xworm | 8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe
Size

8.4MB
MD5

606521d55f5758265083588d0943dfe9
SHA1

009dbfdbf2f41087f41d677024f9710e6a60c2c7
SHA256

8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801
SHA512

4758d7a384d916cef8a5bf4e83290ab0be7f486ac191c35d0f9caa1be9173dfdb530dd023fef4f3896160af8d5d914074669669abfbc8926e9e4d28a22076ff9
SSDEEP

196608:I3eDL8u4LhYeeorukYMmaIbzeMs2V6d+9of9NMj:oKUOpCulMmFXkdvf9+

Score

10^/10

xworm discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

109.206.246.102:3387

Mutex

5dZEpmVHmiVKYX3w

Attributes

Install_directory
%AppData%
install_file
骇客开发.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000700000001211a-5.dat	family_xworm
behavioral1/memory/1648-7-0x0000000000980000-0x00000000009B0000-memory.dmp	family_xworm
behavioral1/memory/1752-1068-0x0000000000800000-0x0000000000830000-memory.dmp	family_xworm
behavioral1/memory/2548-1071-0x00000000002D0000-0x0000000000300000-memory.dmp	family_xworm
behavioral1/memory/292-1072-0x00000000011E0000-0x0000000001210000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe
1524	powershell.exe
672	powershell.exe
2008	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1648	美国100.exe
2344	luanma.exe
1852	luanma.exe
1752	骇客开发.exe
2548	骇客开发.exe
292	骇客开发.exe

Loads dropped DLL 22 IoCs

pid	Process
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe
1852	luanma.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\骇客开发 = "C:\\Users\\Admin\\AppData\\Roaming\\骇客开发.exe"	美国100.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000016cd1-12.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luanma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luanma.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1648	美国100.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1560	powershell.exe
1524	powershell.exe
672	powershell.exe
2008	powershell.exe
1648	美国100.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	美国100.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1752	骇客开发.exe
Token: SeDebugPrivilege	2548	骇客开发.exe
Token: SeDebugPrivilege	292	骇客开发.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1648	美国100.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1648	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	28
PID 2904 wrote to memory of 1648	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	28
PID 2904 wrote to memory of 1648	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	28
PID 2904 wrote to memory of 2344	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	29
PID 2904 wrote to memory of 2344	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	29
PID 2904 wrote to memory of 2344	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	29
PID 2904 wrote to memory of 2344	2904	8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe	29
PID 2344 wrote to memory of 1852	2344	luanma.exe	30
PID 2344 wrote to memory of 1852	2344	luanma.exe	30
PID 2344 wrote to memory of 1852	2344	luanma.exe	30
PID 2344 wrote to memory of 1852	2344	luanma.exe	30
PID 1648 wrote to memory of 1560	1648	美国100.exe	31
PID 1648 wrote to memory of 1560	1648	美国100.exe	31
PID 1648 wrote to memory of 1560	1648	美国100.exe	31
PID 1648 wrote to memory of 1524	1648	美国100.exe	33
PID 1648 wrote to memory of 1524	1648	美国100.exe	33
PID 1648 wrote to memory of 1524	1648	美国100.exe	33
PID 1648 wrote to memory of 672	1648	美国100.exe	35
PID 1648 wrote to memory of 672	1648	美国100.exe	35
PID 1648 wrote to memory of 672	1648	美国100.exe	35
PID 1648 wrote to memory of 2008	1648	美国100.exe	37
PID 1648 wrote to memory of 2008	1648	美国100.exe	37
PID 1648 wrote to memory of 2008	1648	美国100.exe	37
PID 1648 wrote to memory of 880	1648	美国100.exe	39
PID 1648 wrote to memory of 880	1648	美国100.exe	39
PID 1648 wrote to memory of 880	1648	美国100.exe	39
PID 2796 wrote to memory of 1752	2796	taskeng.exe	43
PID 2796 wrote to memory of 1752	2796	taskeng.exe	43
PID 2796 wrote to memory of 1752	2796	taskeng.exe	43
PID 2796 wrote to memory of 2548	2796	taskeng.exe	46
PID 2796 wrote to memory of 2548	2796	taskeng.exe	46
PID 2796 wrote to memory of 2548	2796	taskeng.exe	46
PID 2796 wrote to memory of 292	2796	taskeng.exe	47
PID 2796 wrote to memory of 292	2796	taskeng.exe	47
PID 2796 wrote to memory of 292	2796	taskeng.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe
"C:\Users\Admin\AppData\Local\Temp\8c2ab35065a3333cd09bbdc83f6fa6415a132e3ba20d7997613dd96652f0e801.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Roaming\美国100.exe
  "C:\Users\Admin\AppData\Roaming\美国100.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\美国100.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '美国100.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\骇客开发.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '骇客开发.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "骇客开发" /tr "C:\Users\Admin\AppData\Roaming\骇客开发.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:880
- C:\Users\Admin\AppData\Roaming\luanma.exe
  "C:\Users\Admin\AppData\Roaming\luanma.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\luanma.exe
    "C:\Users\Admin\AppData\Roaming\luanma.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {D979CF52-7A07-4F29-B322-079ED1567723} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\骇客开发.exe
  C:\Users\Admin\AppData\Roaming\骇客开发.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Users\Admin\AppData\Roaming\骇客开发.exe
  C:\Users\Admin\AppData\Roaming\骇客开发.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Roaming\骇客开发.exe
  C:\Users\Admin\AppData\Roaming\骇客开发.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23442\VCRUNTIME140.dll

