bdaejec | 13c739544e392920c0e108aed613c98f097f985631c6cc118d796fcee59bab17

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spoofer/Cambiador de serial/kdmapper.exe
Size

107KB
MD5

d63c0a558ae60ae055d8f2aae1d0a494
SHA1

51ed78431c44402abcea6913ecf845e1662777ba
SHA256

779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729
SHA512

c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b
SSDEEP

3072:Yppjdz7eqQfZ8G7A5G390uDmJTQSaMm5/6lWOax9gg:YppjdPsZ8qqWlQWx3

Score

10^/10

bdaejec aspackv2 backdoor discovery execution

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec

Detects Bdaejec Backdoor. 2 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral2/memory/1272-73-0x0000000000850000-0x0000000000859000-memory.dmp	family_bdaejec_backdoor
behavioral2/memory/4744-101-0x00000000007B0000-0x00000000007B9000-memory.dmp	family_bdaejec_backdoor

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2328	powershell.exe
4284	powershell.exe
2656	powershell.exe
4496	powershell.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000001db0d-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mNXfxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	FOwJYd.exe

Executes dropped EXE 2 IoCs

pid	Process
1272	FOwJYd.exe
4744	mNXfxi.exe

Loads dropped DLL 18 IoCs

pid	Process
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe
4500	log3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1256	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	mNXfxi.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	FOwJYd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	mNXfxi.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	FOwJYd.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe	FOwJYd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	FOwJYd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE	FOwJYd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	mNXfxi.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	FOwJYd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mNXfxi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FOwJYd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	log2.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe
4284	powershell.exe
2656	powershell.exe
2656	powershell.exe
4496	powershell.exe
4496	powershell.exe
2656	powershell.exe
4496	powershell.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	1256	tasklist.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1272	4808	log1.exe	97
PID 4808 wrote to memory of 1272	4808	log1.exe	97
PID 4808 wrote to memory of 1272	4808	log1.exe	97
PID 4808 wrote to memory of 2464	4808	log1.exe	98
PID 4808 wrote to memory of 2464	4808	log1.exe	98
PID 2464 wrote to memory of 2328	2464	cmd.exe	101
PID 2464 wrote to memory of 2328	2464	cmd.exe	101
PID 2464 wrote to memory of 4284	2464	cmd.exe	102
PID 2464 wrote to memory of 4284	2464	cmd.exe	102
PID 2464 wrote to memory of 1756	2464	cmd.exe	103
PID 2464 wrote to memory of 1756	2464	cmd.exe	103
PID 2464 wrote to memory of 1920	2464	cmd.exe	104
PID 2464 wrote to memory of 1920	2464	cmd.exe	104
PID 1576 wrote to memory of 4744	1576	log2.exe	107
PID 1576 wrote to memory of 4744	1576	log2.exe	107
PID 1576 wrote to memory of 4744	1576	log2.exe	107
PID 1576 wrote to memory of 532	1576	log2.exe	108
PID 1576 wrote to memory of 532	1576	log2.exe	108
PID 4744 wrote to memory of 4692	4744	mNXfxi.exe	113
PID 4744 wrote to memory of 4692	4744	mNXfxi.exe	113
PID 4744 wrote to memory of 4692	4744	mNXfxi.exe	113
PID 1284 wrote to memory of 4500	1284	log3.exe	116
PID 1284 wrote to memory of 4500	1284	log3.exe	116
PID 4500 wrote to memory of 5100	4500	log3.exe	117
PID 4500 wrote to memory of 5100	4500	log3.exe	117
PID 4500 wrote to memory of 4780	4500	log3.exe	118
PID 4500 wrote to memory of 4780	4500	log3.exe	118
PID 4500 wrote to memory of 4760	4500	log3.exe	120
PID 4500 wrote to memory of 4760	4500	log3.exe	120
PID 4780 wrote to memory of 2656	4780	cmd.exe	124
PID 4780 wrote to memory of 2656	4780	cmd.exe	124
PID 4760 wrote to memory of 1256	4760	cmd.exe	125
PID 4760 wrote to memory of 1256	4760	cmd.exe	125
PID 5100 wrote to memory of 4496	5100	cmd.exe	126
PID 5100 wrote to memory of 4496	5100	cmd.exe	126
PID 4500 wrote to memory of 3720	4500	log3.exe	127
PID 4500 wrote to memory of 3720	4500	log3.exe	127
PID 3720 wrote to memory of 4024	3720	cmd.exe	129
PID 3720 wrote to memory of 4024	3720	cmd.exe	129
PID 1272 wrote to memory of 2644	1272	FOwJYd.exe	135
PID 1272 wrote to memory of 2644	1272	FOwJYd.exe	135
PID 1272 wrote to memory of 2644	1272	FOwJYd.exe	135

