asyncrat | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
36s
max time network
89s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 17:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

0.tcp.us-cal-1.ngrok.io:11837

Mutex

11bbf22e-826e-486b-b024-adbd86228a9e

Attributes

encryption_key
7A589EDBC6A581E125BF830EF0D05FC74BB75E30
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
ctfmon
subdirectory
SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

Manager

serveo.net:11453

Mutex

a851cc5b-e50f-4270-9929-06c6323cdb3d

Attributes

encryption_key
5A3C537E5FB2739D5B2468FC37915D58EF4AC5EA
install_name
Runtime broker.exe
log_directory
Microsoftsessential
reconnect_delay
3000
startup_key
Runtime broker
subdirectory
Microsoft_Essentials

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

0.tcp.eu.ngrok.io:15174

0.tcp.in.ngrok.io:10147

172.204.136.22:1604

Mutex

aNoM7pvDUvoo

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

127.0.0.1:48990

147.185.221.22:48990

163.5.215.245:9049

Attributes

Install_directory
%Userprofile%
install_file
svchostt.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

45.136.51.217:2222

82.117.243.110:5173

Mutex

d1mBeqcqGummV1rEKw

Attributes

encryption_key
h9j7M9986eVjQwMbjacZ
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

stealc

Botnet

QQtalk1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

xworm

Version

3.0

Attributes

Install_directory
%Userprofile%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ct3KF8KR

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

3.70.228.168:555

Mutex

bslxturcmlpmyqrv

Attributes

delay
1
install
true
install_file
atat.exe
install_folder
%AppData%

aes.plain

Extracted

Family

lumma

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://ponintnykqwm.shop/api

Extracted

Family

stealc

Botnet

Voov2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Helper Atanka

193.203.238.136:8080

Mutex

14f39659-ca5b-4af7-8045-bed3500c385f

Attributes

encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
install_name
diskutil.exe
log_directory
Logs
reconnect_delay
3000
startup_key
diskutil
subdirectory
diskutil

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000019451-1913.dat	family_vidar_v7
behavioral1/memory/3076-1920-0x00000000008D0000-0x0000000000BD0000-memory.dmp	family_vidar_v7
behavioral1/memory/3076-2038-0x00000000008D0000-0x0000000000BD0000-memory.dmp	family_vidar_v7

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0009000000019360-1328.dat	family_xworm
behavioral1/memory/3568-1329-0x00000000009D0000-0x00000000009E6000-memory.dmp	family_xworm
behavioral1/memory/3472-1821-0x0000000001270000-0x0000000001286000-memory.dmp	family_xworm
behavioral1/memory/3996-1848-0x0000000000AE0000-0x0000000000AF6000-memory.dmp	family_xworm
behavioral1/memory/3812-2749-0x0000000001050000-0x0000000001068000-memory.dmp	family_xworm
behavioral1/memory/3608-3748-0x00000000009A0000-0x00000000009AA000-memory.dmp	family_xworm

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/files/0x0013000000017049-565.dat	family_quasar
behavioral1/memory/2896-632-0x0000000000D20000-0x0000000001044000-memory.dmp	family_quasar
behavioral1/files/0x001800000001749c-873.dat	family_quasar
behavioral1/memory/1784-881-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral1/memory/4072-1232-0x0000000001310000-0x0000000001634000-memory.dmp	family_quasar
behavioral1/memory/2776-1289-0x0000000000100000-0x0000000000424000-memory.dmp	family_quasar
behavioral1/memory/3804-1591-0x0000000000890000-0x00000000008DE000-memory.dmp	family_quasar
behavioral1/memory/3100-1837-0x0000000000FC0000-0x000000000100E000-memory.dmp	family_quasar
behavioral1/memory/4144-3767-0x0000000000390000-0x00000000006C2000-memory.dmp	family_quasar

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000005b74-3864.dat	family_lockbit

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b0000000186ed-894.dat	family_asyncrat
behavioral1/files/0x000400000001de21-3782.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe
2932	powershell.exe
4172	powershell.exe
4116	powershell.exe
4044	powershell.exe
1936	powershell.exe
4600	powershell.exe
2420	powershell.exe
3908	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3636	netsh.exe
3404	netsh.exe
3820	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3720-2287-0x0000000000C90000-0x0000000000CDE000-memory.dmp	net_reactor

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	cbot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbot.exe	cbot.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk	com%20surrogate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk	com%20surrogate.exe

Executes dropped EXE 23 IoCs

pid	Process
2896	negarque.exe
1784	Client-built.exe
2480	yellow-rose.exe
2692	CrSpoofer.exe
4072	Client.exe
2776	Runtime broker.exe
3376	Serials_Checker.exe
3568	com%20surrogate.exe
3744	networks_profile.exe
2676	PaoNan.exe
4068	networks_profile.exe
692	tacticalagent-v2.8.0-windows-amd64.exe
3472	tacticalagent-v2.8.0-windows-amd64.tmp
3288	testingg.exe
3392	cbot.exe
3960	maza-0.16.3-win64-setup-unsigned.exe
3916	server.exe
3804	jgesfyhjsefa.exe
3336	jet.exe
3232	RambledMime.exe
3412	NVIDIA.exe
3104	jdrgsotrti.exe
1292	donut.exe