Filesize
74KB

MD5
e4ca3dce43b1184bb18ff01f3a0f1a40

SHA1
604611d559ca41e73b12c362de6acf84db9aee43

SHA256
0778c7e17016895bb6962a9774acc5568afa1a50ba309b7d9726c89dad70bdbf

SHA512
137c884afa1b0b731bbd523abb47b83f31487a6ca051487292bc2a9eb7f103a0d3974fa743014018bd564be957210bdcd62c822f4ffb6441aee23b444c23e812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\_tkinter.pyd

Filesize
60KB

MD5
bf79e6c7448dffec25a0fbab65c72a50

SHA1
c021bab17aef993b751ba85f9832e1505773fff1

SHA256
9a127aabd1135b970365894ad64227c31cb4146906385bf61fec8bc4c9adacaa

SHA512
3e3d8d3071cb298372af3157b37090a778571f0d5c6efb2cb3f9de950dfd339754e2ad56dd24a5138597e07be42cb77d865cc0d7dd745c50933e4c7a16367c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
395d39f6ec3e09c5194899434150cdf7

SHA1
abd262b486e1adc39b40dbfe012a551c732dfd69

SHA256
ecc40b2c80300b94615b450d5a97ed15ce51aa929c73da22c906ab01856f8223

SHA512
0f55725eb8609ae52c45ff7e255c3e23bff0b9e049f2f37cb4fc12841ad9f5ed8264307961cbd27031997c29ce04677b646f9c859fc629b25186ec52f735ba36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
f2cd3227975bd33ae08e34221d223ca6

SHA1
26b19fd814ea86825244e7a7cf82e7eddc189895

SHA256
f88209bb4993bfbcfc9727d101a4f1ecf84649ca5fd15b264faac11daf19ac7f

SHA512
690408ba6d88ad97334a8f9012c5db5c4d46d70cd9519f1d8e9131d1044805dce992d89167ef12d0192f4e5ab079722b88700df9601c05674267fc4f8d5486e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
b178f49844a5168d29d5cce20a6303e3

SHA1
29dd5bd890addbba1d8a9aeacb68716f8208da73

SHA256
9358400795afcc41f5e748e20b139cfbb1ac976b3e460597b0b21893d647276d

SHA512
b65308d482342291069314e9f99964c3479ea41579db17d3cbe3888318bb7605ee67c11a40f14609665a419f44a61809513bddb8b3657b24a4bac16bb274664f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
da1c671169dd183afca9ac76f46fd86e

SHA1
47a1bd0c45d5b87351870b8dd2122da30638ec83

SHA256
e5c2478571ab260776b547579acd847bdecac9b4b9b4590d4ac7c80135c68930

SHA512
5e6eb5525a77ac63bbae2288fecfd5712aff5c194e55d93239ae6171b8602de9d029ca725f15efb03890dff57a34c07435687e87a20839d614cc9c90fdf06f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
c54a336fdc425291b1d972f6fbaca6c7

