386383d05f446f2ced1cf5a6f5f2db71bb24631b14e76a68ac2fe63b0a3a2f47

Analysis

max time kernel
572s
max time network
565s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vmpdump.7z
Size

38.6MB
MD5

dc64a295999fc02fa96eb8061ee2c6c5
SHA1

c9a4c578f16003c89edd8101ffd7b095528a8ec8
SHA256

386383d05f446f2ced1cf5a6f5f2db71bb24631b14e76a68ac2fe63b0a3a2f47
SHA512

939c035c12c53a3e59cdf8f3b648a3a143a1feba14f54bed15c88b156cec61ab2532f5a86a47bf4e7170715f75a96a0bb6932ead888852fc2f16c9563e38932f
SSDEEP

786432:APo+katRsnFtkQQC6QmpmjwqXlht00/Sr/Q6qS7cr9d5oekCIDEoh:AP1kIRCk6672wqvR/uUYcr+eWh

Score

7^/10

persistence vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

x96dbg.exex96dbg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	x96dbg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	x96dbg.exe

Executes dropped EXE 8 IoCs

Processes:

x96dbg.exex96dbg.exeLoader (2).exex96dbg.exex64dbg.exeVMPDump.exeVMPDump.exeVMPDump.exe

pid process

3108 x96dbg.exe
3240 x96dbg.exe
3284 Loader (2).exe
3108 x96dbg.exe
3908 x64dbg.exe
392 VMPDump.exe
2488 VMPDump.exe
4860 VMPDump.exe

pid	process
3108	x96dbg.exe
3240	x96dbg.exe
3284	Loader (2).exe
3108	x96dbg.exe
3908	x64dbg.exe
392	VMPDump.exe
2488	VMPDump.exe
4860	VMPDump.exe

Loads dropped DLL 37 IoCs

Processes:

x64dbg.exe

pid	process
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe

Modifies system executable filetype association 2 TTPs 6 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

x96dbg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command\ = "\"C:\\Users\\Admin\\Desktop\\release\\x96dbg.exe\" \"%1\""	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Icon = "\"C:\\Users\\Admin\\Desktop\\release\\x96dbg.exe\",0"	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\ = "Debug with x64dbg"	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command	x96dbg.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Loader (2).exe	vmprotect
behavioral1/memory/3284-373-0x00007FF79E3A0000-0x00007FF79ED83000-memory.dmp	vmprotect
C:\Users\Admin\Desktop\Loader (2)_dump.exe	vmprotect
C:\Users\Admin\Desktop\Loader (2)_dump_SCY.exe	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2960 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3200 taskkill.exe

pid	process
2960	ipconfig.exe

pid	process
3200	taskkill.exe

Modifies registry class 64 IoCs

Processes:

x96dbg.exex64dbg.exeOpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd32	x96dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Icon = "\"C:\\Users\\Admin\\Desktop\\release\\x96dbg.exe\",0"	x96dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\ = "Debug with x64dbg"	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg	x96dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	x64dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg	x96dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile	x96dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd64\ = "x64dbg_db"	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd32\ = "x64dbg_db"	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd64\DefaultIcon	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd32\DefaultIcon\ = "C:\\Users\\Admin\\Desktop\\release\\x32\\x32dbg.exe"	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\ = "Debug with x64dbg"	x96dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\Icon = "\"C:\\Users\\Admin\\Desktop\\release\\x96dbg.exe\",0"	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd32\DefaultIcon	x96dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	x64dbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command\ = "\"C:\\Users\\Admin\\Desktop\\release\\x96dbg.exe\" \"%1\""	x96dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	x64dbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "4"	x64dbg.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	x64dbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	x64dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dd64	x96dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	x64dbg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

x64dbg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	x64dbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	x64dbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	x64dbg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x64dbg.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	x64dbg.exe

Runs net.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2016 regedit.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

x64dbg.exe

pid process

3908 x64dbg.exe

pid	process
2016	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

x64dbg.exe

pid	process
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7zFM.exex64dbg.exeregedit.exe

pid process

1268 7zFM.exe
3908 x64dbg.exe
2016 regedit.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zFM.exetaskkill.exex64dbg.exe

description	pid	process
Token: SeRestorePrivilege	1268	7zFM.exe
Token: 35	1268	7zFM.exe
Token: SeSecurityPrivilege	1268	7zFM.exe
Token: SeSecurityPrivilege	1268	7zFM.exe
Token: SeSecurityPrivilege	1268	7zFM.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	3908	x64dbg.exe
Token: SeDebugPrivilege	3908	x64dbg.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

