meduza | a3c37478d879d20b7d6c392c70c0acdf0ed7ef4fba94578d9a5a9131b873831b

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

meduza redline xworm fvcxcx collection credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
hellres
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/memory/2968-341-0x00000000011C0000-0x00000000011D0000-memory.dmp	family_xworm
behavioral3/files/0x00100000000120ec-475.dat	family_xworm

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 12 IoCs

resource	yara_rule
behavioral3/memory/2556-81-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-80-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-77-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-74-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-73-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-72-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/memory/2556-71-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/files/0x00060000000195fd-86.dat	family_meduza
behavioral3/files/0x00080000000195ff-105.dat	family_meduza
behavioral3/memory/2556-108-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral3/files/0x000600000001a4bd-111.dat	family_meduza
behavioral3/memory/2556-519-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza

Meduza family
meduza
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral3/memory/5940-2696-0x0000000001070000-0x00000000010C2000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1984	powershell.exe
1776	powershell.exe
1052	powershell.exe
2800	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	frnd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 22 IoCs

pid	Process
1700	frnd.exe
2556	frnd.exe
2480	hellres.exe
2000	duschno.exe
3032	resp.exe
2328	frnd1.exe
684	zx.exe
1864	TPB-1.exe
1720	zx.exe
1196	Process not Found
2508	TestExe.exe
2968	x.exe
2676	frnd1.exe
2700	frnd1.exe
1932	frnd1.exe
2920	frnd1.exe
1944	frnd1.exe
1540	PDFReader.exe
8052	system32.exe
3312	system32.exe
5940	fcxcx.exe
6248	Update.exe

Loads dropped DLL 47 IoCs

pid	Process
2400	New Text Document mod.exe
1700	frnd.exe
2400	New Text Document mod.exe
2400	New Text Document mod.exe
2400	New Text Document mod.exe
2400	New Text Document mod.exe
684	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
1720	zx.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2400	New Text Document mod.exe
8052	system32.exe
3312	system32.exe
3312	system32.exe
3312	system32.exe
3312	system32.exe
3312	system32.exe
3312	system32.exe
3312	system32.exe
1196	Process not Found
1196	Process not Found
2400	New Text Document mod.exe
2400	New Text Document mod.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\B601059ED0E23994880753\\B601059ED0E23994880753.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org
45	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 2556	1700	frnd.exe	33
PID 1540 set thread context of 896	1540	PDFReader.exe	63