SHA1
ea3872c198f3f41e41dcc42cf92aabbc6540579d

SHA256
8d1f5410f8b4326876410b45fcdcabb96bea4941f71ea5b11cb6dae80e6bdd49

SHA512
abe7694493ce2e367582be1155fb5100a7840e67eb1f646dbd5360a47b430ec03634a3f1a940a8a5f555d96da0fdab66a4a2de544b847234e38b588cf597e0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
6486f7508afd3ea4791ccd434c5ee39c

SHA1
071ff44f4a625ff5b0ac601efc8210648d5309bc

SHA256
82c4085866e4293759d9c9a5fed599f3fbff3abfa15f6c6ff0a8a82600592e37

SHA512
fe9d16bb25942f5b08509cdfae37c2a2846e2798142c9749b4965d244bccd65b7d7e5e6c82d73489c2c858d7313ee3f2543d3bbc4148646385ffaeb14f9b159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
e1c852f7771c28cea12da3084345b9a5

SHA1
5413f005fce127893c547927a4c7324ad07f1ad4

SHA256
f1634bfc7d08c588e85b6b6745084dd1b59bd5ece9fb2817243eb3b877601fdb

SHA512
46b457b05168ca2ba4efbbe4fdf3dd094c955a6494e3275508a0f98153d6432263d8cff8a07c557c713ed3005db905279581f4302398f05687655c0639d75995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
c4d92c5ccf85f577b213b8f93f7db782

SHA1
94958c96a31b716c2a1d3d4f08739d7e95e100fa

SHA256
86fc8c1ed25712db755c21d3d61e597a115d5750261de443ee55a2f8d10ee640

SHA512
3a16f9f9c9def96c090286181b9a6affc8670a1781db7f57c1bfd4ee97ea9e159bc406c561f9e05bea60de41699b5539a36abcdcdffd3a9fb5aef14c9e19b200

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
c3aa45f69ceeedae8799c3c71ce4d64b

SHA1
92b24bedb8782f7b4baa73679b7f43e39dcf3b09

SHA256
4e756b8ab0e0047c838a29bc809e68945e9c10a4d054f33ee3ebd9b79546a23b

SHA512
4249079f1c4fe4b25361b73442ddd60c12651dfe5190b928a8fd97c78ca09f017420c78f714b90d043e11e17b075667617a7f9a9cf0fa8f0342e5f11cb8c2dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
8f1bf32b70d388ec06393d04e16eec0a

SHA1
7b2dafe0e97d192e51d7c4bf0c7ab61319740d9e

SHA256
33f5a6d56bee34de3866587fabc5be9040d30d69638b53d0301028f113ed2613

SHA512
a03f9673861f6e42461e102f7ca6d11aac9c23648930fe5f7f6eaffc9bff19aee4ee005d20c272bf6a733ad1030ebf197bf3116ac3b055bba5621188f3f3f6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
c723f17218f1c0ce46c69b76783bc15a

SHA1
bc0f24d817a8641069a1f92a09ba47bd6618c46f

SHA256
6c38011a0bcf7d46fb2262029466d8fd731cf9ed9d10062c55894df68adfaa22

SHA512
135ee4afcf04793e4141c1a75f28b152a8819d3411d3221670ea160a6a9b6802128528e023cca01f6425dae1dffeccae335f7c4f0e49d04a4d7249995a0731d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
da9cb6b2a96ca5f3d8ef55ef2f7165ba

SHA1
eccc29dc737032ac602bdb6da1561064dc2aec49

SHA256
057991c1da75cefbe544992d78db72ba476f6861819055aa011875abea3195cc

SHA512
580ed6a8b779b4be7380f159f2cb22b729fe6f6c30e01cd824ef34873816ac9aa4b20c62d4c611aae9e229804407e181f89b146089cabae3e1e86dbf8480ea48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
5e7bdf944b1c9a987665156393680e01

SHA1
4bb997c4ecc09a76b38005431bbdf5a69b0e8aec

SHA256
daf29d2df289a7794f7e52ad2cf3644f7fdff36efe54e9771cc1a5c7467c93ae

SHA512
22af27df1d05f037e1363a4ae4dd3bd23dff82ff257d6f72acc6bd087f6f8085d2f68b35f68ea37143ec50a14fe15628ad25514a291e5c12b57dcba5a1667cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
e27ce56b6565c66171f7fa29b240cf98

