f18dbf85ce6e20ff9639b55c4f595e76ed93888cf6a87afdad0abd5689f531cb

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab3233851d7f29ea66074a9a50a59540N.exe
Size

330KB
MD5

ab3233851d7f29ea66074a9a50a59540
SHA1

7d5b8e5c84e0908261afa1f9f47264d2d1820724
SHA256

f18dbf85ce6e20ff9639b55c4f595e76ed93888cf6a87afdad0abd5689f531cb
SHA512

e27242405648634f9c572d8b67e0e62c536cf95b355a2eeecd676abcc0a993fb170d7515c298b9a0dbeed6c16b36ce502bb0d6ca2957c838624ca0385e930006
SSDEEP

6144:YeC4EwZFoobUk8qp0qpgogZfpjkNaXihVP:8fhuLwflkLVP

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	um4btljb.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	um4btljb.bat
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ab3233851d7f29ea66074a9a50a59540N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ab3233851d7f29ea66074a9a50a59540N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ab3233851d7f29ea66074a9a50a59540N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ab3233851d7f29ea66074a9a50a59540N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	um4btljb.bat

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	ab3233851d7f29ea66074a9a50a59540N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	um4btljb.bat

Executes dropped EXE 1 IoCs

pid	Process
1672	um4btljb.bat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	um4btljb.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ab3233851d7f29ea66074a9a50a59540N.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3880	sc.exe
1548	sc.exe
4332	sc.exe
1356	sc.exe
2292	sc.exe
1172	sc.exe
4436	sc.exe
1768	sc.exe
2332	sc.exe
864	sc.exe
2804	sc.exe
1068	sc.exe
3412	sc.exe
4572	sc.exe
3572	sc.exe
5020	sc.exe
1416	sc.exe
3064	sc.exe
2172	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3304	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	ab3233851d7f29ea66074a9a50a59540N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	ab3233851d7f29ea66074a9a50a59540N.exe
2088	ab3233851d7f29ea66074a9a50a59540N.exe
2088	ab3233851d7f29ea66074a9a50a59540N.exe
2088	ab3233851d7f29ea66074a9a50a59540N.exe
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat
1672	um4btljb.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	ab3233851d7f29ea66074a9a50a59540N.exe
Token: SeDebugPrivilege	1672	um4btljb.bat
Token: SeSecurityPrivilege	4852	wevtutil.exe
Token: SeBackupPrivilege	4852	wevtutil.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3572	2088	ab3233851d7f29ea66074a9a50a59540N.exe	83
PID 2088 wrote to memory of 3572	2088	ab3233851d7f29ea66074a9a50a59540N.exe	83
PID 2088 wrote to memory of 5020	2088	ab3233851d7f29ea66074a9a50a59540N.exe	84
PID 2088 wrote to memory of 5020	2088	ab3233851d7f29ea66074a9a50a59540N.exe	84
PID 2088 wrote to memory of 3136	2088	ab3233851d7f29ea66074a9a50a59540N.exe	89
PID 2088 wrote to memory of 3136	2088	ab3233851d7f29ea66074a9a50a59540N.exe	89
PID 2088 wrote to memory of 1172	2088	ab3233851d7f29ea66074a9a50a59540N.exe	91
PID 2088 wrote to memory of 1172	2088	ab3233851d7f29ea66074a9a50a59540N.exe	91
PID 3136 wrote to memory of 1416	3136	cmd.exe	93
PID 3136 wrote to memory of 1416	3136	cmd.exe	93
