nanocore | 9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6

Resubmissions

08-07-2024 18:48

240708-xfyamatapr 10

08-07-2024 18:25

240708-w2l9tascqp 10

Analysis

max time kernel
29s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloodFMx64x.exe
Size

21.9MB
MD5

702ab1cadcca9c85d9d3e577d28371c6
SHA1

606addfb7b10515f41e61e5832fdf45abc483bee
SHA256

9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6
SHA512

7f4304ff36f1a5c9302ecd67d9bc1b3b9e3e15733819d904642856d2b740b827abb8cff7368f3c99e74520bf87fc247297bf6f4b97443a4ac5100ceb9142ce79
SSDEEP

393216:iu7L/sQ1DKmr2pu0tTtdQuslRl99oWOv+9ge6DRXAbejH:iCL0Q1DKmr2puI5dQuqDorvSghRwbO

Score

10^/10

nanocore evasion keylogger persistence pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

mygabs.ddns.net:1337

127.0.0.1:1337

Mutex

2c2d7d9f-a39a-411b-bc9e-7abd8ca06f3c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-03-05T18:11:37.504819036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1337
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2c2d7d9f-a39a-411b-bc9e-7abd8ca06f3c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mygabs.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BloodFMx64x.exeREGEDIT.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	BloodFMx64x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	REGEDIT.EXE

Drops startup file 3 IoCs

Processes:

Client.exeSCHIOST.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SCHIOST.EXE	SCHIOST.EXE

Executes dropped EXE 7 IoCs

Processes:

BLOODFMX.EXEHOME X64 BUILD.EXEREGEDIT.EXESCHIOST.EXESVCHOST.EXESCHIOST.EXEClient.exe

pid process

3540 BLOODFMX.EXE
1060 HOME X64 BUILD.EXE
3632 REGEDIT.EXE
2592 SCHIOST.EXE
5008 SVCHOST.EXE
872 SCHIOST.EXE
2140 Client.exe

Loads dropped DLL 49 IoCs

Processes:

SCHIOST.EXE

pid	process
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE
872	SCHIOST.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BLOODFMX.EXEHOME X64 BUILD.EXEClient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	BLOODFMX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	HOME X64 BUILD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HOME X64 BUILD.EXEBLOODFMX.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HOME X64 BUILD.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BLOODFMX.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

Processes:

flow	ioc
38	discord.com
44	discord.com
80	discord.com
96	discord.com
102	discord.com
29	discord.com
40	discord.com
58	discord.com
76	discord.com
85	discord.com
103	discord.com
45	discord.com
46	discord.com
93	discord.com
28	discord.com
35	discord.com
55	discord.com
81	discord.com
104	discord.com
24	discord.com
82	discord.com
43	discord.com
47	discord.com
90	discord.com
92	discord.com
25	discord.com
31	discord.com
30	discord.com
42	discord.com
75	discord.com
77	discord.com
86	discord.com
97	discord.com

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
18 api.ipify.org
39 api.ipify.org
72 api.ipify.org
88 api.ipify.org

flow	ioc
17	api.ipify.org
18	api.ipify.org
39	api.ipify.org
72	api.ipify.org
88	api.ipify.org

Drops file in Program Files directory 4 IoCs

Processes:

HOME X64 BUILD.EXEBLOODFMX.EXE

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	HOME X64 BUILD.EXE
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	HOME X64 BUILD.EXE
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	BLOODFMX.EXE
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	BLOODFMX.EXE

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4332 tasklist.exe

pid	process
4332	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Runs regedit.exe 1 IoCs

Processes:

REGEDIT.EXE

pid process

3632 REGEDIT.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2216 schtasks.exe
5072 schtasks.exe

pid	process
3632	REGEDIT.EXE

pid	process
2216	schtasks.exe
5072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

BLOODFMX.EXEHOME X64 BUILD.EXEmsedge.exemsedge.exeidentity_helper.exe

pid	process
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
3608	msedge.exe
3608	msedge.exe
4672	msedge.exe
4672	msedge.exe
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
4012	identity_helper.exe
4012	identity_helper.exe
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
1060	HOME X64 BUILD.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE
3540	BLOODFMX.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

BLOODFMX.EXEHOME X64 BUILD.EXE

pid process

3540 BLOODFMX.EXE
1060 HOME X64 BUILD.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4672 msedge.exe
4672 msedge.exe
4672 msedge.exe
4672 msedge.exe
4672 msedge.exe
4672 msedge.exe
4672 msedge.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

