23024599997328f534b22e832933e2ede80288ea3db80a26d1179ce0dd7dabfd

Analysis

max time kernel
141s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 03:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
Size

803KB
MD5

5ed9ef12f02de09c4af1add838b39492
SHA1

5fd12a66ff254bacfdd86b448a716e8deffd81cb
SHA256

23024599997328f534b22e832933e2ede80288ea3db80a26d1179ce0dd7dabfd
SHA512

9325d4b088cae2774f7932e68cacb351235bc2058fa49884fd9117113d206ce25d653ae8b0d79507125d301c1cb2e41bd5dc972d5a5d1ea78c298239857e638b
SSDEEP

24576:rtsilRE16+8vAFDMNnWAfBRFbQ5LO/zz2EmWhrx12xB4xxQxG4xfnxKc2LvDDPW3:psiTE16+ohD9QVOrz2Hmrx12xB4xxQx3

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

pid	Process
304	runsvc.exe
2532	runsvc.exe
2192	runsvc.exe
1268	runsvc.exe
1996	runsvc.exe
2808	runsvc.exe
2820	runsvc.exe
1488	runsvc.exe
2300	runsvc.exe
2596	runsvc.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine	runsvc.exe

Loads dropped DLL 20 IoCs

pid	Process
2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
304	runsvc.exe
304	runsvc.exe
2532	runsvc.exe
2532	runsvc.exe
2192	runsvc.exe
2192	runsvc.exe
1268	runsvc.exe
1268	runsvc.exe
1996	runsvc.exe
1996	runsvc.exe
2808	runsvc.exe
2808	runsvc.exe
2820	runsvc.exe
2820	runsvc.exe
1488	runsvc.exe
1488	runsvc.exe
2300	runsvc.exe
2300	runsvc.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File created	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe
File opened for modification	C:\Windows\SysWOW64\runsvc.exe	runsvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
304	runsvc.exe
2532	runsvc.exe
2192	runsvc.exe
1268	runsvc.exe
1996	runsvc.exe
2808	runsvc.exe
2820	runsvc.exe
1488	runsvc.exe
2300	runsvc.exe
2596	runsvc.exe

