asyncrat | a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540

Analysis

max time kernel
30s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe
Size

3.1MB
MD5

9a2f790be72e695e35a553a4d50407f0
SHA1

b49330568cfbc72de78121faa1a9f78c29a7499e
SHA256

a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540
SHA512

99a793531db8af94aa24a3b4135d2cb452b7274780907af938d533e0fd8fb6dabf78e24956afa61be0eb03aa816de807f2b009f98700c35ec838a0151fd107ec
SSDEEP

49152:I+2dVFEJzcjZfT05Z6p22h15ASMpXIXSnm9FgJ9DUC6:IZVFEJzcjB22hCz6

Score

10^/10

asyncrat njrat redline default diamotrix hacked credential_access defense_evasion discovery evasion execution infostealer persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diamotrix

176.111.174.140:1912

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

176.111.174.140:6606

176.111.174.140:7707

176.111.174.140:8808

Mutex

Hp6kvaq9BCyI

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

acpanel.hackcrack.io:16164

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023630-150.dat	family_redline
behavioral2/memory/3028-163-0x00000000006E0000-0x0000000000732000-memory.dmp	family_redline

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002363a-224.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5276	powershell.exe
5268	powershell.exe
5512	powershell.exe
5604	powershell.exe
5180	powershell.exe
5192	powershell.exe
5216	powershell.exe
5232	powershell.exe
5536	powershell.exe
5276	powershell.exe
5268	powershell.exe
5512	powershell.exe
5604	powershell.exe
5180	powershell.exe
5192	powershell.exe
5216	powershell.exe
5232	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	relog.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5344	netsh.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	sqlmap GUI v.2.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	TempSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	6BA7.tmp.nikmok1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 14 IoCs

pid	Process
1364	zwg.exe
4612	sqlmap GUI v.2.0.exe
220	TempSetup.exe
916	~sqlmap_GUI_v_2_0.exe
936	svchost.exe
3028	69F0.tmp.nikmok2.exe
3772	6BA7.tmp.nikmok1.exe
3628	svchost.exe
2996	explorer.exe
3496	version.exe
4936	svchost.exe
5440	91DD.tmp.nikzbi.exe
5932	91DD.tmp.nikzbi.exe
5408	explorer.exe

Loads dropped DLL 5 IoCs

pid	Process
5932	91DD.tmp.nikzbi.exe
5932	91DD.tmp.nikzbi.exe
5932	91DD.tmp.nikzbi.exe
5932	91DD.tmp.nikzbi.exe
5932	91DD.tmp.nikzbi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common User Networking = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\explorer.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_{DEE6FB13BF2F1128056648} = "C:\\Users\\Admin\\AppData\\Roaming\\{DEE6FB13BF2F1128056648}\\Service_{DEE6FB13BF2F1128056648}.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7800\\svchost.exe"	TempSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{DEE6FB13BF2F1128056648}\\{DEE6FB13BF2F1128056648}.exe"	zwg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe"	relog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe"	relog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	TempSetup.exe
File created	C:\Windows\assembly\Desktop.ini	TempSetup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4752	cmd.exe
1072	cmd.exe
4592	cmd.exe
1384	cmd.exe
396	cmd.exe
896	cmd.exe
4540	cmd.exe
4340	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1364 set thread context of 2884	1364	zwg.exe	96