Loads dropped DLL 53 IoCs

pid	Process
1028	4363463463464363463463463.exe
3032	4363463463464363463463463.exe
2640	4363463463464363463463463.exe
2640	4363463463464363463463463.exe
696	4363463463464363463463463.exe
2480	yellow-rose.exe
2640	4363463463464363463463463.exe
2640	4363463463464363463463463.exe
1568	4363463463464363463463463.exe
3764	Process not Found
1140	4363463463464363463463463.exe
3744	networks_profile.exe
2040	4363463463464363463463463.exe
692	tacticalagent-v2.8.0-windows-amd64.exe
2784	4363463463464363463463463.exe
2784	4363463463464363463463463.exe
4068	networks_profile.exe
2784	4363463463464363463463463.exe
2784	4363463463464363463463463.exe
1644	4363463463464363463463463.exe
3960	maza-0.16.3-win64-setup-unsigned.exe
3960	maza-0.16.3-win64-setup-unsigned.exe
3288	testingg.exe
3288	testingg.exe
1644	4363463463464363463463463.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
2968	4363463463464363463463463.exe
2968	4363463463464363463463463.exe
3336	jet.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
340	4363463463464363463463463.exe
340	4363463463464363463463463.exe
2108	4363463463464363463463463.exe
2108	4363463463464363463463463.exe
340	4363463463464363463463463.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found
1184	Process not Found
696	4363463463464363463463463.exe
696	4363463463464363463463463.exe
3364	WerFault.exe
3364	WerFault.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anf4anlh.bmz\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\goamnqml.olm\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\anf4anlh.bmz\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\goamnqml.olm\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zk01l2pp.rod\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zk01l2pp.rod\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Serials_Checker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchostt = "C:\\Users\\Admin\\svchostt.exe"	com%20surrogate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
135	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
78	raw.githubusercontent.com
83	raw.githubusercontent.com
115	raw.githubusercontent.com
232	0.tcp.in.ngrok.io
275	raw.githubusercontent.com
298	raw.githubusercontent.com
240	raw.githubusercontent.com
288	0.tcp.us-cal-1.ngrok.io
68	raw.githubusercontent.com
98	0.tcp.eu.ngrok.io
134	raw.githubusercontent.com
200	raw.githubusercontent.com
46	raw.githubusercontent.com
56	raw.githubusercontent.com
109	raw.githubusercontent.com
214	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
90	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.exe	server.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-1422-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1421-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1419-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1465-0x0000000000400000-0x0000000000B05000-memory.dmp	upx
behavioral1/memory/2676-1464-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1462-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1460-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1458-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1456-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/3392-1485-0x000000013F050000-0x000000013F069000-memory.dmp	upx
behavioral1/files/0x0005000000019dde-1482.dat	upx
behavioral1/memory/2676-1454-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1452-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1450-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1448-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1446-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1445-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1442-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1440-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1438-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1436-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1434-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1432-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1430-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1428-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1426-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1418-0x00000000002E0000-0x00000000002EB000-memory.dmp	upx
behavioral1/memory/2676-1424-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1423-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2676-1645-0x0000000000400000-0x0000000000B05000-memory.dmp	upx
behavioral1/memory/3392-1658-0x000000013F050000-0x000000013F069000-memory.dmp	upx
behavioral1/memory/992-2114-0x000007FEE8C60000-0x000007FEE9252000-memory.dmp	upx
behavioral1/memory/2676-2448-0x0000000000400000-0x0000000000B05000-memory.dmp	upx
behavioral1/memory/4620-3766-0x000007FEF6CB0000-0x000007FEF7115000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\svchost.exe.exe	server.exe
File opened for modification	C:\Program Files (x86)\svchost.exe.exe	server.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3756	sc.exe
3776	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001878e-1341.dat	pyinstaller
behavioral1/files/0x000500000001a4df-2120.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3364	3232	WerFault.exe	153
3608	3720	WerFault.exe	184
3192	1208	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgesfyhjsefa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RambledMime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaoNan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maza-0.16.3-win64-setup-unsigned.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yellow-rose.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tacticalagent-v2.8.0-windows-amd64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	testingg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3368	PING.EXE
3728	PING.EXE
3832	cmd.exe
3264	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3380	timeout.exe
4792	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3712	taskkill.exe
3556	taskkill.exe
3956	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3368	PING.EXE
3728	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3188	schtasks.exe
3284	schtasks.exe
3252	schtasks.exe
4004	schtasks.exe
3732	schtasks.exe
2936	schtasks.exe
4836	schtasks.exe
3228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe
3392	cbot.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3916	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	4363463463464363463463463.exe
Token: SeDebugPrivilege	340	4363463463464363463463463.exe
Token: SeDebugPrivilege	2968	4363463463464363463463463.exe
Token: SeDebugPrivilege	1028	4363463463464363463463463.exe
Token: SeDebugPrivilege	1140	4363463463464363463463463.exe
Token: SeDebugPrivilege	3032	4363463463464363463463463.exe
Token: SeDebugPrivilege	2108	4363463463464363463463463.exe
Token: SeDebugPrivilege	2040	4363463463464363463463463.exe
Token: SeDebugPrivilege	696	4363463463464363463463463.exe
Token: SeDebugPrivilege	2640	4363463463464363463463463.exe
Token: SeDebugPrivilege	1644	4363463463464363463463463.exe
Token: SeDebugPrivilege	1568	4363463463464363463463463.exe
Token: SeDebugPrivilege	2784	4363463463464363463463463.exe
Token: SeDebugPrivilege	1420	4363463463464363463463463.exe
Token: SeDebugPrivilege	2840	4363463463464363463463463.exe
Token: SeDebugPrivilege	296	4363463463464363463463463.exe
Token: SeDebugPrivilege	2896	negarque.exe
Token: SeDebugPrivilege	1784	Client-built.exe
Token: SeDebugPrivilege	4072	Client.exe
Token: SeDebugPrivilege	2776	Runtime broker.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: SeDebugPrivilege	3568	com%20surrogate.exe
Token: SeIncreaseQuotaPrivilege	3660	WMIC.exe
Token: SeSecurityPrivilege	3660	WMIC.exe
Token: SeTakeOwnershipPrivilege	3660	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4072	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4072	Client.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4072	Client.exe
2676	PaoNan.exe
2676	PaoNan.exe
2676	PaoNan.exe
3804	jgesfyhjsefa.exe
3568	com%20surrogate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 2896	1028	4363463463464363463463463.exe	64
PID 1028 wrote to memory of 2896	1028	4363463463464363463463463.exe	64
PID 1028 wrote to memory of 2896	1028	4363463463464363463463463.exe	64
PID 1028 wrote to memory of 2896	1028	4363463463464363463463463.exe	64
PID 3032 wrote to memory of 1784	3032	4363463463464363463463463.exe	66
PID 3032 wrote to memory of 1784	3032	4363463463464363463463463.exe	66
PID 3032 wrote to memory of 1784	3032	4363463463464363463463463.exe	66
PID 3032 wrote to memory of 1784	3032	4363463463464363463463463.exe	66
PID 2640 wrote to memory of 2480	2640	4363463463464363463463463.exe	67
PID 2640 wrote to memory of 2480	2640	4363463463464363463463463.exe	67
PID 2640 wrote to memory of 2480	2640	4363463463464363463463463.exe	67
PID 2640 wrote to memory of 2480	2640	4363463463464363463463463.exe	67
PID 696 wrote to memory of 2692	696	4363463463464363463463463.exe	68
PID 696 wrote to memory of 2692	696	4363463463464363463463463.exe	68
PID 696 wrote to memory of 2692	696	4363463463464363463463463.exe	68
PID 696 wrote to memory of 2692	696	4363463463464363463463463.exe	68
PID 2896 wrote to memory of 3188	2896	negarque.exe	69
PID 2896 wrote to memory of 3188	2896	negarque.exe	69
PID 2896 wrote to memory of 3188	2896	negarque.exe	69
PID 1784 wrote to memory of 3228	1784	Client-built.exe	71
PID 1784 wrote to memory of 3228	1784	Client-built.exe	71
PID 1784 wrote to memory of 3228	1784	Client-built.exe	71
PID 2896 wrote to memory of 4072	2896	negarque.exe	73
PID 2896 wrote to memory of 4072	2896	negarque.exe	73
PID 2896 wrote to memory of 4072	2896	negarque.exe	73
PID 1784 wrote to memory of 2776	1784	Client-built.exe	74
PID 1784 wrote to memory of 2776	1784	Client-built.exe	74
PID 1784 wrote to memory of 2776	1784	Client-built.exe	74
PID 4072 wrote to memory of 3252	4072	Client.exe	75
PID 4072 wrote to memory of 3252	4072	Client.exe	75
PID 4072 wrote to memory of 3252	4072	Client.exe	75
PID 2776 wrote to memory of 3284	2776	Runtime broker.exe	77
PID 2776 wrote to memory of 3284	2776	Runtime broker.exe	77
PID 2776 wrote to memory of 3284	2776	Runtime broker.exe	77
PID 2640 wrote to memory of 3376	2640	4363463463464363463463463.exe	79
PID 2640 wrote to memory of 3376	2640	4363463463464363463463463.exe	79
PID 2640 wrote to memory of 3376	2640	4363463463464363463463463.exe	79
PID 2640 wrote to memory of 3376	2640	4363463463464363463463463.exe	79
PID 3376 wrote to memory of 3408	3376	Serials_Checker.exe	80
PID 3376 wrote to memory of 3408	3376	Serials_Checker.exe	80
PID 3376 wrote to memory of 3408	3376	Serials_Checker.exe	80
PID 3408 wrote to memory of 3520	3408	cmd.exe	82
PID 3408 wrote to memory of 3520	3408	cmd.exe	82
PID 3408 wrote to memory of 3520	3408	cmd.exe	82
PID 3408 wrote to memory of 3448	3408	cmd.exe	83
PID 3408 wrote to memory of 3448	3408	cmd.exe	83
PID 3408 wrote to memory of 3448	3408	cmd.exe	83
PID 2640 wrote to memory of 3568	2640	4363463463464363463463463.exe	84
PID 2640 wrote to memory of 3568	2640	4363463463464363463463463.exe	84
PID 2640 wrote to memory of 3568	2640	4363463463464363463463463.exe	84
PID 2640 wrote to memory of 3568	2640	4363463463464363463463463.exe	84
PID 3408 wrote to memory of 3660	3408	cmd.exe	86
PID 3408 wrote to memory of 3660	3408	cmd.exe	86
PID 3408 wrote to memory of 3660	3408	cmd.exe	86
PID 3408 wrote to memory of 3716	3408	cmd.exe	87
PID 3408 wrote to memory of 3716	3408	cmd.exe	87
PID 3408 wrote to memory of 3716	3408	cmd.exe	87
PID 1568 wrote to memory of 3744	1568	4363463463464363463463463.exe	88
PID 1568 wrote to memory of 3744	1568	4363463463464363463463463.exe	88
PID 1568 wrote to memory of 3744	1568	4363463463464363463463463.exe	88
PID 1568 wrote to memory of 3744	1568	4363463463464363463463463.exe	88
PID 3408 wrote to memory of 3876	3408	cmd.exe	90
PID 3408 wrote to memory of 3876	3408	cmd.exe	90
PID 3408 wrote to memory of 3876	3408	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2596
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
  2⤵
  PID:4560