Runs .reg file with regedit 10 IoCs

pid	Process
532	regedit.exe
1276	regedit.exe
2612	regedit.exe
2692	regedit.exe
2084	regedit.exe
2964	regedit.exe
2696	regedit.exe
2384	regedit.exe
620	regedit.exe
2588	regedit.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
304	runsvc.exe
2532	runsvc.exe
2192	runsvc.exe
1268	runsvc.exe
1996	runsvc.exe
2808	runsvc.exe
2820	runsvc.exe
1488	runsvc.exe
2300	runsvc.exe
2596	runsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2672	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	31
PID 2628 wrote to memory of 2672	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	31
PID 2628 wrote to memory of 2672	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	31
PID 2628 wrote to memory of 2672	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	31
PID 2672 wrote to memory of 532	2672	cmd.exe	32
PID 2672 wrote to memory of 532	2672	cmd.exe	32
PID 2672 wrote to memory of 532	2672	cmd.exe	32
PID 2672 wrote to memory of 532	2672	cmd.exe	32
PID 2628 wrote to memory of 304	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	33
PID 2628 wrote to memory of 304	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	33
PID 2628 wrote to memory of 304	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	33
PID 2628 wrote to memory of 304	2628	5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe	33
PID 304 wrote to memory of 2532	304	runsvc.exe	34
PID 304 wrote to memory of 2532	304	runsvc.exe	34
PID 304 wrote to memory of 2532	304	runsvc.exe	34
PID 304 wrote to memory of 2532	304	runsvc.exe	34
PID 2532 wrote to memory of 648	2532	runsvc.exe	35
PID 2532 wrote to memory of 648	2532	runsvc.exe	35
PID 2532 wrote to memory of 648	2532	runsvc.exe	35
PID 2532 wrote to memory of 648	2532	runsvc.exe	35
PID 648 wrote to memory of 1276	648	cmd.exe	36
PID 648 wrote to memory of 1276	648	cmd.exe	36
PID 648 wrote to memory of 1276	648	cmd.exe	36
PID 648 wrote to memory of 1276	648	cmd.exe	36
PID 2532 wrote to memory of 2192	2532	runsvc.exe	37
PID 2532 wrote to memory of 2192	2532	runsvc.exe	37
PID 2532 wrote to memory of 2192	2532	runsvc.exe	37
PID 2532 wrote to memory of 2192	2532	runsvc.exe	37
PID 2192 wrote to memory of 3016	2192	runsvc.exe	38
PID 2192 wrote to memory of 3016	2192	runsvc.exe	38
PID 2192 wrote to memory of 3016	2192	runsvc.exe	38
PID 2192 wrote to memory of 3016	2192	runsvc.exe	38
PID 3016 wrote to memory of 2964	3016	cmd.exe	39
PID 3016 wrote to memory of 2964	3016	cmd.exe	39
PID 3016 wrote to memory of 2964	3016	cmd.exe	39
PID 3016 wrote to memory of 2964	3016	cmd.exe	39
PID 2192 wrote to memory of 1268	2192	runsvc.exe	40
PID 2192 wrote to memory of 1268	2192	runsvc.exe	40
PID 2192 wrote to memory of 1268	2192	runsvc.exe	40
PID 2192 wrote to memory of 1268	2192	runsvc.exe	40
PID 1268 wrote to memory of 1856	1268	runsvc.exe	41
PID 1268 wrote to memory of 1856	1268	runsvc.exe	41
PID 1268 wrote to memory of 1856	1268	runsvc.exe	41
PID 1268 wrote to memory of 1856	1268	runsvc.exe	41
PID 1856 wrote to memory of 2696	1856	cmd.exe	42
PID 1856 wrote to memory of 2696	1856	cmd.exe	42
PID 1856 wrote to memory of 2696	1856	cmd.exe	42
PID 1856 wrote to memory of 2696	1856	cmd.exe	42
PID 1268 wrote to memory of 1996	1268	runsvc.exe	43
PID 1268 wrote to memory of 1996	1268	runsvc.exe	43
PID 1268 wrote to memory of 1996	1268	runsvc.exe	43
PID 1268 wrote to memory of 1996	1268	runsvc.exe	43
PID 1996 wrote to memory of 1776	1996	runsvc.exe	44
PID 1996 wrote to memory of 1776	1996	runsvc.exe	44
PID 1996 wrote to memory of 1776	1996	runsvc.exe	44
PID 1996 wrote to memory of 1776	1996	runsvc.exe	44
PID 1776 wrote to memory of 2384	1776	cmd.exe	45
PID 1776 wrote to memory of 2384	1776	cmd.exe	45
PID 1776 wrote to memory of 2384	1776	cmd.exe	45
PID 1776 wrote to memory of 2384	1776	cmd.exe	45
PID 1996 wrote to memory of 2808	1996	runsvc.exe	46
PID 1996 wrote to memory of 2808	1996	runsvc.exe	46
PID 1996 wrote to memory of 2808	1996	runsvc.exe	46
PID 1996 wrote to memory of 2808	1996	runsvc.exe	46

C:\Users\Admin\AppData\Local\Temp\5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:532
- C:\Windows\SysWOW64\runsvc.exe
  C:\Windows\system32\runsvc.exe 736 "C:\Users\Admin\AppData\Local\Temp\5ed9ef12f02de09c4af1add838b39492_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\runsvc.exe
    C:\Windows\system32\runsvc.exe 748 "C:\Windows\SysWOW64\runsvc.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1276
  - - C:\Windows\SysWOW64\runsvc.exe
      C:\Windows\system32\runsvc.exe 752 "C:\Windows\SysWOW64\runsvc.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2964
    - - C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 744 "C:\Windows\SysWOW64\runsvc.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2696
      - C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 768 "C:\Windows\SysWOW64\runsvc.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2384
        
        C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 760 "C:\Windows\SysWOW64\runsvc.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:620
        
        C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 764 "C:\Windows\SysWOW64\runsvc.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2588
        
        C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 772 "C:\Windows\SysWOW64\runsvc.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        
        PID:648
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2612
        
        C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 776 "C:\Windows\SysWOW64\runsvc.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2692
        
