eff920ad73b1bd4d2def6b79a52c4fe0f449902044c8efbbdf65afbdf93ef410

Analysis

max time kernel
70s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR Pro 2024 - Full Active.exe
Size

68.0MB
MD5

cb99bf277bf6e71fb3edf8a199f7adc5
SHA1

a6078f9bf44068575038e69e92f0909e3bf7d865
SHA256

651a4891b463ac1de513bf3d72375e7dc65edf276f02b10276474df11dae1dca
SHA512

495cb91b49fcd517b425e59e6289440941e4b105041c26f691257f469b6477f4d97356d07f01b455fb0423da909f6dc7b002843a40f95267c8308245b05a9fd6
SSDEEP

393216:rgCu0Q3uHpM43Gftr3YXekHkY8WY/wsp6AeSrpXZx4CwWcr+LLHizaCuzLzKoenv:0rb1NrPJzW8DKLtElx7hEjV5P7h5

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2168	powershell.exe
2976	powershell.exe
2168	powershell.exe
2976	powershell.exe
2608	powershell.exe
1392	powershell.exe
3044	powershell.exe

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral3/files/0x000400000001cd2c-440.dat	patched_upx

Executes dropped EXE 4 IoCs

pid	Process
1480	e7za.exe
1636	php.exe
2824	rhc.exe
2916	php.exe

Loads dropped DLL 34 IoCs

pid	Process
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
1636	php.exe
2156	Process not Found
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe
2916	php.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2728	WMIC.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2168	powershell.exe
2168	powershell.exe
2168	powershell.exe
2976	powershell.exe
2608	powershell.exe
1392	powershell.exe
3044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe
Token: 34	2728	WMIC.exe
Token: 35	2728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe
Token: 34	2728	WMIC.exe
Token: 35	2728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2168	WMIC.exe
Token: SeSecurityPrivilege	2168	WMIC.exe
Token: SeTakeOwnershipPrivilege	2168	WMIC.exe
Token: SeLoadDriverPrivilege	2168	WMIC.exe
Token: SeSystemProfilePrivilege	2168	WMIC.exe
Token: SeSystemtimePrivilege	2168	WMIC.exe
Token: SeProfSingleProcessPrivilege	2168	WMIC.exe
Token: SeIncBasePriorityPrivilege	2168	WMIC.exe
Token: SeCreatePagefilePrivilege	2168	WMIC.exe
Token: SeBackupPrivilege	2168	WMIC.exe
Token: SeRestorePrivilege	2168	WMIC.exe
Token: SeShutdownPrivilege	2168	WMIC.exe
Token: SeDebugPrivilege	2168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2168	WMIC.exe
Token: SeRemoteShutdownPrivilege	2168	WMIC.exe
Token: SeUndockPrivilege	2168	WMIC.exe
Token: SeManageVolumePrivilege	2168	WMIC.exe
Token: 33	2168	WMIC.exe
Token: 34	2168	WMIC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2692	552	WinRAR Pro 2024 - Full Active.exe	30
PID 552 wrote to memory of 2692	552	WinRAR Pro 2024 - Full Active.exe	30
PID 552 wrote to memory of 2692	552	WinRAR Pro 2024 - Full Active.exe	30
PID 552 wrote to memory of 2168	552	WinRAR Pro 2024 - Full Active.exe	31
PID 552 wrote to memory of 2168	552	WinRAR Pro 2024 - Full Active.exe	31
PID 552 wrote to memory of 2168	552	WinRAR Pro 2024 - Full Active.exe	31
PID 552 wrote to memory of 2736	552	WinRAR Pro 2024 - Full Active.exe	33
PID 552 wrote to memory of 2736	552	WinRAR Pro 2024 - Full Active.exe	33
PID 552 wrote to memory of 2736	552	WinRAR Pro 2024 - Full Active.exe	33
PID 2168 wrote to memory of 2976	2168	powershell.exe	34
PID 2168 wrote to memory of 2976	2168	powershell.exe	34
PID 2168 wrote to memory of 2976	2168	powershell.exe	34
PID 552 wrote to memory of 2608	552	WinRAR Pro 2024 - Full Active.exe	36
PID 552 wrote to memory of 2608	552	WinRAR Pro 2024 - Full Active.exe	36
PID 552 wrote to memory of 2608	552	WinRAR Pro 2024 - Full Active.exe	36
PID 2608 wrote to memory of 1480	2608	powershell.exe	38
PID 2608 wrote to memory of 1480	2608	powershell.exe	38
