7841722dfa8d0e968bcb86dec56aa2cd00453e980ff92895304e6a886f6dea03

Analysis

max time kernel
297s
max time network
282s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WDSyncService.exe
Size

153KB
MD5

37932fd952d6d845927f25f42cb3c628
SHA1

d0d7e1b7cfb13a0999ef4c4733b83275a1de2440
SHA256

cb807472bb6d4d1113fcbc209d6a08fa80ff9e53c83b1aa37f9d6f549affd68c
SHA512

403dce223d9cbb4241f21a773cfc55501e4141b161c3ba60397c75d533c3abbd420a8f526f6aac7f2a0a5b7b91361ed013641f0d40afc00680428db3c1dbb49b
SSDEEP

1536:UJSV1Mq4KjdA0ejIB+7YeEsczbruUdwpiOpiq3hlV:UJKMq4KjdA0ejIB2sbbiUqhrV

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
1168	TS.exe
1316	TS.exe
1328	GBFCZLQULRRZKAL.exe
1248	GBFCZLQULRRZKAL.tmp
1980	php.exe
956	php.exe
108	63c0425462d40.exe
436	63c04256e38a0.exe
812	rhc.exe
316	php.exe
1472	updx-v2.5.23-setup.exe
1008	updx-v2.5.23-setup.tmp
1580	WDDiscovery.exe

Patched UPX-packed file 3 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral2/files/0x00060000000149bc-122.dat	patched_upx
behavioral2/files/0x00060000000149bc-138.dat	patched_upx
behavioral2/files/0x00060000000149bc-121.dat	patched_upx

Loads dropped DLL 56 IoCs

pid	Process
1328	GBFCZLQULRRZKAL.exe
1248	GBFCZLQULRRZKAL.tmp
1804	Process not Found
1508	Process not Found
1980	php.exe
956	php.exe
1980	php.exe
956	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
956	php.exe
956	php.exe
956	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
956	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
1980	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
956	php.exe
2016	cmd.exe
2016	cmd.exe
2004	cmd.exe
2004	cmd.exe
1096	Process not Found
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
316	php.exe
1472	updx-v2.5.23-setup.exe
1008	updx-v2.5.23-setup.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	1696	WerFault.exe	27