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:340
- C:\Users\Admin\AppData\Local\Temp\Files\RambledMime.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RambledMime.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 72
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3364
- C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3412
- C:\Users\Admin\AppData\Local\Temp\Files\uu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\uu.exe"
  2⤵
  PID:4524

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2968
- C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3336
- C:\Users\Admin\AppData\Local\Temp\Files\s.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\Files\hack.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hack.exe"
  2⤵
  PID:4728

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Users\Admin\AppData\Local\Temp\Files\negarque.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\negarque.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3188
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "ctfmon" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3252
- C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe"
  2⤵
  PID:5036

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1140
- C:\Users\Admin\AppData\Local\Temp\Files\PaoNan.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PaoNan.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\Files\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\aa.exe"
  2⤵
  PID:2380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5B8.tmp.bat""
    3⤵
    PID:4444
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4792
  - - C:\Users\Admin\AppData\Roaming\atat.exe
      "C:\Users\Admin\AppData\Roaming\atat.exe"
      4⤵
      PID:4812
- C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe"
  2⤵
  PID:3256
- C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Sync.exe"
  2⤵
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\Files\VB.NET%20CRYPTER%20V2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VB.NET%20CRYPTER%20V2.exe"
  2⤵
  PID:4232

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Runtime broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3228
- - C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft_Essentials\Runtime broker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3284
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2932
- C:\Users\Admin\AppData\Local\Temp\Files\Xbest%20V1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Xbest%20V1.exe"
  2⤵
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\Files\Xbest%20V1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Xbest%20V1.exe"
    3⤵
    PID:992
- C:\Users\Admin\AppData\Local\Temp\Files\MS14-068.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MS14-068.exe"
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\Files\MS14-068.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\MS14-068.exe"
    3⤵
    PID:3416
- C:\Users\Admin\AppData\Local\Temp\Files\Prototype.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Prototype.exe"
  2⤵
  PID:4908

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2108
- C:\Users\Admin\AppData\Local\Temp\Files\jdrgsotrti.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jdrgsotrti.exe"
  2⤵
  - Executes dropped EXE
  PID:3104

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2040
- C:\Users\Admin\AppData\Local\Temp\Files\tacticalagent-v2.8.0-windows-amd64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tacticalagent-v2.8.0-windows-amd64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\is-USHL3.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-USHL3.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$10364,3652845,825344,C:\Users\Admin\AppData\Local\Temp\Files\tacticalagent-v2.8.0-windows-amd64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3264
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3368
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrpc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrpc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net stop tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:3888
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalagent
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalagent
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3832
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
    - - C:\Windows\SysWOW64\net.exe
        
        net stop tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM tacticalrmm.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:3712
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalagent
      4⤵
      System Location Discovery: System Language Discovery
      PID:3620
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalagent
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3756
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c sc delete tacticalrpc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3572
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete tacticalrpc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3776
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c net start tacticalrmm
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
    - - C:\Windows\SysWOW64\net.exe
        
        net start tacticalrmm
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start tacticalrmm
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
- C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe"
  2⤵
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\Files\OfferedBuilt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\OfferedBuilt.exe"
  2⤵
  PID:4164

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\donut.exe"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe"
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\hbfgjhhesfd.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2936
- C:\Users\Admin\AppData\Local\Temp\Files\000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\000.exe"
  2⤵
  PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:3128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:3556
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:3956
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:3848
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:1868
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:1896
- C:\Users\Admin\AppData\Local\Temp\Files\jgurtgjasdth.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jgurtgjasdth.exe"
  2⤵
  PID:3332

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\system32\cmd.exe
    cmd /c "Serials_Checker.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\mode.com
      mode con: cols=90 lines=48
      4⤵
      PID:3520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get serialnumber
      4⤵
      PID:3716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:3876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:2720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:3544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:3672
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
      4⤵
      PID:3892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:3852
- C:\Users\Admin\AppData\Local\Temp\Files\com%20surrogate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\com%20surrogate.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\com%20surrogate.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com%20surrogate.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchostt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1948
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\Admin\svchostt.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3732
- C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe"
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\FIDAFCAFCBKE" & exit
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:3380
- C:\Users\Admin\AppData\Local\Temp\Files\diskutil.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\diskutil.exe"
  2⤵
  PID:4144
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4836

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1644
- C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3804
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jgesfyhjsefa.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4004

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4068

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2784
- C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3288
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3916
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3636
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3404
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3820
- C:\Users\Admin\AppData\Local\Temp\Files\cbot.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cbot.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe"
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 52
    3⤵
    - Program crash
    PID:3192

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1420
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    PID:2884

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2840
- C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\JJSploit_8.10.7_x64-setup.exe"
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\Files\main1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\main1.exe"
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\Files\main1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\main1.exe"
    3⤵
    PID:3440
- C:\Users\Admin\AppData\Local\Temp\Files\OLDxTEAM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\OLDxTEAM.exe"
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 528
    3⤵
    - Program crash
    PID:3608

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:296
- C:\Users\Admin\AppData\Local\Temp\Files\mtbkkesfthae.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\mtbkkesfthae.exe"
  2⤵
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\Files\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client.exe"
  2⤵
  PID:3228
- C:\Users\Admin\AppData\Local\Temp\Files\dlhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dlhost.exe"
  2⤵
  PID:3812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\dlhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dlhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\dlhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4116
- C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
  2⤵
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
    3⤵
    PID:4620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-583149141373534224-17199573971071011262791168571422580867-10867689741824754310"
1⤵
PID:3264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-157161531841472796-10466596-901694255127225994311838976584280521641529096024"
1⤵
PID:3832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1990345512828504065-2134374444-368423355-6881627149559395221238565738-252512119"
1⤵
PID:3776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1781500818-1558474436-130145461817537924391216573006116006034911710566841499380746"
1⤵
PID:3324

C:\Windows\system32\taskeng.exe
taskeng.exe {3982E192-EFF8-49F8-AF21-B5AB1A6276CD} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:3760
- C:\Users\Admin\svchostt.exe
  C:\Users\Admin\svchostt.exe
  2⤵
  PID:3996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:4136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edc4d1d331dc5f1042fa897832985d56