HOME X64 BUILD.EXE

pid process

1060 HOME X64 BUILD.EXE

pid	process
1060	HOME X64 BUILD.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

BLOODFMX.EXEHOME X64 BUILD.EXEtasklist.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3540	BLOODFMX.EXE
Token: SeDebugPrivilege	1060	HOME X64 BUILD.EXE
Token: SeDebugPrivilege	4332	tasklist.exe
Token: SeDebugPrivilege	2140	Client.exe
Token: 33	2140	Client.exe
Token: SeIncBasePriorityPrivilege	2140	Client.exe
Token: 33	2140	Client.exe
Token: SeIncBasePriorityPrivilege	2140	Client.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe
4672	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BloodFMx64x.exeREGEDIT.EXESCHIOST.EXESCHIOST.EXEcmd.exeSVCHOST.EXEmsedge.exeClient.exe

description	pid	process	target process
PID 3256 wrote to memory of 3540	3256	BloodFMx64x.exe	BLOODFMX.EXE
PID 3256 wrote to memory of 3540	3256	BloodFMx64x.exe	BLOODFMX.EXE
PID 3256 wrote to memory of 3540	3256	BloodFMx64x.exe	BLOODFMX.EXE
PID 3256 wrote to memory of 1060	3256	BloodFMx64x.exe	HOME X64 BUILD.EXE
PID 3256 wrote to memory of 1060	3256	BloodFMx64x.exe	HOME X64 BUILD.EXE
PID 3256 wrote to memory of 1060	3256	BloodFMx64x.exe	HOME X64 BUILD.EXE
PID 3256 wrote to memory of 3632	3256	BloodFMx64x.exe	REGEDIT.EXE
PID 3256 wrote to memory of 3632	3256	BloodFMx64x.exe	REGEDIT.EXE
PID 3256 wrote to memory of 3632	3256	BloodFMx64x.exe	REGEDIT.EXE
PID 3632 wrote to memory of 2252	3632	REGEDIT.EXE	schtasks.exe
PID 3632 wrote to memory of 2252	3632	REGEDIT.EXE	schtasks.exe
PID 3632 wrote to memory of 2252	3632	REGEDIT.EXE	schtasks.exe
PID 3256 wrote to memory of 2592	3256	BloodFMx64x.exe	SCHIOST.EXE
PID 3256 wrote to memory of 2592	3256	BloodFMx64x.exe	SCHIOST.EXE
PID 3256 wrote to memory of 5008	3256	BloodFMx64x.exe	SVCHOST.EXE
PID 3256 wrote to memory of 5008	3256	BloodFMx64x.exe	SVCHOST.EXE
PID 3632 wrote to memory of 2216	3632	REGEDIT.EXE	schtasks.exe
PID 3632 wrote to memory of 2216	3632	REGEDIT.EXE	schtasks.exe
PID 3632 wrote to memory of 2216	3632	REGEDIT.EXE	schtasks.exe
PID 2592 wrote to memory of 872	2592	SCHIOST.EXE	SCHIOST.EXE
PID 2592 wrote to memory of 872	2592	SCHIOST.EXE	SCHIOST.EXE
PID 872 wrote to memory of 4372	872	SCHIOST.EXE	cmd.exe
PID 872 wrote to memory of 4372	872	SCHIOST.EXE	cmd.exe
PID 872 wrote to memory of 2348	872	SCHIOST.EXE	cmd.exe
PID 872 wrote to memory of 2348	872	SCHIOST.EXE	cmd.exe
PID 2348 wrote to memory of 4332	2348	cmd.exe	tasklist.exe
PID 2348 wrote to memory of 4332	2348	cmd.exe	tasklist.exe
PID 5008 wrote to memory of 4672	5008	SVCHOST.EXE	msedge.exe
PID 5008 wrote to memory of 4672	5008	SVCHOST.EXE	msedge.exe
PID 4672 wrote to memory of 5052	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 5052	4672	msedge.exe	msedge.exe
PID 3632 wrote to memory of 2140	3632	REGEDIT.EXE	Client.exe
PID 3632 wrote to memory of 2140	3632	REGEDIT.EXE	Client.exe
PID 3632 wrote to memory of 2140	3632	REGEDIT.EXE	Client.exe
PID 2140 wrote to memory of 1072	2140	Client.exe	schtasks.exe
PID 2140 wrote to memory of 1072	2140	Client.exe	schtasks.exe
PID 2140 wrote to memory of 1072	2140	Client.exe	schtasks.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe
PID 4672 wrote to memory of 3584	4672	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\BloodFMx64x.exe
"C:\Users\Admin\AppData\Local\Temp\BloodFMx64x.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\BLOODFMX.EXE
"C:\Users\Admin\AppData\Local\Temp\BLOODFMX.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Users\Admin\AppData\Local\Temp\HOME X64 BUILD.EXE
"C:\Users\Admin\AppData\Local\Temp\HOME X64 BUILD.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\REGEDIT.EXE
"C:\Users\Admin\AppData\Local\Temp\REGEDIT.EXE"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\REGEDIT.EXE" /sc minute /mo 1
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:1072