        C:\Windows\SysWOW64\runsvc.exe
        
        C:\Windows\system32\runsvc.exe 780 "C:\Windows\SysWOW64\runsvc.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
274B

MD5
eee5718ce97d259fd8acec31375fc375

SHA1
989c64b0c9a049f1b7ad9e677c4566ab1559744f

SHA256
1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb

SHA512
6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
925B

MD5
0d1e5715cf04d212bcd7c9dea5f7ab72

SHA1
a8add44bf542e4d22260a13de6a35704fb7f3bfb

SHA256
5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473

SHA512
89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
748bce4dacebbbd388af154a1df22078

SHA1
0eeeb108678f819cd437d53b927feedf36aabc64

SHA256
1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

SHA512
d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
683B

MD5
6fe56f6715b4c328bc5b2b35cb51c7e1

SHA1
8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3

SHA256
0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be

SHA512
8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f1cbbc2ce0d93c45a92edcc86780e9f0

SHA1
d893306caae2584cdeba4c80c3bfe18548fa227a

SHA256
6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

SHA512
b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
849B

MD5
558ce6da965ba1758d112b22e15aa5a2

SHA1
a365542609e4d1dc46be62928b08612fcabe2ede

SHA256
c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

SHA512
37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
bf7ee07851e04b2a0dbe554db62dc3aa

SHA1
cad155b66053cd7ce2b969a0eb20a8f4812b1f46

SHA256
13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9

SHA512
9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
6b0182442d6e09100c34904ae6d8ee0c

SHA1
6255e65587505629521ea048a4e40cc48b512f2c

SHA256
cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4

SHA512
64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
449B

MD5
c6b0028a6f5508ef564d624eda0e72bc

SHA1
18901c9856a9af672c2e27383c15d2da41f27b6b

SHA256
b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06

SHA512
5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a920eceddece6cf7f3487fd8e919af34

SHA1
a6dee2d31d4cbd1b18f5d3bc971521411a699889

SHA256
ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6

SHA512
a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a57e37dfb6f88b2d04424936ed0b4afb

SHA1
35e2f81486b8420b88b7693ad3e92f846367cb12

SHA256
411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d

SHA512
41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
8a84d46ef81c793a90a80bc806cffdcf

SHA1
02fac9db9330040ffc613a325686ddca2678a7c5

SHA256
201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4

SHA512
b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
e2d37af73d5fe4a504db3f8c0d560e3d

SHA1
88c6bf5b485dd9c79283ccb5d2546ffbb95e563d

SHA256
e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008

SHA512
8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2b307765b7465ef5e4935f0ed7307c01

SHA1
c46a1947f8b2785114891f7905f663d9ae517f1b

SHA256
a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85

SHA512
fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
e6d8af5aed642209c88269bf56af50ae

SHA1
633d40da997074dc0ed10938ebc49a3aeb3a7fc8

SHA256
550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

SHA512
6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5855edf3afa67e11de78af0389880d18

SHA1
c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f

SHA256
c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa

SHA512
5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f82bc8865c1f6bf7125563479421f95c

SHA1
65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

SHA256
f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

SHA512
00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8c6aa92ac8ffdfb7a0fb3dafd14d65f1

SHA1
cac3992d696a99a5dec2ab1c824c816117414b16

SHA256
dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

SHA512
f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5da7efcc8d0fcdf2bad7890c3f8a27ca

SHA1
681788d5a3044eee8426d431bd786375cd32bf13

SHA256
7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

SHA512
6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8a36f3bf3750851d8732b132fa330bb4

SHA1
1cb36be31f3d7d9439aac14af3d7a27f05a980eb

SHA256
5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9

SHA512
a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
61ec72543aaac5c7b336d2b22f919c07

SHA1
5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

SHA256
088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

SHA512
e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f8a9a1aa9bab7821d25ae628e6d04f68

SHA1
c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a

SHA256
76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb

SHA512
0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
fa83299c5a0d8714939977af6bdafa92

SHA1
46a4abab9b803a7361ab89d0ca000a367550e23c

SHA256
f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

SHA512
85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5575ef034e791d4d3b09da6c0c4ee764