C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe"
1⤵
PID:1764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe
  C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2b220d13.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E60A.tmp\E60B.tmp\E60C.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File script.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Multi Theft Auto: San Andreas All\1.6\Settings\general" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /f
    3⤵
    PID:1920

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  C:\Users\Admin\AppData\Local\Temp\mNXfxi.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0c41196b.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FD5B.tmp\FD5C.tmp\FD5D.bat "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log2.exe""
  2⤵
  PID:532

C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe
  "C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\log3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4024

C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe" "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
1⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe" "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
1⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe" "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
1⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\kdmapper.exe" "C:\Users\Admin\AppData\Local\Temp\Spoofer\Cambiador de serial\spoofer.sys"
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
31KB

MD5
17731f296dedc67cc80abf975d50d858

SHA1
9c1cc59231bde00c2583c6aedbf632a8786c7b2d

SHA256
641adc6e338e0313a1ce187bfc107b08f7b171c1cfbdd6838f9fce2c4883837f

SHA512
2126ef48813d53eeaeee9f12284cbd4df00d289c0053ad981c52547e697bb769b48f178bb4e2599414cef50dcb899e2677f6c0224f8a94e44643d7593c64b7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
0af12004db5fe4272f4edb32014df51e

SHA1
d58f39958fb93f8b305ca7294bebb4978766dae6

SHA256
6e59b3f130a284b93d20a9ed46b3fa945f464dcc68f2f521df8eddbf5c8425bc

SHA512
a0ab53cd3cd7703584bc9d3ef2ede4ac60f536154434468cd861a1ed8d702cf6daea284641634a346b27b8a54411c7fedb762784ad596a7da296fb288553036c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\k1[2].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8ba3d14596643da2cf2f88f9e79a0aa

SHA1
bba2bcbc4b6af2581f7c918b9e707f7fc7689372

SHA256
c9e42c75fa91582056e10b14fbdd234bb1266ead8fd728d4008ac77432ff838d

SHA512
8a811ddbd3a8146c99c9fec0fbcc980272b652f3a891bd2bad6991af6fc977cf1225d03675417d9522037cbe90aa07414cef70bccdbd7a88d4b5a41403ff629a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c41196b.bat

Filesize
187B

MD5
17aa601113585595a2e4c785823ac7ec

SHA1
ba18decfd43c92c5eccd5a401cdbe0f072c37b3a

SHA256
81ac83724eaf90cb4f5cc5444d4694a79b8ed28d9f596f2c8e8c0e99d4550378

SHA512
a728e054139ddf63d9edde4b30b3a3c218bbebbea2e1b00df7c7a7af2a65c12b3f45529ea9c07102faa0668ee5e7ce191ca16ee2116935ab4a3bf16f817bfd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\44CB2DB8.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E60A.tmp\E60B.tmp\E60C.bat

Filesize
1KB

MD5
4fa3f51896539efc4e33072e36982ef2

SHA1
32f37a0c2eb87af2dc5e76d8c38d39475f6b4cc7

SHA256
faf2a2fa1e21ec5cb05a4ecf7cbd3e469bc79625b3601316fc3786f46c3845a3

SHA512
a3589076087fdd52d40b790912d8ed24d25c44311ac819c2deef1cd2eac8b7e243588021addf1fb60b1dea88dabe9d190ad3aa950b0c5c58f0a0362b395eb86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD5B.tmp\FD5C.tmp\FD5D.bat