PID 2608 wrote to memory of 1480	2608	powershell.exe	38
PID 2608 wrote to memory of 1480	2608	powershell.exe	38
PID 552 wrote to memory of 1392	552	WinRAR Pro 2024 - Full Active.exe	39
PID 552 wrote to memory of 1392	552	WinRAR Pro 2024 - Full Active.exe	39
PID 552 wrote to memory of 1392	552	WinRAR Pro 2024 - Full Active.exe	39
PID 1392 wrote to memory of 1636	1392	powershell.exe	41
PID 1392 wrote to memory of 1636	1392	powershell.exe	41
PID 1392 wrote to memory of 1636	1392	powershell.exe	41
PID 1636 wrote to memory of 1156	1636	php.exe	42
PID 1636 wrote to memory of 1156	1636	php.exe	42
PID 1636 wrote to memory of 1156	1636	php.exe	42
PID 1156 wrote to memory of 3044	1156	cmd.exe	43
PID 1156 wrote to memory of 3044	1156	cmd.exe	43
PID 1156 wrote to memory of 3044	1156	cmd.exe	43
PID 552 wrote to memory of 1080	552	WinRAR Pro 2024 - Full Active.exe	44
PID 552 wrote to memory of 1080	552	WinRAR Pro 2024 - Full Active.exe	44
PID 552 wrote to memory of 1080	552	WinRAR Pro 2024 - Full Active.exe	44
PID 2516 wrote to memory of 2824	2516	taskeng.exe	47
PID 2516 wrote to memory of 2824	2516	taskeng.exe	47
PID 2516 wrote to memory of 2824	2516	taskeng.exe	47
PID 2516 wrote to memory of 2824	2516	taskeng.exe	47
PID 2824 wrote to memory of 2916	2824	rhc.exe	48
PID 2824 wrote to memory of 2916	2824	rhc.exe	48
PID 2824 wrote to memory of 2916	2824	rhc.exe	48
PID 2824 wrote to memory of 2916	2824	rhc.exe	48
PID 2916 wrote to memory of 1084	2916	php.exe	50
PID 2916 wrote to memory of 1084	2916	php.exe	50
PID 2916 wrote to memory of 1084	2916	php.exe	50
PID 1084 wrote to memory of 2728	1084	cmd.exe	51
PID 1084 wrote to memory of 2728	1084	cmd.exe	51
PID 1084 wrote to memory of 2728	1084	cmd.exe	51
PID 2916 wrote to memory of 1704	2916	php.exe	53
PID 2916 wrote to memory of 1704	2916	php.exe	53
PID 2916 wrote to memory of 1704	2916	php.exe	53
PID 1704 wrote to memory of 2168	1704	cmd.exe	54
PID 1704 wrote to memory of 2168	1704	cmd.exe	54
PID 1704 wrote to memory of 2168	1704	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6D495AFD9945164F6EC8E48E9D8CEF12 --mojo-platform-channel-handle=900 /prefetch:2
  2⤵
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Start-Process powershell -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath \"\"\"C:\Users\Admin\AppData\Local\"\"\";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath """C:\Users\Admin\AppData\Local""";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --service-request-channel-token=807C08A6E5597A4BEF6ECC7C5A068B37 --mojo-platform-channel-handle=872 /prefetch:2
  2⤵
  PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe' x plendix -p\"zkT5QjZ7w8I0A9m6yK2p\" -aoa"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe" x plendix -p"zkT5QjZ7w8I0A9m6yK2p" -aoa
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\php.exe' include.php"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Sredmiker\php.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\php.exe" include.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "PowerShell -executionpolicy bypass -File time.ps1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -executionpolicy bypass -File time.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=renderer --no-sandbox --enable-features=FixAltGraph --service-pipe-token=F3907C226F3BE6E579A6D5C62D5B5DD8 --lang --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=false --webview-tag=false --no-sandbox --context-isolation --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=F3907C226F3BE6E579A6D5C62D5B5DD8 --renderer-client-id=5 --mojo-platform-channel-handle=1220 /prefetch:1
  2⤵
  PID:1080

