571018b65a1137c05d0f256bc01ed26dc091e42b6cdcab8e91e9ff80d3da01d6

Resubmissions

12-01-2023 13:20

230112-qk7arsbg9w 8

12-01-2023 10:30

230112-mjzyhsbe5s 8

Analysis

max time kernel
290s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2023 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe
Size

153KB
MD5

37932fd952d6d845927f25f42cb3c628
SHA1

d0d7e1b7cfb13a0999ef4c4733b83275a1de2440
SHA256

cb807472bb6d4d1113fcbc209d6a08fa80ff9e53c83b1aa37f9d6f549affd68c
SHA512

403dce223d9cbb4241f21a773cfc55501e4141b161c3ba60397c75d533c3abbd420a8f526f6aac7f2a0a5b7b91361ed013641f0d40afc00680428db3c1dbb49b
SSDEEP

1536:UJSV1Mq4KjdA0ejIB+7YeEsczbruUdwpiOpiq3hlV:UJKMq4KjdA0ejIB2sbbiUqhrV

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
3628	TS.exe
4900	TS.exe
4916	WTTPNDKJFHHQRVX.exe
4328	WTTPNDKJFHHQRVX.tmp
1548	php.exe
3044	php.exe
616	63c0178233315.exe
5028	63c01787151be.exe
2716	63c0178766858.exe
420	rhc.exe
1664	php.exe
4472	updx-v2.5.23-setup.exe
3660	updx-v2.5.23-setup.tmp
3472	WDDiscovery.exe
4628	rhc.exe
4344	php.exe

Patched UPX-packed file 3 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral3/files/0x0006000000022e55-201.dat	patched_upx
behavioral3/files/0x0006000000022e55-199.dat	patched_upx
behavioral3/files/0x0006000000022e55-195.dat	patched_upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	TS.exe

Loads dropped DLL 64 IoCs

pid	Process
3044	php.exe
1548	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
1548	php.exe
3044	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1548	php.exe
3044	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
1664	php.exe
3472	WDDiscovery.exe
3472	WDDiscovery.exe
3472	WDDiscovery.exe
3472	WDDiscovery.exe
3472	WDDiscovery.exe
3472	WDDiscovery.exe
4344	php.exe
4344	php.exe
4344	php.exe
4344	php.exe
4344	php.exe
4344	php.exe
4344	php.exe
4344	php.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	1208	WerFault.exe	80

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	php.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	php.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	php.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3	php.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3\Blob = 030000000100000014000000091e8ea1b256a312962af6c140c0fbf079a407b31400000001000000140000005af3ed2bfc36c23779b95230ea546fcf55cb2eac04000000010000001000000090d366640488fcf876bdbd3a19c5fbf10f000000010000003000000012b85ed5575d4cdefb24db1d405f6a317aeceea0c9aebe00b22763a5b77e107ed1244ecb4e5fe050bcec52d3bac2574c190000000100000010000000bbb14e7405b947a5ae7063c3ee8858a75c00000001000000040000008001000018000000010000001000000070d4f0bec2078234214bd651643b02402000000001000000ca020000308202c63082024da003020102021100b3bddff8a7845bbce903a04135b34a45300a06082a8648ce3d040303304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205832301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b30090603550403130245313076301006072a8648ce3d020106052b8104002203620004245c2da22afd1c4ba65d97732731acb2a06962ef65e8a6b0f0ac4b9fff1c0b700fd3982f4dfc0f009b37f074055732972e05ef2a4325a3fb6e342713f64f7e69d302995eeb244792c1249be6b1218fc12481fc68cc1f69ba58f51922f774c616a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604145af3ed2bfc36c23779b95230ea546fcf55cb2eac301f0603551d230418301680147c4296aede4b483bfa92f89e8ccf6d8ba9723795303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78322e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78322e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300a06082a8648ce3d040303036700306402307b74d552138d61fe0dba3f03009df3d79884d9572ebde90f9c5c480421f2cbb360728e97d6124fca44f642c9d37b86a902305ab1b1b4edea609920b13803ca3da026b8ee6e2d4af6c6661f339adb924ad5f52913c6706228ba238ccf3d2fcb82e97f	php.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	php.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	php.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4328	WTTPNDKJFHHQRVX.tmp
4328	WTTPNDKJFHHQRVX.tmp
3660	updx-v2.5.23-setup.tmp
3660	updx-v2.5.23-setup.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3472	WDDiscovery.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4328	WTTPNDKJFHHQRVX.tmp
3660	updx-v2.5.23-setup.tmp