7zFM.exex64dbg.exe

pid	process
1268	7zFM.exe
1268	7zFM.exe
1268	7zFM.exe
1268	7zFM.exe
1268	7zFM.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exeLoader (2).exex64dbg.exeregedit.exe

pid	process
5092	OpenWith.exe
3284	Loader (2).exe
3284	Loader (2).exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
3908	x64dbg.exe
2016	regedit.exe
2016	regedit.exe
2016	regedit.exe
2016	regedit.exe
2016	regedit.exe
2016	regedit.exe
2016	regedit.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

x96dbg.exeLoader (2).execmd.exenet.execmd.execmd.execmd.exex96dbg.execmd.exex64dbg.exe

description	pid	process	target process
PID 3108 wrote to memory of 3240	3108	x96dbg.exe	x96dbg.exe
PID 3108 wrote to memory of 3240	3108	x96dbg.exe	x96dbg.exe
PID 3108 wrote to memory of 3240	3108	x96dbg.exe	x96dbg.exe
PID 3284 wrote to memory of 3908	3284	Loader (2).exe	cmd.exe
PID 3284 wrote to memory of 3908	3284	Loader (2).exe	cmd.exe
PID 3908 wrote to memory of 2272	3908	cmd.exe	net.exe
PID 3908 wrote to memory of 2272	3908	cmd.exe	net.exe
PID 2272 wrote to memory of 556	2272	net.exe	net1.exe
PID 2272 wrote to memory of 556	2272	net.exe	net1.exe
PID 3284 wrote to memory of 1028	3284	Loader (2).exe	cmd.exe
PID 3284 wrote to memory of 1028	3284	Loader (2).exe	cmd.exe
PID 1028 wrote to memory of 4300	1028	cmd.exe	w32tm.exe
PID 1028 wrote to memory of 4300	1028	cmd.exe	w32tm.exe
PID 3284 wrote to memory of 1196	3284	Loader (2).exe	cmd.exe
PID 3284 wrote to memory of 1196	3284	Loader (2).exe	cmd.exe
PID 1196 wrote to memory of 3200	1196	cmd.exe	taskkill.exe
PID 1196 wrote to memory of 3200	1196	cmd.exe	taskkill.exe
PID 3284 wrote to memory of 4484	3284	Loader (2).exe	cmd.exe
PID 3284 wrote to memory of 4484	3284	Loader (2).exe	cmd.exe
PID 4484 wrote to memory of 2960	4484	cmd.exe	ipconfig.exe
PID 4484 wrote to memory of 2960	4484	cmd.exe	ipconfig.exe
PID 3108 wrote to memory of 3908	3108	x96dbg.exe	x64dbg.exe
PID 3108 wrote to memory of 3908	3108	x96dbg.exe	x64dbg.exe
PID 3752 wrote to memory of 392	3752	cmd.exe	VMPDump.exe
PID 3752 wrote to memory of 392	3752	cmd.exe	VMPDump.exe
PID 3752 wrote to memory of 2488	3752	cmd.exe	VMPDump.exe
PID 3752 wrote to memory of 2488	3752	cmd.exe	VMPDump.exe
PID 3752 wrote to memory of 4860	3752	cmd.exe	VMPDump.exe
PID 3752 wrote to memory of 4860	3752	cmd.exe	VMPDump.exe
PID 3908 wrote to memory of 3284	3908	x64dbg.exe	Loader (2).exe
PID 3908 wrote to memory of 3284	3908	x64dbg.exe	Loader (2).exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\vmpdump.7z
1⤵
- Modifies registry class
PID:400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4680

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\vmpdump.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1268

C:\Users\Admin\Desktop\release\x96dbg.exe
"C:\Users\Admin\Desktop\release\x96dbg.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\Desktop\release\x96dbg.exe
"C:\Users\Admin\Desktop\release\x96dbg.exe" ::install
2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
PID:3240