SHA1
1c1ae84e7d9d68674f3ca156dbba675dc913b5cd

SHA256
58e11bcc6ce7a7a2cad717340b7e3e31ab017e8c242b7c72cea19a2ba0c664ac

SHA512
afb75f8e8ccc8d790aa32a9a5f821532d4128fb291721b5ac0bc09a542da954cd9e32a47099bc243cdb2471528337686f3f4888ea0f1d3d4605445271121734b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
ad41d7793e8e931d6edb8fe72d70c190

SHA1
750fdf2dcc52d40be1ac6764bbd96f5ddab6ba20

SHA256
df4524b35b88023f7bc4c8741776e1b4f933fe5ebf241e1ed5230fd10205b133

SHA512
f7e81989944f15cf2e590b54bc53b934683f31f0aceb672541c1138b7654d63cc3703369c39be3ccbc49232f7ffaaf9f51fdcbbe30d77f6238e671261fcf84b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
371dfcd9218a52fa7a4cf2b187926b47

SHA1
a7e0726383e4caffaa8b7ae87248f5ae5a62ab7e

SHA256
7043b82592d65977d920579a2bcf695d1321515e4733ee9881cdf65ee5dc7818

SHA512
faa3e4cc6a4db7c976d1c14877f3557cafeb83547ba1a3965a292af75731307552ee0e4c3de81c59239e1d5b9ba705cc4faaf4b845232f6e33457de2d5128559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\base_library.zip

Filesize
1007KB

MD5
be3794d99fdfb84f1aa6054b2e54d6bf

SHA1
a28a9fe5f482340af478a42dcf344922d7a4576a

SHA256
824ad8d8766f081554d2ef2b4aab59eadd5d099c1b2c451a43e3d628319c7f91

SHA512
3705fdc6b86fcfc09ae170a25fe75a6cc09c2417d083550f665192c45e6549335a632ac827cd32e15978a8adf833167353b7cb460b0bac3b0ffea3c13c89ff93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\python38.dll

Filesize
3.9MB

MD5
2b5f50cc676c7fe476062064155da697

SHA1
d04fe5c342549e83bceb15294f029382946ba3c8

SHA256
59db58d5a51d258ee980298fd429f40bf373a0ba81c5e0625925fc7a46c809a7

SHA512
1d98e097cb054fd9428b4ffa6241eeed87bc160b0968c5eecffc5288ec88df8d3632d77c759a0919bfddf50ca989d4c542361dcccfa669b6ea30f2211707947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl86t.dll

Filesize
1.3MB

MD5
30195aa599dd12ac2567de0815ade5e6

SHA1
aa2597d43c64554156ae7cdb362c284ec19668a7

SHA256
e79443e9413ba9a4442ca7db8ee91a920e61ac2fb55be10a6ab9a9c81f646dbb

SHA512
2373b31d15b39ba950c5dea4505c3eaa2952363d3a9bd7ae84e5ea38245320be8f862dba9e9ad32f6b5a1436b353b3fb07e684b7695724a01b30f5ac7ba56e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl8\8.5\msgcat-1.6.1.tm

Filesize
33KB

MD5
db52847c625ea3290f81238595a915cd

SHA1
45a4ed9b74965e399430290bcdcd64aca5d29159

SHA256
4fdf70fdcedef97aa8bd82a02669b066b5dfe7630c92494a130fc7c627b52b55

SHA512
5a8fb4ada7b2efbf1cadd10dbe4dc7ea7acd101cb8fd0b80dad42be3ed8804fc8695c53e6aeec088c2d4c3ee01af97d148b836289da6e4f9ee14432b923c7e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\auto.tcl

Filesize
20KB

MD5
5e9b3e874f8fbeaadef3a004a1b291b5

SHA1
b356286005efb4a3a46a1fdd53e4fcdc406569d0

SHA256
f385515658832feb75ee4dce5bd53f7f67f2629077b7d049b86a730a49bd0840

SHA512
482c555a0da2e635fa6838a40377eef547746b2907f53d77e9ffce8063c1a24322d8faa3421fc8d12fdcaff831b517a65dafb1cea6f5ea010bdc18a441b38790

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
5900f51fd8b5ff75e65594eb7dd50533

SHA1
2e21300e0bc8a847d0423671b08d3c65761ee172

SHA256
14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0

SHA512
ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\http1.0\pkgIndex.tcl

