darktrack | d3f31c512033046c4209c5af1352f3ce36d1af39f84946c22ca3e25da6539734

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/02/2025, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinWord.exe
Size

6.9MB
MD5

389390bf696737deedaaf10a90d407d1
SHA1

87758da2fe832f302032e904eb13994c70023825
SHA256

d3f31c512033046c4209c5af1352f3ce36d1af39f84946c22ca3e25da6539734
SHA512

4b1ff3b939a22250222afc6ded49e636b76cc602ea67a587a70dac2deafabf5446f1eb27feb688b3d7759b9b4bcd46f016c8f98b42cba29920045031da6551b0
SSDEEP

196608:I/9sLB5t3JJQGR2nroh1L9cDIw4v6N+ED6JwtPnoDAMzvaqx/D:u6tdJ2rIcIw4vjbJCfoF+KD

Score

10^/10

darktrack stealerium bootkit defense_evasion discovery persistence rat stealer trojan upx

Malware Config

Extracted

Family

stealerium

https://discord.com/api/webhooks/1038709348303650857/DLQdA51dlH2mWOgr-jjNC0jvu25-oWapgKwxpsqsFwOSYLm4gQOEdFE6XXg7_sReK0AB

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 11 IoCs

resource	yara_rule
behavioral1/memory/1056-74-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-79-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-102-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-82-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-69-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-65-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-63-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-61-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-59-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-57-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack
behavioral1/memory/1056-55-0x0000000000090000-0x0000000000138000-memory.dmp	family_darktrack

Darktrack family
darktrack
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WinWord.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Hgmuvfd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Lmfekeldirxz.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hgmuvfd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Lmfekeldirxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Lmfekeldirxz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WinWord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WinWord.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hgmuvfd.exe

Executes dropped EXE 8 IoCs

pid	Process
2848	Hgmuvfd.exe
2980	Djejga.exe
2748	Kgnzgrpvr.exe
2640	Lmfekeldirxz.exe
1056	Hgmuvfd.exe
1368	Djejga.exe
1780	ctfmon.exe
2880	ctfmon.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	WinWord.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	Hgmuvfd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	Lmfekeldirxz.exe

Loads dropped DLL 8 IoCs

pid	Process
2376	WinWord.exe
2376	WinWord.exe
2376	WinWord.exe
2376	WinWord.exe
2980	Djejga.exe
2848	Hgmuvfd.exe
1368	Djejga.exe
1780	ctfmon.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2096	icacls.exe
1980	icacls.exe
2956	icacls.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WinWord.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hgmuvfd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Lmfekeldirxz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WinWord.exe
File opened for modification	\??\PhysicalDrive0	Hgmuvfd.exe
File opened for modification	\??\PhysicalDrive0	Lmfekeldirxz.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2748-46-0x0000000000400000-0x0000000000541000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2376	WinWord.exe
2848	Hgmuvfd.exe
2640	Lmfekeldirxz.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2848 set thread context of 1056	2848	Hgmuvfd.exe	41
PID 2980 set thread context of 1368	2980	Djejga.exe	40
PID 1780 set thread context of 2880	1780	ctfmon.exe	51

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015f96-24.dat	upx
behavioral1/memory/2748-29-0x0000000000400000-0x0000000000541000-memory.dmp	upx
behavioral1/memory/2748-46-0x0000000000400000-0x0000000000541000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmfekeldirxz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgnzgrpvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgmuvfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djejga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinWord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djejga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgmuvfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1488	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1484	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2376	WinWord.exe
2848	Hgmuvfd.exe
2640	Lmfekeldirxz.exe
2640	Lmfekeldirxz.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	Djejga.exe
Token: SeDebugPrivilege	2640	Lmfekeldirxz.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1368	Djejga.exe
Token: SeDebugPrivilege	1780	ctfmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2848	2376	WinWord.exe	31
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2980	2376	WinWord.exe	32
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2748	2376	WinWord.exe	33
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2376 wrote to memory of 2640	2376	WinWord.exe	34
PID 2748 wrote to memory of 2572	2748	Kgnzgrpvr.exe	35
PID 2748 wrote to memory of 2572	2748	Kgnzgrpvr.exe	35
PID 2748 wrote to memory of 2572	2748	Kgnzgrpvr.exe	35
PID 2748 wrote to memory of 2572	2748	Kgnzgrpvr.exe	35
PID 2572 wrote to memory of 2096	2572	cmd.exe	37
PID 2572 wrote to memory of 2096	2572	cmd.exe	37
PID 2572 wrote to memory of 2096	2572	cmd.exe	37
PID 2572 wrote to memory of 2096	2572	cmd.exe	37
PID 2572 wrote to memory of 1980	2572	cmd.exe	39
PID 2572 wrote to memory of 1980	2572	cmd.exe	39
PID 2572 wrote to memory of 1980	2572	cmd.exe	39
PID 2572 wrote to memory of 1980	2572	cmd.exe	39
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2848 wrote to memory of 1056	2848	Hgmuvfd.exe	41
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40
PID 2980 wrote to memory of 1368	2980	Djejga.exe	40

