Analysis

  • max time kernel
    336s
  • max time network
    337s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 13:19

General

  • Target

    exe bomb.zip

  • Size

    1.1MB

  • MD5

    bb664a3a77772836032da72a2c990ee8

  • SHA1

    9cd55742edab48b3635e27ed388def80d3a724d5

  • SHA256

    30c6dca8d7298ad8b76d2b4fb29ba10778537df7552e5aeafaad63ffa7287807

  • SHA512

    6662be34b999d63f7e00b4d643ee3323163afefd54431f1d2426940ace3737e4e7118ce86ceb0300a9b02ac52a87044e66827cc5ddb0ed02a24d8217fd7df1c9

  • SSDEEP

    24576:xC7nBACGnldUSyU7IMzH8z8vqFodFsD35vVwz:xC7BA7nrUSNDqadGDpV0

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

192.168.1.122:1604

Mutex

DC_MUTEX-20997BK

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    LEeu9F65GHcF

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

eu-west-36307.packetriot.net:22281

Mutex

6480365a57ae304293b6250c39f9b34b

Attributes
  • reg_key

    6480365a57ae304293b6250c39f9b34b

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

ximlxhkxkljothcwg

Attributes
  • c2_url_file

    https://paste.tc/raw/x-88152-88

  • delay

    1

  • install

    false

  • install_file

    services

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7521

chf35s6.localto.net:7521

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    System.exe

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

uygpiyt.localto.net:1604

uygpiyt.localto.net:1843

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Sazan

C2

127.0.0.1:1604

Mutex

DC_MUTEX-1ESBB3Q

Attributes
  • gencode

    KdZ2b3vZaGVw

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Detect Xworm Payload 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies security service 2 TTPs 4 IoCs
  • Njrat family
  • Windows security bypass 2 TTPs 8 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Async RAT payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 22 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\exe bomb.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1536
  • C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe
    "C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1048
      2⤵
      • Program crash
      PID:4436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168
    1⤵
      PID:5044
    • C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe
      "C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1016
        2⤵
        • Program crash
        PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1208 -ip 1208
      1⤵
        PID:2476
      • C:\Users\Admin\Desktop\xray.exe
        "C:\Users\Admin\Desktop\xray.exe"
        1⤵
        • Modifies WinLogon for persistence
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3860
        • C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          2⤵
          • Modifies security service
          • Windows security bypass
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:4048
      • C:\Users\Admin\Desktop\xray.exe
        "C:\Users\Admin\Desktop\xray.exe"
        1⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2240
      • C:\Users\Admin\Desktop\xray.exe
        "C:\Users\Admin\Desktop\xray.exe"
        1⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • System policy modification
        PID:4164
      • C:\Users\Admin\Desktop\Payload.exe
        "C:\Users\Admin\Desktop\Payload.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1848
        • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
          "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2208
      • C:\Users\Admin\Desktop\services.exe
        "C:\Users\Admin\Desktop\services.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4252
      • C:\Users\Admin\Desktop\Skype.exe
        "C:\Users\Admin\Desktop\Skype.exe"
        1⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Skype.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Skype.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\System.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4916
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\AppData\Local\System.exe"
          2⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4388
      • C:\Users\Admin\Desktop\calculate.exe
        "C:\Users\Admin\Desktop\calculate.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Users\Admin\AppData\Local\Temp\VSDAD0F.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-TRK.exe
          "C:\Users\Admin\AppData\Local\Temp\VSDAD0F.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-TRK.exe" /q /norestart /skipenucheck /ChainingPackage FullX64ClickOnce
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\ed40df46d4930addcb5b0bd06315\Setup.exe
            C:\ed40df46d4930addcb5b0bd06315\\Setup.exe /q /norestart /skipenucheck /ChainingPackage FullX64ClickOnce /x86 /x64 /lcid 1055 /lpredist
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3448
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
          2⤵
          • Modifies registry class
          PID:3848
      • C:\Users\Admin\AppData\Local\System.exe
        C:\Users\Admin\AppData\Local\System.exe
        1⤵
        • Executes dropped EXE
        PID:4952
      • C:\Users\Admin\Desktop\SpotifyGenerator.exe
        "C:\Users\Admin\Desktop\SpotifyGenerator.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2460
      • C:\Users\Admin\Desktop\Crypted.exe
        "C:\Users\Admin\Desktop\Crypted.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\Desktop\Crypted.exe
          "C:\Users\Admin\Desktop\Crypted.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1416
      • C:\Users\Admin\AppData\Local\System.exe
        C:\Users\Admin\AppData\Local\System.exe
        1⤵
        • Executes dropped EXE
        PID:2292
      • C:\Users\Admin\Desktop\SpotifyGenerator.exe
        "C:\Users\Admin\Desktop\SpotifyGenerator.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4992
      • C:\Users\Admin\Desktop\calculate.exe
        "C:\Users\Admin\Desktop\calculate.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4180
      • C:\Users\Admin\Desktop\Crypted.exe
        "C:\Users\Admin\Desktop\Crypted.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Users\Admin\Desktop\Crypted.exe
          "C:\Users\Admin\Desktop\Crypted.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4568
      • C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe
        "C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1016
          2⤵
          • Program crash
          PID:4536
      • C:\Users\Admin\Desktop\xray.exe
        "C:\Users\Admin\Desktop\xray.exe"
        1⤵
        • Modifies security service
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • System policy modification
        PID:4724
      • C:\Users\Admin\Desktop\Skype.exe
        "C:\Users\Admin\Desktop\Skype.exe"
        1⤵
        • Executes dropped EXE
        PID:396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4552 -ip 4552
        1⤵
          PID:3696
        • C:\Users\Admin\Desktop\Payload.exe
          "C:\Users\Admin\Desktop\Payload.exe"
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4768
        • C:\Users\Admin\Desktop\services.exe
          "C:\Users\Admin\Desktop\services.exe"
          1⤵
          • Executes dropped EXE
          PID:884
        • C:\Windows\system32\launchtm.exe
          launchtm.exe /2
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3880
          • C:\Windows\System32\Taskmgr.exe
            "C:\Windows\System32\Taskmgr.exe" /2
            2⤵
            • Drops startup file
            • Checks SCSI registry key(s)
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:916
        • C:\Users\Admin\AppData\Local\System.exe
          C:\Users\Admin\AppData\Local\System.exe
          1⤵
          • Executes dropped EXE
          PID:3992
        • C:\Users\Admin\AppData\Local\System.exe
          C:\Users\Admin\AppData\Local\System.exe
          1⤵
          • Executes dropped EXE
          PID:2792

Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payload.exe.log

          Filesize

          319B

          MD5

          da4fafeffe21b7cb3a8c170ca7911976

          SHA1

          50ef77e2451ab60f93f4db88325b897d215be5ad

          SHA256

          7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

          SHA512

          0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          62623d22bd9e037191765d5083ce16a3

          SHA1

          4a07da6872672f715a4780513d95ed8ddeefd259

          SHA256

          95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

          SHA512

          9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          98baf5117c4fcec1692067d200c58ab3

          SHA1

          5b33a57b72141e7508b615e17fb621612cb8e390

          SHA256

          30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

          SHA512

          344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          d8cb3e9459807e35f02130fad3f9860d

          SHA1

          5af7f32cb8a30e850892b15e9164030a041f4bd6

          SHA256

          2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

          SHA512

          045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

        • C:\Users\Admin\AppData\Local\Temp\HFIFAC2.tmp.html

          Filesize

          15KB

          MD5

          cd131d41791a543cc6f6ed1ea5bd257c

          SHA1

          f42a2708a0b42a13530d26515274d1fcdbfe8490

          SHA256

          e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

          SHA512

          a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

        • C:\Users\Admin\AppData\Local\Temp\VSDAD0F.tmp\DotNetFX472\NDP472-KB4054530-x86-x64-AllOS-TRK.exe

          Filesize

          5.4MB

          MD5

          81a2540a1d22ee889e391cc79dae12ac

          SHA1

          181af08f91a0cb72c798d018e7af3969a2481097

          SHA256

          08f90d9350af82a90bde09b22ec9c8b0390392734b20cc1b3fcfc7cd814ea3df

          SHA512

          e746a5563783cb71c9ebb5572eecf64b1aaec0246d65d6aa3b20992c352e998fe7e30f11031c93a6815b828a47128a32ee6c3170b5e6ccc3e29629d33225bbef

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgerio51.p0s.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\88603cb2913a7df3fbd16b5f958e6447_dd2803c7-d377-4f06-bdfe-aea230fc7b0e