Filesize
735B

MD5
10ec7cd64ca949099c818646b6fae31c

SHA1
6001a58a0701dff225e2510a4aaee6489a537657

SHA256
420c4b3088c9dacd21bc348011cac61d7cb283b9bee78ae72eed764ab094651c

SHA512
34a0acb689e430ed2903d8a903d531a3d734cb37733ef13c5d243cb9f59c020a3856aad98726e10ad7f4d67619a3af1018f6c3e53a6e073e39bd31d088efd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\init.tcl

Filesize
23KB

MD5
b900811a252be90c693e5e7ae365869d

SHA1
345752c46f7e8e67dadef7f6fd514bed4b708fc5

SHA256
bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a

SHA512
36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\opt0.4\pkgIndex.tcl

Filesize
607B

MD5
92ff1e42cfc5fecce95068fc38d995b3

SHA1
b2e71842f14d5422a9093115d52f19bcca1bf881

SHA256
eb9925a8f0fcc7c2a1113968ab0537180e10c9187b139c8371adf821c7b56718

SHA512
608d436395d055c5449a53208f3869b8793df267b8476ad31bcdd9659a222797814832720c495d938e34bf7d253ffc3f01a73cc0399c0dfb9c85d2789c7f11c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\package.tcl

Filesize
22KB

MD5
55e2db5dcf8d49f8cd5b7d64fea640c7

SHA1
8fdc28822b0cc08fa3569a14a8c96edca03bfbbd

SHA256
47b6af117199b1511f6103ec966a58e2fd41f0aba775c44692b2069f6ed10bad

SHA512
824c210106de7eae57a480e3f6e3a5c8fb8ac4bbf0a0a386d576d3eb2a3ac849bdfe638428184056da9e81767e2b63eff8e18068a1cf5149c9f8a018f817d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\tclIndex

Filesize
5KB

MD5
e127196e9174b429cc09c040158f6aab

SHA1
ff850f5d1bd8efc1a8cb765fe8221330f0c6c699

SHA256
abf7d9d1e86de931096c21820bfa4fd70db1f55005d2db4aa674d86200867806

SHA512
c4b98ebc65e25df41e6b9a93e16e608cf309fa0ae712578ee4974d84f7f33bcf2a6ed7626e88a343350e13da0c5c1a88e24a87fcbd44f7da5983bb3ef036a162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tcl\tm.tcl

Filesize
11KB

MD5
f9ed2096eea0f998c6701db8309f95a6

SHA1
bcdb4f7e3db3e2d78d25ed4e9231297465b45db8

SHA256
6437bd7040206d3f2db734fa482b6e79c68bcc950fba80c544c7f390ba158f9b

SHA512
e4fb8f28dc72ea913f79cedf5776788a0310608236d6607adc441e7f3036d589fd2b31c446c187ef5827fd37dcaa26d9e94d802513e3bf3300e94dd939695b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk86t.dll

Filesize
1.1MB

MD5
6cadec733f5be72697d7112860a0905b

SHA1
6a6beeef3b1bb7c85c63f4a3410e673fce73f50d

SHA256
19f70dc79994e46d3e1ef6be352f5933866de5736d761faa8839204136916b3f

SHA512
e6b3e52968c79d4bd700652c1f2ebd0366b492fcda4e05fc8b198791d1169b20f89b85ec69cefa7e099d06a78bf77ff9c3274905667f0c94071f47bafad46d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk\button.tcl

Filesize
20KB

MD5
309ab5b70f664648774453bccbe5d3ce

SHA1
51bf685dedd21de3786fe97bc674ab85f34bd061

SHA256
0d95949cfacf0df135a851f7330acc9480b965dac7361151ac67a6c667c6276d

SHA512
d5139752bd7175747a5c912761916efb63b3c193dd133ad25d020a28883a1dea6b04310b751f5fcbe579f392a8f5f18ae556116283b3e137b4ea11a2c536ec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk\entry.tcl

Filesize
16KB

MD5
be28d16510ee78ecc048b2446ee9a11a

SHA1
4829d6e8ab8a283209fb4738134b03b7bd768bad

SHA256
8f57a23c5190b50fad00bdee9430a615ebebfc47843e702374ae21beb2ad8b06

SHA512
f56af7020531249bc26d88b977baffc612b6566146730a681a798ff40be9ebc04d7f80729bafe0b9d4fac5b0582b76f9530f3fe376d42a738c9bc4b3b442df1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk\icons.tcl

