6a9b62894ee77e4131d0fbf4f43fe634e10c0c8ae616012a8e62a5047ba8b7a5

Analysis

max time kernel
44s
max time network
44s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Assetloader.exe
Size

9.5MB
MD5

824b1900fa0979a638e00b0aee1c32ea
SHA1

9621ce578f9561cb708f7806a5916970e1e012d1
SHA256

f3e1ed3f50fd06db77cd607b0bf4060ce1707a969fe27057ee33e1033437a761
SHA512

4c190f03dc0a0c713acc035ac199bcaba74a1aaa666aac47c582273e23cf97c59aacc49589230677003f3b6469228e70058b9690bcb527ec430f20dfb56486ca
SSDEEP

196608:L+k8xu3cwZhMWs+GGzLSHTqWdlmx0Q0Hbwq9xi/HX77r:jW8dGGi342Hkqm/Hr7

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2936	attrib.exe
2220	attrib.exe

Executes dropped EXE 8 IoCs

pid	Process
2036	vr2.exe
2600	sr2.exe
2588	ug2.exe
2428	bg.exe
1748	bg.exe
1152	Process not Found
1200	aids.exe
2692	$77svrhost.exe

Loads dropped DLL 10 IoCs

pid	Process
2324	Assetloader.exe
2428	bg.exe
1748	bg.exe
1748	bg.exe
1748	bg.exe
1748	bg.exe
1748	bg.exe
1748	bg.exe
1748	bg.exe
2628	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000192eb-103.dat	upx
behavioral1/files/0x00050000000192eb-104.dat	upx
behavioral1/memory/1748-109-0x000007FEF2A80000-0x000007FEF3068000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svrhost\\$77svrhost.exe\""	sr2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2036	vr2.exe
2600	sr2.exe
2588	ug2.exe
2600	sr2.exe
2036	vr2.exe
2588	ug2.exe
1200	aids.exe
1200	aids.exe
2692	$77svrhost.exe
2692	$77svrhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ug2.exe	Assetloader.exe
File created	C:\Windows\vr2.exe	Assetloader.exe
File created	C:\Windows\sr2.exe	Assetloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1312	schtasks.exe
2196	schtasks.exe
1056	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
968	timeout.exe
2376	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2576	powershell.exe
2036	vr2.exe
2036	vr2.exe
2036	vr2.exe
2036	vr2.exe
2600	sr2.exe
2600	sr2.exe
2600	sr2.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe
1200	aids.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2036	vr2.exe
Token: SeDebugPrivilege	2588	ug2.exe
Token: SeIncreaseQuotaPrivilege	1224	wmic.exe
Token: SeSecurityPrivilege	1224	wmic.exe
Token: SeTakeOwnershipPrivilege	1224	wmic.exe
Token: SeLoadDriverPrivilege	1224	wmic.exe
Token: SeSystemProfilePrivilege	1224	wmic.exe
Token: SeSystemtimePrivilege	1224	wmic.exe
Token: SeProfSingleProcessPrivilege	1224	wmic.exe
Token: SeIncBasePriorityPrivilege	1224	wmic.exe
Token: SeCreatePagefilePrivilege	1224	wmic.exe
Token: SeBackupPrivilege	1224	wmic.exe
Token: SeRestorePrivilege	1224	wmic.exe
Token: SeShutdownPrivilege	1224	wmic.exe
Token: SeDebugPrivilege	1224	wmic.exe
Token: SeSystemEnvironmentPrivilege	1224	wmic.exe
Token: SeRemoteShutdownPrivilege	1224	wmic.exe
Token: SeUndockPrivilege	1224	wmic.exe
Token: SeManageVolumePrivilege	1224	wmic.exe
Token: 33	1224	wmic.exe
Token: 34	1224	wmic.exe
Token: 35	1224	wmic.exe
Token: SeIncreaseQuotaPrivilege	1224	wmic.exe
Token: SeSecurityPrivilege	1224	wmic.exe
Token: SeTakeOwnershipPrivilege	1224	wmic.exe
Token: SeLoadDriverPrivilege	1224	wmic.exe
Token: SeSystemProfilePrivilege	1224	wmic.exe
Token: SeSystemtimePrivilege	1224	wmic.exe
Token: SeProfSingleProcessPrivilege	1224	wmic.exe
Token: SeIncBasePriorityPrivilege	1224	wmic.exe
Token: SeCreatePagefilePrivilege	1224	wmic.exe
Token: SeBackupPrivilege	1224	wmic.exe
Token: SeRestorePrivilege	1224	wmic.exe
Token: SeShutdownPrivilege	1224	wmic.exe
Token: SeDebugPrivilege	1224	wmic.exe
Token: SeSystemEnvironmentPrivilege	1224	wmic.exe
Token: SeRemoteShutdownPrivilege	1224	wmic.exe
Token: SeUndockPrivilege	1224	wmic.exe
Token: SeManageVolumePrivilege	1224	wmic.exe
Token: 33	1224	wmic.exe
Token: 34	1224	wmic.exe
Token: 35	1224	wmic.exe
Token: SeBackupPrivilege	924	vssvc.exe
Token: SeRestorePrivilege	924	vssvc.exe
Token: SeAuditPrivilege	924	vssvc.exe
Token: SeDebugPrivilege	2036	vr2.exe
Token: SeDebugPrivilege	2600	sr2.exe
Token: SeDebugPrivilege	1200	aids.exe
Token: SeDebugPrivilege	1200	aids.exe
Token: SeDebugPrivilege	2692	$77svrhost.exe
Token: SeDebugPrivilege	1060	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	aids.exe
2692	$77svrhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2576	2324	Assetloader.exe	28
PID 2324 wrote to memory of 2576	2324	Assetloader.exe	28