          Filesize

          51B

          MD5

          5fc2ac2a310f49c14d195230b91a8885

          SHA1

          90855cc11136ba31758fe33b5cf9571f9a104879

          SHA256

          374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

          SHA512

          ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

          Filesize

          957B

          MD5

          aa20040781184d708c9008c428977ca6

          SHA1

          8899c2f634df8affd97801bba95a991cf51824c5

          SHA256

          2fa85b94faec8037a88d544d9923160ef5886ec8e9b31e991bbbb0063495bd99

          SHA512

          5e201fb4673da2f50fa68cb7b70411350b71d7537abc53d86a91de5cb0ee58fe8d8c3fc1b68539367036e188e886cf15d477d956e9353401b36494fd83bae2fb

        • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

          Filesize

          8B

          MD5

          cf759e4c5f14fe3eec41b87ed756cea8

          SHA1

          c27c796bb3c2fac929359563676f4ba1ffada1f5

          SHA256

          c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

          SHA512

          c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

        • C:\Users\Admin\AppData\Roaming\dclogs\2024-12-05-5.dc

          Filesize

          80B

          MD5

          9025f46a28cd6c3b7a1000d27f5b53b7

          SHA1

          3feeaa7e9b53ab8b5a41e9bba54c0bb8edfc7cbe

          SHA256

          c0d4e7b9fd65a845907d0ab5fb2030f50fc147ce4897bfbc3f996c5f807c0198

          SHA512

          33ab629ce81aed162a65f61af5d7e70704eab31b4157de4bf911e96243ccfaff01dc3761000262ab4878fdc52f2bd2a74098b9b5e7cf09606f118087d582b0d4

        • C:\Users\Admin\AppData\Roaming\dclogs\2024-12-05-5.dc

          Filesize

          128B

          MD5

          66626183b078197f6561e1c9cca9a044

          SHA1

          8b23d0da89920ea92dc646cac8be314c63b2ffa7

          SHA256

          ca0bbfc91b8c50f8f926b799d3cc4beed899c6d5cbb93ae0cbb82f72682ab783

          SHA512

          a20e5e29dfd3b7cf31dcb4e3984261cc9b1f86c92a3c7b497796f215e3d0809499560e37af07facd3737de7d4ba39379a5186799fb7606a5aee2dafa0a9e081b

        • C:\Users\Admin\AppData\Roaming\dclogs\2024-12-05-5.dc

          Filesize

          176B

          MD5

          925a4b8cd0667cddf7758559eed586d4

          SHA1

          9f26ba327d616d046469e622f6f0b2a8a5046dda

          SHA256

          c5b598baef247e90e0abbeee3ef8aa868b5340ca49357a3eebc7af3f62181efb

          SHA512

          89313f0cf377579a9cb26978422c56cd57d9c4929801ccb2d3ef726c4e614005fbb594dc443e4b6b84973e4ee22edf3e1cd20702baa0c198de16a21469bcb2fd

        • C:\Users\Admin\Desktop\Crypted.exe

          Filesize

          332KB

          MD5

          39981a721a6542fb36dc05b3fc20c274

          SHA1

          74698ff07ef58b8ef23dda2ed91971d4ced3e1d4

          SHA256

          fd88ebaedaaa336bf48f9e8c21a084c5dc6870c27ff76f62d3ea5526205fa9cd

          SHA512

          1c3ee4a6a68b4d8d7db0a4eccaa34120d8be7b9b8df87d4af681f51805f5bbacd567b96eb1662d50ad9d454656e864b13af5aaf96151dd8743c9b05fc80a966b

        • C:\Users\Admin\Desktop\HELL-96SQH6IO9SOI2GJFE2H9FUEM3FGU34H.exe

          Filesize

          123KB

          MD5

          868183a0f26683d1d6655a8519b626ba

          SHA1

          1e646f5cdf2ac3b9692e4cd9c1bbdd9ab523395e

          SHA256

          8bfbcf2d850c68a7ed6b023faa9062a2189e4e1ed8915351f3b97dbde0d5e528

          SHA512

          1836a4cb23521d4bd5794eee20e8fdd6e8311ea743f6b9440c4d7f6e5c5501b65aea51f4a01cb40ac28b4a143e02fd8adf50493cfe4124ac0027490afd87597b