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/3312-2526-0x000007FEEF6A0000-0x000007FEEFB0E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x000500000001a4c1-125.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frnd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2516	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2556	frnd.exe
1984	powershell.exe
1776	powershell.exe
1052	powershell.exe
2800	powershell.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
2328	frnd1.exe
1864	TPB-1.exe
2968	x.exe
6248	Update.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	New Text Document mod.exe
Token: SeDebugPrivilege	2556	frnd.exe
Token: SeImpersonatePrivilege	2556	frnd.exe
Token: SeDebugPrivilege	2480	hellres.exe
Token: SeImpersonatePrivilege	2480	hellres.exe
Token: SeDebugPrivilege	2000	duschno.exe
Token: SeImpersonatePrivilege	2000	duschno.exe
Token: SeDebugPrivilege	3032	resp.exe
Token: SeImpersonatePrivilege	3032	resp.exe
Token: SeDebugPrivilege	2328	frnd1.exe
Token: SeDebugPrivilege	2968	x.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2968	x.exe
Token: SeDebugPrivilege	896	csc.exe
Token: SeIncreaseQuotaPrivilege	6248	Update.exe
Token: SeSecurityPrivilege	6248	Update.exe
Token: SeTakeOwnershipPrivilege	6248	Update.exe
Token: SeLoadDriverPrivilege	6248	Update.exe
Token: SeSystemProfilePrivilege	6248	Update.exe
Token: SeSystemtimePrivilege	6248	Update.exe
Token: SeProfSingleProcessPrivilege	6248	Update.exe
Token: SeIncBasePriorityPrivilege	6248	Update.exe
Token: SeCreatePagefilePrivilege	6248	Update.exe
Token: SeBackupPrivilege	6248	Update.exe
Token: SeRestorePrivilege	6248	Update.exe
Token: SeShutdownPrivilege	6248	Update.exe
Token: SeDebugPrivilege	6248	Update.exe
Token: SeSystemEnvironmentPrivilege	6248	Update.exe
Token: SeRemoteShutdownPrivilege	6248	Update.exe
Token: SeUndockPrivilege	6248	Update.exe
Token: SeManageVolumePrivilege	6248	Update.exe
Token: 33	6248	Update.exe
Token: 34	6248	Update.exe
Token: 35	6248	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2968	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1700	2400	New Text Document mod.exe	32
PID 2400 wrote to memory of 1700	2400	New Text Document mod.exe	32
PID 2400 wrote to memory of 1700	2400	New Text Document mod.exe	32
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 1700 wrote to memory of 2556	1700	frnd.exe	33
PID 2400 wrote to memory of 2480	2400	New Text Document mod.exe	34
PID 2400 wrote to memory of 2480	2400	New Text Document mod.exe	34
PID 2400 wrote to memory of 2480	2400	New Text Document mod.exe	34
PID 2400 wrote to memory of 2000	2400	New Text Document mod.exe	36
PID 2400 wrote to memory of 2000	2400	New Text Document mod.exe	36
PID 2400 wrote to memory of 2000	2400	New Text Document mod.exe	36
PID 2400 wrote to memory of 3032	2400	New Text Document mod.exe	37
PID 2400 wrote to memory of 3032	2400	New Text Document mod.exe	37
PID 2400 wrote to memory of 3032	2400	New Text Document mod.exe	37
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 2328	2400	New Text Document mod.exe	38
PID 2400 wrote to memory of 684	2400	New Text Document mod.exe	39
PID 2400 wrote to memory of 684	2400	New Text Document mod.exe	39
PID 2400 wrote to memory of 684	2400	New Text Document mod.exe	39
PID 2400 wrote to memory of 1864	2400	New Text Document mod.exe	40
PID 2400 wrote to memory of 1864	2400	New Text Document mod.exe	40
PID 2400 wrote to memory of 1864	2400	New Text Document mod.exe	40
PID 2400 wrote to memory of 1864	2400	New Text Document mod.exe	40
PID 684 wrote to memory of 1720	684	zx.exe	41
PID 684 wrote to memory of 1720	684	zx.exe	41
PID 684 wrote to memory of 1720	684	zx.exe	41
PID 2400 wrote to memory of 2508	2400	New Text Document mod.exe	42
PID 2400 wrote to memory of 2508	2400	New Text Document mod.exe	42
PID 2400 wrote to memory of 2508	2400	New Text Document mod.exe	42
PID 2400 wrote to memory of 2508	2400	New Text Document mod.exe	42
PID 2400 wrote to memory of 2968	2400	New Text Document mod.exe	43
PID 2400 wrote to memory of 2968	2400	New Text Document mod.exe	43
PID 2400 wrote to memory of 2968	2400	New Text Document mod.exe	43
PID 2968 wrote to memory of 1984	2968	x.exe	46
PID 2968 wrote to memory of 1984	2968	x.exe	46
PID 2968 wrote to memory of 1984	2968	x.exe	46
PID 2968 wrote to memory of 1776	2968	x.exe	48
PID 2968 wrote to memory of 1776	2968	x.exe	48
PID 2968 wrote to memory of 1776	2968	x.exe	48
PID 2968 wrote to memory of 1052	2968	x.exe	50
PID 2968 wrote to memory of 1052	2968	x.exe	50
PID 2968 wrote to memory of 1052	2968	x.exe	50
PID 2968 wrote to memory of 2800	2968	x.exe	52
PID 2968 wrote to memory of 2800	2968	x.exe	52
PID 2968 wrote to memory of 2800	2968	x.exe	52
PID 2328 wrote to memory of 2676	2328	frnd1.exe	54
PID 2328 wrote to memory of 2676	2328	frnd1.exe	54
PID 2328 wrote to memory of 2676	2328	frnd1.exe	54
PID 2328 wrote to memory of 2676	2328	frnd1.exe	54
PID 2328 wrote to memory of 2676	2328	frnd1.exe	54

