c614f5401cd8a637b26e6acad

SHA1
5ede7e1e48a4b2d67b74c66a91c84b51958f20ed

SHA256
e946ba5c46569ef527c6e6ac784c7c6e0743d0dbceff61561e646aa58d24bb93

SHA512
4276268160856785bb70427b8d7093c15c999378c36475507b0ff9b2025e27272b49ccf016153917b6f40a11079dd756c0539e0036fa355d0b3abc6205d7e289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
b71451c576c516f59c7bbd4fdb906c30

SHA1
84aa8a48a30043ea9f44d5e4ff1b37e4860dc055

SHA256
9917069cfb1f2823d27a424801eb5b7cdd3645f95d2d3e20572d55573c4f234a

SHA512
cad1abc1ff27c9ec32d6aa3983d2b30e826df3f48b87f30eb2b7e1c1672c460f4b7256aae47e464f0365657cc762a9a696cc970bd04b07e51f62a8d6fade809b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
82eed7f6ef92c6ef0f8e81dbb28b7dfe

SHA1
053e648ac8b91789cfab64112250d3ee6023d7ce

SHA256
0e6641cb544fccbd802fdbdb5d7c9d0ffb4c7f73c6f89ef2f05738e4f10b9f3a

SHA512
0e479ac82709b089aa78f29b9622e51b71f3f1d6b220bf1ad7144722a4cc47e5d428830e47b7fed74d8907f7b39828886133b17d1ac530d9668340a14cf0d69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3b2cb11e146b8f6f4d6a99897973f5a

SHA1
ab5b4760266ce9139935c0dd6c93573cb2dc5354

SHA256
1767dd26abf8334c0576df8c1544bb3c1f5c27cbd72569e0cd6e4894fb76d195

SHA512
521417000ac035d0dae89526e73d068b740bd0ebd3652bf75247adf4339fb718f3709b5de7305e771e96474587e9db30c7f6499a6cd74c38f7c502aa91e9834a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0aae91e800ddae2b9825b6ce41f0db30

SHA1
d2f1553108ed299d2f032b1231bc19303263e69d

SHA256
c06cbe174173fc33b2080db8dcb9b11fdf2f300a43bd634e1f1b636254ac1be5

SHA512
016d2f8b48a0516042a7cd9938533058b368b842399cd6b0e3f51b4c62750c831e287dd910b18d068b0bd7b65c810476b5b6e2efb693eee8241ba2d98a4213e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7857ee4c22ec6ff405e4f76e95fd1b0d

SHA1
c755cb610d76bbef0b2f2960a3a10c5f27132093

SHA256
4d2bbe62dbcb4d265538e599a80c4ef33629120bc28309dc7e6e4900c6d195b7

SHA512
0c6059d3e81faae18eeee01d628eb998995be5fdfa71b098816e9dde8c33291804d7b49dbec92ca97563dccc1206f818b4444b2ecfe88d281196663aa4a65798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
09f2ac086609ad5759f3736da4ea65c8

SHA1
343a7a41a4d7c758b128be7847c87cdcd115b641

SHA256
d696d8e6f6302d2e87d8d5fd62c7e424b2316228de8c376f395ec9fa6e78adb1

SHA512
b20422ab790b81a298a3da98289b58abe53faa7f53cea8a5e241099c344c5766e5dc08e6fca5a365664fa924f69902484110bdab0b925ae1450851fa2af216e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5844f3.TMP

Filesize
874B

MD5
b63e5ad4d1bc1659432ed2ed7f044911

SHA1
7bf0e9b4aecab493ade06e06e3abc9717e85805b

SHA256
967202c43642d903c807866c1eafbef2556a120764cfe1f1e2c533c826fa0346

SHA512
c54499cb57a2471c7599c2d31ecdb8b54c563b4dc684875da51b9b8aac666534c1dfec8b0f0e76e42f4902e8bb56aa7ba13a443d52bd9ef75f3efade717f03fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a6a10b1fd5e42e2969ffd8dfa827df7

SHA1
4aa1e1d27aec41e46027ff033e8cf8bb78b24276

SHA256
fe715bb15fdb0df2884b208b18c91a79184c6c1d972e30c84111ffcd62b331ed

SHA512
8eddb62d46efbc55cca6bec228624a8e4963e80d1ae2b12a88bfdf5678d37d9de4db31a0bb24173c874d7199142089b5cb587c9d56017074f290252b0c8523a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
093284d1661465bf2b0a89da60ff9e69