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	php.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	php.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3	php.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\091E8EA1B256A312962AF6C140C0FBF079A407B3\Blob = 030000000100000014000000091e8ea1b256a312962af6c140c0fbf079a407b31400000001000000140000005af3ed2bfc36c23779b95230ea546fcf55cb2eac04000000010000001000000090d366640488fcf876bdbd3a19c5fbf10f000000010000003000000012b85ed5575d4cdefb24db1d405f6a317aeceea0c9aebe00b22763a5b77e107ed1244ecb4e5fe050bcec52d3bac2574c190000000100000010000000bbb14e7405b947a5ae7063c3ee8858a718000000010000001000000070d4f0bec2078234214bd651643b02402000000001000000ca020000308202c63082024da003020102021100b3bddff8a7845bbce903a04135b34a45300a06082a8648ce3d040303304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205832301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b30090603550403130245313076301006072a8648ce3d020106052b8104002203620004245c2da22afd1c4ba65d97732731acb2a06962ef65e8a6b0f0ac4b9fff1c0b700fd3982f4dfc0f009b37f074055732972e05ef2a4325a3fb6e342713f64f7e69d302995eeb244792c1249be6b1218fc12481fc68cc1f69ba58f51922f774c616a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604145af3ed2bfc36c23779b95230ea546fcf55cb2eac301f0603551d230418301680147c4296aede4b483bfa92f89e8ccf6d8ba9723795303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78322e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78322e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300a06082a8648ce3d040303036700306402307b74d552138d61fe0dba3f03009df3d79884d9572ebde90f9c5c480421f2cbb360728e97d6124fca44f642c9d37b86a902305ab1b1b4edea609920b13803ca3da026b8ee6e2d4af6c6661f339adb924ad5f52913c6706228ba238ccf3d2fcb82e97f	php.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	php.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02401800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	php.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1472	updx-v2.5.23-setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1248	GBFCZLQULRRZKAL.tmp
1248	GBFCZLQULRRZKAL.tmp
1008	updx-v2.5.23-setup.tmp
1008	updx-v2.5.23-setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1248	GBFCZLQULRRZKAL.tmp
1008	updx-v2.5.23-setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1168	1696	WDSyncService.exe	28
PID 1696 wrote to memory of 1168	1696	WDSyncService.exe	28
PID 1696 wrote to memory of 1168	1696	WDSyncService.exe	28
PID 1696 wrote to memory of 1788	1696	WDSyncService.exe	30
PID 1696 wrote to memory of 1788	1696	WDSyncService.exe	30
PID 1696 wrote to memory of 1788	1696	WDSyncService.exe	30
PID 1704 wrote to memory of 1316	1704	taskeng.exe	32
PID 1704 wrote to memory of 1316	1704	taskeng.exe	32
PID 1704 wrote to memory of 1316	1704	taskeng.exe	32
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1316 wrote to memory of 1328	1316	TS.exe	34
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1328 wrote to memory of 1248	1328	GBFCZLQULRRZKAL.exe	35
PID 1248 wrote to memory of 1980	1248	GBFCZLQULRRZKAL.tmp	36
PID 1248 wrote to memory of 1980	1248	GBFCZLQULRRZKAL.tmp	36
PID 1248 wrote to memory of 1980	1248	GBFCZLQULRRZKAL.tmp	36
PID 1248 wrote to memory of 1980	1248	GBFCZLQULRRZKAL.tmp	36
PID 1248 wrote to memory of 956	1248	GBFCZLQULRRZKAL.tmp	38
PID 1248 wrote to memory of 956	1248	GBFCZLQULRRZKAL.tmp	38
PID 1248 wrote to memory of 956	1248	GBFCZLQULRRZKAL.tmp	38
PID 1248 wrote to memory of 956	1248	GBFCZLQULRRZKAL.tmp	38
PID 1980 wrote to memory of 2016	1980	php.exe	40
PID 1980 wrote to memory of 2016	1980	php.exe	40
PID 1980 wrote to memory of 2016	1980	php.exe	40
PID 2016 wrote to memory of 108	2016	cmd.exe	41
PID 2016 wrote to memory of 108	2016	cmd.exe	41
PID 2016 wrote to memory of 108	2016	cmd.exe	41
PID 956 wrote to memory of 2004	956	php.exe	42
PID 956 wrote to memory of 2004	956	php.exe	42
PID 956 wrote to memory of 2004	956	php.exe	42
PID 2004 wrote to memory of 436	2004	cmd.exe	43
PID 2004 wrote to memory of 436	2004	cmd.exe	43
PID 2004 wrote to memory of 436	2004	cmd.exe	43
PID 1704 wrote to memory of 812	1704	taskeng.exe	44
PID 1704 wrote to memory of 812	1704	taskeng.exe	44
PID 1704 wrote to memory of 812	1704	taskeng.exe	44
PID 1704 wrote to memory of 812	1704	taskeng.exe	44
PID 812 wrote to memory of 316	812	rhc.exe	45
PID 812 wrote to memory of 316	812	rhc.exe	45
PID 812 wrote to memory of 316	812	rhc.exe	45
PID 812 wrote to memory of 316	812	rhc.exe	45
PID 316 wrote to memory of 796	316	php.exe	47
PID 316 wrote to memory of 796	316	php.exe	47
PID 316 wrote to memory of 796	316	php.exe	47
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 796 wrote to memory of 1472	796	cmd.exe	48
PID 1472 wrote to memory of 1008	1472	updx-v2.5.23-setup.exe	49
PID 1472 wrote to memory of 1008	1472	updx-v2.5.23-setup.exe	49
PID 1472 wrote to memory of 1008	1472	updx-v2.5.23-setup.exe	49

C:\Users\Admin\AppData\Local\Temp\WDSyncService.exe
"C:\Users\Admin\AppData\Local\Temp\WDSyncService.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\TS.exe
  "C:\Users\Admin\AppData\Local\Temp\TS.exe" t
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1696 -s 1164
  2⤵
  - Program crash
  PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {9D77C714-3C0F-442A-9DF9-F6C9C6E8D363} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\Packages\TS.exe
  C:\Users\Admin\AppData\Roaming\Packages\TS.exe d
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\GBFCZLQULRRZKAL.exe
    "C:\Users\Admin\AppData\Local\Temp\GBFCZLQULRRZKAL.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\is-5BRB0.tmp\GBFCZLQULRRZKAL.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5BRB0.tmp\GBFCZLQULRRZKAL.tmp" /SL5="$B0118,18268790,832512,C:\Users\Admin\AppData\Local\Temp\GBFCZLQULRRZKAL.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
        