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
4⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE"
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
"C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SVCHOST.EXE&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a4146f8,0x7ffb2a414708,0x7ffb2a414718
4⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
4⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
4⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
4⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
4⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
4⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
4⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
4⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
4⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
4⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11343157496931971248,905299172196817686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
4⤵
PID:2776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5b6ff6669a863812dff3a9e76cb311e4

SHA1
355f7587ad1759634a95ae191b48b8dbaa2f1631

SHA256
c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906

SHA512
d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbc957a83b42f65c351e04ce810c1c11

SHA1
78dcdf88beec5a9c112c145f239aefb1203d55ad

SHA256
7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128

SHA512
efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6c71b0633d29c239925ed698dd6ae7f7

SHA1
bca7b84c58807c2d5babc300fb18a018be710141

SHA256
483ec9e8fa27fdb7bae2aa2a5cd04711f1fee91404d1b89902405f0ad2f94652

SHA512
e3444152644c494edfe4fa2fa8b18b4a8bdbbd2f087d7186b260a05a53639a174e5a06b832752c5d1bba93484570af66e6918899b723cedef0d1c97d325422d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1a26a2394b38cbebebd548629bfec695

SHA1
ec2116c1f73f1d360eb5c186f316096a924cb785

SHA256
cefc312344694ec654ecfa385be74568b9b36f0c256cab8964a81fcd3d118b7f

SHA512
8c6ab7bd47afbc8e90ee88d10864778f804b7050e1c325085085fa4716c8fa79c994a6df0eb9664a9590cee203743bd99e7fda95d0fa0765c8129122a822cadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
76f7a1f26b7d9e58350eec6a967ec302

SHA1
12d0c2561d16666e40ffd85c7d9a101ce9b7df90

SHA256
b87ca8916eb476fdd4f999bd602263d3656de6c7fbd730e1abcb821f716a50b3

SHA512
7ebfbc45dab5116296a7ca289b9b197c2663db782a6ac9e2e5963d47d5c77bf355a4c577b369e81314f3b166519961130463bd42aeb194952f380be5156fb71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
42335a695f156df72e22ec56555b2f11

SHA1
583c2d7abb56659be9ede35114f7a01298e4c674

SHA256
ca4192e4529326a196b54fad9e4fc59fce0047c472a70c57e2a16a7ee1f87552

SHA512
abc1f39c539261d865e540c984a13bab4f463eb6ce6791681650dfba7495f1aaad524d2b3eb90f373260ddb6a72b22e8685b3e6bea6b4409ae303233afd90e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLOODFMX.EXE
Filesize
202KB

MD5
e73a6209451022ef1697860fe3a67753

SHA1
98b7e9f68167a3e6d768a50c2b4610ced53d1c6d

SHA256
b35f2d047c35b3f0d6feefade7cd1e69d9bf25340ddbd7be937cba0ee68317a7

SHA512
2f61121005d1283ee37569ffb491f4de0cc882cfa95b38b1c585b0a421455b469e041d14341d0bc086638dd44c6a57486c6776f373dea441bf819cd75fda411b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOME X64 BUILD.EXE
Filesize
202KB

MD5
6048ded327cec10d49240206f6eeea39

SHA1
a1f4905f99654d0042e03b1eb85f190055cb5862

SHA256
52e993009984fb3cbd9189b44d25e24e1cc27f7042b132a6d5691a34a64ac8b9

SHA512
b2c77b1d2a614c75110c57e2c56d8dbe0b9db4f9b9fe6bc65eda57c3b4eadc9ce36d8a41fd65cfbeb583641837b53b33c1a95246d9a765707cbc7c8663fff3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGEDIT.EXE
Filesize
165KB