SHA1
ed0d321a1999c5ecd8e5ba776140960731bdfc41

SHA256
8aa8ffdbd25be0480ae12670c10629652ae25f788435ff3d0c07fd76ee13f8c9

SHA512
f2715c098bff0b492c7e4c033950920129e92c157ff27f9e49b28bcf76ca97dd9b8bfc660f6ad85ed101169dd31fc82fc1e3aedaca0d95960a3601583c4789b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b96f6c6b85f6aa4070b5c81e26444397

SHA1
3791635d6dc17891b6efe38fbed5d60e68df78aa

SHA256
13c7974a50d7784ba16645867edd463b1fa35f5442d9a7abf9dfa04e71cb7c86

SHA512
76656e3524a784517aa3b842e6fdb4d3af8de8b02b559790563b8a4344fecace6f839c0708de1b206d5f4cde2c3c9ca9e6dd624ed901e856e85dfecc5e57524f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd8e570132e108fc65c0748b2f7b16d

SHA1
cfc04e98ab9c612b0fc4e1094e0b1f9dbe78252d

SHA256
c76757d0ebe1a8abc2eabf1e09dd962f64a997809188dc042953e455047d7091

SHA512
3e51ea3733f588ce1cb0aadcab04f0eb60899dd0b611ae37f23f7e09d1fba256ccdf895a5680396a7adac3cf9488ed6699b9938d4febd7e9cd4ef287e4bd043c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57f63c81a8ccb8d956601fd328e2f25f

SHA1
27e6aa2d2ad2f9413553e863ee350ffa4c445e4b

SHA256
cf19a73e0b147313834716d1c6037853216bd3d4d280448721aaf93a7c4569af

SHA512
0104766b3717122b027bb7d7b08d0e830e977a0f8741b1228b097150c10a0ced1d1f422ff0a961a536cc217b1cef37a4be74645b55ee0585323be1d4f5c0f778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c89aa44565692fc495a2584f505b59d

SHA1
c609eb180c0a4bec774dd84b73fe8910a813a498

SHA256
dcd61fe6aed6b5805d05d999f6d0279bda3b6b7d9b57358150c0269d2314b184

SHA512
b1b36d4d1fdb23380bbee58487ea877b5141bb2c2163580db8d006503ffe97c25411de9055723b9ba00a9a6107e6d66342877af27afd79f395b5c09a68fe6410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ea80b5108c86c47844531d64e70897c

SHA1
9f4b2039381a3ce121d91c9263b13310e79dd633

SHA256
2f9312d2af82f5e2728579b3fb710b3a49dcf662c5c14535db3b9f158fca5a9a

SHA512
b10f71605ee908e8afff087533955f225150800e9ee73bdb6e5667308cdadb365c1271772b68bd8b461b37a447c8196117ecd71ba3295cdd25e7c0b804b40c25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acfeaced0b3b7c8fbea90b70f128d442

SHA1
e654800c96c6a52a0385dc7c97e1ef9b07acbbd5

SHA256
379751170182e17ff9c1fd1634619e66aa0791f629363417a3c43a3bd3549995

SHA512
c4c9c1017c394220cb347175ad4138f74a595d3f254ba50096ab93fef8afa3047bbf3e942571964d8892dfac15188e0edda885b01088af15d6415c87f20966fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592b2ea3569e2572cfcbf8d49d124580

SHA1
a9dcf330061e41845b5d2eeafcadfe14901d0010

SHA256
e1ab6766eb6d32801eb7aa3ff541acedf6e4c35ac42af783a478babea2bb59d5

SHA512
f2096028506b7ee061305672e70563bece3c71d59ba34cd5dca017e2cc6d6fa7e8aaaf464846a0ec82c78c6068a62d817d204f5bd97591d3e7eade20382cfe3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b81446083fdd220ce329dcf5071bc89

SHA1
f070c83fdeab50f2ee40c8e7301c7d831773a290

SHA256
1d3984f4a03713ef55f0386c282fab4a72a04132004cf174eec5c249a08dc58b

SHA512
bceaf81c23e1f60c0462c60b9d4ecf8f8dc9c444aad98635e4cda2dd7a7ba9bb0c57fd404370368582c72b70ec2c880ed22cd8318c39ac90e9abe1fdc9242c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9db0d1c6cb13fd62b3de8455e5149206

SHA1
acf8e322165e376c4e1bacfd7c6022df59d5a341

SHA256
576bc46931b36dab9ebdfd1ef72e88e7184d644269b6225201dbb72ad37734fd

SHA512
926c8e782bb928b87e83d160980eded9be46158dc5ad3d1ee6f42066706a6a14a21950f86b27d4b741183b076c6a165e932c755deba0ff2081f739c1ed765f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3140769f9e482c49160f36b54e22a977

SHA1
95c4c0c415c716ef9e43f9f8f45d3e00473b7e66

SHA256
388a8c36f275b820f28700db51cc3b066048cd739904ad96fea0111c9658b176

SHA512
7996efa69327a32d6c211287a9d91aa517e3f197d0fc5c8cdc90ffe8333c6a13e036fd07c5fdcee28265aac749c9dea3864fd3385ee86e3b35b2c44fc05aaec4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
532d82a270c120627a9f603560d91069

SHA1
8066debd56a87e0d33e1b841239e33768c28b7f7

SHA256
8d765aaba4dad8a59a96cf2759f63864858968d606524042ac9e979e829b84c0

SHA512
ff3a2bd6fcdeaafca2587964c401439758172cb33790d3caf12fdb535e32e8c049e22cffa8661f70281d558fa6564988c16817f263735fcd0010688af5536586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1345629e07e37ef2f7ec91b308a05b7

SHA1
875d66aa710c4052574a153f4e1b60ae6120d2d3

SHA256
7efaca417124e5c83f445039228ee56661ca704a45f4ac9a85af24d5298d3078

SHA512
d93013056abe1cdf3ddfd7a2d93fe32b78f275cf78f25a4e22129501a98f62c6d58f89051741e33b8112fe7acf0c6f27432fc690579b4fdc5cccd205532ac424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e3f292e4814be8f5cd8c96e90a1c5d2

SHA1
0cf973754e9aa4f3a47ec44807fd71d27e22a2c3

SHA256
5395172c6eceab95ba594409d4e317e5ac6738a08b48b49d2687a546a664d772

SHA512
5bdd1fb091ff88e5445de22560cdea5f6051d0e718aa6130a11e425de938a59a60949777ea0903de19175bfaf6f1c152a251ee72c74ec2c16b9059022347aa81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
768da4da554d884bf6d3a4d888141d12

SHA1
ce521a824d7e854301f8537b16d235e11fc95608

SHA256
cc95fd8a6e36557e6374c2a24097361ce4db9cee02b841c3bf3d93a1d96a7706

SHA512
502dca627765f40d384775242dd7fed497c0b5df1d54ccb8bfca8dd6f706bdf0b5f5eb140e12c6f871e2a96353fbd3ca2858e0f000327e4768c140920c2ea8f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80c07ac60c7f16db3eac97354fa3a9f3

SHA1
9ebd0da7debda9280119d2757463d7d1cffce40a

SHA256
18e5dfca188e964324e7c76af873238f109ce1932b2523d427cc6442930eb9cf

SHA512
47cc571aa7c309158fc37f7ce2a2da853c3149ef2eef394b8f6b7ba80370d26486d5a013a716575dcba8dd1422ea1a0dc6d03b949e340eafc0bdc6a66a9cf967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3e8c514d7b1c8cdb1de65ac47b982a

SHA1
0dd2dc1957dd49e5f223e0178fd7388a04a9cf41

SHA256
20ee1791527d4a1beef9229de9a2c64c7066165793850d0b7c0fe1cd3095f696

SHA512
905d32a2f75ab06a97df69542f22c93328b1dc035c7c58ab10e189191c4a13c97d781984350e256782091694f048d474a5ef3cdb78dce03029ca567021350ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3916a0a11e33698ba45fc9e93e08ed6b