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2556
- C:\Users\Admin\AppData\Local\Temp\a\hellres.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hellres.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\a\duschno.exe
  "C:\Users\Admin\AppData\Local\Temp\a\duschno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\a\resp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\resp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:1944
- C:\Users\Admin\AppData\Local\Temp\a\zx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1720
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe" & rd /s /q "C:\ProgramData\0ZUSR1VAI58Q" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2516
- C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\a\x.exe
  "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8052
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3312
- C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5940
- C:\Users\Admin\AppData\Local\Temp\a\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Java Update (32bit).exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0af0bcb6f746d213921aaa85562002a3

SHA1
f856b0abf0d63ae57d6e1b3149d504735407cc88

SHA256
20e47c8ac70a61cb633746fdb2cd53dd67985e03c65be5fe1f66f649c7742091

SHA512
355e202a8c5182c0dcab289b619e0d2c760ebde68fd71f0764312383cf5ffc75cc8a76c72ee61eeadb010fb86f2d9ad43fc36384e39582d5fc6673084b7ae3ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19f8a43dd7462b0d3f41540495463015

SHA1
9c5fc99483e3c1760e0869a99e0b4093ecdb43f2

SHA256
a266883ee274a255c6e58788ef9bf8b1e43ec38d8864dd4a106799701fb31363

SHA512
c9b540cb1c9a08a1847af07f2b9685fa3f2bb1c4e018b04d1b72f57f0ce46e2fa6af7598a84eb0af822a17f64cd131ce66fc1e85a4ac16e47e03570dfd4a732b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1d0ac17ce19d32f2e3742f1954f606c7

SHA1
80592acf96abb5af5d5380322d72d72954325592

SHA256
fea87df64b523d9d0618706bd46344356e38acf36e32df94be5cce6309d2f977

SHA512
adb3efa33e2b6497abd4e81876567af844a7fde39bb03e3a25389a53984f01ec7b9547b78cb09799844b218ea1a55af902a92e980092604f34ce86725679bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD616.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD638.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6842\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
203KB

MD5
8ba8994283713a778391d7607a039989

SHA1
86e2cc10ae3a8a7040bc5958c45e680fbdbd1c19

SHA256
5746d38d3f64fd37ad4aa158d119eec1378e6298bd105323d5ffc791b9f5e88a

SHA512
5b74b96cec6ce7424604c9903656dd8b26178b09ce76cf68cdbba2d39b28010c001c6818ac3fea9418ffa6c3a57a952c2b6afa5c53af5ca52157a940a734dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
02701f8d91714c583decdd43635ff407

SHA1
855b8eeffcd217735d1ba6395bbb6647140ecca4

SHA256
41ba86941c72b5e160359e4b851251350958ca56e1d5aa897f0917eb51c5bd2e

SHA512
42930c89943297413933857c8ceac9eec924ce3093fd78da8f75930abdda540407781caf2fe32d4e7019cbd20171485a9d6389b4c03b0600edbaac597577c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd.exe

Filesize
4.1MB

MD5
298f1cd4f1804f025564bdb392538183

SHA1
cc6cac6c7e6be5f6b00a3714c856c1155b6d7e17

SHA256
8d5fd6e273be8cea765bc75fd9af3db49e58578305cb9d08fa357709f0b7ce35

SHA512
6eead00ed3d0c5c9b829191d025095c1468697169c388dac0a1325d955737311ab7db21ddbf1dae723f13801b78d63f98ba9725ab3affffe1011cee4e71c4535

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe

Filesize
4.7MB

MD5
8ceaf0f122909e63199c9f21f45e5098

SHA1
5ff6ef7983db06cd0ecf4e622db3b7a541c2a6a6

SHA256
36fbd1bed8e9cbccb8a2d0cb4530a0669faa97fac45efb44c9635e8ba1552d5e

SHA512
f56eecda400f58e9d632bac9d73fb510670c28aa6ba6ba2c422045bba567b9d33450e7dcc883a7f5ae2aa971d1751b1b31ff217d9736c3a5ca6f0a3edbf98870