Filesize
1KB

MD5
e0f0f24047c4f2cf11b740ae7f32efd1

SHA1
271b1e88a1dc89c395854b5808a97f7b0b162f06

SHA256
5f7e01455bd8c7604f8e5b2cc069179015360505f08ffdb9a14c3abbcd478e5f

SHA512
55c1b69e7136b0e18da87fc29d5ac9974adfc019574cae14b906f46efc8dec02694f1d251c9d3d755918994ec9964aeed63f06ece317b066e6828abbb468b7ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOwJYd.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spoofer\Remover Logs\script.ps1

Filesize
409B

MD5
af5aefbf4681c1058c1e33b8bf09d316

SHA1
d6a797fcdbac3f9ababc4afe28f8dc1b6647db5e

SHA256
49a4c5b8c350d5b93d848c2cf9f3d108642ee15cf334897ee12d88008fe60692

SHA512
d29e5e760ef3fc586dbf34573784dae6169a74d9aeefe9455798bba477ed37ba084156931da6d3aca4e72bbb202c918bcdfa0d0dfc1488729fdecafd2bf76b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
3b3c26d2247b0a2928f643fda76264b1

SHA1
06d8d10ea6b23f886c832df4fe1122130e71bb22

SHA256
258ac28b71532d6f9419edce72961e2b9644b0f92de5ce002801cc9c3caf442e

SHA512
5b6dfc3fb97a4a2e906739531b6d3d066d9f12eab67d5051dbb99b260a2a51e5ca19ba449b8fd901fc1034fd2402ddfa2c87fd2ac6dc3e7bdd4e929d8426a0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
5f1e568d0cdcf0d5d4f52fd2e8690b4a

SHA1
d582714273b6254249cf0bfc8ec41272eca2bc29

SHA256
ed94f413f576835acf4dade22ead7e764dd2f0242581090e3a2424452b49b9fe

SHA512
d283d739210ab29802c9df8588a5e0188dd3fd3a3061ed0aa5b5b3633e686a66ac9aa0c6fd7bfa696af7ff16da1f870b775a3a44c3a015f33a3dd83a56cfc42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
d85b98d1e5746f36e8afb027756547cf

SHA1
91ef9250155d7685c5730c73c1a2de361e9ba772

SHA256
143c8bcc6ab0d6afa1dc03996b5256a6bccb3442dc4ff3182404fde8172de4b6

SHA512
6d1b507613ce85dedddb5d61a0ea3b926b79443c5688fe0ce9283ffae7ff27af93c418ec3b086f3a84e574afcc3a1170d0ab1d8b4d5976a71af79bbd351d7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
1ca45137e611548c8d090ebaa178d462

SHA1
ee84cb3d6ad1e6180a6825d9d293e7c9418c7153

SHA256
3c186afd5cf0e4314d0e15bd55832e976368d162331d5cb065fe890b88c9cfbd

SHA512
139349c90590d17a73d0dca3bcb72febaea1a8cf2a4da24716dcfbaacdf6c85260c5e792bb04f923975e918163a46524ebeed1f2f02494d9f271d73f8b558bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
eb5e7affe24ab532089733f8b708a1ff

SHA1
f3b1f20d29d8b38d8c47cf66c75d650c5b855738

SHA256
17ad72adbef247080dd456bb54f11bc782801381fc2aa2abe005cca9db6254c0

SHA512
69c148749f9b1729187c3d39d2d00ba952d22163ae393716b2096a869a97ead4cfed8edde303cc65c13cb30d6e44fcb2e4cb896b03dc14aac7cb49958a23e699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
a8b0327931fd2c863693634b3081e6a0

SHA1
d66cd78c124e931667b6079d5bc5adf55a644293

SHA256
1fa836b3704b29e7ad1ea1b0b457f62aae4435c6a1d745707631552a2f83d5f6

SHA512
1b8331ac9b17d3553a5c7b4572f826bb232b339c28f6c9a31a870097c7612587cd1dbe59fe294501ce11cf5bba973d83784108309617b6f7104f2aae8f723961

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
eb4c279c8386d4f30aab6d76feec3e5a

SHA1
0c611e8f56591f64841b846df7d5c07fd75b55a4

SHA256
56bc7d3dd48d9cb209195f71be67d0a90ca929a8d4e6ae5a481f3ab0345da294

SHA512
1869b0c843df05ba849e79aa15b25855aa5c2c2e5a932c0de650b83c8abe2371585731b0213061b8f4d781a87b352ad3a09bf8555fcf0f9422a0bcc1a9062781