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3628	1208	IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe	84
PID 1208 wrote to memory of 3628	1208	IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe	84
PID 4900 wrote to memory of 4916	4900	TS.exe	95
PID 4900 wrote to memory of 4916	4900	TS.exe	95
PID 4900 wrote to memory of 4916	4900	TS.exe	95
PID 4916 wrote to memory of 4328	4916	WTTPNDKJFHHQRVX.exe	96
PID 4916 wrote to memory of 4328	4916	WTTPNDKJFHHQRVX.exe	96
PID 4916 wrote to memory of 4328	4916	WTTPNDKJFHHQRVX.exe	96
PID 4328 wrote to memory of 1548	4328	WTTPNDKJFHHQRVX.tmp	97
PID 4328 wrote to memory of 1548	4328	WTTPNDKJFHHQRVX.tmp	97
PID 4328 wrote to memory of 3044	4328	WTTPNDKJFHHQRVX.tmp	98
PID 4328 wrote to memory of 3044	4328	WTTPNDKJFHHQRVX.tmp	98
PID 1548 wrote to memory of 3748	1548	php.exe	101
PID 1548 wrote to memory of 3748	1548	php.exe	101
PID 3748 wrote to memory of 616	3748	cmd.exe	102
PID 3748 wrote to memory of 616	3748	cmd.exe	102
PID 3044 wrote to memory of 2096	3044	php.exe	103
PID 3044 wrote to memory of 2096	3044	php.exe	103
PID 2096 wrote to memory of 5028	2096	cmd.exe	104
PID 2096 wrote to memory of 5028	2096	cmd.exe	104
PID 3044 wrote to memory of 4984	3044	php.exe	105
PID 3044 wrote to memory of 4984	3044	php.exe	105
PID 4984 wrote to memory of 2716	4984	cmd.exe	106
PID 4984 wrote to memory of 2716	4984	cmd.exe	106
PID 420 wrote to memory of 1664	420	rhc.exe	108
PID 420 wrote to memory of 1664	420	rhc.exe	108
PID 1664 wrote to memory of 2224	1664	php.exe	110
PID 1664 wrote to memory of 2224	1664	php.exe	110
PID 2224 wrote to memory of 4472	2224	cmd.exe	111
PID 2224 wrote to memory of 4472	2224	cmd.exe	111
PID 2224 wrote to memory of 4472	2224	cmd.exe	111
PID 4472 wrote to memory of 3660	4472	updx-v2.5.23-setup.exe	112
PID 4472 wrote to memory of 3660	4472	updx-v2.5.23-setup.exe	112
PID 4472 wrote to memory of 3660	4472	updx-v2.5.23-setup.exe	112
PID 3660 wrote to memory of 3472	3660	updx-v2.5.23-setup.tmp	113
PID 3660 wrote to memory of 3472	3660	updx-v2.5.23-setup.tmp	113
PID 3660 wrote to memory of 3472	3660	updx-v2.5.23-setup.tmp	113
PID 4628 wrote to memory of 4344	4628	rhc.exe	115
PID 4628 wrote to memory of 4344	4628	rhc.exe	115

C:\Users\Admin\AppData\Local\Temp\IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_4681_One_Night_Stand_Li_Shaw - Hwang_Chung_Wa_Studio - By_Gal_Dong_Min_Photographer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\TS.exe
  "C:\Users\Admin\AppData\Local\Temp\TS.exe" t
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1208 -s 1808
  2⤵
  - Program crash
  PID:4336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1208 -ip 1208
1⤵
PID:4264

C:\Users\Admin\AppData\Roaming\Packages\TS.exe
C:\Users\Admin\AppData\Roaming\Packages\TS.exe d
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\WTTPNDKJFHHQRVX.exe
  "C:\Users\Admin\AppData\Local\Temp\WTTPNDKJFHHQRVX.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\is-S06GG.tmp\WTTPNDKJFHHQRVX.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S06GG.tmp\WTTPNDKJFHHQRVX.tmp" /SL5="$1A01D8,18269102,832512,C:\Users\Admin\AppData\Local\Temp\WTTPNDKJFHHQRVX.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
      "C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe" include.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp\63c0178233315.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\tmp\63c0178233315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c0178233315.exe
        6⤵
        Executes dropped EXE
        