Filesize
10KB

MD5
2652aad862e8fe06a4eedfb521e42b75

SHA1
ed22459ad3d192ab05a01a25af07247b89dc6440

SHA256
a78388d68600331d06bb14a4289bc1a46295f48cec31ceff5ae783846ea4d161

SHA512
6ecfbb8d136444a5c0dbbce2d8a4206f1558bdd95f111d3587b095904769ac10782a9ea125d85033ad6532edf3190e86e255ac0c0c81dc314e02d95cca86b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk\pkgIndex.tcl

Filesize
363B

MD5
a6448af2c8fafc9a4f42eaca6bf6ab2e

SHA1
0b295b46b6df906e89f40a907022068bc6219302

SHA256
cd44ee7f76c37c0c522bd0cfca41c38cdeddc74392b2191a3af1a63d9d18888e

SHA512
5b1a8ca5b09b7281de55460d21d5195c4ee086bebdc35fa561001181490669ffc67d261f99eaa900467fe97e980eb733c5ffbf9d8c541ede18992bf4a435c749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\tk\tk.tcl

Filesize
22KB

MD5
3250ec5b2efe5bbe4d3ec271f94e5359

SHA1
6a0fe910041c8df4f3cdc19871813792e8cc4e4c

SHA256
e1067a0668debb2d8e8ec3b7bc1aec3723627649832b20333f9369f28e4dfdbf

SHA512
f8e403f3d59d44333bce2aa7917e6d8115bec0fe5ae9a1306f215018b05056467643b7aa228154ddced176072bc903dfb556cb2638f5c55c1285c376079e8fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23442\ucrtbase.dll

Filesize
1.1MB

MD5
d4cf3fd5e8ee95431cfea69fa84ae57d

SHA1
80f5188570001e4fd5fdad9cbf38479dd4edd255

SHA256
71358d729b01bdf38dbe5440705ea68ea9225f93c834f45c5687b0ea2b417c4e

SHA512
a30488c43ca41ed36ee2917fe8e7a5280e0565859f719a1f709b13c18c3398f323c8ef24608e8f696214d9fe882c32b1a8686800490ca781196810220b30d43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RRJ2B48V9VPJBSV32OQE.temp

Filesize
7KB

MD5
d9de81cac0ace8d16d6bc6e7b642216b

SHA1
0d133961b9c64a27d7edc4bc7028028c89c032d7

SHA256
91631919a1aa6a88109a0f71839e953b291559c28ee0e4ee9b75a4fd215a1cb0

SHA512
87cea5ed5c437576a53c3fef56a6ceb59b43c470f3b943bf17cd3e02ca40d8729994ee70049b791bcf799c4c89a881cc89279859094f41b8dc504deb14498fcd

Download Submit
C:\Users\Admin\AppData\Roaming\luanma.exe

Filesize
7.9MB

MD5
23bc8b4f550b07ef97d37d76e4881e92

SHA1
b9149f8253c5eb756df9c5fc9c1d0c0596fda44e

SHA256
6dbee566923f41af9b6f15066c8a4123b8dcd77b08bd09352fbef102f87b9cb7

SHA512
d2c66c5fb40d2a81352b26e90234bfb202af2b13d7818ea6cfcbaecce9f4404fe038b8f4bffb093dde11d3bd290e29ac42d062b1f576ddd00e2ac6a405c6c9de

Download Submit
C:\Users\Admin\AppData\Roaming\美国100.exe

Filesize
171KB

MD5
0687a9de4300cfc94bf1bc37a1722fb0

SHA1
d671eeaf53fbbb98c9b3a105184ba017d3575ae0

SHA256
13aa75d6ae60f6ad11570474ace43123ed0bf7855d779327dda6764902230dfa

SHA512
c203ffac669201a0d8575fedd5ed30bb3768a66c256afd129fd6c7482423d33f3f5e5b8ad1a5e0c3670eb10bbc330fd517ce8d5afa9e4ac21cdf682df887f136

Download Submit
memory/292-1072-0x00000000011E0000-0x0000000001210000-memory.dmp

Filesize
192KB

Download
memory/1524-1055-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1524-1056-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1560-1049-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1560-1050-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1648-7-0x0000000000980000-0x00000000009B0000-memory.dmp

Filesize
192KB

Download
memory/1648-308-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1648-1066-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1648-1069-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1648-1070-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/1752-1068-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/2548-1071-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/2904-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x0000000000020000-0x0000000000888000-memory.dmp

Filesize
8.4MB

Download