        "C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe" include.php
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp\63c0425462d40.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c0425462d40.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c0425462d40.exe
        7⤵
        Executes dropped EXE
        
        PID:108
    - - C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
        
        "C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe" index.php
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tmp\63c04256dbec0\63c04256e38a0.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA7rZ5YEEEaQbQFvch8Ow64AAAAAAIAAAAAABBmAAAAAQAAIAAAAI2jF2YIAVWfN0ukq3M0IBExTNVCXzZag6SejDfJYXKiAAAAAA6AAAAAAgAAIAAAAHKPDT23CU+g6uVyzixvxv0nM/aVLLVxFASl0eNgXG84MAAAAIZUxFXM4531XpdyNRFaOj+Snv7UEEaOyeYjPuEe7e+hl072df2vzvTO18MH+JTyREAAAAD6zW2zQtkL5thSJkCNSEXGn89E01llLVc+qfdZ4hCMJ8QaslAemgROT5GepRqVk57B+iHSs4/uNWduTM7mhFTi"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c04256dbec0\63c04256e38a0.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp\63c04256dbec0\63c04256e38a0.exe /c RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA7rZ5YEEEaQbQFvch8Ow64AAAAAAIAAAAAABBmAAAAAQAAIAAAAI2jF2YIAVWfN0ukq3M0IBExTNVCXzZag6SejDfJYXKiAAAAAA6AAAAAAgAAIAAAAHKPDT23CU+g6uVyzixvxv0nM/aVLLVxFASl0eNgXG84MAAAAIZUxFXM4531XpdyNRFaOj+Snv7UEEaOyeYjPuEe7e+hl072df2vzvTO18MH+JTyREAAAAD6zW2zQtkL5thSJkCNSEXGn89E01llLVc+qfdZ4hCMJ8QaslAemgROT5GepRqVk57B+iHSs4/uNWduTM7mhFTi
        7⤵
        Executes dropped EXE
        
        PID:436
- C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe
  C:\Users\Admin\AppData\Local\WAAS\v2519\rhc.exe php.exe index.php
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe
    php.exe index.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "updx-v2.5.23-setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Users\Admin\AppData\Local\WAAS\v2519\updx-v2.5.23-setup.exe
        
        updx-v2.5.23-setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Users\Admin\AppData\Local\Temp\is-KQNQK.tmp\updx-v2.5.23-setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KQNQK.tmp\updx-v2.5.23-setup.tmp" /SL5="$60150,2220728,832512,C:\Users\Admin\AppData\Local\WAAS\v2519\updx-v2.5.23-setup.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\UPDX\v3-5\WDDiscovery.exe
        
        "C:\Users\Admin\AppData\Roaming\UPDX\v3-5\WDDiscovery.exe"
        7⤵
        Executes dropped EXE
        
        PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GBFCZLQULRRZKAL.exe

Filesize
18.2MB

MD5
a402c7b50c92a159fa33f6ccb8235c64

SHA1
529d40463f6d3d119a2a45414bc213b66bf10eec

SHA256
a1afb9b8db6527a9ca41a9eeb106be4e3f073513ab94e68c4677f7b59efcdf6a

SHA512
6b9d887474cdb112f6c7fc49e9c4030f3609f9cb23ba4ff3dc3574b004d8f8ae9e1a640f459a3396083058fa50a9edbf5dd6a51ca2bb778cd44df6b7a26ad9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBFCZLQULRRZKAL.exe

Filesize
18.2MB

MD5
a402c7b50c92a159fa33f6ccb8235c64

SHA1
529d40463f6d3d119a2a45414bc213b66bf10eec

SHA256
a1afb9b8db6527a9ca41a9eeb106be4e3f073513ab94e68c4677f7b59efcdf6a

SHA512
6b9d887474cdb112f6c7fc49e9c4030f3609f9cb23ba4ff3dc3574b004d8f8ae9e1a640f459a3396083058fa50a9edbf5dd6a51ca2bb778cd44df6b7a26ad9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS.exe

Filesize
24.0MB

MD5
98ccf33d3910959d4c9e498fe83e222d

SHA1
dde589ee91ef311423c4bf6cc43cf2b275d69875

SHA256
d0867a6d5f54f0636f6ea57aff775d425873189cd7506e61e4b498418f23fd6a

SHA512
f55e7c5f92696eaab78289df5dc8a738916ea5c1d53d6b0027ae178e8f2fd9c345c908e832c09480175394a5a11cb78c3f1da8d545344ec4ff4e4bb8394cd028