        • C:\Users\Admin\Desktop\Payload.exe

          Filesize

          55KB

          MD5

          411b64acfcc7f07971c630aa8d229dfa

          SHA1

          f8e02349ff1be29dfa98dc45a38077289670c1a6

          SHA256

          c5f77db7ad369d1ace046583b196f763465cd0692ffea635b8c036ba3ecda1bb

          SHA512

          63ec93dc64157e25a87346c9a7469be8ac367c099328525e4e6db70f7c696590d6fa46e9bf9dd3ef5c6ee60352f22390437cf1c17f537e6e4ca9f1ad9bf5d72e

        • C:\Users\Admin\Desktop\Skype.exe

          Filesize

          74KB

          MD5

          ab7fe54a2dff556af9d0f6524169f305

          SHA1

          cfd61fb50874d48900f8a058f2f2500aa4caafeb

          SHA256

          1947f33f50a76eb1093d5bdbc01979f086dbe1f3e9b8501afc4547ed14ea8b5c

          SHA512

          e7b054fa38fdce9283dcd2fa8f9e8d0cfae813825a6626582aeb089d53e2fe9bb50a18c145d938006f88b2d87e936600db24ba41d480eb49e8a31b26ada6be8c

        • C:\Users\Admin\Desktop\SpotifyGenerator.exe

          Filesize

          47KB

          MD5

          b0bea0e74c6022eb15797f3a0d983d3e

          SHA1

          d74156db340aa6531eeddbd56b9661a71b2d27d9

          SHA256

          f03aa9a082ef9a099dd59e8ba4a956bd48153f834dbe9c1bb8df4af914751d9a

          SHA512

          fa061c98014f16a1686906c80a9154accac34276e596c373a4810aa6d73286805d99da42025a89b866ced01be5391e960a36827069909c888b3d5ff235886c39

        • C:\Users\Admin\Desktop\calculate.exe

          Filesize

          553KB

          MD5

          d02dd96450aad4137ddbe1c0c15b476b

          SHA1

          a0b84b677835a7e26cde0bba06635b9c0759df3e

          SHA256

          a756c75518fea32b684dbf6b57151e45596eaae4f08f767792d7b5c5eb249750

          SHA512

          9452f79bffb194c9424f8706d0d759a49ea18520fb911f2f8bb1c76baa6f8199fde78035840a3fbb752b3fb1e889f821e0ac3859270d4ee8eec5f94061a5d1c7

        • C:\Users\Admin\Desktop\services.exe

          Filesize

          74KB

          MD5

          e7ba2c20ff0d6d894b2e342dfbc682da

          SHA1

          b459862f4e9a5a8ed260f13682691eb19e8620f8

          SHA256

          4820832a84cc249be6408727b394f68127af853496b2f3ac5702fa07c98af452

          SHA512

          a8291c5357a81f40e9a01467788fad6e57b7869e065223a8a5fa4ee8b471d7491dc3c6af069fd6a635cee7b3d7f34a2cf18d9563b80a874c714f765985668c36

        • C:\Users\Admin\Desktop\xray.exe

          Filesize

          658KB

          MD5

          d10c9632d629e612688f4d899adad7ac

          SHA1

          23b80255a664d7218c388c0e4e4b059c37ea09af

          SHA256

          8cec15a4d96162345b86b2dc2219f182c194e5860febfbc698cf23eac91dcc72

          SHA512

          eb4a370049f00ef00296403c3028fcd7f472f34f1d07df02c28512c17ac5b18cbebc02024ad4a0849490cb5c085613fd0640b6a28cf3db4b2623cfca9afb5dec

        • C:\ed40df46d4930addcb5b0bd06315\1033\LocalizedData.xml

          Filesize

          80KB

          MD5

          64767bc621a1e7340b06ce7c3b824948

          SHA1

          e2c001e6a84d9659e64ddb4952d061c159f0cee5

          SHA256

          680ef849e3c03088c692f65ccd1bd88c5843077be4256dca61d4aed671927027

          SHA512

          079653668a6e82429863c52c92d3e94b6e8bf88b2e27006873dd68d1a1bd18246903946f0554d46931d501d3eed682d48608b50606f00c46b5ee50f9f293a8c7

        • C:\ed40df46d4930addcb5b0bd06315\1055\LocalizedData.xml

          Filesize

          81KB

          MD5

          074ad3ee18ba63f2ad82e61b996240c7

          SHA1

          5f0ee0c2534e56d47d4a676752ab550b294a0ccd

          SHA256

          ac4766bda5691b5dc25ce0a4b36b6df905c5b13e520a43cf17ca6008a7ac78bb

          SHA512

          0fb57b2b3ad43823d89d01899d1d4a67cff6ead58fc4c209dace823fd2b20ae164597d2c977fe807043fa3c98f337f845a06f2afe77f06a31e963b8738f3181f

