meduza | a3c37478d879d20b7d6c392c70c0acdf0ed7ef4fba94578d9a5a9131b873831b

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

meduza metasploit redline xworm fvcxcx backdoor collection credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
hellres
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Extracted

Family

metasploit

Version

metasploit_stager

176.122.27.90:8888

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/memory/1380-329-0x0000000000A40000-0x0000000000A50000-memory.dmp	family_xworm
behavioral5/files/0x001200000000f868-529.dat	family_xworm

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral5/files/0x00070000000173f1-75.dat	family_meduza
behavioral5/files/0x00070000000173f4-94.dat	family_meduza
behavioral5/files/0x0006000000019244-101.dat	family_meduza

Meduza family
meduza
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral5/memory/4308-2705-0x0000000000DD0000-0x0000000000E22000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
1308	powershell.exe
2836	powershell.exe
3064	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	hellres.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 21 IoCs

pid	Process
1808	frnd.exe
1720	frnd.exe
2912	hellres.exe
1732	duschno.exe
2076	resp.exe
544	frnd1.exe
2384	zx.exe
2336	TPB-1.exe
1508	zx.exe
2136	TestExe.exe
1380	x.exe
2920	PDFReader.exe
8308	frnd1.exe
8540	system32.exe
9164	system32.exe
1228	Process not Found
4308	fcxcx.exe
4424	Update.exe
5312	main.exe
5724	main.exe
5764	tmp.exe

Loads dropped DLL 48 IoCs

pid	Process
2652	New Text Document mod.exe
1808	frnd.exe
2652	New Text Document mod.exe
2652	New Text Document mod.exe
2652	New Text Document mod.exe
2652	New Text Document mod.exe
2384	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
1508	zx.exe
544	frnd1.exe
2652	New Text Document mod.exe
8540	system32.exe
9164	system32.exe
9164	system32.exe
9164	system32.exe
9164	system32.exe
9164	system32.exe
9164	system32.exe
9164	system32.exe
1228	Process not Found
2652	New Text Document mod.exe
2652	New Text Document mod.exe
2652	New Text Document mod.exe
5340	Process not Found
5312	main.exe
5724	main.exe
2652	New Text Document mod.exe
2652	New Text Document mod.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\A4D477D02E843761441847\\A4D477D02E843761441847.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
27	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org
14	api.ipify.org
49	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1720	1808	frnd.exe	32
PID 2920 set thread context of 1120	2920	PDFReader.exe	57
PID 544 set thread context of 8308	544	frnd1.exe	58