MD5
8853d52e63139ea98d401aedaca361dc

SHA1
9052fa1383930da8fe69b1d85ad06050cef0ed8e

SHA256
e23251179fc24709c6909763d9db607fc035fcfd38fd429c04a7f2d2d395a779

SHA512
3081595b34c0294525c3573ae81537b36b6cda1e5dce7af000baeea6c2a6f25adb122079117417fe48f77d010f8566222e0ae6200b8f2e1db3e8a9b5c61fa86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCHIOST.EXE
Filesize
18.0MB

MD5
4817b3f9ced0d3aa3322b3a764fdccb5

SHA1
1bac5e7f5b8122fa89f595ae60dd7b4c00c86a48

SHA256
354c7dba94787431be1f65c97499055980ffd96acf99e2f77616150515c3e1d0

SHA512
dd4a4ba244ac49b3eb9540fd02c9e10f5bdf774abc0f2f7d5f180084060ee878239340a7b80e265ee6ed926d7357ff00d999ef80e936f3fc7ccfb15d08d0d639

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
Filesize
3.1MB

MD5
79e7f4a70bb7966605e64367da0d4839

SHA1
0f0c54bfac6933d3e7ecef5f5d40b00d7faeb1f5

SHA256
97c27121a07217e52d701604bf3f5ec33125fbb7cc5cff58571007f2054f775f

SHA512
37a9dffe3c3fe677d8ce967ec2138f3d04f6fa4ce7d3ac04bf8867e88ba5b739521cc69f37467f596626d8f08fa3ed0bf3f0556c9f2e5164189a6bc6d088523d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_bz2.pyd
Filesize
81KB

MD5
bbe89cf70b64f38c67b7bf23c0ea8a48

SHA1
44577016e9c7b463a79b966b67c3ecc868957470

SHA256
775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

SHA512
3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_ctypes.pyd
Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\_lzma.pyd
Filesize
153KB

MD5
0a94c9f3d7728cf96326db3ab3646d40

SHA1
8081df1dca4a8520604e134672c4be79eb202d14

SHA256
0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

SHA512
6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-console-l1-1-0.dll
Filesize
12KB

MD5
3b3c26d2247b0a2928f643fda76264b1

SHA1
06d8d10ea6b23f886c832df4fe1122130e71bb22

SHA256
258ac28b71532d6f9419edce72961e2b9644b0f92de5ce002801cc9c3caf442e

SHA512
5b6dfc3fb97a4a2e906739531b6d3d066d9f12eab67d5051dbb99b260a2a51e5ca19ba449b8fd901fc1034fd2402ddfa2c87fd2ac6dc3e7bdd4e929d8426a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-datetime-l1-1-0.dll
Filesize
11KB

MD5
5f1e568d0cdcf0d5d4f52fd2e8690b4a

SHA1
d582714273b6254249cf0bfc8ec41272eca2bc29

SHA256
ed94f413f576835acf4dade22ead7e764dd2f0242581090e3a2424452b49b9fe

SHA512
d283d739210ab29802c9df8588a5e0188dd3fd3a3061ed0aa5b5b3633e686a66ac9aa0c6fd7bfa696af7ff16da1f870b775a3a44c3a015f33a3dd83a56cfc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-debug-l1-1-0.dll
Filesize
11KB

MD5
d85b98d1e5746f36e8afb027756547cf

SHA1
91ef9250155d7685c5730c73c1a2de361e9ba772

SHA256
143c8bcc6ab0d6afa1dc03996b5256a6bccb3442dc4ff3182404fde8172de4b6

SHA512
6d1b507613ce85dedddb5d61a0ea3b926b79443c5688fe0ce9283ffae7ff27af93c418ec3b086f3a84e574afcc3a1170d0ab1d8b4d5976a71af79bbd351d7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
11KB

MD5
1ca45137e611548c8d090ebaa178d462

SHA1
ee84cb3d6ad1e6180a6825d9d293e7c9418c7153

SHA256
3c186afd5cf0e4314d0e15bd55832e976368d162331d5cb065fe890b88c9cfbd

SHA512
139349c90590d17a73d0dca3bcb72febaea1a8cf2a4da24716dcfbaacdf6c85260c5e792bb04f923975e918163a46524ebeed1f2f02494d9f271d73f8b558bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-file-l1-1-0.dll
Filesize
15KB

MD5
eb5e7affe24ab532089733f8b708a1ff

SHA1
f3b1f20d29d8b38d8c47cf66c75d650c5b855738

SHA256
17ad72adbef247080dd456bb54f11bc782801381fc2aa2abe005cca9db6254c0

SHA512
69c148749f9b1729187c3d39d2d00ba952d22163ae393716b2096a869a97ead4cfed8edde303cc65c13cb30d6e44fcb2e4cb896b03dc14aac7cb49958a23e699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-file-l1-2-0.dll
Filesize
11KB

MD5
a8b0327931fd2c863693634b3081e6a0

SHA1
d66cd78c124e931667b6079d5bc5adf55a644293

SHA256
1fa836b3704b29e7ad1ea1b0b457f62aae4435c6a1d745707631552a2f83d5f6

SHA512
1b8331ac9b17d3553a5c7b4572f826bb232b339c28f6c9a31a870097c7612587cd1dbe59fe294501ce11cf5bba973d83784108309617b6f7104f2aae8f723961

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-file-l2-1-0.dll
Filesize
11KB

MD5
eb4c279c8386d4f30aab6d76feec3e5a

SHA1
0c611e8f56591f64841b846df7d5c07fd75b55a4

SHA256
56bc7d3dd48d9cb209195f71be67d0a90ca929a8d4e6ae5a481f3ab0345da294

SHA512
1869b0c843df05ba849e79aa15b25855aa5c2c2e5a932c0de650b83c8abe2371585731b0213061b8f4d781a87b352ad3a09bf8555fcf0f9422a0bcc1a9062781

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-handle-l1-1-0.dll
Filesize
11KB

MD5
cef770449597ee64eed064e5edf3f76b

SHA1
f759143f09f539e032a680b376f7362610215fe3

SHA256
2b52bf5a8c0bc2e93cebcce597c6693a118667e9f16836e65d8b166d33d33f49

SHA512
f899e00ae697c44c8b127dab548c25181e2772a9cb80e6887ed2435be7a03a51d2e77820456e984921b0252d77f0fecb7b1c5b08615b49e3c08d531a09c67279

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-heap-l1-1-0.dll
Filesize
11KB

MD5
2143036c7d2ba3cc75ecbc66f60d5259

SHA1
dd9192d9b4c7e90290796431db0ef8cc06210c73

SHA256
c8adf90a32936eaf678ed9a091d422e091e6b80d0431ec120e60febe1f617ac3

SHA512
94e4618b574924ae48386dfd520de6faf2ba1a3347fa56ded559bcf24f0e14bf1a7f442bdfa68244af5294fd83e8e334d7cc4959c14434665d731c9d5beadeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
11KB

MD5
47e43806d67d182ab20e77fd2b705cdc

SHA1
bf7f4ffcaac83535146d372767db6f36bad3bb61

SHA256
52df3c5ded71786cf0f4f7545d59f5e6e168e6a499862c59b5985f6071f201ab

SHA512
28ea9b227b42e86ea7e16eabde3f6b01a86da21ca50119b173e98e736e4997a81f9ee20f7c11e5fdfe3c62255345c078bd9d9e51bd6b45911b14f90b0ed7b76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
12KB

MD5
7672f7af6df502bda30f98005487e24c

SHA1
d49003f56bd5d19ff265dab88fcf9d1bbd145a31

SHA256
52a11ca57d562ee1cfbb7d6c26253cbd67a39b55bf1a56cd0f9332136986e8cc

SHA512
0ee52bf600f70e16006ab159d4b3ea50241941fe9dc8031a78c8f0797374f6ae221ecb4be9789ae0b29fc1b8313951a79886b44b51cb6387e79059acc2e1e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-localization-l1-2-0.dll
Filesize
14KB

MD5
a94626cbc9c0e1b62619a8cf49504ff8

SHA1
047e2b1f21f1258242238043143f1d892538bbc3

SHA256
a36792281c0aaab929635bb1f40ee3627225e7e35e6a199c188f3f782c7e6c27

SHA512
b208602f33f02c92df718e4c009e6e8055e538c9451ef6f9682ce21db5258d799c09f689aae2879470a934b60b4f3d44ea82704933fa40f2ff408cf42bd1c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-memory-l1-1-0.dll
Filesize
11KB

MD5
130b06c83791d63b703d54291b69c789

SHA1
314e29b408a93343fa8e0666eb0d128e8e2f83ac

SHA256
bbf2556eff6f0bc6a11d73821aca2c14d5c8235143ceeb16b55b47eee453f179

SHA512
46a513a466a43ed1581a4406795bcf79576e731fc486d0b055be2f75cd6b9e5f6221bc76873941b8c8418ebae4aaacd7f689c3a01b2f42d89beca55406184837

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
11KB

MD5
ead87c06066422461368fa5dc07be9c0

SHA1
3009d09b9727df50e586217e98edcda9f46a7b30

SHA256
b39d21f236d903c34770d50da02c14e8d226e695138f3f6ace4eae11b6d6796d

SHA512
4f1eabc514b18b5704f90f87a7d0231ce47e9125c7f490570699519d5ee70cdfbba067ab67c6d9878a86129181367e55fada55a377efc6873afccc40763459ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
12KB

MD5
585c47a83cb7b3a69d23b840dc56ee6e

SHA1
b75739a142d1cdeae815404e10d7ef28230451db

SHA256
3fa37c4d72451e968217c20ec64a01f5d4f1a5af7b44a107607cad3d3618aee1

SHA512
ef76ace5b820fabfa142ab67f6ad2c68ef29fd95ed1b8d0d0d31759b18b3b218675ae5d7a45b533a4784629adc8c394fb6b0d2689e926700e7bf04f833673f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
13KB

MD5
e345e6656aeac37c80a404f032ba550b

SHA1
371eaeeb74227dd2e7b1bcf36e7aa2cde446a0aa

SHA256
31fd144dc063f7fac651147f0c3826fb0b33ca8028bd4f70a78d63cfb53d81a8

SHA512
6af30635d25ba9552498e78ef3332b60e03d070d6e503903145c8ae30930efeda75b687082cf46c0c25590d6459463f8d873f3e5176bafc9194156d8aaeaa045

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
12KB

MD5
b16e6798ad40000698a09276961fc2c3

SHA1
b5184d9bdb1f5e7cfe17b2ec305c8554362067de

SHA256
f8b7122ca5e1d473818940fea4d1155af429463038ba61953908fbbbb7a8d613

SHA512
a4737a2236eb35e1b4935a5e333c7f1c51588852a8daf654fd2e7ca6e945e40df9d001394c2f3e3a9d023b8d4e34e9753f6472ed58df245b104623d7dbde7423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-profile-l1-1-0.dll
Filesize
10KB

MD5
c06f8f8eed1581ffee9efd5fdbc44f5a

SHA1
b44aa8d6ab3a713c07bb68cbc153c78c634aebe8

SHA256
8b36bce1b7a881f85529eae56e5b75e32763eb14b6683f2203a957ec31336ce1

SHA512
13d369d61a953f92cb1a5935d8e69ec050d7291f8c83ffd09752112bfebcce8b8ae99fc168e969b00141816a1c6c3a981340cfaca319d4f7b188e3a20a43f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
11KB

MD5
1f79f843211cdbf6f109bc2e1eca522f

SHA1
b4a7a607e3eb04fb616d885768ec729273ec33ea

SHA256
5208000a52363b1de665d5d46cd6f4da45f0c19c74876918e165e23efed26e92

SHA512
4ac7797b2e84d2fade089bd6f4b44103eecd1369e47440f1abad3f06cfc2ea5408b8692af63b81769703898cef87068a1e8998efb91b13e60a93325e72dbdc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-string-l1-1-0.dll
Filesize
11KB

MD5
6fc55f288e6124935beefdb24f98e4d6

SHA1
e9cff87ba41b04eaac6f7bbbdfdcb671857a2eb3

SHA256
6bf3e8a6cdb3ccaa52f05fa336bbe80e70351a3eb0c8a98ef599b596d11aaee5

SHA512
a675d0f195774ebe7e118d12932af97f15ebb982f7981552216aefc18b918934c863dd9cc35a67761ffb0dab6791f0363808256b2e708d2f93a5800c42475dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-synch-l1-1-0.dll
Filesize
13KB

MD5
9c69b176fdb21f68fbb36aedf237a18f

SHA1
aa25e9565d6fa887135318ab8c384180b575d916

SHA256
b48b10bfeda8c32e538b03a9db05864866f8a44d04824f63032f2dc33e39fa1b

SHA512
f34c0fe7b29f7c475d663e12dff71a9a93d76914072c69abca54e6780a81894e35d9650e855fd4be5485747dc4a24ed10cb658688432900a0ffe6489d622c1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-synch-l1-2-0.dll
Filesize
11KB

MD5
2d7db8919ceb847377e4c40c1ec7b842

SHA1
27371e9e311c7b8edc56084e41c25e7a87c7c265

SHA256
d3e6256c2dd7150cff8ffca9c9cc6ef477c1da72c0d32972d1022381927b8295

SHA512
b634c27cd0f50748c66f256e316d6aace23d358cbd9aedbab2a0bba9b1a77587422d77c6d161d129a57ca34dfb11507486e1cfbcb6d4ac9779c7a2989f3a29c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
12KB

MD5
44208a7738486bf56121c752df083658

SHA1
93665af04ce345174df47d7b39aac68327dd13a4

SHA256
85b8a6d64a66556f4501aaf120d699dba661841027d27becc6d7240dafb14138

SHA512
38680a4329da0ba501dd78a9005b3e8b54f1dec9fc8dbc08b969e70ebe480dc2444d3c4e66634b14e0e032573240524333e019e4b2c750d8dec1a9dd7b7632c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-timezone-l1-1-0.dll
Filesize
11KB

MD5
f0f891d08e0e358327b323b38f3ffca2

SHA1
eb20f147c53f86c59603f5edbf60f936f768fb1b

SHA256
9c8461929b61e0fd269ce735d699e7e3b6c0159d3e2659f60d681290abf9eac5

SHA512
94e13c4d09ff35c2ded7fd2649b3542aade1414f05772e2034af7723f2622e662e8c0bb67e1eb288e230f8ae183d8f1296c2a134b7ae061a452fa3f7423d7694

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-core-util-l1-1-0.dll
Filesize
11KB

MD5
1417705c75240630943aaedd35a4b406

SHA1
74047910e023f6ab2ac5242c47147c1cb47a7d48

SHA256
76748b18c61fac93fe1c0587711e3ec0b306b2c92198f0b8b4f6bad8c6d9ba8f

SHA512
918987aa8e72b6875d0c1c53cc3521757eda25c746ae477fea545428be5da692fae60aac665dc15c3af89bad43e491a72d00302beb349f45e35e7c89217deea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-conio-l1-1-0.dll
Filesize
12KB

MD5
184a6a9df3526464a3a5f2dc1c21e55b

SHA1
33101ece94c15d733d985fc71ddb13ba4b70b9c7

SHA256
25bbdabc7b8d8edf5cd05b5591edca13236724cad1011393e010df3c58fd6f7e

SHA512
2c2162dbd2e36d81054feb064ea6850547dab270b95faa3dc878a11e47a9c0558ae2039cbb3bb3d1974c1582117d0f3022512a340241da5dbacfd5f94f713f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-convert-l1-1-0.dll
Filesize
15KB

MD5
dad955bbd1a073f1920bdacc7e9d4b32

SHA1
1ce733a4450d5426a78ef2bd1cdbe5d5ff958fd0

SHA256
fe368e5edf476436afea571faacf80d5d12a4b064d5736ee482b972eee82a64c

SHA512
294e838dc41f97afeecb90b58df5fd5449ff1582cb80185d7efe7cadf354ef9f0a1e374c50bca5f72f1859d88a832330caaa9d7a25e1da49195530f0ec26a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-environment-l1-1-0.dll
Filesize
11KB

MD5
36a4f9af7c7d93c49c973da11475d81e

SHA1
8167f90ee36a9c24c53ce78bac9427b8dafdd5d5

SHA256
29656b4f4f985952c5edee8e66ad7901e47c3c5619965dddc9939c5ce5ab7d58

SHA512
92449c67dba558b54c71c88bbfee5a245078238642fdd5368b1d0f41439dfb62fa9292b4fe00162605dbe3d14c8847c3bde4f14c1f06f5271d6392c81278d74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
13KB

MD5
f6c3b0cd6c578f544e94d75d9c9ffaec

SHA1
1b4b1babda538e23cbf2bc458303d7ae70741347

SHA256
6e65f088e4ecb0cf8306766c59190ce3efbc8a190fcbb53572cc61e35d2787f1

SHA512
0dfcfe028970dd70653b3dfecac4ac5672a3b5c6aae0252ca54a1226e19c4cd2bad5b32eb6ff75765cf82cd82ad986d95aef6d12e3a4a291baf6615cb6e96356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-heap-l1-1-0.dll
Filesize
12KB