C:\Users\Admin\AppData\Local\Temp\WinWord.exe
"C:\Users\Admin\AppData\Local\Temp\WinWord.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe
  "C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe
    "C:\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Users\Admin\AppData\Local\Temp\Djejga.exe
  "C:\Users\Admin\AppData\Local\Temp\Djejga.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Djejga.exe
    "C:\Users\Admin\AppData\Local\Temp\Djejga.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
  - - C:\Users\Admin\AppData\Roaming\ctfmon.exe
      "C:\Users\Admin\AppData\Roaming\ctfmon.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1780
    - - C:\Users\Admin\AppData\Roaming\ctfmon.exe
        
        "C:\Users\Admin\AppData\Roaming\ctfmon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2880
- C:\Users\Admin\AppData\Local\Temp\Kgnzgrpvr.exe
  "C:\Users\Admin\AppData\Local\Temp\Kgnzgrpvr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2096
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:1980
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Roaming\Certificates" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2956
- C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe
  "C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp201E.tmp.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2496
  - - C:\Windows\SysWOW64\taskkill.exe
      TaskKill /F /IM 2640
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\SysWOW64\timeout.exe
      Timeout /T 2 /Nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1488

C:\Windows\system32\taskeng.exe
taskeng.exe {C712F4C5-74E5-4C9F-B537-D35D9CE5506F} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mntemp

Filesize
16B

MD5
636613c40c1b5affc836b6d8608c78f4

SHA1
93b49a30a30fe5d44bc2682fa1cd611459fd99db

SHA256
d00a935f81c1a3ff358c7cef5783bbbe380287b5ed8a7e87097418bf48eb3be2

SHA512
1705d9d593e4c6f173a5f617246fe94bbf44de02e6a940492b60adbb7abec1c32086744440827d6a508bd7baec87f653d59561b4d79a22c1554e686302ba7c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Djejga.exe

Filesize
224KB

MD5
14bc123a8209f7c21aacea4cd179fbec

SHA1
e602df06e8f03dfa99d5234544e93c63f45ab97b

SHA256
eeb5a75e3231ee95a2340be3767ca41c3aec92c2d46b90f1d67fdfec0d254f7e

SHA512
63b71f24b5876432d80de7eff3a78d40d308baf208566945f6a331f4254aff886a18763d6becc503dda02bfd251588221c9a10a59fd96d495ed4e205d06ad6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lmfekeldirxz.exe

Filesize
3.0MB

MD5
0372cb4f806947727400d1937f3e8063

SHA1
89aee134a5226e103f702f434a059c601eebf336

SHA256
5f2b46e3cfb853b3be645309ea8378f6535bf7128e0794ff9ab2ef0972554e8a

SHA512
b92f743d4fd4101bee6e6a8becba6be698f36ac83a18b0913bf0bc22d8a0ca57ea1bf659936a9398f729ed6b0f323bb437e6a67b4e0d5a79efba0baadf093fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp201E.tmp.bat