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	TempSetup.exe
File created	C:\Windows\assembly\Desktop.ini	TempSetup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	TempSetup.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x001200000002364a-369.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2792	916	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~sqlmap_GUI_v_2_0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6BA7.tmp.nikmok1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69F0.tmp.nikmok2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4748	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4668	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4896	schtasks.exe
1224	schtasks.exe
4904	schtasks.exe
452	schtasks.exe
4340	schtasks.exe
2588	schtasks.exe
5096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
1364	zwg.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe
2884	relog.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1364	zwg.exe
Token: SeSecurityPrivilege	1364	zwg.exe
Token: SeTakeOwnershipPrivilege	1364	zwg.exe
Token: SeLoadDriverPrivilege	1364	zwg.exe
Token: SeSystemProfilePrivilege	1364	zwg.exe
Token: SeSystemtimePrivilege	1364	zwg.exe
Token: SeProfSingleProcessPrivilege	1364	zwg.exe
Token: SeIncBasePriorityPrivilege	1364	zwg.exe
Token: SeCreatePagefilePrivilege	1364	zwg.exe
Token: SeBackupPrivilege	1364	zwg.exe
Token: SeRestorePrivilege	1364	zwg.exe
Token: SeShutdownPrivilege	1364	zwg.exe
Token: SeDebugPrivilege	1364	zwg.exe
Token: SeSystemEnvironmentPrivilege	1364	zwg.exe
Token: SeRemoteShutdownPrivilege	1364	zwg.exe
Token: SeUndockPrivilege	1364	zwg.exe
Token: SeManageVolumePrivilege	1364	zwg.exe
Token: 33	1364	zwg.exe
Token: 34	1364	zwg.exe
Token: 35	1364	zwg.exe
Token: 36	1364	zwg.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe
Token: SeDebugPrivilege	2884	relog.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2996	explorer.exe
2996	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 1364	720	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe	92
PID 720 wrote to memory of 1364	720	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe	92
PID 1364 wrote to memory of 5096	1364	zwg.exe	93
PID 1364 wrote to memory of 5096	1364	zwg.exe	93
PID 720 wrote to memory of 4612	720	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe	95
PID 720 wrote to memory of 4612	720	a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe	95
PID 1364 wrote to memory of 2884	1364	zwg.exe	96
PID 1364 wrote to memory of 2884	1364	zwg.exe	96
PID 1364 wrote to memory of 2884	1364	zwg.exe	96
PID 2884 wrote to memory of 4896	2884	relog.exe	99
PID 2884 wrote to memory of 4896	2884	relog.exe	99
PID 2884 wrote to memory of 1224	2884	relog.exe	101
PID 2884 wrote to memory of 1224	2884	relog.exe	101
PID 2884 wrote to memory of 4904	2884	relog.exe	103
PID 2884 wrote to memory of 4904	2884	relog.exe	103
PID 2884 wrote to memory of 452	2884	relog.exe	105
PID 2884 wrote to memory of 452	2884	relog.exe	105
PID 4612 wrote to memory of 220	4612	sqlmap GUI v.2.0.exe	107
PID 4612 wrote to memory of 220	4612	sqlmap GUI v.2.0.exe	107
PID 2884 wrote to memory of 4340	2884	relog.exe	108
PID 2884 wrote to memory of 4340	2884	relog.exe	108
PID 4612 wrote to memory of 916	4612	sqlmap GUI v.2.0.exe	110
PID 4612 wrote to memory of 916	4612	sqlmap GUI v.2.0.exe	110
PID 4612 wrote to memory of 916	4612	sqlmap GUI v.2.0.exe	110
PID 2884 wrote to memory of 3476	2884	relog.exe	56
PID 2884 wrote to memory of 3476	2884	relog.exe	56
PID 220 wrote to memory of 936	220	TempSetup.exe	114