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
cef770449597ee64eed064e5edf3f76b

SHA1
f759143f09f539e032a680b376f7362610215fe3

SHA256
2b52bf5a8c0bc2e93cebcce597c6693a118667e9f16836e65d8b166d33d33f49

SHA512
f899e00ae697c44c8b127dab548c25181e2772a9cb80e6887ed2435be7a03a51d2e77820456e984921b0252d77f0fecb7b1c5b08615b49e3c08d531a09c67279

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
2143036c7d2ba3cc75ecbc66f60d5259

SHA1
dd9192d9b4c7e90290796431db0ef8cc06210c73

SHA256
c8adf90a32936eaf678ed9a091d422e091e6b80d0431ec120e60febe1f617ac3

SHA512
94e4618b574924ae48386dfd520de6faf2ba1a3347fa56ded559bcf24f0e14bf1a7f442bdfa68244af5294fd83e8e334d7cc4959c14434665d731c9d5beadeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
47e43806d67d182ab20e77fd2b705cdc

SHA1
bf7f4ffcaac83535146d372767db6f36bad3bb61

SHA256
52df3c5ded71786cf0f4f7545d59f5e6e168e6a499862c59b5985f6071f201ab

SHA512
28ea9b227b42e86ea7e16eabde3f6b01a86da21ca50119b173e98e736e4997a81f9ee20f7c11e5fdfe3c62255345c078bd9d9e51bd6b45911b14f90b0ed7b76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
7672f7af6df502bda30f98005487e24c

SHA1
d49003f56bd5d19ff265dab88fcf9d1bbd145a31

SHA256
52a11ca57d562ee1cfbb7d6c26253cbd67a39b55bf1a56cd0f9332136986e8cc

SHA512
0ee52bf600f70e16006ab159d4b3ea50241941fe9dc8031a78c8f0797374f6ae221ecb4be9789ae0b29fc1b8313951a79886b44b51cb6387e79059acc2e1e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
a94626cbc9c0e1b62619a8cf49504ff8

SHA1
047e2b1f21f1258242238043143f1d892538bbc3

SHA256
a36792281c0aaab929635bb1f40ee3627225e7e35e6a199c188f3f782c7e6c27

SHA512
b208602f33f02c92df718e4c009e6e8055e538c9451ef6f9682ce21db5258d799c09f689aae2879470a934b60b4f3d44ea82704933fa40f2ff408cf42bd1c534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
130b06c83791d63b703d54291b69c789

SHA1
314e29b408a93343fa8e0666eb0d128e8e2f83ac

SHA256
bbf2556eff6f0bc6a11d73821aca2c14d5c8235143ceeb16b55b47eee453f179

SHA512
46a513a466a43ed1581a4406795bcf79576e731fc486d0b055be2f75cd6b9e5f6221bc76873941b8c8418ebae4aaacd7f689c3a01b2f42d89beca55406184837

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
ead87c06066422461368fa5dc07be9c0

SHA1
3009d09b9727df50e586217e98edcda9f46a7b30

SHA256
b39d21f236d903c34770d50da02c14e8d226e695138f3f6ace4eae11b6d6796d

SHA512
4f1eabc514b18b5704f90f87a7d0231ce47e9125c7f490570699519d5ee70cdfbba067ab67c6d9878a86129181367e55fada55a377efc6873afccc40763459ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
585c47a83cb7b3a69d23b840dc56ee6e

SHA1
b75739a142d1cdeae815404e10d7ef28230451db

SHA256
3fa37c4d72451e968217c20ec64a01f5d4f1a5af7b44a107607cad3d3618aee1

SHA512
ef76ace5b820fabfa142ab67f6ad2c68ef29fd95ed1b8d0d0d31759b18b3b218675ae5d7a45b533a4784629adc8c394fb6b0d2689e926700e7bf04f833673f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
e345e6656aeac37c80a404f032ba550b