SHA1
37ee17b9fc7860074f46853f50303fb4dbd30d55

SHA256
d89875a029df0b8b295c97ccb9a9e33f2a20387ca1d427aef5058af600971f57

SHA512
7e7646c5a8c2fd7acae21f5fdb2d23bf01444f4f136b0eced0a8c7215f4f6543fca16d6518c7e49d82dfb252a79ce0efd35a0501d941e059a049672db5fdcb3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac8eeb0947320d97d1291d482351d0a2

SHA1
4f4776ac487a29a197ab017280d10b0cd44a8bf3

SHA256
30a203255f6b3017ba41670b4fdce975537e9c1e5d268112452a332706828183

SHA512
b7e23027c63168ceb2232b50419e07d7c898563361f92f8621b754532bcc4f4189c101fcebaeeb84fee82b7ee7373dcf4c3ac3a6fc8af887610973225af3e3a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee9ef0bccb418f0f25634352fa954f27

SHA1
784fa533d9fd6682f57b65e1d5814beee134f070

SHA256
8b2d4a695d499d1c5e6734960e971327fb5f506c5ca51d38bfa9c724aa07801e

SHA512
c8be6420d75ed81ddab8c08a049901997d3efff1ccae05ae00050ae33778d8a580f9ea796edf8b4d71be95d4f12eca287a6a1a6f7def13f753fe73469043d082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f58bdf05d4a4dd6d956d13aae9b558d

SHA1
a9dea662738066e5a5dcb9c372dff86b08c40201

SHA256
cb25966280020d86959409a7022da73ad8c6da66c1bb3088c65e75866d0e9589

SHA512
689e641975b7626c969c0726d6af632d2767d63d5a1b9ec01da0723eb5eee35d2cbc4c035eacc8a3d02823e527f0281654bfd942369d3f1d2add54b8fc44783e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2c0e3f5b1881f8a1a0b5f143d3024bc

SHA1
4bd84cd887e74dcda1008dfa993635644348f284

SHA256
691d5843cf2278d94e265f99fdb57802999e502db063e6fec1e8071619b03153

SHA512
2a9a6f3fb1cb7248253c78485018d48430cccc23336ffb2471e7641c0af8c027abac5beeafe86d516f7575e20268164584e96b3bd88efb23e2fe355d5e78117b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5580a21002c6e848d561c9966df5a22

SHA1
ef68cb15d183e46d991151e16c1107b378b360ee

SHA256
652ff311fbca70783a19162a3dd616213eff4d46d69a6ce27517ddfc8d2c90ed

SHA512
3347d787ef01eef5a9a911ecdab7d34a22c8a2528fcfd367d3f7035bcef44236150ba63bd637085aba0c2ede731d6882fc7fdfe0af1ced1da369b416d6588f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d0c4f53fb8bb7679b1b3705503f7aca

SHA1
da01dd2d87427bea0f696df84eeb701defcf835a

SHA256
e1df4cb1c92aa739b4c4c9b9058036280d54f6e3d9a0608047ef0580b194e719

SHA512
b7adb17741ad89610354960909cec2eb421fb524cbdc027ca834a885d1e2fe557068dc8c9b6cc7986e4cc593715e3991c9dd457333bb177fba4dca5373c4ba34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ccc3f7e218b06d6813262fa7ab6ae00

SHA1
b5c46152cb6aa54321cf2843ff83c93827ed904d

SHA256
815d5b2590fb2f23aed538627ee1cc8e5be79c98c78c43c0fe67648c4accd0f7

SHA512
047991798074a173d88cb6debeb0af02770d15ffee2bc7e52847fa694bc24954363967c79c1c69d26b2eb125fc29e16eba4298688a681dd3c76fe075b42cab0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45f4df2992d1df72a42476dc2be79227

SHA1
7da928fe0a5e348b8f17e6be742958de5f852e8a

SHA256
99ee64249bf9254d0e142aed217e4478f7724bc343fbc04277c58042f8f44d0f

SHA512
142044986a18c5a05664dacffe224b0c82e0e3040e8c7b3617c92d3cbc340dadb44d20a3ba6e7ea3e5d5a86de86cfaed72c2f0b036beb292b718fd04abde0f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa2d09e5f66adf902a15c56a45dfefd0

SHA1
bcc5e7daf24788c088fc9e0afc4fd52910f75e08

SHA256
83b1b6a06caf57fa17b49113b3968d4680d48cf7e148f0cbc50a49dd4b1b6268

SHA512
0c818a583bcd5889909c528baf6f669f49c15179122151fb2ccb1f71298fbf492b7b35d45837a511310b9692df33b1a85e592e1008fef111863e4c67c5914f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dea65496dbe5bb6e20e4fd7e489dba6b

SHA1
d9a1faca9d646176920751192471c077ed48766a

SHA256
84c20f03130ee4e66d56332051399281fdcb9bc408f9806ae8a6f690827652e7

SHA512
a8529134a40ffcb468236e82ae397ad7e6f7d31cfb0aad9d58bf40856906e602a8decb6c7ca286a76883883459139f1d2f691ea9cb41bf94c9cfe52a7d001167

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c20b978089a12971f46911436da30be7

SHA1
7f1707df37353edb496afde54933acface734341

SHA256
f88a919e8289119c574fc44571e7a41da3cedc30a9dda4828b05f17ee6884575

SHA512
a1c172f2bdfb2f6e289c7f4a2e3f74b0ae34200e035847f095e3517212a6192125e97d121e177acab62fa3e4bfbfbb08d8ca731a83237e7143d788ec46741484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c4dfd762b44ac7969132e5742aed041

SHA1
fc6df59fdd17141d9c49af0c4294398543cac7e3

SHA256
18e9800cfc87db4ccb6accf1a427c8c412501e7e7ae4bca591445b056165396c

SHA512
bb8690f06fbf500897e95fb65f7cec0f8dd7fc31df9325f3e6f57561b99aaaeb11df251584a90ae41ae216b325757fd8f2a49910d220c5a384e4abb8c00d4423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e343c8fbe964242243dc38d178f690a5

SHA1
3e6dbd07a13af1efb3b29f0c99c9cf0d6504ef57

SHA256
a78149fc3423fb5c051e8457eecd258c9a3ac5fafe5ad92c776c042ae9015daf

SHA512
ff8d5f6e06cc703eed378960272b1d58d12ecef2f24afc54e1977514beed32b62c70ff97b626f1076fa7203bdacb938b635c14417922d147277bb65d1a3a2bf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
828ab9c06ef978bd111e040fabe46a97

SHA1
90ffdf7531525c77a52f197403b956dd600e8375

SHA256
7ea39c97804f73850683df1dd533e17f082e6f58290607413ab19f3b8dca47ad

SHA512
8b8c3a66143ebfbff399f22699160b4ca72825c56175767fde217a9246fd13b48ca63d5d5a7bdf75a57b530a84bd15c9589c834d3e8c867a32770603137158f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de469a917648b86b4125db8eb4e36bb8

SHA1
d7fd5db0b95703ad62857e7242f01a8c7ef25148

SHA256
5823fa330fb5f5a5deb0e25631358918501c47d8f1731e2b38e30c590ba6edf4

SHA512
228737b56a80144dceb1ddeea599f6f4740c2e07479f81f2b38a6a261b85730c23c03f9fb38a40f606fb5c7f7539ddfb2bb22eeefcb74f73e601c930147c68b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1bb257f5cfe59bb4f42c4170e82a74