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hellres.exe

Filesize
1.2MB

MD5
2511d20918fe5495f4cec12ed8e010df

SHA1
1a1d3f5c67f93021868e9fa4682f576f482ba86e

SHA256
0ab815e72b9490ff95cc216c08aa6503d1610e052793d433732a3b28c25c5d71

SHA512
849994cd3e0aa394041f0f23908fdc2440366685c3a3035c224cf1048f7eb73f6c30ac670de72b9a276fe080e965fba3b500d0c49dab91892683377b9db90402

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zx.exe

Filesize
5.6MB

MD5
bb0be25bdd2121fa0bddf6ac59d4fa8d

SHA1
c24f80b6344ecc9d6daacf5f838f0a279b146c13

SHA256
50f3af8a4b14a6e63cdc7817ecb482d7045458b43d786d580b51e8f12d762106

SHA512
6c7b69845cc483a06c68b319b87345240a2288c6183adfdbaaedcb3489af6e80247456bb31529b3981c86a05bb13ea958b1e90b012071fcc7b9267c8b54f0dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0DZ3SSZ15Q7LGW4C64ZI.temp

Filesize
7KB

MD5
3ee65727f66604ecafac1e8cb96d0451

SHA1
501b6f7ed89ec9b9f8105a3ab40d6efa6d0732a7

SHA256
39ce78ef64b12b9269422ad533b78104064dfb21cc72e9a986cfa7cba2fad553

SHA512
254da17b1d4fc4630158ec68d9ad9ccb07494a9758d4cebb46f42de2e6dc37976dbc280e6be380ae798b45027e934627c8c5d754dfb542e624e3c2c9156bb750

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI6842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
\Users\Admin\AppData\Local\Temp\a\duschno.exe

Filesize
1.2MB

MD5
c6813da66eba357d0deaa48c2f7032b8

SHA1
6812e46c51f823ff0b0ee17bfce0af72f857af66

SHA256
1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178

SHA512
19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e

Download Submit
\Users\Admin\AppData\Local\Temp\a\resp.exe

Filesize
1.2MB

MD5
bee040fc0caf73ee0cb2e55d4c703f22

SHA1
6bf7f1fa9dcf930190cabfba9abde2e7faab486f

SHA256
940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b

SHA512
ec45afc4a8626dc813462a3c65b57a75f96233e9e66a0d9d60953fa2e29ec1a1c48c9ccf00f8f0e0ad3ff37e8c98c673c5b2309ff77475896ec57897d73551b2

Download Submit
memory/896-558-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-547-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-556-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-541-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/896-576-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-580-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-582-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-584-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-586-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-588-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-554-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-552-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-2369-0x00000000011D0000-0x0000000001226000-memory.dmp

Filesize
344KB

Download
memory/896-539-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/896-2370-0x0000000000E60000-0x0000000000EAC000-memory.dmp

Filesize
304KB

Download
memory/896-590-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-592-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-579-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-550-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-560-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-562-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-570-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-572-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-548-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-564-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-546-0x0000000001110000-0x00000000011D6000-memory.dmp

Filesize
792KB

Download
memory/896-574-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-566-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/896-543-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/896-545-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/896-542-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/896-568-0x0000000001110000-0x00000000011D0000-memory.dmp

Filesize
768KB

Download
memory/1776-408-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1776-407-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1864-178-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1864-538-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1984-383-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1984-384-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2328-453-0x0000000005B10000-0x0000000005D4A000-memory.dmp

Filesize
2.2MB

Download
memory/2328-454-0x0000000000AB0000-0x0000000000AD2000-memory.dmp

Filesize
136KB

Download
memory/2328-120-0x00000000000D0000-0x0000000000586000-memory.dmp

Filesize
4.7MB

Download
memory/2400-58-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-57-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2400-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/2400-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2508-303-0x00000000011E0000-0x00000000011F0000-memory.dmp

Filesize
64KB

Download
memory/2556-74-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-77-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-519-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-69-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-80-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-81-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-68-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-75-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2556-108-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-73-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-72-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-71-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2556-70-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2968-341-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/3312-2526-0x000007FEEF6A0000-0x000007FEEFB0E000-memory.dmp

Filesize
4.4MB

Download
memory/5940-2696-0x0000000001070000-0x00000000010C2000-memory.dmp

Filesize
328KB

Download