PID 220 wrote to memory of 936	220	TempSetup.exe	114
PID 220 wrote to memory of 936	220	TempSetup.exe	114
PID 3476 wrote to memory of 3028	3476	Explorer.EXE	115
PID 3476 wrote to memory of 3028	3476	Explorer.EXE	115
PID 3476 wrote to memory of 3028	3476	Explorer.EXE	115
PID 2884 wrote to memory of 4608	2884	relog.exe	78
PID 3476 wrote to memory of 3772	3476	Explorer.EXE	151
PID 3476 wrote to memory of 3772	3476	Explorer.EXE	151
PID 3476 wrote to memory of 3772	3476	Explorer.EXE	151
PID 936 wrote to memory of 3628	936	svchost.exe	117
PID 936 wrote to memory of 3628	936	svchost.exe	117
PID 3628 wrote to memory of 2996	3628	svchost.exe	121
PID 3628 wrote to memory of 2996	3628	svchost.exe	121
PID 2996 wrote to memory of 2528	2996	explorer.exe	122
PID 2996 wrote to memory of 2528	2996	explorer.exe	122
PID 3772 wrote to memory of 2180	3772	6BA7.tmp.nikmok1.exe	124
PID 3772 wrote to memory of 2180	3772	6BA7.tmp.nikmok1.exe	124
PID 3772 wrote to memory of 2180	3772	6BA7.tmp.nikmok1.exe	124
PID 3772 wrote to memory of 3472	3772	6BA7.tmp.nikmok1.exe	126
PID 3772 wrote to memory of 3472	3772	6BA7.tmp.nikmok1.exe	126
PID 3772 wrote to memory of 3472	3772	6BA7.tmp.nikmok1.exe	126
PID 3472 wrote to memory of 4748	3472	cmd.exe	128
PID 3472 wrote to memory of 4748	3472	cmd.exe	128
PID 3472 wrote to memory of 4748	3472	cmd.exe	128
PID 2180 wrote to memory of 2588	2180	cmd.exe	129
PID 2180 wrote to memory of 2588	2180	cmd.exe	129
PID 2180 wrote to memory of 2588	2180	cmd.exe	129
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132
PID 4608 wrote to memory of 3920	4608	msedge.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Temp\a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe
  "C:\Users\Admin\AppData\Local\Temp\a34889e85ea0d3169c8382155dd5af32ecf9f8e1834bdae0f540ace75a894540.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Local\Temp\zwg.exe
    "C:\Users\Admin\AppData\Local\Temp\zwg.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /tn "SystemServicesTools" /tr "C:\Users\Admin\AppData\Roaming\{DEE6FB13BF2F1128056648}\{DEE6FB13BF2F1128056648}.exe" /sc onstart /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5096
  - - C:\Windows\system32\relog.exe
      C:\Windows\system32\relog.exe
      4⤵
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "FnEe3fQ8ko" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "FnEe3fQ8ko" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Service_Microsoft.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1224
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "FnEe3fQ8ko" /tr "C:\Users\Admin\AppData\Roaming\Mozilla\Service_Mozilla.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4904
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "FnEe3fQ8ko" /tr "C:\Users\Admin\AppData\Roaming\Sun\Service_Sun.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:452
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "IAqlQ0cu4e" /tr "C:\Users\Admin\AppData\Roaming\{DEE6FB13BF2F1128056648}\Service_{DEE6FB13BF2F1128056648}.exe" /sc onstart /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4340
- - C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\TempSetup.exe
      "C:\Users\Admin\AppData\Local\TempSetup.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:936
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\wumt2rro.inf
        8⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5408
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe
      "C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1076
        5⤵
        Program crash
        