SHA1
75349986c24cfb02b8ec937a7c34da77329e958b

SHA256
a5f34b1a998168669ec3be65c3498bf7552787d495647b0c5856b9bf93539df0

SHA512
57cbc746ec88c2c070aada6ecedeb867215f953a7432306e6b9d8aa7ba5814a14d2b4cc838d1b309d1ce3732f467bdb2129c7875dd667318132700ebfd2bfc0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1ae81fa8cdd4f71c7ac3e8036a5ecddd

SHA1
d47bbea0cefc2ccb7d9293ddeaa466805129aa9c

SHA256
52fc3f24249d44c83f5673a903c0d62b9517674087b46f4a56a936cea2e5f148

SHA512
11715a71ebe6cef1e4a92c08574d3ab91d50bf755d73303b6d31a6ffbbadb21318c9e44b8c00f202f57d586f95d6db31f78b96c74b498bfb73b2bc692ea2e92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
ec4bf685a07ce28f5fa2e8ce338bef03

SHA1
c1b1ea69009b0a43e07c6ead006c443a797aea6b

SHA256
81e4d2ba794c586ac707ec9d88ceb9252724b768a2bf1b6f846fd436eff491a3

SHA512
7e6b06e5609a9384334c2fafad3f7c45afd427277bc3bd2539cfaf10bdbb8428e168c8897cfca3426062ec381a6c36ebc0dc90cec2d0103c2873cf7d0c1bc7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF5B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
3.1MB

MD5
8cadd9d05b28bdf0f3caeed0ce516d9c

SHA1
b6b04039117acc2ffaef424eeaf6d99b4086487f

SHA256
7fc8b932158ef8ced6bebf0c254f96cd6cd4cd1a0fd3a90e54652768c477aaf7

SHA512
2e1c01240ac20ac2a374926893fa4796d4f4daa8f479c1c55ad62791ca0cb32cc8baf192d849abefc9c1a88d69045f4aeb563105d5d54fcac049b3b8f2ba7fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe

Filesize
72KB

MD5
d1ba5271cc1825702119cfd7e0232f81

SHA1
89515a56e8963338673fc076f0143ddd005910fe

SHA256
9b4013e7e8decdbe58db125765084aaaff774701c363ffbbd4f8dd24eda4fc3c

SHA512
88ef050d054f7c7bf847c762c34a4797e171534c769265b615cdb75246b6535c5b97e135f94431debd2cea2cd8b7fd905f08c601d3032545e7842fd04e8c0728

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Journal-https.exe

Filesize
321KB

MD5
01eec167288db3f18288cc9c88adb3c6

SHA1
70f205c1c9762dd7ce19f50af83b282111dd3a52

SHA256
c85b4b2a7cf3a9d1f52c355f26b918cf562c02af28bf2f43e7ebecbde5bae8d8

SHA512
4697a8162a3c187a058aaad4f02eedd603324810495d2d6687462fb3329f4bf2f8e704d61dd72a390045bac3c58cbd5b2a214fa4c00f9249ec8ef04b3876a3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MS14-068.exe

Filesize
3.3MB

MD5
6450254d888950d0137da706c58b2fe4

SHA1
677f7c6e9fa320ac3175619b69acc61da6e07539

SHA256
6782c5111abd17435851432895b55cc6371d323a06d710801551cea800bf65d0

SHA512
c4c515149e00a8aad95a4715ba48166be2e6f402b711000ea9257e364f956ebb43a5297314f74bfde49fe72b3e06e7d8659161f012b5cb428a8210117545b0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Prototype.exe

Filesize
72KB

MD5
be9cf1233b2ee932a3f1e4d0731e7903

SHA1
3d004f963cae751f5be3914cd91d1c38f4df7f2a

SHA256
dcfe0636c7f7a34fc02249d3af2d7178580c0038ee355e08ba316c2bb48d5761

SHA512
13689dd7155885bd1e51db2fe844b85bd79986276f1901d057991f37f87195585ec17b26fb47deea699fefb01685a7d24cf93b415d813b0b2dd000322d15c6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RambledMime.exe

Filesize
1.4MB

MD5
8ccd94001051879d7b36b46a8c056e99

SHA1
c334f58e72769226b14eea97ed374c9b69a0cb8b

SHA256
04e3d4de057cff319c71a23cc5db98e2b23281d0407e9623c39e6f0ff107f82a

SHA512
9ce4dc7de76dae8112f3f17d24a1135f6390f08f1e7263a01b6cb80428974bf7edf2cde08b46e28268d2b7b09ab08e894dd2a7d5db7ebffe7c03db819b52c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Serials_Checker.exe

Filesize
156KB

MD5
7bb94f8ef9ae8d6440291eead6967970

SHA1
154414a487b8f61f0b5e894fa48372ee8158f8ae

SHA256
5541c5c5a62d4bfa83b4e1f1202d9cedbb1c9c642daeaa470fe6d1c1fbb37551

SHA512
64f3407c876f47d365c9c6a319f489f248b49df8b243c2983c24861e7e0b75a65c4ab9e250b09cf1b32e4603273277f4dbb06c82c4fd47103716d710dcce8288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe

Filesize
2.5MB

MD5
dba7abdb1d2ada8cb51d1c258b1b3531

SHA1
fa18a0affb277c99e71253bca5834e6fe6cd7135

SHA256
3d0a544073fc4c02d5634bd33f76f9dae07d9a325340ed747bcfde51ea52e23f

SHA512
0491865151140a5252a87a771f6552fd527fae3dec3c43ca0b806702e7ad4953b7d16bd1d8f275828f8b094bc337f79ed5c298beed4ec99186e4f4c3bd3cdf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cbot.exe

Filesize
26KB

MD5
5e87e3ff39b1c965a0dbf410113fabf2

SHA1
a9477ed3731b7a25ec3d0fd3248dc70c8de5ef95

SHA256
b818306c6c085e12fd7a7e46cba2b199f912e96e10ae2d4c2f64ef527cf96ebb

SHA512
444c75b22c447fc80fc4deab6fa77fe781a7916e4f68147c6d87e683e8137b8225bd70c2fe8960cb558ea48fa8603f814a5710fd8304aecb219101aea11e9013

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\com%20surrogate.exe

Filesize
59KB

MD5
8843d79e5ece984ef952051cb5b4f601

SHA1
72bb266a7aae0320f05276a0ed42753c2dc07f2b

SHA256
80d44bb082a49dd49bf5926ea31ca0c225725daa4ba0614ae3ef1e121fdef89c

SHA512
e19cb6c484f0415cd3cab9e716a07cd5ae3662ee22b690310081c68ab73617df8fa8236a98d72fbf5ae3b88efefe88e3c845eb42f0bf9b93963c628573c87ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\daytjhasdawd.exe

Filesize
239KB

MD5
3ba1890c7f004d7699a0822586f396a7

SHA1
f33b0cb0b9ad3675928f4b8988672dd25f79b7a8

SHA256
5243e946c367c740d571141cdbc008339559c517efaf3061475a1eced7afaed2

SHA512
66da498ce0136c20c9a6af10c477d01b2fe4c96fe48bb658996e78c249f3e88dc1fda2f60f78106a0b967de4c95698b2cb9983d1a599e67753223d915116189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\donut.exe

Filesize
157KB

MD5
77fdab910751ae4b3b437ed594ee1b4d

SHA1
04feabf0b665f3e4bc29950f7ffc291d9cc4a9d1

SHA256
ee0fbd09ef81052faa267adb297a644ab51e80245e66346f97e31834bae9814b

SHA512
6c5682df48028f0660e50d4e450cbd742f02668f46df2757920e0305ba4cb8cfa00221119a24f2916b4013b4569d7829ad8d5e4e98287c451410a87b4d883b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hack.exe