C:\Users\Admin\Desktop\Loader (2).exe
"C:\Users\Admin\Desktop\Loader (2).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net start w32time
2⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\net.exe
net start w32time
3⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
4⤵
PID:556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c w32tm /resync /nowait
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\w32tm.exe
w32tm /resync /nowait
3⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM RainbowSix.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\taskkill.exe
taskkill /IM RainbowSix.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2960

C:\Users\Admin\Desktop\release\x96dbg.exe
"C:\Users\Admin\Desktop\release\x96dbg.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\Desktop\release\x64\x64dbg.exe
"C:\Users\Admin\Desktop\release\x64\x64dbg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\Desktop\VMPDump.exe
VMPDump.exe 3284 "" -ep=0x7FF79E6A2000 -disable-reloc
2⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\Desktop\VMPDump.exe
VMPDump.exe 3284 "" -ep=00007FF79E6A2000
2⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\Desktop\VMPDump.exe
VMPDump.exe 3284 "" -ep=00007FF79ED81000
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Loader (2).exe
Filesize
4.9MB

MD5
c01c4d326d65d94e05361c30821b2dbd

SHA1
16c0e2a2dff1e06cbdc5036d13a7444edc469193

SHA256
6a79b18a0b6ce048bd93586272612296073c5b7c252e13f378914a9d2d7fc9a2

SHA512
69ef9d5870d76e8175f5749b8ab24e9574c021fa8c2a0b0ea088bcd2ad93373efac252295395eb6f0d5896474d9f22275948dd79baded12a634e97e72f50abed

Download Submit
C:\Users\Admin\Desktop\Loader (2)_dump.exe
Filesize
9.9MB

MD5
719695afe1abc9f99eb11355cd2ec8f5

SHA1
31c565d19fe0fc3c9fcfb2c1d840f9275628cc94

SHA256
f15ab9fcfb3721e84cf34aa49d4ae07b64edb59443774c7c2ecc68dffa5b1747

SHA512
3f4a56a94071ee467dbbd64bf92bb0a296a66243cc86a5e36206b313819cd6f4b646bd5a85b037a0b613547a09e9832374b01088d124ee4556caab0f0642c5e0

Download Submit
C:\Users\Admin\Desktop\Loader (2)_dump_SCY.exe
Filesize
9.9MB

MD5
33939855807336dfb3fd0dc9aebd5a6d

SHA1
84803041ae21ce8f1f7974dd2f78521aca455109

SHA256
8ddb210f8f49c1e354fd175cadc93939b33bce666a88d085d99cfcb136c2545a

SHA512
bff5eb817f8cd02acfdc61ddfd2d9cef89cdca3f4370306c275fb32172e2e4d8145e3f7bf3e90e5f003ee9c5f6d67f9744d5816cc1360e44f294d352939139a6

Download Submit
C:\Users\Admin\Desktop\release\x32\x32dbg.exe
Filesize
149KB

MD5
34cfd7ec7100b547e24ed3dfdcb542c1

SHA1
36ad5e2bef4a70ffc14a57d57e739a452418a0d9

SHA256
8b751c1c576f791b8d6f53841ad5558da15b9131219e1b072102bad1bb84ead3

SHA512
13b218250f7a4a77993fb44ba8b118cf24eea534c5956685368a5c32e5c47a478d1de17b9be189c86c8e624f9121a62f0faa58652ae9ec613bfe3d0053e3bee8

Download Submit
C:\Users\Admin\Desktop\release\x64\DeviceNameResolver.dll
Filesize
74KB

MD5
1a4a1e71f2e948608ba80e901bb2b969

SHA1
6dbd88b0dd59ea30647ccda1830d33d454044990

SHA256
c6702029a705fb5db2775f31331b8314566dd84d9702b0c6ff513515c160629c

SHA512
a285f2ae8d9021da5c2e05ecef5b62945e442cf62c234fb748a8644f77d55462b129c6583e290cc6e7aa43055509c9d75f6eafa2a76bdd324fac1d8b5a07ee8a

Download Submit
C:\Users\Admin\Desktop\release\x64\LLVMDemangle.dll
Filesize
593KB

