phorphiex | e4ec3a45621dd556deeea5f953fa05909c82630e9f17baf6b14272a0360d62d1

max time kernel
70s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

phorphiex redline xmrig xworm diamotrix unique24 discovery execution infostealer loader miner persistence pyinstaller rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

redline

Botnet

Diamotrix

176.111.174.140:1912

Extracted

Family

redline

Botnet

unique24

185.215.113.67:21405

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023cb5-472.dat	family_xworm
behavioral2/memory/5036-477-0x00000000001C0000-0x00000000001D6000-memory.dmp	family_xworm

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca9-391.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cef-176.dat	family_redline
behavioral2/memory/2192-183-0x0000000000580000-0x00000000005D2000-memory.dmp	family_redline
behavioral2/memory/916-418-0x0000000000F70000-0x0000000000FC2000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 3608 created 3436	3608	1313012070.exe	56
PID 3608 created 3436	3608	1313012070.exe	56
PID 3512 created 3436	3512	winupsecvmgr.exe	56
PID 3512 created 3436	3512	winupsecvmgr.exe	56
PID 3512 created 3436	3512	winupsecvmgr.exe	56

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/3512-556-0x00007FF73BAB0000-0x00007FF73C047000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4916	powershell.exe
4168	powershell.exe
1724	powershell.exe
2200	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	resex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	fuag.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk	Setup.exe

Executes dropped EXE 25 IoCs

pid	Process
5060	Obfuscated.exe
2540	Obfuscated.exe
5096	resex.exe
3448	Setup.exe
2192	B798.tmp.x.exe
4528	Reproduction.pif
4960	C777.tmp.zx.exe
3816	C777.tmp.zx.exe
3660	basx.exe
4532	basx.tmp
4324	npp.exe
1872	tdrpload.exe
2696	powerfulplayer32.exe
1788	2070231880.exe
916	RegAsm.exe
1580	sysnldcvmr.exe
4472	sysnldcvmr.exe
5064	14691501.exe
3116	1565022113.exe
5036	fuag.exe
2336	shttpsr_mg.exe
3608	1313012070.exe
2944	78119961.exe
3512	winupsecvmgr.exe
4668	1107731187.exe

Loads dropped DLL 12 IoCs

pid	Process
2540	Obfuscated.exe
2540	Obfuscated.exe
2540	Obfuscated.exe
2540	Obfuscated.exe
2540	Obfuscated.exe
3816	C777.tmp.zx.exe
3816	C777.tmp.zx.exe
3816	C777.tmp.zx.exe
3816	C777.tmp.zx.exe
3816	C777.tmp.zx.exe
4532	basx.tmp
2696	powerfulplayer32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{92D92193F1AF3283896264}\\{92D92193F1AF3283896264}.exe"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	tdrpload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysnldcvmr.exe"	2070231880.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
84	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4020	tasklist.exe
3660	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 1784	3448	Setup.exe	92
PID 3512 set thread context of 1592	3512	winupsecvmgr.exe	145
PID 3512 set thread context of 704	3512	winupsecvmgr.exe	146