        PID:616
  - - C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
      "C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe" index.php
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp\63c0178712500\63c01787151be.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABV5wUxcghyT4GP+E3m3cadAAAAAAIAAAAAABBmAAAAAQAAIAAAAJFxq456kCdUvA4CGEzjmzuzz6Wd4bMYwT4RSzV4v3cIAAAAAA6AAAAAAgAAIAAAACxZJBpNF2uxXAKtQ29F++5wlMgMLEZ2Q+sChRYJiWfVMAAAANOASKnZL7wrnC75xWuSsXLBIc19hVrAQ/eH/wwQdbzbWNYppDTKdA8U034OOahiN0AAAABUHonu8yE79zl6e4zIx1rqsIthUPL168kQoCdtdvdvl7EEbGReoIYnYxf1dWcnhDzyN1S8iwriCrWiEth3eOrJ"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\tmp\63c0178712500\63c01787151be.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c0178712500\63c01787151be.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABV5wUxcghyT4GP+E3m3cadAAAAAAIAAAAAABBmAAAAAQAAIAAAAJFxq456kCdUvA4CGEzjmzuzz6Wd4bMYwT4RSzV4v3cIAAAAAA6AAAAAAgAAIAAAACxZJBpNF2uxXAKtQ29F++5wlMgMLEZ2Q+sChRYJiWfVMAAAANOASKnZL7wrnC75xWuSsXLBIc19hVrAQ/eH/wwQdbzbWNYppDTKdA8U034OOahiN0AAAABUHonu8yE79zl6e4zIx1rqsIthUPL168kQoCdtdvdvl7EEbGReoIYnYxf1dWcnhDzyN1S8iwriCrWiEth3eOrJ
        6⤵
        Executes dropped EXE
        
        PID:5028
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp\63c0178764717\63c0178766858.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABV5wUxcghyT4GP+E3m3cadEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAyKRb2cmRDyFnDRwWPnuSMmhsnf5xAjuysXHwIA9JdcoAAAAADoAAAAACAAAgAAAAzzWTZrsY3JY0hbGue2WxbFLDLcxvwJedlkQqniV22DswAAAAchsc9xJSq7coCGRAXM7rRWzIhrfpyWbU6nBdjLbtr36rwzR4oY5hceWjTqBa7qJAQAAAADNGIhAxZaaCTEZSU1mjBOtK40dgFkU+9MQ8Ez4cAF8N5jliNmp6yElyeD/WojCRcNFFpZETT4ppbAHlVzwdhSA="
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\tmp\63c0178764717\63c0178766858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c0178764717\63c0178766858.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABV5wUxcghyT4GP+E3m3cadEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAyKRb2cmRDyFnDRwWPnuSMmhsnf5xAjuysXHwIA9JdcoAAAAADoAAAAACAAAgAAAAzzWTZrsY3JY0hbGue2WxbFLDLcxvwJedlkQqniV22DswAAAAchsc9xJSq7coCGRAXM7rRWzIhrfpyWbU6nBdjLbtr36rwzR4oY5hceWjTqBa7qJAQAAAADNGIhAxZaaCTEZSU1mjBOtK40dgFkU+9MQ8Ez4cAF8N5jliNmp6yElyeD/WojCRcNFFpZETT4ppbAHlVzwdhSA=
        6⤵
        Executes dropped EXE
        
        PID:2716

C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe
C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
  php.exe index.php
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "updx-v2.5.23-setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Users\Admin\AppData\Local\WAAS\v2519\updx-v2.5.23-setup.exe
      updx-v2.5.23-setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\is-A53HF.tmp\updx-v2.5.23-setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A53HF.tmp\updx-v2.5.23-setup.tmp" /SL5="$1001C0,2220728,832512,C:\Users\Admin\AppData\Local\WAAS\v2519\updx-v2.5.23-setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Users\Admin\AppData\Roaming\UPDX\v3-5\WDDiscovery.exe
        
        "C:\Users\Admin\AppData\Roaming\UPDX\v3-5\WDDiscovery.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472

C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe
C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
  php.exe index.php
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TS.exe.log

Filesize
621B

MD5
84ea4e5aedfded07182bbc69fa81eaff

SHA1
d82d998cb3d655c49dba4fb923a3fc360a285ea2

SHA256
299408135f6f265d6db7d42d5454a9be41bea2f72d8bb438d835de7c88c77653

SHA512
7f654f76cb24399a8e8d35c2f5571b1560b7cbc38656ff687c88bdae4dff49437cc218653441380247b6de484be6557b62b138bb725f8a94b4e776175c979a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS.exe