        PID:2792
- C:\Users\Admin\AppData\Local\Temp\69F0.tmp.nikmok2.exe
  "C:\Users\Admin\AppData\Local\Temp\69F0.tmp.nikmok2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.nikmok1.exe
  "C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.nikmok1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D97.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4748
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tdqsaz.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\tdqsaz.exe"'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Users\Admin\AppData\Local\Temp\tdqsaz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tdqsaz.exe"
        7⤵
        
        PID:2772
        
        C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        8⤵
        
        PID:5516
- C:\Users\Admin\AppData\Local\Temp\91DD.tmp.nikzbi.exe
  "C:\Users\Admin\AppData\Local\Temp\91DD.tmp.nikzbi.exe"
  2⤵
  - Executes dropped EXE
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\91DD.tmp.nikzbi.exe
    "C:\Users\Admin\AppData\Local\Temp\91DD.tmp.nikzbi.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x26c,0x7ff9604fd198,0x7ff9604fd1a4,0x7ff9604fd1b0
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2368,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=2364 /prefetch:2
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1976,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2560,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1040,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8
  2⤵
  PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916
1⤵
PID:4644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:1384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5604

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe

Filesize
548KB

MD5
bc366b2c1803069f350f4192cd676d47

SHA1
f4cb2c5127d8ea90883c0f60c660d0ab92720768

SHA256
5ecf311d38dcc488b93e22c7e7175557f8733dbbb8d6fcd452b911f7821acac8

SHA512
1dacc54d9f2c0b826a29f6683e6e13fc5291c058912922fd9c112ccabb67e7e797d604c99bc16abcf7bfc49a8934cbcc5920d98cab0b44a6001c0f770c53fac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\69F0.tmp.nikmok2.exe

Filesize
300KB

MD5
8d14c4ba7260c61ecde30d97fd3c124a

SHA1
f60a7243a5160ff0dd60c37e1de43b81cead3549

SHA256
6985ec7f67fabd26633c991be04ce5f899224a56bb078ba186b4be21f9e4714d

SHA512
b068decea7ec68d2b4347493d9e4b8cc4fb0c3c5f5ecc2a52be6eb35d28e75d3de1636efe0b67cce825e8d08d3fb82d137b1d6eb1225662fb8c3dff9616dcc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6BA7.tmp.nikmok1.exe

Filesize
47KB

MD5
27058f6c310e29963251df57e752456a

SHA1
747b0923209199b7e430e1a6896e9304eae02707

SHA256
f0033f3778e39a3be78d3938a73c5e02301a85d138e2e4e3ec41be55996ceaa6

SHA512
d6a9317d28580ada68c927bb7d0aa69a91e5868bdfa6dfb79f37fe9284e55ff35a96b10b69a2d342d5b8a5cb6019e31e17643460458e0f070084918266148eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\91DD.tmp.nikzbi.exe

Filesize
5.6MB

MD5
f2b9c2a610af9cfb62abcdd5b850b320

SHA1
d62b336d480017ba6e0ca231ab8e27cbd0e61e7d

SHA256
4369303e92d091c8cd523fd5883c0b9da72990191cd9b6ebabba7853d243d4f8

SHA512
32b61513d7720e98225f1c930b7650039a4d9435f88b7c7934f55122906de816a2d7f4e5923a3ad872566cd508d98cac6497e796dbe502fcfbec662745fa9304

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemUpdate.exe

Filesize
297KB

MD5
f765a1b738c578e624078f0199278b97

SHA1
7446e9353fa590ace1c04363eafcb3b64665d509

SHA256
810791ccd63225a766dd580e0e83d502df14172812fb912997e6a844bc9d7f6c

SHA512
7995bb5ad2bab667f9e79c32859f4c403a708b4ce4d25438fef1438c6515802d1d654361a061d4df511126c0ec0239d3562ab27f5ab1377959575baa26ed1dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54402\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35magrsi.22r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe

Filesize
2.6MB

MD5
74965febb08e87910b0f9d29eced3ff5

SHA1
3228699546d63437dc845a5bb1d63f86591fa91e

SHA256
ee1fd2fda74829875c8c27d05b4e6296459988d19549f30e4ed3ecb513bd2f43

SHA512
9c316c01101e0601b363f85d7ba42fc488af4aa2ee107100ff6b0efd70e1179910594edc735a3aad2964f518c741bd188bf17736cc07c90914526222fb00e869

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D97.tmp.bat

Filesize
151B

MD5
cac14771c1ac64880dedbf10e9334a0b

SHA1
57ef403d2f7e84695c02a4919a2e3ba0299d649a

SHA256
4f449c6a0338bb3df419de758bbdf4a355f31a8f6e521ae6dcb0ecb0c25670d2

SHA512
5857a2df205f30a5657b8188d85b49288987c219c4bb9011925cefe7333cfcc197c700581257a644292764422443c9a5a1258ea7e80dc479c4041d0b6a8217f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wumt2rro.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwg.exe

