Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

9cf9f7182f...c9.exe

windows7-x64

10

9cf9f7182f...c9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 18:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe

  • Size

    136KB

  • MD5

    79500f7c4b6cf21732b6ef0414c2dfa7

  • SHA1

    512a900a0b8bbddca9071fa91958fc2ed8e1e10c

  • SHA256

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

  • SHA512

    2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

  • SSDEEP

    1536:OWzOx6baIa9RIj00ljEwzGi1dD3DXgSAhA4OK4VVpuXQQdo3MU:OWLbaIa9ijNSi1dnQD9Rea3I

Score
8/10
discoveryevasionpersistenceprivilege_escalation

Malware Config

Signatures

  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 27 IoCs
    evasion
  • Checks computer location settings 2 TTPs 19 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 20 IoCs
  • Executes dropped EXE 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2364
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2204
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4888
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1516
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2880
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2888
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2816
            • C:\Users\Admin\AppData\Local\Temp\server.exe
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              6⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:3928
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:1396
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:2156
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:436
                • C:\Users\Admin\AppData\Local\Temp\server.exe
                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  8⤵
                  • Checks computer location settings
                  • Drops startup file
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of WriteProcessMemory
                  PID:636
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2480
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1216
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:1632
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1968
                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                      10⤵
                      • Checks computer location settings
                      • Drops startup file
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of WriteProcessMemory
                      PID:4044
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:3976
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1576
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1076
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3160
                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          12⤵
                          • Checks computer location settings
                          • Drops startup file
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: GetForegroundWindowSpam
                          PID:808
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1524
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:4524
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:3348
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3640
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              14⤵
                              • Checks computer location settings
                              • Drops startup file
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: GetForegroundWindowSpam
                              PID:2488
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3612
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3272
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:4432
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:3940
                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  PID:2308
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3112
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3664
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:5040
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    PID:3572
                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:2368
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:4876
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2632
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:3384
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        PID:4496
                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                          20⤵
                                            PID:4308

    Network

    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      29.153.16.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.153.16.2.in-addr.arpa
      IN PTR
      Response
      29.153.16.2.in-addr.arpa
      IN PTR
      a2-16-153-29deploystaticakamaitechnologiescom
    • flag-us
      DNS
      245.131.30.184.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      245.131.30.184.in-addr.arpa
      IN PTR
      Response
      245.131.30.184.in-addr.arpa
      IN PTR
      a184-30-131-245deploystaticakamaitechnologiescom
    • flag-us
      DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      182.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      182.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      182.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      182.129.81.91.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      182.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      182.129.81.91.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      22.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.236.111.52.in-addr.arpa
      IN PTR
    No results found
    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      29.153.16.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      29.153.16.2.in-addr.arpa

    • 8.8.8.8:53
      245.131.30.184.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      245.131.30.184.in-addr.arpa

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      182.129.81.91.in-addr.arpa
      dns
      216 B
       147 B
       3
      1

      DNS Request

      182.129.81.91.in-addr.arpa

      DNS Request

      182.129.81.91.in-addr.arpa

      DNS Request

      182.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      22.236.111.52.in-addr.arpa
      dns
      144 B
       158 B
       2
      1

      DNS Request

      22.236.111.52.in-addr.arpa

      DNS Request

      22.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log
      Filesize

      496B

      MD5

      a4467dea22bfd7e0083d680c571f5e7c

      SHA1

      59682ca656f04dd57f7ef4552b96f71d73196ea2

      SHA256

      d165b248678c73e289a7d4a8aa74acc5c09408e58b8f2abd668013ca12c00cc4

      SHA512

      73d25a179994c16b2b3a357e8b068ebf415418033cd601d7084b3a44d822cb99c33c396c9a27ad6fa2066748032e21f09ce89461bc3180ec071d2d64e68ad790

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
      Filesize

      408B

      MD5

      661cab77d3b907e8057f2e689e995af3

      SHA1

      5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

      SHA256

      8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

      SHA512

      2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\melt.txt
      Filesize

      44B

      MD5

      298802dff6aa26d4fb941c7ccf5c0849

      SHA1

      11e518ca3409f1863ebc2d3f1be9fb701bad52c0

      SHA256

      df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

      SHA512

      0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\server.exe
      Filesize

      136KB

      MD5

      79500f7c4b6cf21732b6ef0414c2dfa7

      SHA1

      512a900a0b8bbddca9071fa91958fc2ed8e1e10c

      SHA256

      9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

      SHA512

      2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\app
      Filesize

      5B

      MD5

      2099bb64fd1770d321df364f99b658d1

      SHA1

      3124edeaa14c060becfa8b980ed77db15d56a9e3

      SHA256

      d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d

      SHA512

      3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895

      Download Submit

    • memory/2356-1-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-2-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-13-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2356-0-0x0000000075212000-0x0000000075213000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4156-15-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-47-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-28-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4156-14-0x0000000075210000-0x00000000757C1000-memory.dmp

      Filesize

      5.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.