PID 2324 wrote to memory of 2576	2324	Assetloader.exe	28
PID 2324 wrote to memory of 2576	2324	Assetloader.exe	28
PID 2324 wrote to memory of 2036	2324	Assetloader.exe	30
PID 2324 wrote to memory of 2036	2324	Assetloader.exe	30
PID 2324 wrote to memory of 2036	2324	Assetloader.exe	30
PID 2324 wrote to memory of 2036	2324	Assetloader.exe	30
PID 2324 wrote to memory of 2600	2324	Assetloader.exe	31
PID 2324 wrote to memory of 2600	2324	Assetloader.exe	31
PID 2324 wrote to memory of 2600	2324	Assetloader.exe	31
PID 2324 wrote to memory of 2600	2324	Assetloader.exe	31
PID 2324 wrote to memory of 2588	2324	Assetloader.exe	32
PID 2324 wrote to memory of 2588	2324	Assetloader.exe	32
PID 2324 wrote to memory of 2588	2324	Assetloader.exe	32
PID 2324 wrote to memory of 2588	2324	Assetloader.exe	32
PID 2324 wrote to memory of 2428	2324	Assetloader.exe	33
PID 2324 wrote to memory of 2428	2324	Assetloader.exe	33
PID 2324 wrote to memory of 2428	2324	Assetloader.exe	33
PID 2324 wrote to memory of 2428	2324	Assetloader.exe	33
PID 2428 wrote to memory of 1748	2428	bg.exe	34
PID 2428 wrote to memory of 1748	2428	bg.exe	34
PID 2428 wrote to memory of 1748	2428	bg.exe	34
PID 2588 wrote to memory of 1224	2588	ug2.exe	35
PID 2588 wrote to memory of 1224	2588	ug2.exe	35
PID 2588 wrote to memory of 1224	2588	ug2.exe	35
PID 2036 wrote to memory of 2924	2036	vr2.exe	41
PID 2036 wrote to memory of 2924	2036	vr2.exe	41
PID 2036 wrote to memory of 2924	2036	vr2.exe	41
PID 2036 wrote to memory of 692	2036	vr2.exe	42
PID 2036 wrote to memory of 692	2036	vr2.exe	42
PID 2036 wrote to memory of 692	2036	vr2.exe	42
PID 692 wrote to memory of 968	692	cmd.exe	45
PID 692 wrote to memory of 968	692	cmd.exe	45
PID 692 wrote to memory of 968	692	cmd.exe	45
PID 2924 wrote to memory of 1312	2924	cmd.exe	46
PID 2924 wrote to memory of 1312	2924	cmd.exe	46
PID 2924 wrote to memory of 1312	2924	cmd.exe	46
PID 2600 wrote to memory of 2936	2600	sr2.exe	47
PID 2600 wrote to memory of 2936	2600	sr2.exe	47
PID 2600 wrote to memory of 2936	2600	sr2.exe	47
PID 2600 wrote to memory of 2220	2600	sr2.exe	49
PID 2600 wrote to memory of 2220	2600	sr2.exe	49
PID 2600 wrote to memory of 2220	2600	sr2.exe	49
PID 692 wrote to memory of 1200	692	cmd.exe	51
PID 692 wrote to memory of 1200	692	cmd.exe	51
PID 692 wrote to memory of 1200	692	cmd.exe	51
PID 2600 wrote to memory of 2628	2600	sr2.exe	52
PID 2600 wrote to memory of 2628	2600	sr2.exe	52
PID 2600 wrote to memory of 2628	2600	sr2.exe	52
PID 2628 wrote to memory of 2376	2628	cmd.exe	54
PID 2628 wrote to memory of 2376	2628	cmd.exe	54
PID 2628 wrote to memory of 2376	2628	cmd.exe	54
PID 2628 wrote to memory of 2692	2628	cmd.exe	55
PID 2628 wrote to memory of 2692	2628	cmd.exe	55
PID 2628 wrote to memory of 2692	2628	cmd.exe	55
PID 2692 wrote to memory of 1468	2692	$77svrhost.exe	57
PID 2692 wrote to memory of 1468	2692	$77svrhost.exe	57
PID 2692 wrote to memory of 1468	2692	$77svrhost.exe	57
PID 2692 wrote to memory of 2196	2692	$77svrhost.exe	59
PID 2692 wrote to memory of 2196	2692	$77svrhost.exe	59
PID 2692 wrote to memory of 2196	2692	$77svrhost.exe	59
PID 2692 wrote to memory of 3064	2692	$77svrhost.exe	61
PID 2692 wrote to memory of 3064	2692	$77svrhost.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2220	attrib.exe
2936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Assetloader.exe
"C:\Users\Admin\AppData\Local\Temp\Assetloader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZQBpACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\vr2.exe
  "C:\Windows\vr2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1312
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3811.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:968
  - - C:\Users\Admin\AppData\Roaming\aids.exe
      "C:\Users\Admin\AppData\Roaming\aids.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1200
- C:\Windows\sr2.exe
  "C:\Windows\sr2.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2936
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost\$77svrhost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2220
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CC5.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2376
  - - C:\Users\Admin\svrhost\$77svrhost.exe
      "C:\Users\Admin\svrhost\$77svrhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        5⤵
        