Filesize
322KB

MD5
c1e4bbc07edcd498c3237c435a2479b8

SHA1
a5724a7cff16711d8c1a3071f39abe4df392d560

SHA256
410bbd43e9fe61cfd4dc8a903f016cb0b50e5efcd49cfba0bcc2a93fc9c50155

SHA512
56446325ae45aa7e6ae09a87e877263a7bba944732d6f791dc1cd65c1edbcaf3fc247a3f0abee887ea974526a9caeacd585ed2b8b3c4434ec187806998bbdea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe

Filesize
1.9MB

MD5
5d60754656f1f151c16b1fc549fd49f1

SHA1
e3f8119de8a81cf65493226c0f22f90fe1f1796c

SHA256
01622451923785e4584d2f48ec2b5533199e88edc3394b764dca1d553464bfbd

SHA512
226ef88e2486309d5dbc2a88753966d7a5778e6ad23abd675d75902fd88a4b42190cb0c12a6ada7f416e93c5c3862538713b5b3b2e5420d1cd69ec2d79ef3a2b

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe

Filesize
298KB

MD5
c147ef135d6d64a43181f44d918c9170

SHA1
4ad5bb062d448f425e443726a2a367374590068d

SHA256
48039323e06bea728304fb0dd5482a628f699815ca8b0786cf3e98055c3baa63

SHA512
1fcf850ca909cdb29e423abc5d32c887975affb5afba59062c2963c21083e07b0427e0f09a681dbd92dc3a96db9a5217a78247d403dab8f2dbc74a2b67c60992

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe

Filesize
318KB

MD5
5ab938d81d5597daf06c36f2a88224f9

SHA1
5419752a973ad3b7007bfdf736f504efc2a29b4d

SHA256
e252b8c435d0cb78728469eb48580d51de502a85af73115e77352575e8ad5d85

SHA512
e3bf3e53465ccd2d7377086441ea5ad3015da116a04908075d2c322c98b807c6ab92fa03ae51fa92c323cea6fe3fdce5c70f48449f46aa9d75faafb229cff64a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe

Filesize
263KB

MD5
fdea3876296a5159163aa307f23ec4af

SHA1
3ee1911770107d2e872fc514818ace437f0f205e

SHA256
e35d2f11ad7aee4bc758e068ad82406e99cd2310db82ab6c879b4a048da3896b

SHA512
c55851a91f08f130096e05e591913e3a6f73d70b0b6567bbc5fb9c939a2d79b6f96273ad7d8abf90ad4e6c9e175eb5507ab95b8a774c434f5463951e5c61e26b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
46KB

MD5
c9ee90b6246b82685a26af067eada50c

SHA1
247dcdc29bdf134535c0142bc22a0a15e1033c28

SHA256
d9402ee82fb2cfc8965666cf3157bdf39547838814189106d565541522b8335e

SHA512
de676e0a7af1e59e2fd25393a976223414e6ee378f2607a409a00b37283800bacff0fd4393fca4cc53bbe1915ed46f775557a61134281aecbc27f9d98f66bb28

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
1530b50aac226cd50815c69326517e51

SHA1
e97855298b61d8a5b6cf2450a990d5cbc40c6aa4

SHA256
1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3

SHA512
c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

Download Submit
memory/220-102-0x000000001BEC0000-0x000000001BEE0000-memory.dmp

Filesize
128KB

Download
memory/220-127-0x000000001D450000-0x000000001D484000-memory.dmp

Filesize
208KB

Download
memory/220-130-0x000000001EC40000-0x000000001ED12000-memory.dmp

Filesize
840KB

Download
memory/916-113-0x0000000000460000-0x000000000064E000-memory.dmp

Filesize
1.9MB

Download
memory/916-114-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/916-115-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/916-116-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/916-118-0x0000000005200000-0x0000000005256000-memory.dmp