MD5
1228e59df447f4e6476546ae24638071

SHA1
7ec87e01e60f8f571684cc929fec414c224156e9

SHA256
8de391f11ceeafa007badf71b62560368f8c71623486ff1c2e4c5373fe482834

SHA512
acccedd27f10123e9f572d868fe11cd5d600b4f1a45a9e38fc263dd4d75cde022eb0d3c74fc3700148b4cfba7146c45d4591cda5fcbef8814427980658975c60

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5Core.dll
Filesize
5.3MB

MD5
2f997eb6ba34065496cb088f1489aebb

SHA1
29fd1c8a3e71cfbc49c9f160dce2749cecaf0cb6

SHA256
7a4cb4ced60598ed0a4f31dfdc01a8019df5cca6cbbfd3ec7f629edd99db6007

SHA512
4b1fd309cae1205bd3eff3b48b21893a20211356779b29c9f7739bbe6eabfa3e83e256e8406aa0af0b223b1376ec139e9605a0451359c0cccd21d3360477c233

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5Gui.dll
Filesize
5.7MB

MD5
0097fe1fdf80e2b515ab5ab2f6bad47c

SHA1
fce79b37dfc8b142dfd32c233c9ac9eec248bd6d

SHA256
3506bd2e291fe85a675d268e705f46dd0da7c274ec43dcb2330b8cee2b8c1d24

SHA512
cddb67a0d4bc60d7c26dfb4f03fbccc7d82ace7605b9d8fa20b46a970ffca134d5904303b91caa1e19b9c153a4b61ece3bde27095075dce344835e2cdbc531fc

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5Network.dll
Filesize
1.0MB

MD5
911b28d088a35d3f56a23a63ee837dca

SHA1
c110efd1c33bd8ffc2062f92a95c8f915a8db6f7

SHA256
4708ed9604e731f3b7b9b1fd774f3962a80bdf36a1845a3bb7684e8507eb0be0

SHA512
f645cfee2c5a348f01b1aa0ff3b7a039dd47117c86390b7d5fedf253ffaac1894edc36949b29776a0ab24680d022ad468d9468fe9e470d05f7178a5e9ac8df6a

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5Svg.dll
Filesize
312KB

MD5
b2c941e7a8b23664b36c70a655acd958

SHA1
3fb796251fec2ed2b2bc9c87008361992616e945

SHA256
78a031f1a8254e20c3e63357a2a87f8f6f2ba807e8edd74df6c2539b019ec309

SHA512
bfea52e55261f1fbfc9b6c8c5bde587dc0fcc29dbda5a4cb05bd30fb3ebc8ad024cf75cb9bffb04b5f8228c17adb1fa1cc1023178297f6a3efbfaf3a86a37edc

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5Widgets.dll
Filesize
5.3MB

MD5
82a8cd1f9b519d1aa8e6ad779c9e5c4f

SHA1
536da03f5389ea83009436a3197ec860ac6f0448

SHA256
6fbc262e506dc957dfdf72852cfc3b2c8b7850ec5eef4dc30f9fc9e066a8b911

SHA512
a7f178291f65edc4d4de2dddba624dc1b0c51c1b45ed92c0c35d5b3ecb496a0b8308fc1244b8846991d7580a684a9dadda1aab6f04bf4cac13ddc0cd2be31429

Download Submit
C:\Users\Admin\Desktop\release\x64\Qt5WinExtras.dll
Filesize
284KB

MD5
de7154814975f02e171f637f8222f8b1

SHA1
33198b358078341748ce5ea01ed8caf85501e0ce

SHA256
8dc1c6ad37a164639ef75093d8a0179f6f8efdf1a22877c59bac745968738e6d

SHA512
dde3c8e0fa96627dfe9ffe1067a9afacde3a69fc7ddc43d5823d091e4c449182b4c90a3fe7823f8480d889da2ae72a835b088ead54e135a197e5ad63efd4f4cf

Download Submit
C:\Users\Admin\Desktop\release\x64\TitanEngine.dll
Filesize
616KB