SHA1
a4cffbf2b488f66595e8b89a40383ac8b2f171bd

SHA256
23987fc37d8013bfc1811a43bc0ccc6b6c3b98f98a35f26952e18c1eb20410d1

SHA512
f303cb69fc650e66b07d4ab0b6d4037d9701c96e127dd91070f3c16a10b3e19e969c5fe289c469adc4b2481328e7f06fdf26813b13a3fc1640802e1ae6984d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_History.txt

Filesize
6KB

MD5
702b9f4db578da8e685858292c0d5b21

SHA1
e54e594d433ddffb55777afe0549e05f00edf164

SHA256
583abf6fbb142326eb0d7fd666dbdc292fe5aeb53ae49ce499e2ed514bf2f8f0

SHA512
f712c0859e6a20b8d954b4732e92c0e205fb3b41856632227469782ade4a6a8b82bd7914e3b3272dc7e62a7994a14ad5d3763de648306567c0e78cc927e306c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

Filesize
4KB

MD5
25a7e8d624c2bfdb2facdc50a1d9b965

SHA1
bbf90e7e78dcba692d6a35716d72cd1affc8cf9c

SHA256
880d0a92fcd2d68631b413e0cc98d71fc68337abb19f59901c075e058c694b47

SHA512
35e57b1fd68fd64c325d179323c3383c39cb00e37b42480c0962517eb8ffdffd5d3a95b77122161f651e45ab2fee4a8e5c3f604bd80351a2680f087ea2b9517f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies1

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies3

Filesize
20KB

MD5
017936a6a3a5fdf897d9659c0aecf440

SHA1
9c24e93987a508348937497cec2eebb848f43fd2

SHA256
0e26a8c987d6ea655e4b55c02de318019d5a47c5ffad7865a124b1a78e835717

SHA512
131cbc3ea40a45537b5c49d57ff372a1d7c0221857340fae47880df86dabd09b1956492b61027c62bb230c85f4a896d77f8fae8f2c259eec60066fbfa74b71a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
4.4MB

MD5
3405f654559010ca2ae38d786389f0f1

SHA1
8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

SHA256
bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

SHA512
cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

Filesize
420B

MD5
51c9e864182413f35b76d42d435df261

SHA1
dc5ec227ab38093927a119b4d646c3811c3553cd

SHA256
e6c5c674268a865db840afd3764cd498bdfd8fe677c5193d662abbe64d68975b

SHA512
b36e683b6487bfbf4e512214343128e57a52eb71356345caba70a98dc5b0bad764da842d08443d3b47bd3dddbe24af146c561ae480038c95f124a51565e3fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
71KB

MD5
899d3ed011eb58459b8a4fc2b81f0924

SHA1
80361f1e0b93143ec1ddfee156760f5938c85791

SHA256
5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

SHA512
802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhv4378.tmp

Filesize
14.0MB

MD5
0b58d7d5c61a3b0f182f202e15db6350

SHA1
b52e46ad92278bbd042ba84208432815cdc3b923

SHA256
37ec0ea7b48bbb3b3fd4afcc416598eb390d89e17152ffa35a60afcd4fb76418

SHA512
4cec54813b4bb609a3c9fe718a786604ccc201c79b086f10a1cabbf3999b522b0569adcced2c29fd66aef1ab0be1a9d0fce9ca5ebf382138e422dc5bb77e9c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
70B