Filesize
40KB

MD5
85c26f8ddd62f0bc481621018ee53828

SHA1
d43b3bab4e5be0691cc33b10fb733799e42ccd90

SHA256
04df02c6e3e2ddd7169acee434a234c737e42d14bbeb3687449e25ea5a00f21f

SHA512
d3d38c6796948c83683bcc54ed10377441e0652782311f7b6ab1bcc661fd6d1c8ab2dd373ea857c6d6e1fe3c0c4177bff9dd1925d2f48c934bf124d233daa874

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jdrgsotrti.exe

Filesize
239KB

MD5
aeb9f8515554be0c7136e03045ee30ac

SHA1
377be750381a4d9bda2208e392c6978ea3baf177

SHA256
7f671b0f622d94aebf0c6ab2f021b18e1c60beda819bc48c0b2c6a8f5fdd7e02

SHA512
d0cfc09d01bd42e0e42564f99332030ed2ff20624bfd83a3f1bb3682fe004e90d89539f5868bba637287795e2668dd14409e2e0ed2ea1c6982c7ce11db727bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jgurtgjasdth.exe

Filesize
1.2MB

MD5
c4980749cfdb6b389814d446eb2b601d

SHA1
1f2e4fef1888b7aefe1aff728a09943c7e1d804f

SHA256
35eeb2b70651a87b22403e74a1ffeb93fda4a91b6b3fa560fa419d0c52b6d42f

SHA512
26f32a2c596b0ea5a4788444f7a3e4b325e32d6eaf6b6a7be6f0b6b0faaf0f0c846120fc7a8b8194322eeac19b978a837928cd6b326322db2e4269867a6213e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mtbkkesfthae.exe

Filesize
409KB

MD5
774a8755eccb3ebd8463204e8cd60941

SHA1
d8ecf01619f49c805ce41a2317c1a4ca99cfb270

SHA256
88200c0685cdb81d2aa94923ffcca110416d4dd9599e00c44635f13c630aa254

SHA512
d7a6f5e8259a48e7ca331233289c37f8d9769f31b6e6878f52c1b18d0eceaa4c5dd899562a0abeda29640fa88b76bc7b70a57d3d1752d80b979f617e600f1b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\negarque.exe

Filesize
3.1MB

MD5
2fd750229aa6122c30607bb59293a909

SHA1
0feb9d22c13e6c2d19942788a49721db23e48d35

SHA256
5420cbc5d6be7831ccd48e8c7860f7d5c1060db80ed82063258f81c777aca8f1

SHA512
772b515f3efcff2a0fde47c125f9531d50028394a6c758e45e54743298714d118edaa94c6a67034a8a1cdce06f68342acee5b0fc0bc5ca610d28e8b8a6f52dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\networks_profile.exe

Filesize
6.6MB

MD5
7306abcf62c8ee10a1692a6a85af9297

SHA1
69900ccc2400e685b981b3654af57c062ffb44e2

SHA256
37c9a26faec0bb21171b3968d2e4254f6ae10ff7ae0d0b1493226685bc5d3b4b

SHA512
cd00a60387e06fcc6f14242adb97a54575a49cf1e9b22c74aa5d8bb7617e571fc194049691e4ee0fcff8bdd659b04de62f46d07e2f3330c18ac7035134e183d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe

Filesize
943KB

MD5
96e4917ea5d59eca7dd21ad7e7a03d07

SHA1
28c721effb773fdd5cb2146457c10b081a9a4047

SHA256
cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957

SHA512
3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\testingg.exe

Filesize
93KB

MD5
87301d7789d34f5f9e2d497b4d9b8f88

SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1

SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516

SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\yellow-rose.exe

Filesize
82KB

MD5
c507ff3ac4f63664d2dbda6e0a0370ac

SHA1
15f3bf7302cc9564c7438441062940ae512841aa

SHA256
575508759faf2e82139ed579a692fd7b240ae9db57c91a24bd0ab31143e0c622

SHA512
f36e9a143a05c21d1f9caa36ac69ec76332026649ce09daca181a686847810bd31b116dec0ae20f424a9ade984203bbb8ee07bc4f917924c3b9877ef9e730df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Serials_Checker.bat

Filesize
855B

MD5
ab84096b01cdcc304e442659c12edfc3

SHA1
f42281b6ab6e7373307091381a300bc659076ecc

SHA256
f943b4a7127ef21b45db4731a3df69431c051f8e6b3e4c13c2b4ea51616f1045

SHA512
601dedb7d0a64c2e12a63c548ffd1801c67c8cc4dcae88848cd897d3d0ea34480169b3714a538e86eac71d6d577d4b82644aca1a87e7994b8a619f71b4b1aeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF7D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24202\pip-24.1.2.dist-info\top_level.txt

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\anf4anlh.bmz\NVIDIA.exe

Filesize
10KB

MD5
3da09b942edac59bc7a540bc822e3442

SHA1
1dae7e12435d70649f4fbf949426f8c98bdbeae8

SHA256
aa6f15888d7e42537c6c02ebc6d27f4e8d295f853d6dde864cac30b30852df65

SHA512
e0480de61d73c1edd7e3e6fa88c625cec673726c8da27760dac18c097beb7c61c11063d7487ed187ba5d6050491257a99769895d53c4362bd1f242438653113b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs338F.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso56F8.tmp\NSISdl.dll

Filesize
15KB

MD5
ee68463fed225c5c98d800bdbd205598

SHA1
306364af624de3028e2078c4d8c234fa497bd723

SHA256
419485a096bc7d95f872ed1b9b7b5c537231183d710363beee4d235bb79dbe04

SHA512
b14fb74cb76b8f4e80fdd75b44adac3605883e2dcdb06b870811759d82fa2ec732cd63301f20a2168d7ad74510f62572818f90038f5116fe19c899eba68a5107

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso56F8.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso56F8.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso56F8.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso56F8.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFFD4.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFFD4.tmp\modern-wizard.bmp

Filesize
150KB

MD5
7ad4ed23b001dd26f3dd14fb56fb5510

SHA1
2ad8da321199ba0ef626132daf8fdabfcdcdc9ec

SHA256
2c6c609cc49b1a35ccb501a8452f0ad521f1946dbd3ca48875ca779d94c236a5

SHA512
f3730e701642668521c6f3bf7ab7748e2a5351314a92f34a5fc5ecb42fd6013f1820263611b92ab525587b0ecbcda80a9aab6e995062c904b72507b84442323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoFFD4.tmp\nsDialogs.dll

Filesize
11KB

MD5
79a0bde19e949a8d90df271ca6e79cd2

SHA1
946ad18a59c57a11356dd9841bec29903247bb98

SHA256
8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90

SHA512
2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5B8.tmp.bat

Filesize
148B

MD5
d3d906a48d5dcdc43e4cd3f5b3efbdae

SHA1
103bb386f86deb6187904b27cc67b90b20bac081

SHA256
d3cd934ccb21eb24f194a70ff10e61dd9ab79a454271d3423c9e7e43185dec99

SHA512
124236c1936f3c1b8d7338fdc7ec67a78fe9f5e11bcdea3a230c268ff5f23e601e91e277a284447c1274c4384ac37b5a54e1b867549934e22d9cf4e94f1be965

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKP93TE8DMVWEXWP03JB.temp

Filesize
7KB

MD5
01ac8581487237cee820804b07fd9ddc

SHA1
1e4a6dd572087c2ad36e621f9de2007aeb84fead

SHA256
a90cb0dd105a7c209df4f23ce10d7cd95b727316fd8699653caa473a88701ee0

SHA512
f31a2df8e62e25f14a53ea9e9806e550774d0c6096c92c79f5c9b5cba693729d44e62d957df69bb24085a70349af9b104df77645d973361036dc277fa22984f4