MD5
9140a45af6c323d407b7af06aae4d816

SHA1
f88bbb6fcab811ba3b3459f35b390fd6bbe561f5

SHA256
a1e643f082115df56c10238246fd2da0a65547ee9859024e3140de0b2843019c

SHA512
156122f7e55316235e3599cc9bceb9e7e49f3ad66555f26cf4b62b86d4399cc7fecb20c6de7e3af1bb4494cdab930745926e8fc4c216643df289003b00273aa9

Download Submit
C:\Users\Admin\Desktop\release\x64\XEDParse.dll
Filesize
1.4MB

MD5
e9d2d4b4e5c2eaed37f9e27232339858

SHA1
b6ef7424c927b788e5875198c690e96be1f23f99

SHA256
7237ace651d8ae8e3285c9a0256bf34d50e7a4c9722ce016bbcf74e80c3071d6

SHA512
5444f5516c74a96cd3152039469ea79f0e7d9262f21410a8e92593e4f870c2da3b8c67a4c85c742338ee6af582fc905ecb4f3704096dca3a791377e48aa1dd2a

Download Submit
C:\Users\Admin\Desktop\release\x64\dbghelp.dll
Filesize
1.4MB

MD5
65ce67f745501049e0ca0f970e3d283f

SHA1
dc2ee958785e5b5ec2da602daae2e86a37bc156f

SHA256
5dff20c99a370dc5cc37949c2d749b084d2d7af1c29758121cb0e16ee15034f0

SHA512
4248bfa9797a248a450686ba5c35d09dad1a76c52f94f1eed374e2f40c379fe929ebeedcebb090422fb61f49b898bb05f4ab25455f8ad5214d4439961bbbb015

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qgif.dll
Filesize
38KB

MD5
506a7c157ca05b5478b513b6b52f7b71

SHA1
54d5d132a7aaa857d33c0e118a56283a862be84a

SHA256
c2fce71c35bd6e22e2ea3a7e0554fe9a726f55d7027bcdbe587fab8983c3e421

SHA512
d4207de7eb2fff4f305209a3f4e51190eb6d2168a333dfaafe5cf00ffd838a0f6d324d3db50a35e696cd1dec4bce593201155ce231270679a15f0deaaaa1a42e

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qicns.dll
Filesize
45KB

MD5
f33b24d2e545afe46385879a57f8dbc7

SHA1
0ae0880f9ac8f5c2c2c1064479b20f88e280101d

SHA256
0a0f36c046fff544e335a0d0d80a2c36ac6064f474793426172899fe85d3e91d

SHA512
069ff4d9acd3adf9eed58bc210d758b5c35d8e34bdf2305cb8514593be3c3b41ece216895dbed3f986bebaf3839b7c5efb5f4f02e8b4999c75e6d4595d910ad8

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qico.dll
Filesize
39KB

MD5
e16542376c59af7240393f39ee36781a

SHA1
cf35dd7d08bc091d8a48cfd46f1b0eb9f14ff5fb

SHA256
98aa16bc5192ec26ba1ba6b290acd984d50732a91e563eaa1016bcf923643f7e

SHA512
96482eef825dada740e5cbf67d69125f7f038a93b75f76027a8f7af71156b0b9f0b5fd83c9138c1b40a5ecfdc2719c1349a29cd5a9240189b884d167b8511adb

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qjpeg.dll
Filesize
240KB

MD5
e082093ac545273490e3dcd92116b8e1

SHA1
c97a9e505482cd655bcc485ce3230a1649c7df28

SHA256
1a0d4ded8487a727b27dff67ef2f3794d40e1bab2e4d42b8250cc1e8525f5faa

SHA512
cf28e70d29230eb82229db372781429ab1c3cd9f1ed9a577c12641155484c12e6052cc3061ddf3ebd970bd84768b157dcd71ca41113102259d5fa2a0b94fdc60

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qsvg.dll
Filesize
32KB

MD5
db0ea846f201e4eb446160d18e80fa3a

SHA1
0f3075f63b70cf02297c9f22ad1896bfc996eac4

SHA256
0548ef18dec7ee2d6d2ff51cd0e78136f9f6002fa389158df2ac841425201ec5

SHA512
81bcccf2d8be8857cdeb524b616175f3c707a7340b1b0753db1fa800b7d01c0e2fd66d32ad48f5935bb6f2c0cdb4eb1c64dc54e18d65391001a9ffd0492dcb38