C:\Windows\system32\taskeng.exe
taskeng.exe {83B4C739-266C-4B1C-8F19-E775125E00ED} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe
  C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe php.exe index.php
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Sredmiker\php.exe
    php.exe index.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c "wmic CPU get NAME"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CPU get NAME
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sredmiker\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_com_dotnet.DLL

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\include.php

Filesize
8KB

MD5
9c8c85f8bb6826f431482fafd4da5a0a

SHA1
a94eec82fe6ff920af74611b621e47a57b7a9752

SHA256
09cf3947fc35ea136dfc1ec121fb0da9732d2c632b14f01be43164f30441ff7b

SHA512
8f109928c01f88a3b9b7040ef698efb345945a4bcc5b57d7ad1c40dfc9b902947d20f0b8d2f0d8626cd31f209f72840db9a06c446cc0c3f7dc64f1ebcc9608f4

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.ini

Filesize
70KB

MD5
5fa10fbd9cdcdefa94e497a4b2d2b813

SHA1
2b278a10e9967b9076a027e69f910bf215f2a035

SHA256
e9796c19589b948b7fdd5f300e055c0bbbafbfbabbb36b109d13e185fec0e4ed

SHA512
c6664f68bff8009a0b75d2c1b440d00141ffe903a6fc6c0782bfa9a96cf74d0dbc5e6b52727afb0953e2a74c558001fb56b8fd4386fd562c027bd4aa913f510c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\plendix

Filesize
9.8MB

MD5
f890cab9cf204e2af5b422ed0d19c9b5

SHA1
fc1bb3df77d13af3fde9d1b2c5f29c6397611a31

SHA256
5820c778afb230843fc3d5c867b20da9beebe9debcc02ddb4690f8d80924a9ce

SHA512
1dba2f45c8308ac69e85d57ba01c2e6ea67f1d758ee1ca010a795f518a9932a79ebb03cf8ba6af59d33ceeb92d399dc39831c0bd6df1ff9d0a273866a5ca5014

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe

Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\time.ps1

Filesize
38B

MD5
c9f2ae7f3ca095206938e20163027e1f

SHA1
2e3c1978f5c683b7d025ff237adb6da0d812ab23

SHA256
5a7767a230d5d86b37818702585ac4316fdc3a35b8c579e2cdd2aed933d2487f

SHA512
0cf7eb83fd484dab1e1b3484e9db0695c1fbf6840293f77e08fe8baa6d86810f0dce9df49aa2d71bb08196a18e0186de63bec7578ab69a444039af068276d08c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
737aaa1fede8eb13fa92ec93895990de

SHA1
33cadb4a69ff6c6ff5bb6bc959ad7b462b0e42d8

SHA256
85497b1e4c601198e1d24f42c3e8a542a5fa48f04e4dd1e2baf586c1031220dd

SHA512
ceac0e61327f28574fd0b848256db545ea57c5376b98ebe2d4ab875dbc98f76566b3f3cd67aece8b1a76dae0ad31d023495244a6f6f3b2e0fbe778b819a1b91f

Download Submit
\Users\Admin\AppData\Local\Sredmiker\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
\Users\Admin\AppData\Local\Sredmiker\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
memory/552-0-0x000000013FD20000-0x0000000144195000-memory.dmp

Filesize
68.5MB

Download
memory/1636-433-0x00000000041D0000-0x000000000420C000-memory.dmp

Filesize
240KB

Download
memory/2168-10-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2168-8-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2824-466-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2916-475-0x0000000004420000-0x000000000445C000-memory.dmp

Filesize
240KB

Download
memory/2976-32-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2976-33-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download