        PID:1468
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77svrhost.exe" /TR "C:\Users\Admin\svrhost\$77svrhost.exe \"\$77svrhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2196
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        5⤵
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svrhost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Creates scheduled task(s)
        
        PID:1056
- C:\Windows\ug2.exe
  "C:\Windows\ug2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Users\Admin\AppData\Roaming\bg.exe
  "C:\Users\Admin\AppData\Roaming\bg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Roaming\bg.exe
    "C:\Users\Admin\AppData\Roaming\bg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB35F.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24282\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
7daa81e752613950b67903f4ea69a0da

SHA1
00f86240d69e15a9e319e4c79026b54edc3ea671

SHA256
e255d1b403a48dd600b58d2124e7ceaf2edc6ca0448096f4160d85dd3e38c6a3

SHA512
c1ae0b6537191cd175a6c072a17215c1efb1ed719a73a56cbf139da4928730cf2a3cfc6c0a1ac5ce00957777f5f32323fc171bed7849863ec3cb7184a08dec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24282\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
898964872c15b531ff4bce16ccb32f21

SHA1
6fe38ecd6e6e9f666418d42008f9baf7c5a9af64

SHA256
52f2c643e4e7e6a64441dfa6b00b7a53ba573e80357c752745c670d9382ec018

SHA512
d97268284e65cd15365d8ac21dbfdc9794391b0113d6f12b9f40ce9e1e31472437131911dae84e09c55bbe6c99593065f4d18e319b4a3abb6b89bb6e3e785cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24282\python311.dll

Filesize
1.0MB

MD5
2c6a4c91b79bd6aaa34c9d618da1fe0f

SHA1
ba4b67e15dc838ef1442c120d133d5dd48e0aef9

SHA256
8ecfa2d96560a2efbc8e1884cf1ac5898624682c50899cd690d4880676d24b8b

SHA512
c755de595b8d003e49b0a3b8fc9aa23ae55d11fe064f3a66383a74d53c081b294d2606ccb19e8b819e3e03721eb590a4d87d1784b45cd5240f065bdacfd5064c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24282\ucrtbase.dll