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cd0-482.dat	upx
behavioral2/memory/2336-484-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral2/memory/2336-538-0x0000000000400000-0x000000000047D000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	tdrpload.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	tdrpload.exe
File created	C:\Windows\sysnldcvmr.exe	2070231880.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023c9c-8.dat	pyinstaller
behavioral2/files/0x0007000000023cf6-216.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Reproduction.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basx.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1565022113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shttpsr_mg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2070231880.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1107731187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14691501.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B798.tmp.x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78119961.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	resex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
3448	Setup.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe
1784	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3436	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	4363463463464363463463463.exe
Token: SeIncreaseQuotaPrivilege	3448	Setup.exe
Token: SeSecurityPrivilege	3448	Setup.exe
Token: SeTakeOwnershipPrivilege	3448	Setup.exe
Token: SeLoadDriverPrivilege	3448	Setup.exe
Token: SeSystemProfilePrivilege	3448	Setup.exe
Token: SeSystemtimePrivilege	3448	Setup.exe
Token: SeProfSingleProcessPrivilege	3448	Setup.exe
Token: SeIncBasePriorityPrivilege	3448	Setup.exe
Token: SeCreatePagefilePrivilege	3448	Setup.exe
Token: SeBackupPrivilege	3448	Setup.exe
Token: SeRestorePrivilege	3448	Setup.exe
Token: SeShutdownPrivilege	3448	Setup.exe
Token: SeDebugPrivilege	3448	Setup.exe
Token: SeSystemEnvironmentPrivilege	3448	Setup.exe
Token: SeRemoteShutdownPrivilege	3448	Setup.exe
Token: SeUndockPrivilege	3448	Setup.exe
Token: SeManageVolumePrivilege	3448	Setup.exe
Token: 33	3448	Setup.exe
Token: 34	3448	Setup.exe
Token: 35	3448	Setup.exe
Token: 36	3448	Setup.exe
Token: SeDebugPrivilege	1784	svchost.exe
Token: SeDebugPrivilege	3436	Explorer.EXE
Token: SeDebugPrivilege	4020	tasklist.exe
Token: SeDebugPrivilege	3660	tasklist.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeDebugPrivilege	2192	B798.tmp.x.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4528	Reproduction.pif
3436	Explorer.EXE
3436	Explorer.EXE
4528	Reproduction.pif
4528	Reproduction.pif
3436	Explorer.EXE
3436	Explorer.EXE
4532	basx.tmp
2336	shttpsr_mg.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
4528	Reproduction.pif
4528	Reproduction.pif
4528	Reproduction.pif
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE
3436	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5036	fuag.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3436	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 5060	4900	4363463463464363463463463.exe	84
PID 4900 wrote to memory of 5060	4900	4363463463464363463463463.exe	84
PID 5060 wrote to memory of 2540	5060	Obfuscated.exe	86
PID 5060 wrote to memory of 2540	5060	Obfuscated.exe	86
PID 4900 wrote to memory of 5096	4900	4363463463464363463463463.exe	87
PID 4900 wrote to memory of 5096	4900	4363463463464363463463463.exe	87
PID 4900 wrote to memory of 5096	4900	4363463463464363463463463.exe	87
PID 5096 wrote to memory of 768	5096	resex.exe	89
PID 5096 wrote to memory of 768	5096	resex.exe	89
PID 5096 wrote to memory of 768	5096	resex.exe	89
PID 4900 wrote to memory of 3448	4900	4363463463464363463463463.exe	91