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qtga.dll
Filesize
31KB

MD5
c179cb633c05651ff0cdec84cdd71b5a

SHA1
cd9510003824b3ed2257770a86ad5f2c29f6e676

SHA256
37d36178f5c4e0bc546e05951c4da799ca21fa82690c0fdef1f1761703fd1b66

SHA512
37ee1faaea5297d3a77ce259ec14dc528c901f59f427bb448333f5bd6298eb21958f918d1846f147968c1695fef09886453d6a741886d9e4a8b87bf7053200cb

Download Submit
C:\Users\Admin\Desktop\release\x64\imageformats\qtiff.dll
Filesize
355KB

MD5
f860955e157bbc2972d9804486c54bd9

SHA1
40b9340cd934046b944c7ec1abf19a355f082892

SHA256
b9a79722472ffaa7a8e3025254fcd053ee1193ffd59353d8e9f28de99ffe7ed4

SHA512
3e4731196932f93955895b2eccae29b18a6d90eee1f8dbb4a1044cf833afab69ffced1f4f673cefdd7689d4f40ad81acd642944cda01811bbbb892c70e4379b5

Download Submit
C:\Users\Admin\Desktop\release\x64\jansson.dll
Filesize
146KB

MD5
89d701f3bcd052251e023441d5fdf97f

SHA1
3771038e2de2135d9bfb62254fe83e5c996a9e53

SHA256
eb704b761c638dc9cc4690941dd0de71e4f0575280d41243a5b0d40ebd38f4e8

SHA512
ea377bb175ba51a63625352156ed4c848868def18af9bfdcb0eb76bab6b4b63ef091ef5ece49f47de652d508bd437f2f113766b86fe53ca1174fb1c13cd4b122

Download Submit
C:\Users\Admin\Desktop\release\x64\ldconvert.dll
Filesize
56KB

MD5
5ed39b88a4a05adde32153e5d583e424

SHA1
c139a5761b5e8e2cb06c3229d70ee6eea9bfad9d

SHA256
293539875b478fc2b554104f8c1e0e80a169e75c829a5b882e10b601e6e99744

SHA512
9c9e438abca22502e0430bae7cb3292ff768cb9de0ab06ec1bf261ac2b67750a0172b084b05e7b21f786feac622990edb674619602d118e94e8b0202cc5fd3e0

Download Submit
C:\Users\Admin\Desktop\release\x64\lz4.dll
Filesize
96KB

MD5
be36901afd7394b0355d787c407d2d5f

SHA1
1d9c3bb6d06efd4b56a55140361f747e0b40d475

SHA256
5cfae56f5319dc343799ac7e9738bc367f9843ce4bf4e795d2ee2ca268fa9c5d

SHA512
1356c7cc6ab1625d0fa055ed57fb79e4009fd354b72c4e4357d07a9c8c40e8dc2389cc9134638daea4a6f065d5457d60985a9c378fd9d53748621a4c9a14c019

Download Submit
C:\Users\Admin\Desktop\release\x64\msdia140.dll
Filesize
1.5MB

MD5
73e0349829750676b7791ac210e304e8

SHA1
38d8faa45f57ea050bff328bf0f23a8cd1f4e73f

SHA256
46351bd350799dc196481cbe2b26f628b489a280a9e2f49bace71930f3dc80d3

SHA512
7ae086c3dec0fb33a648cc2bd5fde69804b6b752e05c6ef4f45c00780b13ba086183a9adc4c432e38748d05c551107c3ab01fcbb8e29d966588a3ab220e4e311

Download Submit
C:\Users\Admin\Desktop\release\x64\msvcp120.dll
Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Users\Admin\Desktop\release\x64\msvcr120.dll
Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Users\Admin\Desktop\release\x64\platforms\qwindows.dll
Filesize
1.2MB

MD5
0cdac0e449902682182f78a552c35de2

SHA1
c370e79c472c4973178a9b666194edceb1c02a62

SHA256
85dbcaf6965fb146cde7825465add3e890e13d2c67390b8b3c6fbcaecd503c68

SHA512
9516091abb61b91dd0c90d2e85f6de1463f075e64451dab48b535a119d5a04e66cfe674ee85c8ac41772c98d22c946f8be85f0d80c2e50c247939fc66aaa7cff