Filesize
24.0MB

MD5
8756a6c94b0fca6261a1a58d31e776da

SHA1
5d815c0af3ec117178118bfb20dd6ebcf298d116

SHA256
01bb63f7f8093ef99140a56bc1a3006441b576bff532920bdf7173efd1a7fbea

SHA512
96f314f840edfe51ff6cfcd385a654cb2f7399fcb377ebfa70f9a11665774f138ff84e35ef0f116e4151f8d2afd421ec4a528c0555c7f4ad64ac673b7406c570

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS.exe

Filesize
24.0MB

MD5
8756a6c94b0fca6261a1a58d31e776da

SHA1
5d815c0af3ec117178118bfb20dd6ebcf298d116

SHA256
01bb63f7f8093ef99140a56bc1a3006441b576bff532920bdf7173efd1a7fbea

SHA512
96f314f840edfe51ff6cfcd385a654cb2f7399fcb377ebfa70f9a11665774f138ff84e35ef0f116e4151f8d2afd421ec4a528c0555c7f4ad64ac673b7406c570

Download Submit
C:\Users\Admin\AppData\Local\Temp\WTTPNDKJFHHQRVX.exe

Filesize
18.2MB

MD5
b6ac4695fbf306231644ba34ad81e7e5

SHA1
60e9d906c11576bc563aa67729381cd2cdefa6b0

SHA256
9bfd186ce7fbd983dec4a37735e641b0d94e22beba3973843ec89574959f3ad0

SHA512
78f52424207f4c73e608e124933e3e57ebde9549ec11a405a97e7e2b6ec2ba00d5cd5b2de2a63d6b471dcbcda4d8ef0a66ead0b7ff2d3f4cbb9361a77e7b1575

Download Submit
C:\Users\Admin\AppData\Local\Temp\WTTPNDKJFHHQRVX.exe

Filesize
18.2MB

MD5
b6ac4695fbf306231644ba34ad81e7e5

SHA1
60e9d906c11576bc563aa67729381cd2cdefa6b0

SHA256
9bfd186ce7fbd983dec4a37735e641b0d94e22beba3973843ec89574959f3ad0

SHA512
78f52424207f4c73e608e124933e3e57ebde9549ec11a405a97e7e2b6ec2ba00d5cd5b2de2a63d6b471dcbcda4d8ef0a66ead0b7ff2d3f4cbb9361a77e7b1575

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S06GG.tmp\WTTPNDKJFHHQRVX.tmp

Filesize
3.0MB

MD5
f26aad9db694ca8ce502f951c8e20ca3

SHA1
e74453f1fd1c6b201fd37566010a64bc3ad5e407

SHA256
57da2d84a5c1ccb78c020af95c4826cf4cec5f19c84b2545e98627f0634becfb

SHA512
8a9337ea0c06f13b28fb184b3c8cbd44a2aa3476652359ec70b664611c7577f6e2c6b20bbd1c6f47d5154c6c0381d69bac32644011e49965620330bcb10f37cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S06GG.tmp\WTTPNDKJFHHQRVX.tmp

Filesize
3.0MB

MD5
f26aad9db694ca8ce502f951c8e20ca3

SHA1
e74453f1fd1c6b201fd37566010a64bc3ad5e407

SHA256
57da2d84a5c1ccb78c020af95c4826cf4cec5f19c84b2545e98627f0634becfb

SHA512
8a9337ea0c06f13b28fb184b3c8cbd44a2aa3476652359ec70b664611c7577f6e2c6b20bbd1c6f47d5154c6c0381d69bac32644011e49965620330bcb10f37cd

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.DLL

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.dll

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.dll

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\include.php

Filesize
10KB

MD5
6398ee20ea5bbb627921f9c2db1e63e2

SHA1
da0b5e2c838183045ae7ba2105bccfb6a2c50e55

SHA256
5d600ab2c174bc98d4dbfdcdacd4eaa158f66881644ff0e1136f473d4a9d0520

SHA512
1d732d17f1f30c3e080a5c96a015a17ad7c469c04134bb3be65575121a53cb020e28ca4b14f631d58081f6c4832adb0b97193015ba6946ccbe5901326c6af637

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\index.php

Filesize
86KB

MD5
3417c6217390f5aeb6aa9867a41a214f

SHA1
3d5f6fdc55a6399af220d987f6b2a8469fcbdf18

SHA256
39f542d04b566bcb436b44566c3be8be029bc43c4a47ff028b78cc3ba66397c8

SHA512
df2cfb2a51baf896d3cd851eaa36a0c073d92329611de354c58a4fc040805f29560f8eaa8a0487b4eb0c01a6513a8425aad158ef91c10b1fc061ed56aca6a47a