PID 2088 wrote to memory of 4908	2088	ab3233851d7f29ea66074a9a50a59540N.exe	95
PID 2088 wrote to memory of 4908	2088	ab3233851d7f29ea66074a9a50a59540N.exe	95
PID 2088 wrote to memory of 4332	2088	ab3233851d7f29ea66074a9a50a59540N.exe	97
PID 2088 wrote to memory of 4332	2088	ab3233851d7f29ea66074a9a50a59540N.exe	97
PID 2088 wrote to memory of 1672	2088	ab3233851d7f29ea66074a9a50a59540N.exe	98
PID 2088 wrote to memory of 1672	2088	ab3233851d7f29ea66074a9a50a59540N.exe	98
PID 2088 wrote to memory of 1544	2088	ab3233851d7f29ea66074a9a50a59540N.exe	100
PID 2088 wrote to memory of 1544	2088	ab3233851d7f29ea66074a9a50a59540N.exe	100
PID 2088 wrote to memory of 2688	2088	ab3233851d7f29ea66074a9a50a59540N.exe	102
PID 2088 wrote to memory of 2688	2088	ab3233851d7f29ea66074a9a50a59540N.exe	102
PID 1672 wrote to memory of 4436	1672	um4btljb.bat	105
PID 1672 wrote to memory of 4436	1672	um4btljb.bat	105
PID 1672 wrote to memory of 1768	1672	um4btljb.bat	104
PID 1672 wrote to memory of 1768	1672	um4btljb.bat	104
PID 1544 wrote to memory of 864	1544	cmd.exe	108
PID 1544 wrote to memory of 864	1544	cmd.exe	108
PID 4908 wrote to memory of 2332	4908	cmd.exe	109
PID 4908 wrote to memory of 2332	4908	cmd.exe	109
PID 2688 wrote to memory of 2172	2688	cmd.exe	110
PID 2688 wrote to memory of 2172	2688	cmd.exe	110
PID 2688 wrote to memory of 2756	2688	cmd.exe	111
PID 2688 wrote to memory of 2756	2688	cmd.exe	111
PID 2688 wrote to memory of 3304	2688	cmd.exe	112
PID 2688 wrote to memory of 3304	2688	cmd.exe	112
PID 1672 wrote to memory of 1684	1672	um4btljb.bat	113
PID 1672 wrote to memory of 1684	1672	um4btljb.bat	113
PID 1672 wrote to memory of 1356	1672	um4btljb.bat	115
PID 1672 wrote to memory of 1356	1672	um4btljb.bat	115
PID 1684 wrote to memory of 2804	1684	cmd.exe	117
PID 1684 wrote to memory of 2804	1684	cmd.exe	117
PID 1672 wrote to memory of 3604	1672	um4btljb.bat	118
PID 1672 wrote to memory of 3604	1672	um4btljb.bat	118
PID 1672 wrote to memory of 3880	1672	um4btljb.bat	120
PID 1672 wrote to memory of 3880	1672	um4btljb.bat	120
PID 1672 wrote to memory of 1004	1672	um4btljb.bat	122
PID 1672 wrote to memory of 1004	1672	um4btljb.bat	122
PID 1672 wrote to memory of 1548	1672	um4btljb.bat	124
PID 1672 wrote to memory of 1548	1672	um4btljb.bat	124
PID 3604 wrote to memory of 1068	3604	cmd.exe	126
PID 3604 wrote to memory of 1068	3604	cmd.exe	126
PID 1004 wrote to memory of 2292	1004	cmd.exe	127
PID 1004 wrote to memory of 2292	1004	cmd.exe	127
PID 2688 wrote to memory of 4532	2688	cmd.exe	128
PID 2688 wrote to memory of 4532	2688	cmd.exe	128
PID 2688 wrote to memory of 4852	2688	cmd.exe	129
PID 2688 wrote to memory of 4852	2688	cmd.exe	129
PID 1672 wrote to memory of 620	1672	um4btljb.bat	130
PID 1672 wrote to memory of 620	1672	um4btljb.bat	130
PID 620 wrote to memory of 3064	620	cmd.exe	132
PID 620 wrote to memory of 3064	620	cmd.exe	132
PID 1672 wrote to memory of 3372	1672	um4btljb.bat	133
PID 1672 wrote to memory of 3372	1672	um4btljb.bat	133
PID 3372 wrote to memory of 3412	3372	cmd.exe	135
PID 3372 wrote to memory of 3412	3372	cmd.exe	135