SHA1
371eaeeb74227dd2e7b1bcf36e7aa2cde446a0aa

SHA256
31fd144dc063f7fac651147f0c3826fb0b33ca8028bd4f70a78d63cfb53d81a8

SHA512
6af30635d25ba9552498e78ef3332b60e03d070d6e503903145c8ae30930efeda75b687082cf46c0c25590d6459463f8d873f3e5176bafc9194156d8aaeaa045

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
b16e6798ad40000698a09276961fc2c3

SHA1
b5184d9bdb1f5e7cfe17b2ec305c8554362067de

SHA256
f8b7122ca5e1d473818940fea4d1155af429463038ba61953908fbbbb7a8d613

SHA512
a4737a2236eb35e1b4935a5e333c7f1c51588852a8daf654fd2e7ca6e945e40df9d001394c2f3e3a9d023b8d4e34e9753f6472ed58df245b104623d7dbde7423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
c06f8f8eed1581ffee9efd5fdbc44f5a

SHA1
b44aa8d6ab3a713c07bb68cbc153c78c634aebe8

SHA256
8b36bce1b7a881f85529eae56e5b75e32763eb14b6683f2203a957ec31336ce1

SHA512
13d369d61a953f92cb1a5935d8e69ec050d7291f8c83ffd09752112bfebcce8b8ae99fc168e969b00141816a1c6c3a981340cfaca319d4f7b188e3a20a43f950

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
1f79f843211cdbf6f109bc2e1eca522f

SHA1
b4a7a607e3eb04fb616d885768ec729273ec33ea

SHA256
5208000a52363b1de665d5d46cd6f4da45f0c19c74876918e165e23efed26e92

SHA512
4ac7797b2e84d2fade089bd6f4b44103eecd1369e47440f1abad3f06cfc2ea5408b8692af63b81769703898cef87068a1e8998efb91b13e60a93325e72dbdc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
6fc55f288e6124935beefdb24f98e4d6

SHA1
e9cff87ba41b04eaac6f7bbbdfdcb671857a2eb3

SHA256
6bf3e8a6cdb3ccaa52f05fa336bbe80e70351a3eb0c8a98ef599b596d11aaee5

SHA512
a675d0f195774ebe7e118d12932af97f15ebb982f7981552216aefc18b918934c863dd9cc35a67761ffb0dab6791f0363808256b2e708d2f93a5800c42475dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
9c69b176fdb21f68fbb36aedf237a18f

SHA1
aa25e9565d6fa887135318ab8c384180b575d916

SHA256
b48b10bfeda8c32e538b03a9db05864866f8a44d04824f63032f2dc33e39fa1b

SHA512
f34c0fe7b29f7c475d663e12dff71a9a93d76914072c69abca54e6780a81894e35d9650e855fd4be5485747dc4a24ed10cb658688432900a0ffe6489d622c1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
2d7db8919ceb847377e4c40c1ec7b842

SHA1
27371e9e311c7b8edc56084e41c25e7a87c7c265

SHA256
d3e6256c2dd7150cff8ffca9c9cc6ef477c1da72c0d32972d1022381927b8295

SHA512
b634c27cd0f50748c66f256e316d6aace23d358cbd9aedbab2a0bba9b1a77587422d77c6d161d129a57ca34dfb11507486e1cfbcb6d4ac9779c7a2989f3a29c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
44208a7738486bf56121c752df083658

SHA1
93665af04ce345174df47d7b39aac68327dd13a4

SHA256
85b8a6d64a66556f4501aaf120d699dba661841027d27becc6d7240dafb14138

SHA512
38680a4329da0ba501dd78a9005b3e8b54f1dec9fc8dbc08b969e70ebe480dc2444d3c4e66634b14e0e032573240524333e019e4b2c750d8dec1a9dd7b7632c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
f0f891d08e0e358327b323b38f3ffca2

SHA1
eb20f147c53f86c59603f5edbf60f936f768fb1b

SHA256
9c8461929b61e0fd269ce735d699e7e3b6c0159d3e2659f60d681290abf9eac5

SHA512
94e13c4d09ff35c2ded7fd2649b3542aade1414f05772e2034af7723f2622e662e8c0bb67e1eb288e230f8ae183d8f1296c2a134b7ae061a452fa3f7423d7694

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1417705c75240630943aaedd35a4b406