PID 4900 wrote to memory of 3448	4900	4363463463464363463463463.exe	91
PID 3448 wrote to memory of 1784	3448	Setup.exe	92
PID 3448 wrote to memory of 1784	3448	Setup.exe	92
PID 3448 wrote to memory of 1784	3448	Setup.exe	92
PID 1784 wrote to memory of 3436	1784	svchost.exe	56
PID 3436 wrote to memory of 2192	3436	Explorer.EXE	97
PID 3436 wrote to memory of 2192	3436	Explorer.EXE	97
PID 3436 wrote to memory of 2192	3436	Explorer.EXE	97
PID 768 wrote to memory of 4020	768	cmd.exe	98
PID 768 wrote to memory of 4020	768	cmd.exe	98
PID 768 wrote to memory of 4020	768	cmd.exe	98
PID 768 wrote to memory of 4240	768	cmd.exe	99
PID 768 wrote to memory of 4240	768	cmd.exe	99
PID 768 wrote to memory of 4240	768	cmd.exe	99
PID 768 wrote to memory of 3660	768	cmd.exe	100
PID 768 wrote to memory of 3660	768	cmd.exe	100
PID 768 wrote to memory of 3660	768	cmd.exe	100
PID 768 wrote to memory of 3092	768	cmd.exe	101
PID 768 wrote to memory of 3092	768	cmd.exe	101
PID 768 wrote to memory of 3092	768	cmd.exe	101
PID 768 wrote to memory of 4872	768	cmd.exe	102
PID 768 wrote to memory of 4872	768	cmd.exe	102
PID 768 wrote to memory of 4872	768	cmd.exe	102
PID 768 wrote to memory of 4492	768	cmd.exe	103
PID 768 wrote to memory of 4492	768	cmd.exe	103
PID 768 wrote to memory of 4492	768	cmd.exe	103
PID 768 wrote to memory of 1232	768	cmd.exe	104
PID 768 wrote to memory of 1232	768	cmd.exe	104
PID 768 wrote to memory of 1232	768	cmd.exe	104
PID 768 wrote to memory of 4528	768	cmd.exe	106
PID 768 wrote to memory of 4528	768	cmd.exe	106
PID 768 wrote to memory of 4528	768	cmd.exe	106
PID 768 wrote to memory of 4832	768	cmd.exe	107
PID 768 wrote to memory of 4832	768	cmd.exe	107
PID 768 wrote to memory of 4832	768	cmd.exe	107
PID 3436 wrote to memory of 4960	3436	Explorer.EXE	108
PID 3436 wrote to memory of 4960	3436	Explorer.EXE	108
PID 4960 wrote to memory of 3816	4960	C777.tmp.zx.exe	109
PID 4960 wrote to memory of 3816	4960	C777.tmp.zx.exe	109
PID 4528 wrote to memory of 916	4528	Reproduction.pif	112
PID 4528 wrote to memory of 916	4528	Reproduction.pif	112
PID 4528 wrote to memory of 916	4528	Reproduction.pif	112
PID 4528 wrote to memory of 916	4528	Reproduction.pif	112
PID 4900 wrote to memory of 3660	4900	4363463463464363463463463.exe	113
PID 4900 wrote to memory of 3660	4900	4363463463464363463463463.exe	113
PID 4900 wrote to memory of 3660	4900	4363463463464363463463463.exe	113
PID 3660 wrote to memory of 4532	3660	basx.exe	114
PID 3660 wrote to memory of 4532	3660	basx.exe	114
PID 3660 wrote to memory of 4532	3660	basx.exe	114
PID 4900 wrote to memory of 4324	4900	4363463463464363463463463.exe	115
PID 4900 wrote to memory of 4324	4900	4363463463464363463463463.exe	115
PID 4900 wrote to memory of 4324	4900	4363463463464363463463463.exe	115
PID 4900 wrote to memory of 1872	4900	4363463463464363463463463.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\Files\Obfuscated.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Obfuscated.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\Files\Obfuscated.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Obfuscated.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\resex.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\resex.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Cover Cover.bat & Cover.bat & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 377464
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ComputerPlugScientistsAmazoncom" Oecd
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Occur + ..\Leo + ..\Apnic + ..\Collections + ..\Jerry + ..\Agreed + ..\Precision z
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\377464\Reproduction.pif
        