Filesize
1.1MB

MD5
337b243eda185e326d5f972fcbeba07b

SHA1
5c8ec0fe64cb88911509703570775a626444cb99

SHA256
41225f978be3cbb7ce05c0666de8f88909e9973bed0df45fcb4e94b76761b208

SHA512
4111a269483217aa856daeef9fb3d561ca736e7789a46d758e20a3a56773bbcdacacbbbfef9dc7d2a2ea3a5b36d7cc29ee731b22c2bda2c0f2f6a9fd3d2282b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3811.tmp.bat

Filesize
148B

MD5
e375c1e313fcc7e9bfb8cc0303192d4b

SHA1
543a4d1b6919f96bcdeb1dd76155531c36547f9e

SHA256
f13d4808c6a772660f704b41f8ae11555673364610079e047be271ed4b8fd6d6

SHA512
887c1f21f8ac5b64aaa762cc22b068373d23b22bb22fbab3184ef7185cee5e5b761a454871ded64a63a00dfb615234857f961d99319da94266aaa7cca845ae60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CC5.tmp.bat

Filesize
146B

MD5
87389b888245a72a2e64c9cf8a429fce

SHA1
9159a1871c813fd5606f9d0c4f9cab83fb2c8150

SHA256
c46a7f55c8f6476e9f57a8adc902120b56a7e74714f02e0b88f9be02273ab71a

SHA512
c9f8e5aa2a6179c7909a49b1b2919b673f80e48c1d9e89692b196bc97ef5f93a3d65311edb7e801f7937bdbfebac56bb61924149bfcc58857af89525d6ae9338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N5MQGM5JE2EI5ED7LJ6A.temp

Filesize
7KB

MD5
58df82f90faf4364ffeebb6981d8a152

SHA1
fda3eba0d17a89dc711f49c2a94940b164e4f2f3

SHA256
d772a567af27a0f2af22c58307fcc78a82744f2f9f430e6937dc850a8320de45

SHA512
7ba7fe12fa7e4ff65b014d9638e40d9bf0f3a6a29c002d876cd01a7c8db2b503c48e19745b071887f3cc56bd75de853943ac07635d2c4149ef5eece4733574c3

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\aids.exe

Filesize
326KB

MD5
0513658a5eabf01146ef5778ddc3f9e3

SHA1
b0ed1fad294c9eb9375702c55a87a13ae9f5bfb8

SHA256
704e20dc6bb1e68c6b0f4528a83c9c8396df723c86217df6190c2227a4fec3b9

SHA512
7bbd0f12b17657fcb14191fa4e972493e0bcd543a5fa7821dfde63a113005091da58f44b449798ad02833488e802091e1d063d7d2f45b140f4c421280d107a4e

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
8KB

MD5
0c9873034ca51c20d936dc632d1ce0e6

SHA1
a1e5f7c165e2cd60b12f974b1b9ddf02535ea222

SHA256
d3be774a0aa77ab20d88c277a5b59fd19f401045dae2b72433c8bc9c9e8b9f4b

SHA512
d63a1b34d41c02f39e38a526b621309254b896b4bd0c397afdfe7a5099e88a8bb56d13b8865648adcc9b5aad7d036181e5ba3e449a21609c71680d604336a10c

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
2.0MB

MD5
f4b906dc78f8b24c302c6c61f190d85c

SHA1
b6ff0e2887e303c86288d31dc7d36e92adf217f1

SHA256
886522a65f04587b4dbbaedb844353e147d248f32133d1f184af527a5af67e6b

SHA512
1957ea9ffa671a14eee1b10e59c864bd92cedff631bedc25c5af808c79b9e7ff0c861f31b29f7c1aea0232478096c45c2fd3dd1cb03d4d72469f4eb22b1b8b14

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
1.0MB

MD5
cf7c7b757dedd2a462e7a121908c2234

SHA1
a5ef4ec3513bb8c5ad8550161b586b33c530ad6c

SHA256
5c33d2be440be709a96a35d001aa76fda2b7ba7b84c2bdaa70f3955095ad7c50

SHA512
4d5ef7965048ad53bb66e5aad88eababd46efc67df7e40e4603862ed3127eda5b4987a96e166e1dacfd63f22c2338f2a45b6d70362cce8322ec51b12bdafa4aa

