mimikatz | b406f26f01869d54e6fc2b9e1732dc2c2f78fc0f8a21edd74b5369de0a6d50b4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ayonigga.cmd
Size

44B
MD5

47890dcb8055d784b4d6a7cd40489881
SHA1

1bbb3241ae64d8b5979ecfce992c181b48009c51
SHA256

7c39af713d9b2983b7dbbefdbd6c0c36fffdc40bba97b7015dee2f4549510449
SHA512

bbe72e1fb1287a30920f6842cae2d00ab9ee31f2ffb1ee3b09c1f6db3008e81fec9ad7133ed72ae7532e0e181a4cbea8b5bbdbe66543ac932830c6ed08ea2107

Score

10^/10

mimikatz bootkit discovery persistence spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral4/files/0x0007000000023cb9-41.dat	mimikatz

Executes dropped EXE 2 IoCs

Processes:

A19F.tmpwww.exe

pid	Process
1020	A19F.tmp
2008	www.exe

Loads dropped DLL 14 IoCs

Processes:

rundll32.exewww.exe

pid	Process
3184	rundll32.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe
2008	www.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

rundll32.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in Program Files directory 57 IoCs

Processes:

rundll32.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files\SaveReceive.sql	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files\AssertConfirm.rtf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\ProtectUnregister.7z	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files\RequestCheckpoint.vsdx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z	rundll32.exe

Drops file in Windows directory 4 IoCs

Processes:

Ransomware.NotPetya.exerundll32.exe

description	ioc	Process
File created	C:\Windows\perfc.dat	Ransomware.NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeRansomware.NotPetya.exerundll32.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ransomware.NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exeA19F.tmp

pid	Process
3184	rundll32.exe
3184	rundll32.exe
1020	A19F.tmp
1020	A19F.tmp
1020	A19F.tmp
1020	A19F.tmp
1020	A19F.tmp
1020	A19F.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeA19F.tmp

description	pid	Process
Token: SeShutdownPrivilege	3184	rundll32.exe
Token: SeDebugPrivilege	3184	rundll32.exe
Token: SeTcbPrivilege	3184	rundll32.exe
Token: SeDebugPrivilege	1020	A19F.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exeRansomware.NotPetya.exerundll32.exewww.execmd.exe

description	pid	Process	procid_target
PID 4716 wrote to memory of 4552	4716	cmd.exe	83
PID 4716 wrote to memory of 4552	4716	cmd.exe	83
PID 4716 wrote to memory of 2316	4716	cmd.exe	85
PID 4716 wrote to memory of 2316	4716	cmd.exe	85
PID 4716 wrote to memory of 2316	4716	cmd.exe	85
PID 2316 wrote to memory of 3184	2316	Ransomware.NotPetya.exe	86
PID 2316 wrote to memory of 3184	2316	Ransomware.NotPetya.exe	86
PID 2316 wrote to memory of 3184	2316	Ransomware.NotPetya.exe	86
PID 3184 wrote to memory of 1672	3184	rundll32.exe	87
PID 3184 wrote to memory of 1672	3184	rundll32.exe	87
PID 3184 wrote to memory of 1672	3184	rundll32.exe	87
PID 3184 wrote to memory of 1020	3184	rundll32.exe	88
PID 3184 wrote to memory of 1020	3184	rundll32.exe	88
PID 4552 wrote to memory of 2008	4552	www.exe	89
PID 4552 wrote to memory of 2008	4552	www.exe	89
PID 1672 wrote to memory of 2744	1672	cmd.exe	92
PID 1672 wrote to memory of 2744	1672	cmd.exe	92
PID 1672 wrote to memory of 2744	1672	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ayonigga.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Users\Admin\AppData\Local\Temp\www.exe
  www.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\www.exe
    C:\Users\Admin\AppData\Local\Temp\www.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2008
- C:\Users\Admin\AppData\Local\Temp\Ransomware.NotPetya.exe
  Ransomware.NotPetya.exe
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\perfc.dat,#1
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 06:19
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 06:19
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\A19F.tmp
      "C:\Users\Admin\AppData\Local\Temp\A19F.tmp" \\.\pipe\{8BA3CE09-F0EE-44E8-B713-9BF5ABE6075F}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A19F.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
64KB