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2172	attrib.exe
4532	attrib.exe
400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ab3233851d7f29ea66074a9a50a59540N.exe
"C:\Users\Admin\AppData\Local\Temp\ab3233851d7f29ea66074a9a50a59540N.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3572
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:5020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:1416
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WinDefend start=disabled
  2⤵
  - Launches sc.exe
  PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:2332
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\um4btljb.bat
  "C:\Users\Admin\AppData\Local\Temp\um4btljb.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:1768
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:4436
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2804
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:1356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:1068
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:3880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2292
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:1548
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:3064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    PID:3224
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:2172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:4148
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9e0be55-5a6d-4e29-bd2f-9abfe58b1bcf.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\ab3233851d7f29ea66074a9a50a59540N.exe"
    3⤵
    - Views/modifies file attributes
    PID:2172
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2756
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:3304
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\ab3233851d7f29ea66074a9a50a59540N.exe"
    3⤵
    - Views/modifies file attributes
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\b9e0be55-5a6d-4e29-bd2f-9abfe58b1bcf.bat"
    3⤵
    - Views/modifies file attributes
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
750e4be22a6fdadd7778a388198a9ee3

SHA1
8feb2054d8a3767833dd972535df54f0c3ab6648

SHA256
26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

SHA512
b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f9c3838c7736a15f01d2192457c52eb7

SHA1
60f02ae06f51a56b1656baf3b3d337fb87863387

SHA256
ec7d5cd3c4c3d93573d4cb323b16ffc6134114e0717150920bbdacbee53587a9

SHA512
b0b2cd91a39cb9e30b5d75cc2295d6186823fe502313813cc06bd575590d1b559a6b5e60ae5b09874c04b1d58efb332dc74228c202614b5894a5a0e26024acd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_geza5gjc.a05.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9e0be55-5a6d-4e29-bd2f-9abfe58b1bcf.bat

Filesize
652B

MD5
93a9a38bd9653e6dd2329fd018c2c27b

SHA1
d749a61afa8012e9eb0c3b0872fcb0324432342b

SHA256
71092f87a2757c4f46cc3bb87ed1b4161a6b05f67f57f82d77fbd45feb4385cd

SHA512
78ed6e29e22e19a717f6e1de1dbade25b55ec0ac394711e24cda35923fca703963a48577c5e66da559acea98eb2d6a82f4c5c5f90acf6e32e0746bb2bb5b378c

Download Submit
C:\Users\Admin\AppData\Local\Temp\um4btljb.bat

Filesize
331KB

MD5
1832ccf64b1cc3cdb645d6583bfa1a45

SHA1
130882f8938937d78e5df002303ff75fd66239d3

SHA256
6daf0f5f058abfe2c6c9bc517e6e218c0b8ca28ef434155ec2cfe4517958f491

SHA512
1b067132962894502171392bfc7668845c4bac87d959ed12fd5ddc78dbd26938c23e901fca53ffc1e37c4e80e386b428dfc8baa6af882fa9345cb6e8e751bfa4

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
271B

MD5
cb725e5eb1703a36f8c9fa6e548643a6

SHA1
0113f10cd7035c89e609b07185cd83d2c2c53b7b

SHA256
3c0bc90ffd7399f0e5ffad1df364ce4a88d5941590a33235a50d83440481dded

SHA512
2c86c9655f67bb076e8388d453351ada86bed8d7d685b82e8c97522fb8f28ce5e61fe57c721293a6b954f1636b506ac824a99e09f907be5301db28a43e2946b6

Download Submit
memory/2088-0-0x00007FF82AE13000-0x00007FF82AE15000-memory.dmp

Filesize
8KB

Download
memory/2088-1-0x000002B22CD80000-0x000002B22CDBE000-memory.dmp

Filesize
248KB

Download
memory/2088-2-0x00007FF82AE10000-0x00007FF82B8D1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-16-0x00007FF82AE10000-0x00007FF82B8D1000-memory.dmp

Filesize
10.8MB

Download
memory/3056-32-0x000001F42FC00000-0x000001F42FC22000-memory.dmp

Filesize
136KB

Download