        Reproduction.pif z
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\377464\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\377464\RegAsm.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:916
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
- - C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
      4⤵
      Drops file in Drivers directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1784
- - C:\Users\Admin\AppData\Local\Temp\Files\basx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\basx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Users\Admin\AppData\Local\Temp\is-3VLGQ.tmp\basx.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3VLGQ.tmp\basx.tmp" /SL5="$8006C,3474168,54272,C:\Users\Admin\AppData\Local\Temp\Files\basx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:4532
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause powerful_player_1243
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause powerful_player_1243
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - C:\Users\Admin\AppData\Local\Powerful Player 3.0.3.22\powerfulplayer32.exe
        
        "C:\Users\Admin\AppData\Local\Powerful Player 3.0.3.22\powerfulplayer32.exe" -i
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2696
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\2070231880.exe
      C:\Users\Admin\AppData\Local\Temp\2070231880.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1788
    - - C:\Users\Admin\sysnldcvmr.exe
        
        C:\Users\Admin\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\14691501.exe
        
        C:\Users\Admin\AppData\Local\Temp\14691501.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\1565022113.exe
        
        C:\Users\Admin\AppData\Local\Temp\1565022113.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\1313012070.exe
        
        C:\Users\Admin\AppData\Local\Temp\1313012070.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:3608
      - C:\Users\Admin\AppData\Local\Temp\78119961.exe
        
        C:\Users\Admin\AppData\Local\Temp\78119961.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\1107731187.exe
        
        C:\Users\Admin\AppData\Local\Temp\1107731187.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4668
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1872
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1580
- - C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fuag.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2336
- C:\Users\Admin\AppData\Local\Temp\B798.tmp.x.exe
  "C:\Users\Admin\AppData\Local\Temp\B798.tmp.x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\C777.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\C777.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\C777.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\C777.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4916
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4168
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1592
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:704

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\377464\Reproduction.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\377464\z

Filesize
565KB

MD5
4382a0b1cf5f73e453a6126a71dee1fb

SHA1
c9ba6a756d13a8943424dce2ffd293f6fefd85dd

SHA256
6af0d772952906287c3eb13f4f91b556f235c831103db8d67d974521704afb83

SHA512
0eaf984cab4ec8fbb4e127e346e241b9914d48bc43dda9ca0009f1a0fb781b24337a0dd4491b231fa399b509f941f8658dd460ef1516b7178c1251205ae2653b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agreed

Filesize
79KB

MD5
7ae3dce1543cc57f1328868b8d911514

SHA1
e9f112c7a4f3b92776af061fbfe591148be3cf02

SHA256
1f5e4ce0c6f04efc8d5685035575481cca2994640ea687cf30791e7ef9883c0b

SHA512
510f23f65ab627ad7b9aee5c841c52170f8e916431bace9c20fe5faebd0e4be70d15fe3fa57b99d5b6139acf9898b998b8b442536b5186d18bda821ed011d828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apnic

Filesize
68KB

MD5
6c712f8940cdc0dd85b8eb471b8ad37b

SHA1
74a67859e8ab941e318061e33c6fd02a5f973bc6

SHA256
d287bc65fb2621d52e83e0fb9f47e01fa2dd975a7cad18a87104cfd04bd189a0

SHA512
c14e75940559bc9d9030d9f0de44204bd2bce056476f81e4314e41ba7a96522daabcb91a3a078b03c73826224c517fc64c0a6120052a8d90430416757f486949

Download Submit
C:\Users\Admin\AppData\Local\Temp\B798.tmp.x.exe

Filesize
300KB

MD5
97eb7baa28471ec31e5373fcd7b8c880

SHA1
397efcd2fae0589e9e29fc2153ffb18a86a9b709

SHA256
9053b6bbaf941a840a7af09753889873e51f9b15507990979537b6c982d618cb

SHA512
323389357a9ffc5e96f5d6ef78ceb2ec5c62e4dcc1e868524b4188aff2497810ad16de84e498a3e49640ad0d58eadf2ba9c6ec24e512aa64d319331f003d7ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\C777.tmp.zx.exe

Filesize
5.6MB

MD5
d9ae4ab7e356e38950359025308c78f9

SHA1
4b3ddd44f69c2aa575a1f0ecb96e0050002f16d3

SHA256
c1b55b6f15c2ae193752a3ea651033224962002e8e67020e4d71229af64126ab

SHA512
a5816eb10f4894b5989b4eace3d9dbd6d08897ffb22225bd1aef9f5415b0c5c3d4ac1c44885369e7539368c4f879d80082fdccd394d94161cebf38effe884340

Download Submit
C:\Users\Admin\AppData\Local\Temp\Collections

Filesize
63KB

MD5
0e84078a86d9e45d0312e93d8735f47b

SHA1
bf8ce51d4a14169479a7607c1328a51c36b1a74a

SHA256
c41b214e4465da2040573ac0128dc1a8834abfe4bda91926de8150c9d812c68f

SHA512
8fcfbce4c17e3e3d9bed1328b62028e31bbf942f67766470c4d1de9cc732e6929a6ae0b263627b0542218d6891ed43733258bf1109c524e495734794796da1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cover

Filesize
27KB

MD5
5928c4855e231ffc4db8d0b47690dd74

SHA1
506216eed701edcc8291b0d47c484bbe551d791f

SHA256
88857f93af61bbd0431d0ce7c43d45dce68a3f62fe0362b211ad656149e75bae

SHA512
0b89861f676193d8ea3512f592e4f02debb24cd6d478d91d80274aad342b7a3b47edd8a8365e3b3c7385edbfb379fdb1b78b9009968c02bc191bc10a31493868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Obfuscated.exe

Filesize
6.5MB

MD5
99281e4321e4db848261aab188b614e1

SHA1
069b89e3bd8f928824a3c1d64233c3551960915a

SHA256
f96c5b9eb0d13acbfb988c52c976a721cb5a035d3867c8ec3abaab5c8b0c1781

SHA512
5bd8a3d99b22702f71d0a2bc67b91d9b9e949d5920a4a1ebbd3b27f19166c3bb049622b3b3427a09009c06377674551c1eb1b173787fbd106e431450a89fb96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Setup.exe

Filesize
279KB

MD5
d0cce7870080bd889dba1f4cfd2b3b26

SHA1
a973389aa0908d7b56115aff9cd4878fbd9381f9

SHA256
8ff3039072ecb32c50f446d6857aceef55547486f0572fe70feb5b1fa4c4727a

SHA512
5fde0ed0ad44569d290972f336d0ca29c38f49bacefe7ba974cbb17d6db7a1a57a8e4f8618f438820c2ff386a6b9c5b8b702c24ee8718cae51379d1566729548

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\basx.exe

Filesize
3.6MB

MD5
6220543d415ef28746571e661206fbd4

SHA1
0bdc018ceb28595cb937b055bfe6817eae4be00b

SHA256
3e755d9dc05dd52387809a5d5f4a52b9fea1e80a9ad63f700c13bb4fba120069

SHA512
9e7539eb35fb0c8a8a18b05c6e6308f44517315ffc8f2538145fe94261b9771300eef028f579b881ad5d8544b92705451978d9695723758714e524a30886937b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fuag.exe

Filesize
59KB

MD5
704fc6581ce5b91c95110ba5607ff535

SHA1
f06dda23fab99f10435c4c9ca148b2b4950830e0

SHA256
eb243f6a889dc5af392ca649256cd8f5643e073e30fd3e7b26704e61ace4e97c

SHA512
6420fb2e93bba35924f262b8d4036ec5101626d1b3fcb1cfc3093791dd8ad770fd16e1b3ce47e877d0d1c93289f2245a808829bc690e6307c65ac63ca99acfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\resex.exe

Filesize
1.5MB

MD5
d417175785147e64361541f2978629df

SHA1
bae856a6f07e9c0d1f1413fcad038590a035c48e

SHA256
525207b0d7f9df796999b8e184b3a1a2c285ae37e61a29eab0573898b3368e17

SHA512
dff17928fc801276ed582746d3a54eb4bb07d6a38c5071a21fe6cf755aff21c2a5521d3c75feb7c01c8f61491f7ef3edc9f8d393e37556fbe7077573abd0ed72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe

Filesize
186KB

MD5
2dcfbac83be168372e01d4bd4ec6010c

SHA1
5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3

SHA256
68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63

SHA512
a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harper

Filesize
871KB

MD5
cc368fadcec3f8c4384a717267a9da28

SHA1
59164c81b693c59e7ea845decbd63dec4edd6618

SHA256
250ae7adfcd708c3523d46463940715648b937edc737349ce670ced4903337b7

SHA512
ba901125e8f312ef8aa7b0491333fd5b97b1cf90e41736b36861b0d823c95f7a4b0f8ee6ac2e15df8dd65970e6bb69ded9ac1c6067f674c5aca81d65f474d864

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jerry

Filesize
89KB

MD5
1cac3d4e6161be994d24be3144356849

SHA1
b2425a390a22e7626e1a79e4a5536f03f7021535

SHA256
6e29aaaa3aeaa4000c2c28b68813b802c27e83339e940a1872aad6eb45404d08

SHA512
6a04f48cd9c6bab5c42457c19472255dbeb436ac56fb89a1cc1567ff64b70fc4f9f43424ffb1e44889772110f5dd3fcf22736039a711fd37d27e9db721bd5cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leo

Filesize
82KB

MD5
a1aeab527fac92aadcd2d783c98543e7

SHA1
dab69ddfc7562b074561b1acf378bae8cb63557e

SHA256
e448f38efac7f5935bd444ce6be67f96be6d32962c0949d051a76c640444ab40

SHA512
76425ff51b9eb7e7f8ddf8888fa95224f66ba9ce35975d5415be23d673c2d33bd3a102d913e447b4e0dac039f01b99b47a7cf264f7185b4cd0a9b6866930facb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occur

Filesize
93KB

MD5
bf752e8f299fff0514f5393d71ef34f6

SHA1
de5e8b64879a4b560952fedd803f3b32fae23658

SHA256
8c7e674425dd3af9c7a5f931ec901f115e3676344ee1ad7987be07dcd88b37c0

SHA512
cc5c7cd1b3c3dc985fd36b504ac1704eeb61783cb9c46f2854c8cbe122518c2742f6d0432950056e9cfaf6f224132825755c1c16774ea4bd8147231e03a47d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oecd

Filesize
955B

MD5
b5726c6c8cd196f32ddb1711f48817b6

SHA1
2c0ce46af7c9cf6e818b35a76f122c93f05d50c7

SHA256
0227acb267a3d8501689d5721811644cc7a6e15d278d770144713b4c61852828

SHA512
65e5f3a355a9cb19201f7a3d0542c1970c13945eb4fbd097ddb93ef5162ae67335c75dd218424c1e4434c1d0f379622b29d148006bb7a5be895a6b320f0fe217

Download Submit
C:\Users\Admin\AppData\Local\Temp\Precision

Filesize
91KB

MD5
b7db8b1fb4edcd0ff7b6a7dabd593c40

SHA1
3f07d335b94fb1c843b1b6507ee4f13e08bc3d1d

SHA256
a220fb27a42c91c23302df989d53a91826ad92f5be58a00038f361775f910f2e

SHA512
90f983ec38e840e1eddd2450ae32ce5c05745591c4eb39e945849c2523403eb14f117266b73e6b031fa61449a8a4a7a7ea2b4e51fc8745c8fa342e61a01c4579

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1855.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49602\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\base_library.zip

Filesize
1.0MB

MD5
9823bcf5819b0bdab7fd732c017b7178

SHA1
a367be0f393387487bd85b54f71a4f2e66042a03

SHA256
49b2c3646efdfc37a971ee02704c12d296a5077b83edd6922b420c86a8151886

SHA512
6164a18218745c5d3889fe2096cfb23c054dc53cd2704b63e78515f3ee806e5bebcc12acdddadb961194833dc6623ee9933f70a79c839e3fb389bd955cd0a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50602\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zj3rtrw.eh2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
207d80ff4a32a477e15abbc33c7f2847

SHA1
a0913aa5b349cd5c525ae1ede81f6c3e0316f751

SHA256
a7d3fbc87c3a9c776f81806e6f32ea10420bdee95c1f7bef75981f27fbefff67

SHA512
506ff28d94855ca85c69aa804dfbf6c165169c4ed2e07cbaf385d7466ae1ce6b4b6dc95c1dc125316bb780aa93e00940879840b78aabe3f610d852de4d7753fc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
2bff3c666839302c0e9cf28782340fcb

SHA1
04e5d5d31a30c66e0c5eaa40d37ce3041bfef456

SHA256
aaa7361297107e64cc46772ad8034db55d9842358f4921f7944d8ac78b7d8720

SHA512
92ee40642fa77860b09c906b1904a5f1738eb0e229b6c31f1fbfe655a6ac14c736f6c5db1c89b528c71d39d0e9c49a62b4e61aa4f1a19d6d2c1c3deee1d13447

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
5600feddd2a6368af869eb9e408338bf

SHA1
d74a31ea5121154cec987ab58f4512ecd846f517

SHA256
500dff000dc51ca25d036ff52c0cb19e605514c26be79354b594921df02456d3

SHA512
3faf1e091d8ca7d8fd30db18871bedb8e673316e1221bf4028b32f62b4c19be1bcca7060e079d0e4564749bf73957fa596f2e394591fbcd13f1c5e26980d1b1f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
7aed163a7c554d2c86de68d11a55d030

SHA1
8416928fbe1aa0ab181a6d6abe1e30ef82ea25ea

SHA256
b5f1a672f239b65afa1f8e8a0b7da5f793e9ff6f3f8aff2818c6c635f0b360b9

SHA512
6dc00db724ce2567754a79fc3f5e0e2133abad323ced5beed053fd51f93227c3e263e008ada5f853cf47a27080a66ef921c2c210be7386d589383fcb984b3cfd

Download Submit
memory/704-555-0x0000012D5E890000-0x0000012D5E8B0000-memory.dmp

Filesize
128KB

Download
memory/916-436-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/916-418-0x0000000000F70000-0x0000000000FC2000-memory.dmp

Filesize
328KB

Download
memory/916-435-0x0000000006120000-0x0000000006196000-memory.dmp

Filesize
472KB

Download
memory/916-439-0x0000000006B80000-0x0000000006BCC000-memory.dmp

Filesize
304KB

Download
memory/1724-498-0x0000026CB92E0000-0x0000026CB9302000-memory.dmp

Filesize
136KB

Download
memory/1784-303-0x00007FF7922B0000-0x00007FF7922FC000-memory.dmp

Filesize
304KB

Download
memory/2192-301-0x00000000071D0000-0x00000000076FC000-memory.dmp

Filesize
5.2MB

Download
memory/2192-188-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/2192-191-0x0000000005320000-0x000000000536C000-memory.dmp

Filesize
304KB

Download
memory/2192-190-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/2192-189-0x0000000005130000-0x0000000005142000-memory.dmp

Filesize
72KB

Download
memory/2192-183-0x0000000000580000-0x00000000005D2000-memory.dmp

Filesize
328KB

Download
memory/2192-299-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/2192-300-0x0000000006AD0000-0x0000000006C92000-memory.dmp

Filesize
1.8MB

Download
memory/2192-187-0x00000000060C0000-0x00000000066D8000-memory.dmp

Filesize
6.1MB

Download
memory/2192-302-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download
memory/2192-184-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/2192-185-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/2192-186-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/2336-538-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2336-484-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2696-450-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-560-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-411-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-412-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-519-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-465-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/2696-451-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3436-165-0x0000000002900000-0x000000000293E000-memory.dmp

Filesize
248KB

Download
memory/3436-208-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/3436-168-0x0000000007D80000-0x0000000007DC1000-memory.dmp

Filesize
260KB

Download
memory/3436-170-0x00000000083E0000-0x0000000008430000-memory.dmp

Filesize
320KB

Download
memory/3436-167-0x0000000007CF0000-0x0000000007D32000-memory.dmp

Filesize
264KB

Download
memory/3512-556-0x00007FF73BAB0000-0x00007FF73C047000-memory.dmp

Filesize
5.6MB

Download
memory/3608-532-0x00007FF739B50000-0x00007FF73A0E7000-memory.dmp

Filesize
5.6MB

Download
memory/3660-448-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3660-364-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-449-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4900-209-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4900-3-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/4900-1-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/4900-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/4900-2-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/4900-192-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/5036-477-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download