Download Submit
C:\Windows\sr2.exe

Filesize
465KB

MD5
3612aafe99f7c5bd7657821bd61ab3f7

SHA1
e766cf16e04105323fa92fdbeebcbc3cdf0ae9e0

SHA256
78ebd2f96fa47fdd6b221dee7acd9b634287584acf109bd16abb2d1940cdfb9b

SHA512
1e953ae58a9e86ef4d1dbfdefa991db160dc063835cc9a4dc955c4e74274b0493dc99ff4ea32c7ae314fe0e89e7ca4e41e5dead04b7f4e2bd405767290f6fce0

Download Submit
C:\Windows\ug2.exe

Filesize
779KB

MD5
cb17890e3a0628d17484632467a584b4

SHA1
5044894ac4a0ee17a265df066b1ca2f85f811465

SHA256
d38a9fb2193fbd4ec28d229e4eb8c134ba51861d5f9fb2c87ad22703c0da2ef6

SHA512
46823b75bf6a615d5abfdf70b9af756fd1aecc2ec41818e0bfadbe570046885a7b43ec45bf8525d9be6739f93410fe48deb0006ae9cc182909b931dd46d8fb1b

Download Submit
C:\Windows\vr2.exe

Filesize
525KB

MD5
580515ffee63af73ff50115767e4befd

SHA1
c616ad338a1c4d602b3c8c483258d27fbc1ea87e

SHA256
990117ee841d6897cc9790552abe248d200e46feb0d80609788df61d66271d1a

SHA512
56e9c3572bf3fd6eaac2d63bfd1a952f4ea52cee98f6aa44cebca39d5a62f4eaeb378c7bcfded70a44d19b2de2325508cfb2f7beb74ab8aa915daf696c90fafc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24282\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
0d6d4654c98caa8ff93eebbc744bfb8b

SHA1
e4662e675a2ae93e66bddb0743fb81c0cf1e31d4

SHA256
1686b1b0a72655c89348bd5a2e5c88e6e5ca228f407c02f9700b43a045e60aab

SHA512
db3d59af607e9428b646b8993547b1129e92bb1aad12684cd69c0050517f6d8a1832393323c7f99d0b1dfa6ae801c8921234a3e470063b6715435e99e0b03ae6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24282\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
1bde33f0454eb6a02549107c97fab7d1

SHA1
7276a41d76780da4aecce0a9f0386274d5ae47cd

SHA256
25ea41b07fb34008ac9f4d28aadc0ff0c6f03b10c12b56c1a7e6b5e730f5d48b

SHA512
df836a5ea3008e5df9fc0194a2381ee9cd80f892f6b77af6f57f3aff72c99924b872fd9bd8a45c72b3787c381bc1c324346758d631fe780c0a8dc23381d43590

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24282\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2b3375caffd7eff2bffcd5336006a6ee

SHA1
8494cd20af1d86330558cc86cc2566adee00b594

SHA256
89970b77351d562b264f4e534feb80bcfbab98330fb4eb814ea4773953676b26

SHA512
f0525a19105eb8e0fdcbe8d16553fa9dfbc85742f923bd635637650068b437bc91790209000c1352d732397f0e68b5d96f1928fe98b1c59e001b733feb0fd61f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI24282\python311.dll

Filesize
1.1MB

MD5
d8e29bea60b4671f51591e820ea43451

SHA1
ad4b5983f240aa45697f72890cfd241a0ca78be0

SHA256
21984dd7fe17fadee8f941044951ae4d01f08643fcc4cd51b80e44caffe0b906

SHA512
8dae90df2947493007c47bea85501209f73d244d5f65ad35fccb74186dc424dad0ec722f826798d4f644fc4a2d1a9e67bada0a5f5f553e01085896840fa37cd3

Download Submit
\Users\Admin\AppData\Roaming\bg.exe

Filesize
423KB

MD5
18e8b2999cc1a82342561c17b007f721

SHA1
2a305b255d310faf4a0d9908306cfe1e3a19a73b

SHA256
48249c101569905e3da88da5b34599c71694854dfbccae494ae68e43d316d057

SHA512
48516b2abd247841677fb3cd7cebe3f8f85f417d98012f9c457a37884165f0e739433c8a7e57a89b10ed811b136b43d609036c5cf71d5050793b336c5a5a3283