Download Submit
C:\Users\Admin\AppData\Roaming\atat.exe

Filesize
74KB

MD5
447523b766e4c76092414a6b42080308

SHA1
f4218ea7e227bde410f5cbd6b26efd637fc35886

SHA256
3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

SHA512
98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N19XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\CrSpoofer.exe

Filesize
312KB

MD5
2e87d4e593da9635c26553f5d5af389a

SHA1
64fad232e197d1bf0091db37e137ef722024b497

SHA256
561c94494c3cd0b918bdf5eb323682fad6596a0a54c4cdd85a99880b4028b3f8

SHA512
0667ddaea41c4c4f21e7bc249384230763c4be7d9c01d6b1cf694da647fbcd66de859afad5f7c88399656da48b349e892f22301380da0bd100199e9c5b23c2e3

Download Submit
\Users\Admin\AppData\Local\Temp\GSE60B.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
memory/296-2668-0x00000000066A0000-0x000000000690D000-memory.dmp

Filesize
2.4MB

Download
memory/296-2647-0x00000000066A0000-0x000000000690D000-memory.dmp

Filesize
2.4MB

Download
memory/340-4092-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/340-57-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/340-1322-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/692-1466-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/692-1667-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/692-1660-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/696-2703-0x0000000006A90000-0x0000000006E4D000-memory.dmp

Filesize
3.7MB

Download
memory/696-2717-0x0000000006A90000-0x0000000006E4D000-memory.dmp

Filesize
3.7MB

Download
memory/992-2114-0x000007FEE8C60000-0x000007FEE9252000-memory.dmp

Filesize
5.9MB

Download
memory/1140-3749-0x0000000006E20000-0x0000000007070000-memory.dmp

Filesize
2.3MB

Download
memory/1140-3755-0x0000000006E20000-0x0000000007070000-memory.dmp

Filesize
2.3MB

Download
memory/1140-1416-0x0000000006800000-0x0000000006F05000-memory.dmp

Filesize
7.0MB

Download
memory/1140-1644-0x0000000006800000-0x0000000006F05000-memory.dmp

Filesize
7.0MB

Download
memory/1784-881-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/2108-1804-0x0000000006B80000-0x0000000006DD0000-memory.dmp

Filesize
2.3MB

Download
memory/2108-1805-0x0000000006B80000-0x0000000006DD0000-memory.dmp

Filesize
2.3MB

Download
memory/2380-3493-0x0000000001350000-0x0000000001368000-memory.dmp

Filesize
96KB

Download
memory/2420-1603-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2420-1604-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2480-1610-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2480-1609-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2480-1743-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2596-104-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-0-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2596-58-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2596-2-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-1-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2596-4093-0x0000000074260000-0x000000007494E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-1918-0x0000000006B90000-0x0000000006E90000-memory.dmp

Filesize
3.0MB

Download
memory/2640-1919-0x0000000006B90000-0x0000000006E90000-memory.dmp

Filesize
3.0MB

Download
memory/2676-1450-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1422-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1423-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1452-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1454-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1440-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1424-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1418-0x00000000002E0000-0x00000000002EB000-memory.dmp

Filesize
44KB

Download
memory/2676-1426-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1428-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1442-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1645-0x0000000000400000-0x0000000000B05000-memory.dmp

Filesize
7.0MB

Download
memory/2676-1430-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1421-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1445-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1432-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1438-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1436-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-2448-0x0000000000400000-0x0000000000B05000-memory.dmp

Filesize
7.0MB

Download
memory/2676-1419-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1434-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1446-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1465-0x0000000000400000-0x0000000000B05000-memory.dmp

Filesize
7.0MB

Download
memory/2676-1464-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1462-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1456-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1460-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1448-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2676-1458-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2692-914-0x0000000001300000-0x0000000001354000-memory.dmp

Filesize
336KB

Download
memory/2776-1289-0x0000000000100000-0x0000000000424000-memory.dmp

Filesize
3.1MB

Download
memory/2784-1656-0x0000000004320000-0x0000000004339000-memory.dmp

Filesize
100KB

Download
memory/2784-1657-0x0000000004320000-0x0000000004339000-memory.dmp

Filesize
100KB

Download
memory/2784-1483-0x0000000004320000-0x0000000004339000-memory.dmp

Filesize
100KB

Download
memory/2784-1484-0x0000000004320000-0x0000000004339000-memory.dmp

Filesize
100KB

Download
memory/2896-632-0x0000000000D20000-0x0000000001044000-memory.dmp

Filesize
3.1MB

Download
memory/2932-1844-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2932-1845-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/3076-2038-0x00000000008D0000-0x0000000000BD0000-memory.dmp

Filesize
3.0MB

Download
memory/3076-1920-0x00000000008D0000-0x0000000000BD0000-memory.dmp

Filesize
3.0MB

Download
memory/3100-1837-0x0000000000FC0000-0x000000000100E000-memory.dmp

Filesize
312KB

Download
memory/3104-1810-0x0000000000C50000-0x0000000000EA0000-memory.dmp

Filesize
2.3MB

Download
memory/3104-1806-0x0000000000C50000-0x0000000000EA0000-memory.dmp

Filesize
2.3MB

Download
memory/3228-2745-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/3232-1817-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3232-1828-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3256-3762-0x00000000008F0000-0x0000000000B40000-memory.dmp

Filesize
2.3MB

Download
memory/3256-3764-0x00000000008F0000-0x0000000000B40000-memory.dmp

Filesize
2.3MB

Download
memory/3332-3703-0x0000000000F90000-0x000000000134D000-memory.dmp

Filesize
3.7MB

Download
memory/3332-3863-0x0000000000F90000-0x000000000134D000-memory.dmp

Filesize
3.7MB

Download
memory/3336-1827-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3392-1658-0x000000013F050000-0x000000013F069000-memory.dmp

Filesize
100KB

Download
memory/3392-1485-0x000000013F050000-0x000000013F069000-memory.dmp

Filesize
100KB

Download
memory/3440-4038-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/3440-2677-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/3472-1661-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3472-1821-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/3472-1665-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3568-1329-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/3608-3760-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3756-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-4039-0x0000000000EA0000-0x0000000000EA5000-memory.dmp

Filesize
20KB

Download
memory/3608-2838-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/3608-2839-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/3608-3748-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/3608-3747-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/3608-2479-0x00000000002C0000-0x000000000096E000-memory.dmp

Filesize
6.7MB

Download
memory/3608-2837-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/3608-3761-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-2832-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-2769-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/3608-2833-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3759-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3758-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-2768-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/3608-3757-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3841-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/3608-2834-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3842-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/3608-2835-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3608-3781-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/3608-2836-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/3720-2287-0x0000000000C90000-0x0000000000CDE000-memory.dmp

Filesize
312KB

Download
memory/3804-1591-0x0000000000890000-0x00000000008DE000-memory.dmp

Filesize
312KB

Download
memory/3812-2749-0x0000000001050000-0x0000000001068000-memory.dmp

Filesize
96KB

Download
memory/3908-1838-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/3908-1839-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/3960-1655-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3996-1848-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/4044-1598-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/4044-1597-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/4072-1232-0x0000000001310000-0x0000000001634000-memory.dmp

Filesize
3.1MB

Download
memory/4144-3767-0x0000000000390000-0x00000000006C2000-memory.dmp

Filesize
3.2MB

Download
memory/4620-3766-0x000007FEF6CB0000-0x000007FEF7115000-memory.dmp

Filesize
4.4MB

Download
memory/4664-3772-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads