e1585759fde0ed1f1495b36bccc8f2b4928974ce223579166581b0310869c452

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mẫu.SF1.exe
Size

14.2MB
MD5

0a4e27f26c263b57651a9659844c14e8
SHA1

b1c83f8240efb72452a676877c6952b80aa094c9
SHA256

61297d57b70e37c570296fd01448faf69bb1fe488181c193b23f1a57768fc6d2
SHA512

0deea24a36bb589dd55378166eff290ea88684dc5a662d5b3c4911c75420b8dd29df769ea7f056853860b78d0e82d7b84d5c2e46a54effad946170ce0ab994cc
SSDEEP

393216:K/t2DiYw87KVHu7/9kv/7ciYw87Kb/UU+UGvq:FDiK7KVM/KbciK7Kjr+UGvq

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiagnosticsHub.true	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiagnosticsHub.true	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	mẫu.SF1.tmp
1792	pythoncopy.exe
840	python_test.exe
1116	Process not Found
1520	nssm.exe
2300	nssm.exe
2756	nssm.exe
2640	pythoncopy.exe
2624	python_test.exe
1932	pythoncopy.exe
2996	python_test.exe

Loads dropped DLL 64 IoCs

pid	Process
2196	mẫu.SF1.exe
2708	mẫu.SF1.tmp
2708	mẫu.SF1.tmp
1204	Process not Found
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
840	python_test.exe
1116	Process not Found
1900	IEXPLORE.EXE
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe
2640	pythoncopy.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	pythoncopy.exe
File opened (read-only)	\??\S:	pythoncopy.exe
File opened (read-only)	\??\Y:	pythoncopy.exe
File opened (read-only)	\??\S:	pythoncopy.exe
File opened (read-only)	\??\U:	pythoncopy.exe
File opened (read-only)	\??\N:	pythoncopy.exe
File opened (read-only)	\??\O:	pythoncopy.exe
File opened (read-only)	\??\Q:	pythoncopy.exe
File opened (read-only)	\??\L:	pythoncopy.exe
File opened (read-only)	\??\I:	pythoncopy.exe
File opened (read-only)	\??\Y:	pythoncopy.exe
File opened (read-only)	\??\I:	pythoncopy.exe
File opened (read-only)	\??\M:	pythoncopy.exe
File opened (read-only)	\??\P:	pythoncopy.exe
File opened (read-only)	\??\W:	pythoncopy.exe
File opened (read-only)	\??\O:	pythoncopy.exe
File opened (read-only)	\??\W:	pythoncopy.exe
File opened (read-only)	\??\Z:	pythoncopy.exe
File opened (read-only)	\??\E:	pythoncopy.exe
File opened (read-only)	\??\K:	pythoncopy.exe
File opened (read-only)	\??\B:	pythoncopy.exe
File opened (read-only)	\??\G:	pythoncopy.exe
File opened (read-only)	\??\J:	pythoncopy.exe
File opened (read-only)	\??\K:	pythoncopy.exe
File opened (read-only)	\??\M:	pythoncopy.exe
File opened (read-only)	\??\R:	pythoncopy.exe
File opened (read-only)	\??\G:	pythoncopy.exe
File opened (read-only)	\??\R:	pythoncopy.exe
File opened (read-only)	\??\U:	pythoncopy.exe
File opened (read-only)	\??\X:	pythoncopy.exe
File opened (read-only)	\??\H:	pythoncopy.exe
File opened (read-only)	\??\Q:	pythoncopy.exe
File opened (read-only)	\??\V:	pythoncopy.exe
File opened (read-only)	\??\B:	pythoncopy.exe
File opened (read-only)	\??\H:	pythoncopy.exe
File opened (read-only)	\??\T:	pythoncopy.exe
File opened (read-only)	\??\E:	pythoncopy.exe
File opened (read-only)	\??\T:	pythoncopy.exe
File opened (read-only)	\??\V:	pythoncopy.exe
File opened (read-only)	\??\Z:	pythoncopy.exe
File opened (read-only)	\??\N:	pythoncopy.exe
File opened (read-only)	\??\P:	pythoncopy.exe
File opened (read-only)	\??\J:	pythoncopy.exe
File opened (read-only)	\??\X:	pythoncopy.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\winbigha\is-12CP6.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-8B1TR.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-U253I.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-H1EK1.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-E6N9K.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-O6PO5.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-TV86N.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-I82B2.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-6FQDU.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-9GFKP.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-GKFJP.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-PCT78.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-ACOVQ.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-M484E.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-4JN2T.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-6OD2R.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-V0HTT.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-DAH9P.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-AOF69.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-EUD95.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-M77G5.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-AMUAA.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-T6S3H.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-JLTOC.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-JGHV4.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-GQKFA.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-VQI70.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-2012R.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-9BIK5.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-20SBB.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-8J33D.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-3S4NN.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\python_test.exe	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-1KAKD.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-JB05V.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-EKU4T.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-GVL6I.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-GENBQ.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-O7DSE.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-U6L8D.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-4BNDB.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-71POF.tmp	mẫu.SF1.tmp
File opened for modification	C:\Program Files\winbigha\python_test.exe	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-8LR5V.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-DO8P2.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-KBGKG.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-F9FCC.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-PF2AV.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-08PEA.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-M6UEM.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-60H4M.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-EENU2.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-M6LTR.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-HICTN.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-L8TPO.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-HP38B.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-L24QP.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-NNDJ1.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-MUDC6.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-QCI2A.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-GR6SR.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-4AUGF.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\is-D3AR3.tmp	mẫu.SF1.tmp
File created	C:\Program Files\winbigha\123123123123\is-NOQ0M.tmp	mẫu.SF1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mẫu.SF1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mẫu.SF1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
2516	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	pythoncopy.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ec632ff1f6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	pythoncopy.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK = "0"	pythoncopy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B8090A1-62E4-11EF-ACB8-4605CC5911A3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000d33b6270e84eb1cc8e3fe339a3cc61dbbb2fe7d53223e0d550fbff26ef9438f5000000000e8000000002000020000000845b8f9c6e1aecc106d23063e1dd48c3b19c3ce9a33ef4a19fd65af89c81395690000000347a48684f137ab323a0a991006d3bfeaeb1445e4919bae6d055e0a5c7eb9253520c4592c2ebf09d210fa9b5334c7b9f9776ca2f99c5dd6f0589616e4bf000ee980f6637220d9e5cae6402f249c4f51427b15643b328e11d17f2f7af26eaea6749cf10a7a4983c9cb7cc972b829d7d76410d2a2a8f060fa7ccc54435489a511b0223d04c8d323c4217d1677707e8894b40000000ac8b7d6c6dbe12aa156a7aeaf8a27f1b35afe7090fcf945a4e3cf09178f1ab445f4d2cce723e3ef608f4823d90abe43662dd51a7eb0155645523adccf6017d13	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	pythoncopy.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings	pythoncopy.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002aec918cb9fa9248b7812ac80df2e74c00000000020000000000106600000001000020000000e0e11f922fc1114068aee8fd0b5e509aa3c36bb3806cc11cb1d19244f34ce632000000000e80000000020000200000006117c9f5100e1a8c59c12ae804eb0a214879597af74923dc0f3c21610adaf2a12000000090ea9819b0103acdd55aa1388ba3430cc3ecab36be3030e3ae702ebeb6e698cb4000000059dd836efa151eb2e8f72b7db0c402adac8b9a53a62cae31283ef6889ddadbf1fc6b0ae7ef7f5c41388ec19b3f8a0656b896f9ccc8ee40b8eb1e1f9b36ac2b5a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430753743"	iexplore.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Console	pythoncopy.exe
Key created	\REGISTRY\USER\.DEFAULT\Console\1	pythoncopy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	pythoncopy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit	pythoncopy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	pythoncopy.exe
Key created	\REGISTRY\USER\.DEFAULT\Console\pInstallTime	pythoncopy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Console\pInstallTime\InstallTime = "2024-08-25 13:17"	pythoncopy.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.true\ = "AAATURE"	pythoncopy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE	pythoncopy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE\ = "system file"	pythoncopy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE\Shell	pythoncopy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE\Shell\Open	pythoncopy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE\Shell\Open\Command	pythoncopy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AAATURE\Shell\Open\Command\ = "\"C:\\Program Files\\winbigha\\pythoncopy.exe\" \"%1\""	pythoncopy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.true	pythoncopy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	python_test.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe
1792	pythoncopy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	pythoncopy.exe
Token: SeDebugPrivilege	2640	pythoncopy.exe
Token: SeDebugPrivilege	1932	pythoncopy.exe
Token: SeDebugPrivilege	2516	taskkill.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	mẫu.SF1.tmp
764	iexplore.exe
764	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1792	pythoncopy.exe
764	iexplore.exe
764	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
764	iexplore.exe
764	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
2640	pythoncopy.exe
1932	pythoncopy.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2196 wrote to memory of 2708	2196	mẫu.SF1.exe	30
PID 2708 wrote to memory of 1792	2708	mẫu.SF1.tmp	31
PID 2708 wrote to memory of 1792	2708	mẫu.SF1.tmp	31
PID 2708 wrote to memory of 1792	2708	mẫu.SF1.tmp	31
PID 2708 wrote to memory of 1792	2708	mẫu.SF1.tmp	31
PID 1792 wrote to memory of 840	1792	pythoncopy.exe	33
PID 1792 wrote to memory of 840	1792	pythoncopy.exe	33
PID 1792 wrote to memory of 840	1792	pythoncopy.exe	33
PID 764 wrote to memory of 1900	764	iexplore.exe	35
PID 764 wrote to memory of 1900	764	iexplore.exe	35
PID 764 wrote to memory of 1900	764	iexplore.exe	35
PID 764 wrote to memory of 1900	764	iexplore.exe	35
PID 1900 wrote to memory of 2288	1900	IEXPLORE.EXE	36
PID 1900 wrote to memory of 2288	1900	IEXPLORE.EXE	36
PID 1900 wrote to memory of 2288	1900	IEXPLORE.EXE	36
PID 1900 wrote to memory of 2288	1900	IEXPLORE.EXE	36
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	38
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	38
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	38
PID 1900 wrote to memory of 1520	1900	IEXPLORE.EXE	38
PID 1900 wrote to memory of 2300	1900	IEXPLORE.EXE	40
PID 1900 wrote to memory of 2300	1900	IEXPLORE.EXE	40
PID 1900 wrote to memory of 2300	1900	IEXPLORE.EXE	40
PID 1900 wrote to memory of 2300	1900	IEXPLORE.EXE	40
PID 2756 wrote to memory of 2640	2756	nssm.exe	44
PID 2756 wrote to memory of 2640	2756	nssm.exe	44
PID 2756 wrote to memory of 2640	2756	nssm.exe	44
PID 2640 wrote to memory of 2624	2640	pythoncopy.exe	45
PID 2640 wrote to memory of 2624	2640	pythoncopy.exe	45
PID 2640 wrote to memory of 2624	2640	pythoncopy.exe	45
PID 2640 wrote to memory of 1932	2640	pythoncopy.exe	46
PID 2640 wrote to memory of 1932	2640	pythoncopy.exe	46
PID 2640 wrote to memory of 1932	2640	pythoncopy.exe	46
PID 1932 wrote to memory of 2996	1932	pythoncopy.exe	48
PID 1932 wrote to memory of 2996	1932	pythoncopy.exe	48
PID 1932 wrote to memory of 2996	1932	pythoncopy.exe	48
PID 2708 wrote to memory of 2516	2708	mẫu.SF1.tmp	51
PID 2708 wrote to memory of 2516	2708	mẫu.SF1.tmp	51
PID 2708 wrote to memory of 2516	2708	mẫu.SF1.tmp	51
PID 2708 wrote to memory of 2516	2708	mẫu.SF1.tmp	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\mẫu.SF1.exe
"C:\Users\Admin\AppData\Local\Temp\mẫu.SF1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\is-473F1.tmp\mẫu.SF1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-473F1.tmp\mẫu.SF1.tmp" /SL5="$400E0,13711123,992256,C:\Users\Admin\AppData\Local\Temp\mẫu.SF1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files\winbigha\pythoncopy.exe
    "C:\Program Files\winbigha\pythoncopy.exe" "C:\Program Files\winbigha\officehelper.py"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Program Files\winbigha\python_test.exe
      "C:\Program Files\winbigha\python_test.exe" "C:\Program Files\winbigha\scriptforge.py"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /IM mẫu.SF1.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /b /y "C:\ProgramData\DiagnosticsHub.true" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiagnosticsHub.true"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\ProgramData\nssm.exe
    "C:\ProgramData\nssm.exe" install MyPyService "C:\Program Files\winbigha\pythoncopy.exe" "\"C:\Program Files\winbigha\officehelper.py\""
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\ProgramData\nssm.exe
    "C:\ProgramData\nssm.exe" start MyPyService
    3⤵
    - Executes dropped EXE
    PID:2300

C:\ProgramData\nssm.exe
C:\ProgramData\nssm.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\winbigha\pythoncopy.exe
  "C:\Program Files\winbigha\pythoncopy.exe" "C:\Program Files\winbigha\officehelper.py"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files\winbigha\python_test.exe
    "C:\Program Files\winbigha\python_test.exe" "C:\Program Files\winbigha\scriptforge.py"
    3⤵
    - Executes dropped EXE
    PID:2624
- - C:\Program Files\winbigha\pythoncopy.exe
    "C:\Program Files\winbigha\pythoncopy.exe" "C:\Program Files\winbigha\officehelper.py"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Program Files\winbigha\python_test.exe
      "C:\Program Files\winbigha\python_test.exe" "C:\Program Files\winbigha\scriptforge.py"
      4⤵
      Executes dropped EXE
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\winbigha\VCRUNTIME140.dll

Filesize
93KB

MD5
ade7aac069131f54e4294f722c17a412

SHA1
fede04724bdd280dae2c3ce04db0fe5f6e54988d

SHA256
92d50f7c4055718812cd3d823aa2821d6718eb55d2ab2bac55c2e47260c25a76

SHA512
76a810a41eb739fba2b4c437ed72eda400e71e3089f24c79bdabcb8aab0148d80bd6823849e5392140f423addb7613f0fc83895b9c01e85888d774e0596fc048

Download Submit
C:\Program Files\winbigha\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
C:\Program Files\winbigha\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
07aa9916d3383d7e040a88665a6df67f

SHA1
549c5cd800dc3b51ffb552333777d92cddfb299d

SHA256
650555a4c89bfa77054e453ea61f2fe9f095f15a13629f964b903ec7fc07dd12

SHA512
d4c70acb84004d27cfe5db22dddccd90217f95d6d2425bbe4359f318056817b669c98907e2679111c49ccf0321011a60cac88c7156566e825b1ea9b1a12e2189

Download Submit
C:\Program Files\winbigha\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
3c40a9d1ae0b5e72b2f90761a0fd49cf

SHA1
567282eedcb721a7137dde2f135704a50f3cd883

SHA256
91c4f107fe8e8c902728e131672bd6953d94964b7a0f1edcc004ae5f471a2a42

SHA512
d8f69f1c6ea2837e56c98a2591dbd3a336c40e2ad0af45550406cd00c70fbbc3d7c7594509bef4418aa45e0faf0cb7ce739e6e986ab505b4cd32ce595c236243

Download Submit
C:\Program Files\winbigha\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
25cd5a26ea59e6f4c082b8945b16fc3a

SHA1
851ea9bfebbbc901edc98f928d59fb03d15a0037

SHA256
093b7168f6b64c655464d9bbf51bbc29456772ff747763c112ed206e023c69cf

SHA512
dc001828c40e4a85791644d100eea7132951b2644b59f7f147f17feac515d405313289d5aafbf147ffb1913ce855a501ae79acf832c32ed08d348352c80e9cf3

Download Submit
C:\Program Files\winbigha\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
6b9e8a0da794b28096305c1a081b5a97

SHA1
880271c1424e8b6e003e7339adab6a4211b6001b

SHA256
ca9f1319ba004b82b4445f8bbee2ef67b74be6c39fe4e043f14b12c42a62f705

SHA512
1198638501a22b6519da634b8698e5a08d167b69a15cea7ceed53a06266b261792560eb3f04be82e47e234a45c53c8754e6f1663af2c6903a8cbce6d9ae28b59

Download Submit
C:\Program Files\winbigha\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
cf403b7b90696ab2ded707ffdea27112

SHA1
8d25084c7d24143cf95303bfa0654a42d9cb0ca2

SHA256
f5f5e3cfa9237bb04bd485f28cecd07892212335648d32e9e3e1b248784baeb6

SHA512
0004a31e0982fc4007c7fdaf0d06b6d3a19dc35ca00feeb8f161b62695b063bb07fb409c0926a1f95a4698ca57c22f773d9a431eee586633b075366de0cbacca

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
ed14b64c94f543974b7fdc592fa0594b

SHA1
dc66ca3de44c021d89ebd5160c447aaedc565514

SHA256
9165248996814b72f6a334750e65994b39f971267ffc95f759e529356fa3125c

SHA512
5d20bedcfb8d2f603b3f27d874a9e0e3a7ca7df4809aab52b02af630c0037b37923536cc93c78c9deb014df28e378d16d67e99688f8b656e3e7bfd1e2e914dcc

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
1908861649e67cdc20c563c234a89914

SHA1
471ae3b9a3b40e63c880362892865ecf8bd80f67

SHA256
4aea1cedd976ef15a47a3433f3a2e176b1c5e495a54497dba27247b35a1b8449

SHA512
dec24d5c3f31c90cbec3810290506309a1db5677022c600d3bdd2e92b73078dc6353023f2aeefa408aceac7c9f7ed5a2ff07a399b446e177ff93e5fa1b3f9353

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
f97e7878a2b372291b1269d80327bbf6

SHA1
cee6f776fe0aa5a6d4854058f20f675253f48998

SHA256
c4e195d297d163a49514847ef166da614499404d28bc9419e3e6a28a8e03e9b6

SHA512
475898e60ffc291362fda45ab710b9ddaf1cf5e82f66dfcc04998ded583c54692ecfcac6cc4fe21b32bdd0e4dce8ac32fd9aecca2b0b60f129415180350d7825

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
761ddd8669a661d57d9cf9c335949c06

SHA1
251bbcad15771d80492f1deb001491a7abb6c563

SHA256
fe51064e0728d553d0f3e96967671f7e6ae4ebd35d821679292014dd4c3bb8e3

SHA512
5ad590a5f81532f8bf21fb4f62bc248e71bbf657dfb1720b2d9f1628033afe39426a1c27a89d9a06e50849bd0ed2242afa93e4cf2bc83f03a922b8204f0f4f2a

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
56556659c691dd043dbe24b0a195d64c

SHA1
117b9a201d1e8bb9e5fadeae808141d3fa41fb60

SHA256
2e1664e05c238d529393162f23640a51def436279184d2e2c16cfbf92ab736c1

SHA512
a8d4c4a24e126c62b387120bae0edd5cbce6d33b026590ff7470d72eb171ffe62b8b2b01e745079c9a06cf1eb78a166707514715e17bbd512981792a1d2127e0

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
6631c212f79350458589a5281374b38b

SHA1
88be6865aac123ffbdafec32a6fba34a26428875

SHA256
52cc325a4c2158b687c95f9702f4be2e3ec41c80207e50f252f5620ba1784649

SHA512
e53d7bfa2639efccdb66d37957972fd1f8eb2beea3a81145588ed622501ee50261e05a06611ee7126564b11a5301b109f295d062f1a2dc1e44a2847000fd7298

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
bbae7b5436d6d1b0fc967ff67e35415f

SHA1
f67bc165cefb119ad767b6bec27a1102c0fd2bac

SHA256
8150a238851d7da74bc8f6f13262a8d6568373dc509f67544ab6a62398f20c4f

SHA512
4201a8edfe303057545d04de683bbdf0acb68cf4d2e894192f899a70398df18299432c0f6caee72d917a986882bbc0585035a9b934d4579f67a1c98cc894dee2

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
53e9526af1fdce39f799bfe9217397a8

SHA1
f4a7fbd2d9384873f708f1eeaeb041a3fbe2c144

SHA256
de44561e4587c588bc140502fd6cd52e5955abeec63d415be38a6d03f35f808f

SHA512
8167ee463506fe0e9d145cc4e0dc8a86f1837ae87bc9efe61632fb39ef996303e2f2a889b6b02ff4a201faf73f3e76e52b1b9af0263c6fcfdac9e6ea32b0859f

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
eccf5973b80d771a79643732017cea9a

SHA1
e7a28aa17e81965ca2d43f906ed5ab51ac34ee7c

SHA256
038b93e611704cc5b9f70a91ebf06e9db62ef40180ec536d9e5ab68eb4bb1333

SHA512
b95f5efc083716cb9daba160b8fa7b94f80d93ab5de65a9fb0356c7fb32c0d45fe8d5d551e625a4d6d8e96b314bae2d38df58b457b6ced17a95d11f6f2f5370e

Download Submit
C:\Program Files\winbigha\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
090dd0bb2bddee3eaae5b6ff15fae209

SHA1
ddc5ac01227970a4925a08f29ba65eb10344edb1

SHA256
957177c4fe21ae182dfe3a2a13a1ff020f143048fc14499ae9856e523605083e

SHA512
2e0b8567231e320b2e52af3b86047cfab16824e2db1d1bb17bafe7a1c6c5f0bf62d76656206a3d7ef1d3849b479bf5e09db1f0f4e4cd0aa2df09838d35c877f3

Download Submit
C:\Program Files\winbigha\bxsdk64.dll

Filesize
2.0MB

MD5
baf222b8198f8c2bf00bbba9890d0282

SHA1
a9665568618226c58421d16eeff242096e6ef911

SHA256
538b28f4eb0c43fd892b44a53b8f968ccd93cef76f02c005b1ae1ae0733e50fb

SHA512
7f2afb9d6bf039ed9818552cc8f148de28181493dfa81c5cf9e29e05434ac8cdcfe7c0489e7bfd229a78d8a629b5d75b43697ad84229e5504153148d725c0c8d

Download Submit
C:\Program Files\winbigha\hello.zip

Filesize
1.2MB

MD5
2db8e0eda52841ef5ec324703d1c1e96

SHA1
c8ced47945c4dc034456c376892965e2ed2a8173

SHA256
5eb61b9dc55dcd5d4ff26a83cc6fe8b965436bc36000e76f807dae673b497dd8

SHA512
3dd6bc0fe92a8d743c342cde790774b7b30dec3ce22f35f5070a50111cce330620a20a82a59b11c7a4b676a33a39eb8d1dceb95521133da36f95365bd2d2fdb0

Download Submit
C:\Program Files\winbigha\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Program Files\winbigha\officehelper.py

Filesize
4KB

MD5
8870064f7582692e18fab0f400a1712a

SHA1
88a7d02edb92daa265a1f773c558f9d10affbdf8

SHA256
4f4dc75447d40c43a6ae3743d442a70aa57f8299728031e2d01056ca04ba60f1

SHA512
e2d12968b159c977565b51c2009c34c9d3e3ca4ebf3cbb1d5e0071c78d2d27ba820011cc5e8f2d081b2b82accdc009f3bb332af327fb551c7bf54e6f53a47f64

Download Submit
C:\Program Files\winbigha\python3.DLL

Filesize
58KB

MD5
c9f0b55fce50c904dff9276014cef6d8

SHA1
9f9ae27df619b695827a5af29414b592fc584e43

SHA256
074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e

SHA512
8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

Download Submit
C:\Program Files\winbigha\python38._pth

Filesize
78B

MD5
69cc09a78b1f90ba3c2655f598667348

SHA1
5fdf8302aaa08f1ff4824abfb3033d02f04300a8

SHA256
c8961b67520e33fd9141ed2f1c9795107229c1f71ec3749c89f4dbf37cf0a0dd

SHA512
9da3d2104a2c506e971ab26a506d1e570b455c9f757be823b5637da5a1d8e46cdd94f969fcee347b71025092b73c1ff6f0034872b4c868e2fac7d8c595640d11

Download Submit
C:\Program Files\winbigha\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Program Files\winbigha\python38.zip

Filesize
501KB

MD5
7111a95f7c248a3253c1136b4bc42fa9

SHA1
0e28ebf8785bf06a4cb1bbd7be85239519ab5fdd

SHA256
a583bd6554a6f8bd99464fe79c3f05aec4f09953645a5acd152c63f74680dacd

SHA512
a383a414fb6e0f808cf7d8f5dd3498ba9563c5927893ad0a1dc564673bafba74935d7e90215197ca1928384103c74c5c26c99292b25b43e4a6e96c460352bf04

Download Submit
C:\Program Files\winbigha\python_test.exe

Filesize
102KB

MD5
918efb028bf3d9d037b4583cb5b6886e

SHA1
f3783915dbc51d0c385dc45fee8b82c32c5b49e7

SHA256
e97d3caf8a0266b900000398c84863f57dc76313f627f983b62f656b63abdc76

SHA512
46905e214dead8b630fc153c9b30b344e836296acfb7f10fdf0a2ee9abec32e2f342efeecbad49398f80198fdbb4f11cc9c45216b0bf388a7616f60cb0bdeb04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e22438b1d4a7847b7b07df34beea4f44

SHA1
03d3681622c2871c0d58a6fc7baa0913d762c744

SHA256
48a1e412693b385a7cec5324e914f226617e5020176292fad0474915ee3173f7

SHA512
abe5f76f1ef8dc3b71e42615841fccbedda395dab01b2990ee0524ea92d9477d3469c7ad71b07c5970bfd0b3b713abc8c661fb189bac5cd321a9ce7bd172d4f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dd78d512095ce6402a640cc1abaa93d3

SHA1
fd6ce69c62ace89f011136ebdf1dc653307c4fbe

SHA256
d7bea96a10bec2270376530a1a3a4bbde4fc4f5b7867c051a1ff28d0405633ab

SHA512
e2571ea72bc9fd01a634bf0020fac21ea6faddd45472ddd95208197eb4328dc339947d73cee23da979daccc844787eb93a117b3e36ec2442823d59b5abc70bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c10cb2c5fdf7c1b870cf1a340be6d660

SHA1
0e0bc1ffa79f7c829e45347e7aec58d312ece13d

SHA256
87607cbd6b22e0640047ffa01889b4334e78529b93ac5851bca837b45dc9dad2

SHA512
83e374b212b70a5a4578cd5b50ab6b19bc148adc33cbf6f173fbbeee9b5945fe028f06afdd1885ecc8e76e47a1c6cc39e550b8a2730617686d1bdfc313a81d1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d4f4d1874fa5e3802ee1e1618eafbfc9

SHA1
413995ab374d8af7a8c96213522f56e250c6032c

SHA256
3e53ea05f1b18e5a27559d37aec0591c1043a94d912306980bbdde9cf6e0eafb

SHA512
fb00deb0eb1c9034ea267caed172b473f42b3164fbc791583f8c4d430fde0b80fa887ff32c76892c36acd21f04324cc515927045152a5e1c60b9c82556d9c6b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e14fda64f610c7de26e2808661c2b054

SHA1
319d0cf9f7b402a5c3257d8da0dc15fb3e9c56cc

SHA256
7d64d0fa628e349d3449cd8ac31d10a0466f4457574dbf846f620a88a838885d

SHA512
19e8e23a2095d07d05241c39a12420b6af1b4aa9dae173af410cd087d86d9c8b2fd22eaedcf556c22440c3bf4e9dc743c02a03f22ba55acece4220787045f6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4567613914b9d8e84709e70134136ba6

SHA1
db8b16a30c950e901d3d5d27b5c4e624974c2e11

SHA256
632acb2a09f9d327ee3d72916aff5704a4c69b019be3b3652f78a53993d30e95

SHA512
81085b6bc8feeca509404d149b3db89c1be0a57fd6f2064ac5c423ec3a2ec32475ca65b4623995f59fd99592a9638e88e4de0ae629d178c64d76df67e8af05d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
01f502afc0929af3b4e132168e3d2141

SHA1
1b50e92905830fd721b723a0b2078f224e2858da

SHA256
4abc7922177d855991d0a239ed34728aef3d40cb7341804b397bbde59d3faf14

SHA512
101d3ba05ef4a20bce7aea05fee93e1e67a63bff5f1c6ff7144f84a5e0ef41b39fb0f219eb55d5c08ee2b4633e64929bebca1139afebbce01d1c3d0df03ba6da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d06e372bf6d518ccf86f88c42713c273

SHA1
1925bb998e799c57897ba1ca678340d44fbe281c

SHA256
e4d82983de05522e0188fc654cd22e955fd3e10c5ee74741e8ce993fee89eaa2

SHA512
a24285f2c4d775ea332d8b2b8763fe0c4fcfb458ebbb6786263754b6c8fe56863be1630954f3f299d3838b8a86e3560cd552191c1bc45acd1e3dfa611d6a60a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
49625df7d49b5bb00e65774e5941e357

SHA1
5be83d191a83f4900a387f1483f1de692e0de90e

SHA256
912c6a4ed57bf4a846f1e7a771e1a66123d57fac7718aa6b58a0b0a5b671061b

SHA512
dff46127cc6c51e7e41873f181b0dffb6c7073d58355864ed386f99c011f5288e073734c48c905c9690451dbe3c11bbe812b6e1c798ab5ffa3342e9aff08be38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
197ddcc1bbf0ea6a50a872b097c8a2da

SHA1
d5479098b81e54cd0d42b1bd55097f090cf386ce

SHA256
32313f6bcc9f93f4228e0c77f946a17182bcb8e5dd19e6ccdc7378c9a52a3647

SHA512
2dfe95a6c4f12aaefae3a5c57c302da4dec1f233e7df67adf62690f3b0705318ed97e245f13eccf8f0a6d3d125d4f57feffc5939e21038e775276500f8860f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE7E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\winbigha\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
966f1686b72929b452c7c0999791d42f

SHA1
20961fd566d789b5657f65595c3a39622c569a22

SHA256
2f7553fc7b0e511813ef7639cab9b2466348eeb78ffc534a12e2e271af8e7ce8

SHA512
b427eea99d197889e4a4b8801a45baebd20824983f38794ef0e81723c9592c28d75f39744691f650e220208e5f072d61470add4fc99221383e0a89369de5ab93

Download Submit
\Program Files\winbigha\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
af851dfd0d9fecb76ff2b403f3c30f5b

SHA1
30f79fb4d4c91af847963c46882d095d1f42efbe

SHA256
6a3fd4b050f19ec5c53c15544b1f1b1540ac84f6061c0ec353983eb891330fda

SHA512
04509b02115ec9b5bc4ee2f90e49e799ccf85884fe1f11f762f0614a96764b8f2b08f96895c467c5b11f20273183096b2bcceb0b769df9d65b56c378cb32b0f5

Download Submit
\Program Files\winbigha\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
0f143310fade4de116070a3917a79c18

SHA1
b9a092e885c73cb6d33c9e17d429ede950cf3a26

SHA256
2def5140c289b89c9a27a2112a2cc01ad1a902944c597d6204bed4efbc09ff7a

SHA512
f87104272aa2326641e46450a0333626567ab3fa85a89b81f7a7c0b1f90a47a70ea189ce3f6bf5db6bb5cccda6d190fb2276edeb44334245b210e7faca05fc60

Download Submit
\Users\Admin\AppData\Local\Temp\is-473F1.tmp\mẫu.SF1.tmp

Filesize
3.1MB

MD5
8b9986c0ff360e7797c0dd05b17be235

SHA1
5aa53515b92e731b412763d14d103d6d2812f85c

SHA256
a62dce8c472cda98aa2ab170b94839c150541de08825a2d9471a76bea738ab81

SHA512
dc6ed7fec411380990b56c8ad7caf52a7feadcfc2e40c7cf21c544394a3d665065cb643db54dcf532536b77a7dcdc5b0672dcd2c86dee34b949eeb3c2b24f09f

Download Submit
\Users\Admin\AppData\Local\Temp\is-CMVIN.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/1792-221-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/1792-245-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-241-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-239-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-235-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-233-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-257-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-258-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-259-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-265-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-271-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-273-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-219-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/1792-243-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-253-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-230-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-237-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-229-0x0000000180000000-0x00000001801FD000-memory.dmp

Filesize
2.0MB

Download
memory/1792-214-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/1792-215-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/1792-217-0x0000000002AB0000-0x0000000002AB5000-memory.dmp

Filesize
20KB

Download
memory/2196-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2196-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2708-316-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download
memory/2708-8-0x0000000000400000-0x0000000000722000-memory.dmp

Filesize
3.1MB

Download