SHA1
74047910e023f6ab2ac5242c47147c1cb47a7d48

SHA256
76748b18c61fac93fe1c0587711e3ec0b306b2c92198f0b8b4f6bad8c6d9ba8f

SHA512
918987aa8e72b6875d0c1c53cc3521757eda25c746ae477fea545428be5da692fae60aac665dc15c3af89bad43e491a72d00302beb349f45e35e7c89217deea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
184a6a9df3526464a3a5f2dc1c21e55b

SHA1
33101ece94c15d733d985fc71ddb13ba4b70b9c7

SHA256
25bbdabc7b8d8edf5cd05b5591edca13236724cad1011393e010df3c58fd6f7e

SHA512
2c2162dbd2e36d81054feb064ea6850547dab270b95faa3dc878a11e47a9c0558ae2039cbb3bb3d1974c1582117d0f3022512a340241da5dbacfd5f94f713f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
dad955bbd1a073f1920bdacc7e9d4b32

SHA1
1ce733a4450d5426a78ef2bd1cdbe5d5ff958fd0

SHA256
fe368e5edf476436afea571faacf80d5d12a4b064d5736ee482b972eee82a64c

SHA512
294e838dc41f97afeecb90b58df5fd5449ff1582cb80185d7efe7cadf354ef9f0a1e374c50bca5f72f1859d88a832330caaa9d7a25e1da49195530f0ec26a06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
36a4f9af7c7d93c49c973da11475d81e

SHA1
8167f90ee36a9c24c53ce78bac9427b8dafdd5d5

SHA256
29656b4f4f985952c5edee8e66ad7901e47c3c5619965dddc9939c5ce5ab7d58

SHA512
92449c67dba558b54c71c88bbfee5a245078238642fdd5368b1d0f41439dfb62fa9292b4fe00162605dbe3d14c8847c3bde4f14c1f06f5271d6392c81278d74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
f6c3b0cd6c578f544e94d75d9c9ffaec

SHA1
1b4b1babda538e23cbf2bc458303d7ae70741347

SHA256
6e65f088e4ecb0cf8306766c59190ce3efbc8a190fcbb53572cc61e35d2787f1

SHA512
0dfcfe028970dd70653b3dfecac4ac5672a3b5c6aae0252ca54a1226e19c4cd2bad5b32eb6ff75765cf82cd82ad986d95aef6d12e3a4a291baf6615cb6e96356

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
6d8959da747b68298f6d8f81cf23c077

SHA1
e7c7b64ef5e5faa0da00430a81dd85765661649c

SHA256
1bc96d86e373fcb77e3d2e48440f0eafb7e42a88a5a82e0ace01967acf236d3b

SHA512
0838c8adcea9127bb1f39a70d07ac7bde0ea23c4fd8f418517aef72f590c3f644e9fd7a1a571231e7d47311e66cca1f71187337e634c1e3fdbf8e0d0016b112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd5fc38ed969ff4b3aca435c70eb2132

SHA1
becb1d7b94d4d99222cdd4c4c7472f0448c3a65c

SHA256
69e5f222dc622555c88e3bc4cfef42f64237728bd02d00c9281203e512ca77b2

SHA512
4680d5ff8d40bf58b6e1bd3a8bcef7caf9f0b652993faa22958d0315e259acf2177fe8e3e579065641bddd4bfc8eea34f47aca63ac8b07a56de7c952adeafd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
5f6c4318712ef0c644d39c088b660ebd

SHA1
44b166918cb8208bec51ff46ddbaa49cf023fbd1

SHA256
e4244f90307ab003cb5cc9bcd729ef897abcf26785df9277cbe389e328e0fe0b

SHA512
ad272ece4c4fd3f8362d8ff91d3c3e738e2df8281c319744d7d72792f203ac40cd0c4082550815690036320756b57ed8e51c9efb01ed4c2fe01138b98f9deba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
0ad8330a78941c63f4fed28440163005

SHA1
47a73d254ecd71273f71bfb67ca43dbd974d3791

SHA256
0dbe94bdfb49ba93ccd7db40323b824b4f1941cd340916d73ba2241a7d34fc1e

SHA512
bdfa386b2a5c3b31f29592e6c76e6e36a4489aeb2edb8d713d6dec99fbd3bb6cd97195fe81ab30bdfb2e26bbb57102c25961739734035c482227f40bad585a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
36cbafa7d455a21362af5153ff1c1367