SHA1
50a0851ddf4b0c4014ad91f976e953baffe30951

SHA256
9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

SHA512
ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b9dc88ed785d13aaeae9626d7a26a6a0

SHA1
ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e

SHA256
9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc

SHA512
df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
0a839c0e3eb1ed25e6211159e43f4df1

SHA1
a227a9322f58b8f40b2f6f326dca58145f599587

SHA256
717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

SHA512
bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f5fa5178657d29a36c5dc4ac9445cbdc

SHA1
4be1a87a89715d24d52b23c59006f9cb74437ba0

SHA256
f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114

SHA512
54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
c8441ec8a2edf9b2f4f631fe930ea4d9

SHA1
2855ee21116b427d280fcaa2471c9bd3d2957f6f

SHA256
dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184

SHA512
b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
558e454bc2d99d7949719cf24f540dd2

SHA1
e9c772bcee4ae780cdc28b0b4876385639e59b39

SHA256
677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a

SHA512
5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
1c6131354c6987300ea512b765475b82

SHA1
2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53

SHA256
3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640

SHA512
b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ad9e5e67282bb74482c05e3bf2eb188b

SHA1
10b02442ea4b1151a2334645c3e290a82ecfad1f

SHA256
7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f

SHA512
b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ffbb389d817acf25cc38799c239d512c

SHA1
8b4854ed9e257c3da9ec11d0f145805c6ae6193f

SHA256
f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39

SHA512
382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
8d6eb64e58d3f14686110fcaf1363269

SHA1
d85c0b208716b400894ba4cb569a5af4aa178a2f

SHA256
c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5

SHA512
5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
0bccb0cc2d0641cd0ac7ce17afe64b9f

SHA1
103f5bc2b153913e8a614a7abb43941fe90862a4

SHA256
cae50ec401dae988f1221cead7de58cf4301040fd9fbb8d1c4ad032034ee1842

SHA512
cce4edc7c607ca3969fb19f93a836d87170e2c50fcf136acb3bcb5500b99b1ae73a999b7d648a3643f58cf960b071b24215e1c59f874ca38a50cf1ef90b06389

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
117efa689c5631c1a1ee316f123182bd

SHA1
f477bf1e9f4db8452bd9fe314cd18715f7045689

SHA256
79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

SHA512
abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

Download Submit
C:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\runsvc.exe

Filesize
803KB

MD5
5ed9ef12f02de09c4af1add838b39492

SHA1
5fd12a66ff254bacfdd86b448a716e8deffd81cb

SHA256
23024599997328f534b22e832933e2ede80288ea3db80a26d1179ce0dd7dabfd

SHA512
9325d4b088cae2774f7932e68cacb351235bc2058fa49884fd9117113d206ce25d653ae8b0d79507125d301c1cb2e41bd5dc972d5a5d1ea78c298239857e638b

Download Submit
memory/304-137-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/304-134-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/304-135-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/304-138-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/304-142-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/304-143-0x0000000005140000-0x00000000058D3000-memory.dmp

Filesize
7.6MB

Download
memory/1268-392-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1268-389-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1268-508-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1268-512-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1488-992-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1488-876-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1488-996-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1996-633-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1996-513-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/1996-629-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2192-388-0x00000000052A0000-0x0000000005A33000-memory.dmp

Filesize
7.6MB

Download
memory/2192-266-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2192-268-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2192-384-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2192-390-0x00000000052A0000-0x0000000005A33000-memory.dmp

Filesize
7.6MB

Download
memory/2192-391-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2300-997-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2300-1113-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2300-1117-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2532-146-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2532-267-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2532-145-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2532-262-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2596-1118-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-132-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-118-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-1-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-0-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-9-0x0000000000401000-0x000000000041E000-memory.dmp

Filesize
116KB

Download
memory/2628-112-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-130-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2628-133-0x00000000052F0000-0x0000000005A83000-memory.dmp

Filesize
7.6MB

Download
memory/2808-634-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2808-750-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2808-754-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2820-875-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2820-755-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download
memory/2820-871-0x0000000000400000-0x0000000000B93000-memory.dmp

Filesize
7.6MB

Download