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS.exe

Filesize
24.0MB

MD5
98ccf33d3910959d4c9e498fe83e222d

SHA1
dde589ee91ef311423c4bf6cc43cf2b275d69875

SHA256
d0867a6d5f54f0636f6ea57aff775d425873189cd7506e61e4b498418f23fd6a

SHA512
f55e7c5f92696eaab78289df5dc8a738916ea5c1d53d6b0027ae178e8f2fd9c345c908e832c09480175394a5a11cb78c3f1da8d545344ec4ff4e4bb8394cd028

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5BRB0.tmp\GBFCZLQULRRZKAL.tmp

Filesize
3.0MB

MD5
f26aad9db694ca8ce502f951c8e20ca3

SHA1
e74453f1fd1c6b201fd37566010a64bc3ad5e407

SHA256
57da2d84a5c1ccb78c020af95c4826cf4cec5f19c84b2545e98627f0634becfb

SHA512
8a9337ea0c06f13b28fb184b3c8cbd44a2aa3476652359ec70b664611c7577f6e2c6b20bbd1c6f47d5154c6c0381d69bac32644011e49965620330bcb10f37cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5BRB0.tmp\GBFCZLQULRRZKAL.tmp

Filesize
3.0MB

MD5
f26aad9db694ca8ce502f951c8e20ca3

SHA1
e74453f1fd1c6b201fd37566010a64bc3ad5e407

SHA256
57da2d84a5c1ccb78c020af95c4826cf4cec5f19c84b2545e98627f0634becfb

SHA512
8a9337ea0c06f13b28fb184b3c8cbd44a2aa3476652359ec70b664611c7577f6e2c6b20bbd1c6f47d5154c6c0381d69bac32644011e49965620330bcb10f37cd

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.DLL

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\include.php

Filesize
10KB

MD5
6398ee20ea5bbb627921f9c2db1e63e2

SHA1
da0b5e2c838183045ae7ba2105bccfb6a2c50e55

SHA256
5d600ab2c174bc98d4dbfdcdacd4eaa158f66881644ff0e1136f473d4a9d0520

SHA512
1d732d17f1f30c3e080a5c96a015a17ad7c469c04134bb3be65575121a53cb020e28ca4b14f631d58081f6c4832adb0b97193015ba6946ccbe5901326c6af637

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\index.php

Filesize
86KB

MD5
3417c6217390f5aeb6aa9867a41a214f

SHA1
3d5f6fdc55a6399af220d987f6b2a8469fcbdf18

SHA256
39f542d04b566bcb436b44566c3be8be029bc43c4a47ff028b78cc3ba66397c8

SHA512
df2cfb2a51baf896d3cd851eaa36a0c073d92329611de354c58a4fc040805f29560f8eaa8a0487b4eb0c01a6513a8425aad158ef91c10b1fc061ed56aca6a47a

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php.ini

Filesize
70KB

MD5
5fa10fbd9cdcdefa94e497a4b2d2b813

SHA1
2b278a10e9967b9076a027e69f910bf215f2a035

SHA256
e9796c19589b948b7fdd5f300e055c0bbbafbfbabbb36b109d13e185fec0e4ed

SHA512
c6664f68bff8009a0b75d2c1b440d00141ffe903a6fc6c0782bfa9a96cf74d0dbc5e6b52727afb0953e2a74c558001fb56b8fd4386fd562c027bd4aa913f510c

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\rss.txt

Filesize
483KB

MD5
8fc16fd81b57309ddc7b1deb3f690130

SHA1
f9a0313fe37cc35158d5674d2d4ceb2bbe7ef8c3

SHA256
c40804c68fac760eab7a5c82c341e66fc326f263d7c5089e057047a369436913

SHA512
34e0b333989a8e6b1c9d6cd917606e36cb24d0fc76d50fbdaee3920c07bbb4a9b19c23ed067a7e86a20442aa996627902621a17d3c0c6a1c7e221df6f28ec1eb