Filesize
344KB

Download
memory/916-117-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/936-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-281-0x00007FF7A4AA0000-0x00007FF7A4AF7000-memory.dmp

Filesize
348KB

Download
memory/2884-511-0x00007FF7A4AA0000-0x00007FF7A4AF7000-memory.dmp

Filesize
348KB

Download
memory/2996-282-0x000000001BD30000-0x000000001BD3C000-memory.dmp

Filesize
48KB

Download
memory/3028-234-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/3028-486-0x0000000006C00000-0x0000000006C50000-memory.dmp

Filesize
320KB

Download
memory/3028-470-0x0000000008030000-0x000000000855C000-memory.dmp

Filesize
5.2MB

Download
memory/3028-469-0x0000000007930000-0x0000000007AF2000-memory.dmp

Filesize
1.8MB

Download
memory/3028-286-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3028-232-0x0000000006100000-0x0000000006718000-memory.dmp

Filesize
6.1MB

Download
memory/3028-233-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/3028-163-0x00000000006E0000-0x0000000000732000-memory.dmp

Filesize
328KB

Download
memory/3028-235-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/3028-236-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download
memory/3476-121-0x0000000003210000-0x0000000003253000-memory.dmp

Filesize
268KB

Download
memory/3476-123-0x0000000003410000-0x0000000003467000-memory.dmp

Filesize
348KB

Download
memory/3476-124-0x0000000003260000-0x0000000003276000-memory.dmp

Filesize
88KB

Download
memory/3628-249-0x000000001F2E0000-0x000000001F342000-memory.dmp

Filesize
392KB

Download
memory/3772-231-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/4612-26-0x000000001BC10000-0x000000001BCB6000-memory.dmp

Filesize
664KB

Download
memory/4612-30-0x000000001BCC0000-0x000000001BCC8000-memory.dmp

Filesize
32KB

Download
memory/4612-29-0x000000001C7D0000-0x000000001C86C000-memory.dmp

Filesize
624KB

Download
memory/4612-28-0x000000001C1A0000-0x000000001C66E000-memory.dmp

Filesize
4.8MB

Download
memory/4612-36-0x000000001CA80000-0x000000001CACC000-memory.dmp

Filesize
304KB

Download
memory/4612-24-0x00007FF966CB0000-0x00007FF967651000-memory.dmp

Filesize
9.6MB

Download
memory/4612-23-0x00007FF966F65000-0x00007FF966F66000-memory.dmp

Filesize
4KB

Download
memory/4612-250-0x00007FF966F65000-0x00007FF966F66000-memory.dmp

Filesize
4KB

Download
memory/4612-251-0x00007FF966CB0000-0x00007FF967651000-memory.dmp

Filesize
9.6MB

Download
memory/4936-490-0x0000000007540000-0x000000000755E000-memory.dmp

Filesize
120KB

Download
memory/4936-489-0x00000000073E0000-0x0000000007442000-memory.dmp

Filesize
392KB

Download
memory/4936-488-0x0000000007460000-0x00000000074D6000-memory.dmp

Filesize
472KB

Download
memory/5192-292-0x00000233B4270000-0x00000233B4292000-memory.dmp

Filesize
136KB

Download
memory/5516-520-0x00007FF715FA0000-0x00007FF715FF0000-memory.dmp

Filesize
320KB

Download
memory/5536-501-0x0000000005EA0000-0x00000000061F4000-memory.dmp

Filesize
3.3MB

Download
memory/5536-494-0x0000000005D20000-0x0000000005D42000-memory.dmp

Filesize
136KB

Download
memory/5536-495-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/5536-506-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/5536-507-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/5536-508-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/5536-510-0x0000000006A00000-0x0000000006A22000-memory.dmp

Filesize
136KB

Download
memory/5536-509-0x00000000069A0000-0x00000000069BA000-memory.dmp

Filesize
104KB

Download
memory/5536-493-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/5536-492-0x0000000004F10000-0x0000000004F46000-memory.dmp

Filesize
216KB

Download