Filesize
57B

MD5
36410191e1fd20449b6337114986e329

SHA1
ca631ba3ff0121ca0b7ef2f40ad1d5199d36227f

SHA256
a7ac3a27fbfdc9c3fea80c72431fff73e7ce3c7e95645d114e379bde144c28df

SHA512
6a93cd85d4e6d9b45c9fddfe29c0cb723f0b0ab9cbe648012f90a5659c45faf752670a12c241fb53d4ad1d873ecc6bbf618d36eac0695b8fa528a4f5bf5ad44c

Download Submit
\Users\Admin\AppData\Local\Temp\Hgmuvfd.exe

Filesize
2.1MB

MD5
78d3152616dedb9801ce61015324ae8a

SHA1
e8a31f392db771e8ca7759c11de53519a48e0fc0

SHA256
98d8fec346fc1865dc8b620f74826f484fe9c0c705dc9d58c5f44df934a01208

SHA512
20ab9c27d1b1774859adf5304f10118e63c43db978d6d884aa1deb5c53b1884d5529350a3f0d8fd66b0d99dc19653c431d5f508b0ebc718783bd16083f52daf3

Download Submit
\Users\Admin\AppData\Local\Temp\Kgnzgrpvr.exe

Filesize
652KB

MD5
f9a67d8b903d4c3b27b55d1bfdd5c70c

SHA1
d78b8da5b3ffdd55bd30912a36c69d5a5752fa95

SHA256
e8b943f45cc37ddc9e594eb3ccc7057820f54939bd9b38b1b3703a14da52e01f

SHA512
63d762e4f0fb7302c1731e8e907f2efb207be5ea7f57aa29aad2a34e7c09d0d1976ef429e1668bd0869d2f9c341ac5c1da953725c3cd83cf655875a8cdab90e3

Download Submit
memory/1056-65-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-82-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-102-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-103-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/1056-53-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-55-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-57-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-59-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-61-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-63-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1056-69-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-79-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-51-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1056-81-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/1056-74-0x0000000000090000-0x0000000000138000-memory.dmp

Filesize
672KB

Download
memory/1368-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1368-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-118-0x0000000000210000-0x000000000024E000-memory.dmp

Filesize
248KB

Download
memory/2376-41-0x0000000000400000-0x0000000000CE0000-memory.dmp

Filesize
8.9MB

Download
memory/2376-3-0x0000000000402000-0x0000000000986000-memory.dmp

Filesize
5.5MB

Download
memory/2376-5-0x0000000000400000-0x0000000000CE0000-memory.dmp

Filesize
8.9MB

Download
memory/2376-1-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/2376-26-0x000000000AB50000-0x000000000AC91000-memory.dmp

Filesize
1.3MB

Download
memory/2376-11-0x000000000B070000-0x000000000B48E000-memory.dmp

Filesize
4.1MB

Download
memory/2376-4-0x0000000000400000-0x0000000000CE0000-memory.dmp

Filesize
8.9MB

Download
memory/2376-35-0x000000000B070000-0x000000000B582000-memory.dmp

Filesize
5.1MB

Download
memory/2376-0-0x0000000000400000-0x0000000000CE0000-memory.dmp

Filesize
8.9MB

Download
memory/2376-42-0x0000000000402000-0x0000000000986000-memory.dmp

Filesize
5.5MB

Download
memory/2640-100-0x0000000001230000-0x0000000001742000-memory.dmp

Filesize
5.1MB

Download
memory/2640-110-0x0000000001230000-0x0000000001742000-memory.dmp

Filesize
5.1MB

Download
memory/2640-38-0x0000000001230000-0x0000000001742000-memory.dmp

Filesize
5.1MB

Download
memory/2640-101-0x0000000001230000-0x0000000001742000-memory.dmp

Filesize
5.1MB

Download
memory/2640-104-0x0000000001230000-0x0000000001742000-memory.dmp

Filesize
5.1MB

Download
memory/2748-29-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2748-46-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/2848-13-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/2848-99-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/2848-80-0x00000000078F0000-0x0000000007D0E000-memory.dmp

Filesize
4.1MB

Download
memory/2848-43-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/2848-44-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/2880-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-136-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/2880-139-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/2980-47-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2980-23-0x0000000000B00000-0x0000000000B3E000-memory.dmp

Filesize
248KB

Download