MD5
d90accebb3f79fe65cd938425c07b0ae

SHA1
9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

SHA256
aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

SHA512
44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
74B

MD5
808099bfbd62ec04f0ed44959bbc6160

SHA1
f4b6853d958c2c4416f6e4a5be8a11d86f64c023

SHA256
f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

SHA512
e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
71B

MD5
91128da441ad667b8c54ebeadeca7525

SHA1
24b5c77fb68db64cba27c338e4373a455111a8cc

SHA256
50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

SHA512
bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.bat

Filesize
156B

MD5
eb51755b637423154d1341c6ee505f50

SHA1
d71d27e283b26e75e58c0d02f91d91a2e914c959

SHA256
db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

SHA512
e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\compile.vbs

Filesize
265B

MD5
ca906422a558f4bc9e471709f62ec1a9

SHA1
e3da070007fdeae52779964df6f71fcb697ffb06

SHA256
abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

SHA512
661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
106B

MD5
74aa06530b7e38626a9f0f68cbf3c627

SHA1
2aa33dc8b29fe9b5f7a890bf926a80da4c8f099f

SHA256
3c25abc197d8864ded7d967b3d52df30da4f8602c86f2bbddbc27927e88919e2

SHA512
ec20859322fe256edf6aaa99618ef0a5305399c9bc4590c08155eeb503ac9cb9680a347dd457b3bf32256f4261e1dabf2a3b2e3a68b278cf7108fa19d4758b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hh.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

Filesize
391KB

MD5
053778713819beab3df309df472787cd

SHA1
99c7b5827df89b4fafc2b565abed97c58a3c65b8

SHA256
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

SHA512
35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\splwow64.exe

Filesize
49KB

MD5
0d8360781e488e250587a17fbefa646c

SHA1
29bc9b438efd70defa8fc45a6f8ee524143f6d04

SHA256
ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

SHA512
940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whysosad

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

Filesize
184KB

MD5
a776e68f497c996788b406a3dc5089eb

SHA1
45bf5e512752389fe71f20b64aa344f6ca0cad50

SHA256
071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

SHA512
02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

Filesize
1KB

MD5
ae8eed5a6b1470aec0e7fece8b0669ef

SHA1
ca0e896f90c38f3a8bc679ea14c808726d8ef730

SHA256
3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

SHA512
e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwizard.exe

Filesize
544KB

MD5
df991217f1cfadd9acfa56f878da5ee7

SHA1
0b03b34cfb2985a840db279778ca828e69813116

SHA256
deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

SHA512
175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 298793.crdownload

Filesize
8.0MB

MD5
163d049be62ec330d58de345c469f5b7

SHA1
017bc41af63de2cdb0a48afb294a0f63d0934ace

SHA256
1e94a23418e1d58dc56995b6006e182148c0e254a97ad02c8ca09547f7ed0a08

SHA512
2ee38c0f93041ddb07e05cba68d4dca69f7432ecf10e1f44be1ed2c2ecca11bbf597c7e4502d5b35b5def609ec6556aebe1c95e9c89602853128798d6f04d1dd

Download Submit
memory/1624-386-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1624-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2804-513-0x0000000005B10000-0x0000000005BB2000-memory.dmp

Filesize
648KB

Download
memory/4156-331-0x0000000008180000-0x0000000008188000-memory.dmp

Filesize
32KB

Download
memory/4156-325-0x00000000058F0000-0x00000000058FC000-memory.dmp

Filesize
48KB

Download
memory/4156-336-0x00000000089B0000-0x00000000089CE000-memory.dmp

Filesize
120KB

Download
memory/4156-332-0x00000000087D0000-0x0000000008862000-memory.dmp

Filesize
584KB

Download
memory/4156-293-0x00000000007A0000-0x0000000000C1A000-memory.dmp

Filesize
4.5MB

Download
memory/4156-330-0x0000000004ED0000-0x0000000004F72000-memory.dmp

Filesize
648KB

Download
memory/4156-328-0x0000000005970000-0x00000000059AC000-memory.dmp

Filesize
240KB

Download
memory/4156-329-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/4156-327-0x0000000005940000-0x0000000005970000-memory.dmp

Filesize
192KB

Download
memory/4156-294-0x0000000005460000-0x0000000005510000-memory.dmp

Filesize
704KB

Download
memory/4156-326-0x0000000005920000-0x000000000593A000-memory.dmp

Filesize
104KB

Download
memory/4156-324-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/4156-295-0x0000000005610000-0x0000000005686000-memory.dmp

Filesize
472KB

Download
memory/4576-279-0x0000000005C20000-0x0000000005C86000-memory.dmp

Filesize
408KB

Download
memory/4576-278-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/4576-277-0x0000000000540000-0x00000000009E8000-memory.dmp

Filesize
4.7MB

Download
memory/4600-342-0x0000000000CB0000-0x0000000001158000-memory.dmp

Filesize
4.7MB

Download
memory/6080-383-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download