Download Submit
C:\Users\Admin\AppData\Local\WAAS\v2519\tag

Filesize
8B

MD5
ca3ad98e8c7c43321932232e9d7d4f47

SHA1
56585e97e88ef3596adca882b73dd47d47498c29

SHA256
f231b010c671da9c9cd75ea0f3a9980561b4bfdf896c713a5502f044b40e5b34

SHA512
20227ce8b12347b0213f1248bf16de205bc21df7f903f28b48f59807dfdbc46974e3a60f0685384c776b2846deaebe20c5a55eb556d968b96b61b91914e511f8

Download Submit
C:\Users\Admin\AppData\Roaming\Packages\TS.exe

Filesize
24.0MB

MD5
98ccf33d3910959d4c9e498fe83e222d

SHA1
dde589ee91ef311423c4bf6cc43cf2b275d69875

SHA256
d0867a6d5f54f0636f6ea57aff775d425873189cd7506e61e4b498418f23fd6a

SHA512
f55e7c5f92696eaab78289df5dc8a738916ea5c1d53d6b0027ae178e8f2fd9c345c908e832c09480175394a5a11cb78c3f1da8d545344ec4ff4e4bb8394cd028

Download Submit
C:\Users\Admin\AppData\Roaming\Packages\TS.exe

Filesize
24.0MB

MD5
98ccf33d3910959d4c9e498fe83e222d

SHA1
dde589ee91ef311423c4bf6cc43cf2b275d69875

SHA256
d0867a6d5f54f0636f6ea57aff775d425873189cd7506e61e4b498418f23fd6a

SHA512
f55e7c5f92696eaab78289df5dc8a738916ea5c1d53d6b0027ae178e8f2fd9c345c908e832c09480175394a5a11cb78c3f1da8d545344ec4ff4e4bb8394cd028

Download Submit
\Users\Admin\AppData\Local\Temp\is-5BRB0.tmp\GBFCZLQULRRZKAL.tmp

Filesize
3.0MB

MD5
f26aad9db694ca8ce502f951c8e20ca3

SHA1
e74453f1fd1c6b201fd37566010a64bc3ad5e407

SHA256
57da2d84a5c1ccb78c020af95c4826cf4cec5f19c84b2545e98627f0634becfb

SHA512
8a9337ea0c06f13b28fb184b3c8cbd44a2aa3476652359ec70b664611c7577f6e2c6b20bbd1c6f47d5154c6c0381d69bac32644011e49965620330bcb10f37cd

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.dll

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_com_dotnet.dll

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\vcruntime140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\WAAS\v2519\vcruntime140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
memory/316-155-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/956-124-0x0000000004430000-0x000000000446C000-memory.dmp

Filesize
240KB

Download
memory/1008-163-0x0000000074B91000-0x0000000074B93000-memory.dmp

Filesize
8KB

Download
memory/1168-66-0x0000000000E20000-0x0000000002620000-memory.dmp

Filesize
24.0MB

Download
memory/1248-86-0x0000000074B81000-0x0000000074B83000-memory.dmp

Filesize
8KB

Download
memory/1316-71-0x0000000000A70000-0x0000000002270000-memory.dmp

Filesize
24.0MB

Download
memory/1316-73-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download
memory/1316-72-0x000000001C8C0000-0x000000001E118000-memory.dmp

Filesize
24.3MB

Download
memory/1328-76-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1328-85-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1328-80-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1328-101-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1328-77-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1472-166-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1472-159-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1472-165-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1580-167-0x00000000010B0000-0x0000000001182000-memory.dmp

Filesize
840KB

Download
memory/1696-59-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1696-58-0x00000000003F0000-0x0000000000414000-memory.dmp

Filesize
144KB

Download
memory/1696-152-0x0000000000376000-0x0000000000395000-memory.dmp

Filesize
124KB

Download
memory/1696-60-0x0000000026A60000-0x0000000028A8A000-memory.dmp

Filesize
32.2MB

Download
memory/1696-61-0x0000000000376000-0x0000000000395000-memory.dmp

Filesize
124KB

Download
memory/1696-54-0x0000000000A60000-0x0000000000A88000-memory.dmp

Filesize
160KB

Download
memory/1696-55-0x000000001AD50000-0x000000001CDCE000-memory.dmp

Filesize
32.5MB

Download
memory/1696-56-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1696-67-0x0000000000376000-0x0000000000395000-memory.dmp

Filesize
124KB

Download
memory/1696-57-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download
memory/1980-114-0x0000000004130000-0x000000000416C000-memory.dmp

Filesize
240KB

Download