Download Submit
\Users\Admin\AppData\Roaming\bg.exe

Filesize
5KB

MD5
ef2a9c4c060600a7bd18073cec9cef85

SHA1
76d6333110ffecf8d56fce2b29c12f09b235cea5

SHA256
9becaa9c5c0f3fd2898ba90b902b38445ef78c878e6d85dba8076c8e2df631c0

SHA512
3e13c6ec7d21baf36c44f9b43eb111f2c38a42b5f1658cff20b28e326adb9324bf7c589991166e30bf2373fb82bd69d0e85dd1a98db176840ec3545308ccdf81

Download Submit
\Users\Admin\AppData\Roaming\bg.exe

Filesize
1.4MB

MD5
7579e59c7e73954213a55ff974cb779b

SHA1
b92b3dedb4555140c6e34ece57e1fed05bbc145a

SHA256
489211897d6f44924a5a56fb24864be46828a180bca71e842a465ae56be09805

SHA512
8dcd60172165d897db7fdf22be21fe63a87f999d4709205defcaf672ba4da76f32d975cf12b9b5dfac8b00f419efdb055e4d58cfe75eca426cdd4273d9a70053

Download Submit
memory/1060-238-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1060-240-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1060-241-0x000007FEED020000-0x000007FEED9BD000-memory.dmp

Filesize
9.6MB

Download
memory/1060-239-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1060-237-0x000007FEED020000-0x000007FEED9BD000-memory.dmp

Filesize
9.6MB

Download
memory/1060-236-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1060-235-0x000007FEED020000-0x000007FEED9BD000-memory.dmp

Filesize
9.6MB

Download
memory/1060-234-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/1060-233-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1200-227-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/1200-143-0x0000000000B30000-0x0000000000C0A000-memory.dmp

Filesize
872KB

Download
memory/1200-226-0x000000001A940000-0x000000001A9C0000-memory.dmp

Filesize
512KB

Download
memory/1200-217-0x000000001A940000-0x000000001A9C0000-memory.dmp

Filesize
512KB

Download
memory/1200-207-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1200-204-0x000000001A940000-0x000000001A9C0000-memory.dmp

Filesize
512KB

Download
memory/1200-205-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/1200-149-0x000000001A940000-0x000000001A9C0000-memory.dmp

Filesize
512KB

Download
memory/1200-146-0x000000001A940000-0x000000001A9C0000-memory.dmp

Filesize
512KB

Download
memory/1200-144-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-109-0x000007FEF2A80000-0x000007FEF3068000-memory.dmp

Filesize
5.9MB

Download
memory/2036-77-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-137-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2036-20-0x0000000000970000-0x0000000000A4A000-memory.dmp

Filesize
872KB

Download
memory/2036-125-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2036-127-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2036-117-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2036-119-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2036-136-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-110-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-121-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-106-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2576-107-0x00000000739A0000-0x0000000073F4B000-memory.dmp

Filesize
5.7MB

Download
memory/2576-108-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2576-111-0x00000000028E0000-0x0000000002920000-memory.dmp

Filesize
256KB

Download
memory/2588-17-0x0000000001290000-0x00000000013EC000-memory.dmp

Filesize
1.4MB

Download
memory/2588-122-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-105-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-115-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2588-120-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download
memory/2600-206-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download
memory/2600-67-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-116-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download
memory/2600-139-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2600-123-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download
memory/2600-112-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2600-148-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download
memory/2600-16-0x000000013FD20000-0x000000013FDDE000-memory.dmp

Filesize
760KB

Download
memory/2600-216-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-222-0x000000013F6C0000-0x000000013F77E000-memory.dmp

Filesize
760KB

Download
memory/2692-223-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-225-0x000000001AD10000-0x000000001AD90000-memory.dmp

Filesize
512KB

Download
memory/2692-228-0x000000001AD10000-0x000000001AD90000-memory.dmp

Filesize
512KB

Download
memory/2692-279-0x000000001AD10000-0x000000001AD90000-memory.dmp

Filesize
512KB

Download