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.ini

Filesize
70KB

MD5
5fa10fbd9cdcdefa94e497a4b2d2b813

SHA1
2b278a10e9967b9076a027e69f910bf215f2a035

SHA256
e9796c19589b948b7fdd5f300e055c0bbbafbfbabbb36b109d13e185fec0e4ed

SHA512
c6664f68bff8009a0b75d2c1b440d00141ffe903a6fc6c0782bfa9a96cf74d0dbc5e6b52727afb0953e2a74c558001fb56b8fd4386fd562c027bd4aa913f510c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\tag

Filesize
4B

MD5
bcc7faebbb60089b6754063f9d466237

SHA1
ebd2177df7f11c4ad795222a4a771704b0b18f05

SHA256
c3a68e3c240f74da5586274549d8832dd6ccb56ed7bd92fdd5d555fdb49c64cb

SHA512
3c9a73d421fac6d3b58f7b809deeabb6821e53ca8fe6bbfc34d94b1b9f71ff7df2e6887643a065b798cbdf66b8db7db9244bf6dab835d04c711bdc9f2b6c15d2

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\vcruntime140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\vcruntime140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Roaming\Packages\TS.exe

Filesize
24.0MB

MD5
8756a6c94b0fca6261a1a58d31e776da

SHA1
5d815c0af3ec117178118bfb20dd6ebcf298d116

SHA256
01bb63f7f8093ef99140a56bc1a3006441b576bff532920bdf7173efd1a7fbea

SHA512
96f314f840edfe51ff6cfcd385a654cb2f7399fcb377ebfa70f9a11665774f138ff84e35ef0f116e4151f8d2afd421ec4a528c0555c7f4ad64ac673b7406c570

Download Submit
C:\Users\Admin\AppData\Roaming\Packages\TS.exe

Filesize
24.0MB

MD5
8756a6c94b0fca6261a1a58d31e776da

SHA1
5d815c0af3ec117178118bfb20dd6ebcf298d116

SHA256
01bb63f7f8093ef99140a56bc1a3006441b576bff532920bdf7173efd1a7fbea

SHA512
96f314f840edfe51ff6cfcd385a654cb2f7399fcb377ebfa70f9a11665774f138ff84e35ef0f116e4151f8d2afd421ec4a528c0555c7f4ad64ac673b7406c570

Download Submit
memory/1208-145-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/1208-139-0x0000020CED6B0000-0x0000020CED700000-memory.dmp

Filesize
320KB

Download
memory/1208-133-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/1208-134-0x0000020CEF5F0000-0x0000020CF166E000-memory.dmp

Filesize
32.5MB

Download
memory/1208-135-0x0000020CD2830000-0x0000020CD283C000-memory.dmp

Filesize
48KB

Download
memory/1208-136-0x0000020CD4080000-0x0000020CD4092000-memory.dmp

Filesize
72KB

Download
memory/1208-137-0x0000020CED670000-0x0000020CED6AC000-memory.dmp

Filesize
240KB

Download
memory/1208-132-0x0000020CD2430000-0x0000020CD2458000-memory.dmp

Filesize
160KB

Download
memory/1208-138-0x0000020CED8A0000-0x0000020CED9AA000-memory.dmp

Filesize
1.0MB

Download
memory/1548-194-0x0000024696177000-0x0000024696186000-memory.dmp

Filesize
60KB

Download
memory/1664-228-0x00000256FCF70000-0x00000256FCFAC000-memory.dmp

Filesize
240KB

Download
memory/3044-198-0x00000241E7F40000-0x00000241E7F7C000-memory.dmp

Filesize
240KB

Download
memory/3472-238-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/3472-241-0x0000000005EB0000-0x0000000005F04000-memory.dmp

Filesize
336KB

Download
memory/3472-236-0x00000000000E0000-0x00000000001B2000-memory.dmp

Filesize
840KB

Download
memory/3472-240-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/3472-237-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/3628-144-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/3628-143-0x0000000000C30000-0x0000000002430000-memory.dmp

Filesize
24.0MB

Download
memory/3628-146-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/4344-243-0x000002275D8F7000-0x000002275D906000-memory.dmp

Filesize
60KB

Download
memory/4472-239-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4472-231-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4472-234-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4900-223-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/4900-150-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/4916-221-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4916-153-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4916-158-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download