Download Submit
C:\Users\Admin\Desktop\release\x64\x64bridge.dll
Filesize
79KB

MD5
58a5476c8e0b246c94af424bf6ac702c

SHA1
01892338b713c4bee324cb66e10219ca388a86b4

SHA256
1083e59d245346dfd3ef63be9f1356566d7477dd01b590af6fa561906db340ff

SHA512
eeee314efa5b51bd0750c00a7033768d626576879d3128c178cb0938b0dc8d6f25691a373114f84705fe1f288e3b46395ea8f7848fe91cc0383667040fc432d1

Download Submit
C:\Users\Admin\Desktop\release\x64\x64dbg.dll
Filesize
2.3MB

MD5
6354d60af7f57c4632c747b89bbbec67

SHA1
ab39ad955c55414e11ef35d604fb7a7909e02580

SHA256
71311f45295cab63218b09249c91d10db550a3e0e256b374ea6c5245df4cb098

SHA512
7dfc65f53fb86218e78323c675e06444b35469bb6864f50e090e257b34a78e79314e0a0b71106976c8531d12892d7b9d6298badce10b533ee981680dbbb7bb81

Download Submit
C:\Users\Admin\Desktop\release\x64\x64dbg.exe
Filesize
168KB

MD5
482234b3d240cb76ba010d5c6a311203

SHA1
3931de392e3aec3375bd44abd6891e173c2ac8c0

SHA256
2be029aff5ca913a79a505c234ecafd815aa9db2c9a7f5840c7cdcbc3c5b725a

SHA512
d570022a18a9fd72a0a332d158ab5b24dd43841454cbed21de114fc97af838d66145570b6bb0b123ee1ba4d8603ab3eced47a0aca319757768c4ded656f4840f

Download Submit
C:\Users\Admin\Desktop\release\x96dbg.exe
Filesize
157KB

MD5
ca6a7c940d14398ea38a64f553bbb42a

SHA1
55555cd5e6586101e1a59972241906c1533f07c9

SHA256
f5f705c491a6cb11e14e1ea30523e76351996aa23ded1382382dfd96d01678ca

SHA512
9f7db35c4fe0b7717912f6d51fba104ed7771b368265a2f21ff104e3949ad0291adffd6fc268c412fa5c7e4110052e9677f9bfc95522fd324f58ef556f6ff8fb

Download Submit
C:\Users\Admin\Desktop\release\x96dbg.ini
Filesize
122B

MD5
45c1e010baaeb6b086b93c73cbfa1433

SHA1
6570b66b77103aac30dc7cccfacde1e42413890a

SHA256
672875a23347e407ff4a54c6baa35090c7041fa45568437f12b86b50bc2fbebc

SHA512
6b00d4050ad80dc575b056e40b3fdae831e57d1b035fc7500c1523c70c7f03f344e8b53b070ec3c8482fcb7c300d401260502ba4c04076ee23db66c236d3ad50

Download Submit
memory/3284-373-0x00007FF79E3A0000-0x00007FF79ED83000-memory.dmp

Filesize
9.9MB

Download
memory/3908-432-0x000000005EB70000-0x000000005F0BA000-memory.dmp

Filesize
5.3MB

Download
memory/3908-455-0x000000005F620000-0x000000005F635000-memory.dmp

Filesize
84KB

Download
memory/3908-456-0x0000012E1D130000-0x0000012E1D131000-memory.dmp

Filesize
4KB

Download
memory/3908-459-0x0000012E1D130000-0x0000012E1D131000-memory.dmp

Filesize
4KB

Download
memory/3908-453-0x00007FF9C80F0000-0x00007FF9C8675000-memory.dmp

Filesize
5.5MB

Download
memory/3908-510-0x0000012E1D120000-0x0000012E1D130000-memory.dmp

Filesize
64KB

Download
memory/3908-511-0x000000005F620000-0x000000005F635000-memory.dmp

Filesize
84KB

Download
memory/3908-522-0x000000005F620000-0x000000005F635000-memory.dmp

Filesize
84KB

Download
memory/3908-523-0x0000012E1D120000-0x0000012E1D130000-memory.dmp

Filesize
64KB

Download