        • C:\ed40df46d4930addcb5b0bd06315\ParameterInfo.xml

          Filesize

          1.1MB

          MD5

          43d3216ac960f4f0b3459698cc9198fc

          SHA1

          ca3adbf3d591f0a15a4f04f79d3a15b28e7201b4

          SHA256

          8e3d4d85e83451f153e912cc7a214cc9f3282949a40366f5c00fb0b89cd72b38

          SHA512

          64788a2dd6660b4e4ae00ad7ca3caa9bfeba1c5ce418f3f5aca2b27876f6de910e1e57a193c44c3d53349b4666163b1c70cdf760bbb6f6dc8d131d48dd7862f6

        • C:\ed40df46d4930addcb5b0bd06315\Setup.exe

          Filesize

          80KB

          MD5

          5b378d6133955269f9ff9571756e68be

          SHA1

          6ddc7a4179e092e9e7c5815b87df3e5e6a2b557a

          SHA256

          622ffbd06c57f0ee5e72f58bbab05780153b9cc8918b784597d7f141597e7f29

          SHA512

          441644895081905d9edc8c8c7ea9514e94390b89e94b5e94a34080c9efa382e3ff5d6edaea9fe03b7d8e1fcbc62b8e656e638d55940c4408046fa2c7ebc727f0

        • C:\ed40df46d4930addcb5b0bd06315\SetupEngine.dll

          Filesize

          859KB

          MD5

          62f60fbb153615f0f9854566462afffa

          SHA1

          b76ac946ae61ef577b12e0165f1ee39c79e05f40

          SHA256

          80d286407891cd55a6ee0822a9ba85ff9f1ca57e0d71a78049729276ea5f4d38

          SHA512

          718a5b42c7796eb2b14a26226f2de60bd804960c7c756baf44001d2a7df8faa463deccf9f30a4671c86a2110c225bd4ffad1343ef71a09b471da4132ae7fae19

        • C:\ed40df46d4930addcb5b0bd06315\UiInfo.xml

          Filesize

          35KB

          MD5

          8ace169bf65675c089e0327d5b1f7437

          SHA1

          43646e29c878f58ac4b5d7c192d11b3becd9e9f6

          SHA256

          8f7847cfc9ec70b6758f6fbe9b98809ca7bf8ecb25bf9b3a8e7e052b83dfa94b

          SHA512

          3e98f8351e96bab4b8cecf93e590c722233d119d7cec76445a0b170f69de647bd65eafeafecc8888573e986b3f80403480728c7a1e014961fbd60dc169ca5db7

        • C:\ed40df46d4930addcb5b0bd06315\sqmapi.dll

          Filesize

          223KB

          MD5

          0c0e41efeec8e4e78b43d7812857269a

          SHA1

          846033946013f959e29cd27ff3f0eaa17cb9e33f

          SHA256

          048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c

          SHA512

          e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28


          732KB

        • memory/1416-360-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-361-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-356-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-366-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-352-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-449-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-358-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-447-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-438-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-354-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-420-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-436-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-434-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-426-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/1416-397-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/2240-94-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/2460-344-0x0000000000B60000-0x0000000000B72000-memory.dmp

          Filesize

          72KB

        • memory/3408-129-0x0000020CF8130000-0x0000020CF8152000-memory.dmp

          Filesize

          136KB

        • memory/3848-332-0x00000235A9D00000-0x00000235A9D08000-memory.dmp

          Filesize

          32KB

        • memory/3848-333-0x00000235C4260000-0x00000235C43E6000-memory.dmp

          Filesize

          1.5MB

        • memory/3860-91-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-398-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-116-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-102-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-97-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-446-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-115-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-419-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-171-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-92-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-435-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-390-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4048-433-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4164-96-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4252-113-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

          Filesize

          96KB

        • memory/4568-379-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/4568-383-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/4568-381-0x0000000000400000-0x00000000004B7000-memory.dmp

          Filesize

          732KB

        • memory/4724-385-0x0000000000400000-0x00000000004B2000-memory.dmp

          Filesize

          712KB

        • memory/4968-119-0x0000000000A40000-0x0000000000A58000-memory.dmp

          Filesize

          96KB