MD5
a25bc2b21b555293554d7f611eaa75ea

SHA1
a0dfd4fcfae5b94d4471357f60569b0c18b30c17

SHA256
43acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d

SHA512
b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
30KB

MD5
7c14c7bc02e47d5c8158383cb7e14124

SHA1
5ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3

SHA256
00bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5

SHA512
af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbr_data.txt

Filesize
10KB

MD5
5b5c4188c5814259f66765aaf093a6b4

SHA1
6bac8c23519845330d0195bfcb54c9aed848bb3f

SHA256
b92315b3f34668f85944042534acfceecd7f93c04b92108bb6fceaf2d955b46b

SHA512
7ef8273c19a90e93f9b30cb7c2b36eac694cf6f27e3a402396e6c0e7a2f15c681e9ed688fd799e2f0c27ea650882f2f3764b30341e4b8726bf116b33b62c32c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_brotli.pyd

Filesize
802KB

MD5
9ad5bb6f92ee2cfd29dde8dd4da99eb7

SHA1
30a8309938c501b336fd3947de46c03f1bb19dc8

SHA256
788acbfd0edd6ca3ef3e97a9487eeaea86515642c71cb11bbcf25721e6573ec8

SHA512
a166abcb834d6c9d6b25807adddd25775d81e2951e1bc3e9849d8ae868dedf2e1ee1b6b4b288ddfbd88a63a6fa624e2d6090aa71ded9b90c2d8cbf2d9524fdbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_bz2.pyd

Filesize
83KB

MD5
30f396f8411274f15ac85b14b7b3cd3d

SHA1
d3921f39e193d89aa93c2677cbfb47bc1ede949c

SHA256
cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f

SHA512
7d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_lzma.pyd

Filesize
156KB

MD5
9e94fac072a14ca9ed3f20292169e5b2

SHA1
1eeac19715ea32a65641d82a380b9fa624e3cf0d

SHA256
a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f

SHA512
b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_queue.pyd

Filesize
31KB

MD5
e1c6ff3c48d1ca755fb8a2ba700243b2

SHA1
2f2d4c0f429b8a7144d65b179beab2d760396bfb

SHA256
0a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa

SHA512
55bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_socket.pyd

Filesize
81KB

MD5
69801d1a0809c52db984602ca2653541

SHA1
0f6e77086f049a7c12880829de051dcbe3d66764

SHA256
67aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3

SHA512
5fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\_ssl.pyd

Filesize
174KB

MD5
90f080c53a2b7e23a5efd5fd3806f352

SHA1
e3b339533bc906688b4d885bdc29626fbb9df2fe

SHA256
fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4

SHA512
4b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\unicodedata.pyd

Filesize
1.1MB

MD5
a8ed52a66731e78b89d3c6c6889c485d

SHA1
781e5275695ace4a5c3ad4f2874b5e375b521638

SHA256
bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7

SHA512
1c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\vcruntime140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4552_133772445805371256\www.exe

Filesize
14.5MB

MD5
5ff92691ce8919b8ad899ce7d7dcecc5

SHA1
05255658f0340905f753b9a96fe6303196cb1f7f

SHA256
3140e5d3820e3e40957e4e638ffabea93d61994cf00f17f976e353ccf7c15930

SHA512
c1f2a96a8241e57669e2b8c8844799db5c944b8c82eea802c370a86c6b90c7e0ea45f33a007460872fd1fd83f7f0250b10e97f78d879f2530c1df1e0298f5548

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
memory/2316-0-0x0000000000F30000-0x0000000000F8F000-memory.dmp

Filesize
380KB

Download
memory/2316-2-0x0000000000F30000-0x0000000000F8F000-memory.dmp

Filesize
380KB

Download
memory/3184-51-0x0000000002880000-0x00000000028DE000-memory.dmp

Filesize
376KB

Download
memory/3184-6-0x0000000002880000-0x00000000028DE000-memory.dmp

Filesize
376KB

Download
memory/3184-27-0x0000000002880000-0x00000000028DE000-memory.dmp

Filesize
376KB

Download
memory/3184-37-0x0000000002880000-0x00000000028DE000-memory.dmp

Filesize
376KB

Download
memory/3184-35-0x0000000002880000-0x00000000028DE000-memory.dmp

Filesize
376KB

Download