SHA1
6842ed962111f40463d5b672d13542bca1909608

SHA256
48655a29504bcdb1a7f5c2b316f9cd71ab35ca521d2659df105f49c40b0f92f0

SHA512
e9deb4ba721524c633302028fb8ea0dd962e7e546016e0f145769648d3afd7f1a637ea47b520eae19af1f1d6ab11f11399d4c05c8206b8011140341c3ff3e488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
71a78ca51c03c4b0b464fb33f146b111

SHA1
5c2a992dd6349d728d993e5074273939896806b5

SHA256
550ea9556ba9197b25b7eb9d12ca9dd9ad0e820e4dba91f94dd54b57a2e6934f

SHA512
7a8907c9c364b9436bc20a70084410100ac7b95eb028571046f2c1854cd6431bac560d0f28f47cd93b7e096c4aab9349da186f4abd503d768af9651a93faab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
cfe9e3331815616f392ce1db58e01adc

SHA1
2f4ea14189ff21adb507fb09f3cbcf92c7ecde63

SHA256
341f489491f992bece2879fea3b660ff2dcd04a59bdb5f3998d58e5ac8ce3341

SHA512
33c6c3babfdc5b01118f411070983579b01711b3f67f9cbcddb861ec655c3989ab670b62422aabac382a4f953887f4cf5549a23feb0683d4c6eee8965bf030a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
c492ee40814b7586f554ec0223b14430

SHA1
b8a929929c8936cbe387000d7d0cef5ba04abfaf

SHA256
2b7fed76ba52606e442d5069f42077f0cf304e49326dddcf3695a06530c4b5c1

SHA512
2b7873ebdb1873e718754477fee55fde7b9de752b23648554198ff6b69042565c47cc8ddf25fa75e1fb9b9f6f8ac2b7d972594b8c038d3ac65a0c9dbdb26f882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
294e2caf335a8a68b64d5623d0cb5fd3

SHA1
93888112a512afa6107ca303a343ddea70271c77

SHA256
47aa51ad00153edd4f3dd42bf89da2325f9e0106e9772396c066666182b22d07

SHA512
d2fc964a6523d15a5d471b1409d65e2278ae8b97279705c37a3e00afcf6d8d7671bfd174d59a7f36aace21c0caef9c01645e919ff2fa26cc32abc774c769cd2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\sqlite3.dll

Filesize
1.5MB

MD5
7e632f3263d5049b14f5edc9e7b8d356

SHA1
92c5b5f96f1cba82d73a8f013cbaf125cd0898b8

SHA256
66771fbd64e2d3b8514dd0cd319a04ca86ce2926a70f7482ddec64049e21be38

SHA512
ca1cc67d3eb63bca3ce59ef34becce48042d7f93b807ffcd4155e4c4997dc8b39919ae52ab4e5897ae4dbcb47592c4086fac690092caa7aa8d3061fba7fe04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12842\ucrtbase.dll

Filesize
1011KB

MD5
7e39d82adf5da0b51a968c764e0e15c1

SHA1
79e75ccde95798f21a34e5650b29dbebe79c1b43

SHA256
d67926328a72816d2944d7c88df6ff4bfccd41a9ce39af0309a0639829d0e7fb

SHA512
1c58d53c40535f80f482a5f406ef5bf9c2f963b9db5969c37ef47b0c59522a1a9bde3f3589538a7ae7d99d567a43170b384761e572c740010feb86894ce7322a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y43ob5ue.lkp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1272-73-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/1272-5-0x0000000000850000-0x0000000000859000-memory.dmp

Filesize
36KB

Download
memory/1576-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2328-17-0x000002C745BF0000-0x000002C745C12000-memory.dmp

Filesize
136KB

Download
memory/4744-101-0x00000000007B0000-0x00000000007B9000-memory.dmp

Filesize
36KB

Download
memory/4744-56-0x00000000007B0000-0x00000000007B9000-memory.dmp

Filesize
36KB

Download
memory/4808-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4808-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download