MD5
6d8959da747b68298f6d8f81cf23c077

SHA1
e7c7b64ef5e5faa0da00430a81dd85765661649c

SHA256
1bc96d86e373fcb77e3d2e48440f0eafb7e42a88a5a82e0ace01967acf236d3b

SHA512
0838c8adcea9127bb1f39a70d07ac7bde0ea23c4fd8f418517aef72f590c3f644e9fd7a1a571231e7d47311e66cca1f71187337e634c1e3fdbf8e0d0016b112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-locale-l1-1-0.dll
Filesize
11KB

MD5
dd5fc38ed969ff4b3aca435c70eb2132

SHA1
becb1d7b94d4d99222cdd4c4c7472f0448c3a65c

SHA256
69e5f222dc622555c88e3bc4cfef42f64237728bd02d00c9281203e512ca77b2

SHA512
4680d5ff8d40bf58b6e1bd3a8bcef7caf9f0b652993faa22958d0315e259acf2177fe8e3e579065641bddd4bfc8eea34f47aca63ac8b07a56de7c952adeafd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-math-l1-1-0.dll
Filesize
20KB

MD5
5f6c4318712ef0c644d39c088b660ebd

SHA1
44b166918cb8208bec51ff46ddbaa49cf023fbd1

SHA256
e4244f90307ab003cb5cc9bcd729ef897abcf26785df9277cbe389e328e0fe0b

SHA512
ad272ece4c4fd3f8362d8ff91d3c3e738e2df8281c319744d7d72792f203ac40cd0c4082550815690036320756b57ed8e51c9efb01ed4c2fe01138b98f9deba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\api-ms-win-crt-multibyte-l1-1-0.dll
Filesize
19KB

MD5
4b189d01eddd9c21d2e56caba7b6cf50

SHA1
05dc00b2c5e8c85d9f4f339d4c83f0dbebac060f

SHA256
996b63255e2f1e366f520a6d09352d2829e92f6b34f2d98448c4fd33ae4c06d1

SHA512
70506b16c25a710defa47548c60a0ac4e6978ea8bc24472e0726d98c5754b8293fd60622d7798639bcdb878b035d468b799a2c9eb03d8b87828e7c8c08832731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\base_library.zip
Filesize
859KB

MD5
6d649e03da81ff46a818ab6ee74e27e2

SHA1
90abc7195d2d98bac836dcc05daab68747770a49

SHA256
afede0c40e05ce5a50ff541b074d878b07753b7c1b21d15f69d17f66101ba8fd

SHA512
e39621c9a63c9c72616ae1f960e928ad4e7bad57bfb5172b296a7cc49e8b8e873be44247a475e7e1ded6bc7e17aa351397cdeb40841258e75193586f4649d737

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\python310.dll
Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25922\ucrtbase.dll
Filesize
1011KB

MD5
7e39d82adf5da0b51a968c764e0e15c1

SHA1
79e75ccde95798f21a34e5650b29dbebe79c1b43

SHA256
d67926328a72816d2944d7c88df6ff4bfccd41a9ce39af0309a0639829d0e7fb

SHA512
1c58d53c40535f80f482a5f406ef5bf9c2f963b9db5969c37ef47b0c59522a1a9bde3f3589538a7ae7d99d567a43170b384761e572c740010feb86894ce7322a

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt
Filesize
29B

MD5
155ea3c94a04ceab8bd7480f9205257d

SHA1
b46bbbb64b3df5322dd81613e7fa14426816b1c1

SHA256
445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b

SHA512
3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05

Download Submit
C:\Users\Admin\AppData\Roaming\35358DD3-BD93-4B0E-873A-19F920CBEAF2\run.dat
Filesize
8B

MD5
a3b0cb4502ba03b2dae67fdd6388403f

SHA1
98dfa7c89eb40b2edd17d2ba172818c2939a9aeb

SHA256
f0c6a8242a4d1efd6656a977724de6d9a6ab9fd60edb62bb4e4c618411b61c7a

SHA512
863ed82a418ab5a84d227970d24098d5200c253faddf431f3a55e6bc57acd934d39d08687bb9231af6b61b27edaed14566ba1c723f002924720586c1589b38e5

Download Submit
memory/1060-28-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/1060-77-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/1060-410-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/1060-408-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/1060-406-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/1060-31-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/3540-32-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/3540-33-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/3540-407-0x0000000074062000-0x0000000074063000-memory.dmp

Filesize
4KB

Download
memory/3540-409-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/3540-23-0x0000000074062000-0x0000000074063000-memory.dmp

Filesize
4KB

Download
memory/3632-47-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download
memory/3632-281-0x0000000074060000-0x0000000074611000-memory.dmp

Filesize
5.7MB

Download