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral5/memory/9164-2536-0x000007FEF1720000-0x000007FEF1B8E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral5/files/0x0005000000019259-113.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frnd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2804	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2912	hellres.exe
2336	TPB-1.exe
3004	powershell.exe
1308	powershell.exe
2836	powershell.exe
3064	powershell.exe
1380	x.exe
4424	Update.exe
4424	Update.exe
4308	fcxcx.exe
4308	fcxcx.exe
4308	fcxcx.exe
4424	Update.exe
4424	Update.exe
4424	Update.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	New Text Document mod.exe
Token: SeDebugPrivilege	2912	hellres.exe
Token: SeImpersonatePrivilege	2912	hellres.exe
Token: SeDebugPrivilege	1732	duschno.exe
Token: SeImpersonatePrivilege	1732	duschno.exe
Token: SeDebugPrivilege	2076	resp.exe
Token: SeImpersonatePrivilege	2076	resp.exe
Token: SeDebugPrivilege	544	frnd1.exe
Token: SeDebugPrivilege	1380	x.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1380	x.exe
Token: SeDebugPrivilege	1120	csc.exe
Token: SeDebugPrivilege	8308	frnd1.exe
Token: SeImpersonatePrivilege	8308	frnd1.exe
Token: SeIncreaseQuotaPrivilege	4424	Update.exe
Token: SeSecurityPrivilege	4424	Update.exe
Token: SeTakeOwnershipPrivilege	4424	Update.exe
Token: SeLoadDriverPrivilege	4424	Update.exe
Token: SeSystemProfilePrivilege	4424	Update.exe
Token: SeSystemtimePrivilege	4424	Update.exe
Token: SeProfSingleProcessPrivilege	4424	Update.exe
Token: SeIncBasePriorityPrivilege	4424	Update.exe
Token: SeCreatePagefilePrivilege	4424	Update.exe
Token: SeBackupPrivilege	4424	Update.exe
Token: SeRestorePrivilege	4424	Update.exe
Token: SeShutdownPrivilege	4424	Update.exe
Token: SeDebugPrivilege	4424	Update.exe
Token: SeSystemEnvironmentPrivilege	4424	Update.exe
Token: SeRemoteShutdownPrivilege	4424	Update.exe
Token: SeUndockPrivilege	4424	Update.exe
Token: SeManageVolumePrivilege	4424	Update.exe
Token: 33	4424	Update.exe
Token: 34	4424	Update.exe
Token: 35	4424	Update.exe
Token: SeDebugPrivilege	4308	fcxcx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1380	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1808	2652	New Text Document mod.exe	31
PID 2652 wrote to memory of 1808	2652	New Text Document mod.exe	31
PID 2652 wrote to memory of 1808	2652	New Text Document mod.exe	31
PID 1808 wrote to memory of 1720	1808	frnd.exe	32
PID 1808 wrote to memory of 1720	1808	frnd.exe	32
PID 1808 wrote to memory of 1720	1808	frnd.exe	32
PID 1808 wrote to memory of 1720	1808	frnd.exe	32
PID 2652 wrote to memory of 2912	2652	New Text Document mod.exe	33
PID 2652 wrote to memory of 2912	2652	New Text Document mod.exe	33
PID 2652 wrote to memory of 2912	2652	New Text Document mod.exe	33
PID 2652 wrote to memory of 1732	2652	New Text Document mod.exe	34
PID 2652 wrote to memory of 1732	2652	New Text Document mod.exe	34
PID 2652 wrote to memory of 1732	2652	New Text Document mod.exe	34
PID 2652 wrote to memory of 2076	2652	New Text Document mod.exe	36
PID 2652 wrote to memory of 2076	2652	New Text Document mod.exe	36
PID 2652 wrote to memory of 2076	2652	New Text Document mod.exe	36
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 544	2652	New Text Document mod.exe	37
PID 2652 wrote to memory of 2384	2652	New Text Document mod.exe	38
PID 2652 wrote to memory of 2384	2652	New Text Document mod.exe	38
PID 2652 wrote to memory of 2384	2652	New Text Document mod.exe	38
PID 2652 wrote to memory of 2336	2652	New Text Document mod.exe	39
PID 2652 wrote to memory of 2336	2652	New Text Document mod.exe	39
PID 2652 wrote to memory of 2336	2652	New Text Document mod.exe	39
PID 2652 wrote to memory of 2336	2652	New Text Document mod.exe	39
PID 2384 wrote to memory of 1508	2384	zx.exe	40
PID 2384 wrote to memory of 1508	2384	zx.exe	40
PID 2384 wrote to memory of 1508	2384	zx.exe	40
PID 2652 wrote to memory of 2136	2652	New Text Document mod.exe	41
PID 2652 wrote to memory of 2136	2652	New Text Document mod.exe	41
PID 2652 wrote to memory of 2136	2652	New Text Document mod.exe	41
PID 2652 wrote to memory of 2136	2652	New Text Document mod.exe	41
PID 2652 wrote to memory of 1380	2652	New Text Document mod.exe	42
PID 2652 wrote to memory of 1380	2652	New Text Document mod.exe	42
PID 2652 wrote to memory of 1380	2652	New Text Document mod.exe	42
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 2652 wrote to memory of 2920	2652	New Text Document mod.exe	44
PID 1380 wrote to memory of 3004	1380	x.exe	46
PID 1380 wrote to memory of 3004	1380	x.exe	46
PID 1380 wrote to memory of 3004	1380	x.exe	46
PID 1380 wrote to memory of 1308	1380	x.exe	48
PID 1380 wrote to memory of 1308	1380	x.exe	48
PID 1380 wrote to memory of 1308	1380	x.exe	48
PID 1380 wrote to memory of 2836	1380	x.exe	50
PID 1380 wrote to memory of 2836	1380	x.exe	50
PID 1380 wrote to memory of 2836	1380	x.exe	50
PID 1380 wrote to memory of 3064	1380	x.exe	52
PID 1380 wrote to memory of 3064	1380	x.exe	52
PID 1380 wrote to memory of 3064	1380	x.exe	52
PID 2336 wrote to memory of 2992	2336	TPB-1.exe	54
PID 2336 wrote to memory of 2992	2336	TPB-1.exe	54
PID 2336 wrote to memory of 2992	2336	TPB-1.exe	54
PID 2336 wrote to memory of 2992	2336	TPB-1.exe	54
PID 2992 wrote to memory of 2804	2992	cmd.exe	56

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
    3⤵
    - Executes dropped EXE
    PID:1720
- C:\Users\Admin\AppData\Local\Temp\a\hellres.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hellres.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2912
- C:\Users\Admin\AppData\Local\Temp\a\duschno.exe
  "C:\Users\Admin\AppData\Local\Temp\a\duschno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\a\resp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\resp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:8308
- C:\Users\Admin\AppData\Local\Temp\a\zx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe" & rd /s /q "C:\ProgramData\Q9R1VKFU3EKN" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2804
- C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\a\x.exe
  "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8540
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:9164
- C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Users\Admin\AppData\Local\Temp\a\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4424
- C:\Users\Admin\AppData\Local\Temp\a\main.exe
  "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5312
- - C:\Users\Admin\AppData\Local\Temp\a\main.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5724
- C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Java Update (32bit).exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69fe94e6c90e0e1ef84f4703c9f34d20

SHA1
b4c8e3823b22912064e977d9237c5355209f97ff

SHA256
96487d8222365ba7db8fe97d8efaed7021b81f51a5acb3069ab606e5e49e391a

SHA512
72b3d19d4e8f54d63b4b4f51a3eb9c373e836b6786cf6ca4ff16fdeeb7fca81de416f6e42267562970cf7e89992a3c5257a93368dcd5e36b71835f06f789b12b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f8bcb67c0ef4e5aa7ddc3cfcf633f18

SHA1
5905be13a25cbb807daf27eb0cdee578dff6ccbb

SHA256
c36c8c4a88cfd333ab5e454c8d6cf6ceae9bc761a0af5d04181b67bd5c826e30

SHA512
14f385e5c288dcfce914a70239193c7793d309af6b74922408cac5df7b96af31d0c610a7bfd52230ea20d1c19925f84e1d9edb9c970a98f4b5ea5763b8f90368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1724ebbbdd88530ac81cca0b4a984c6

SHA1
14bc3a2aa2072e68260966b3708a92b67c42973c

SHA256
26d7024efc6ca2f4b4c488fb1d2a4fc1009729f57c68aaaf818b07b615ff57b3

SHA512
8ebd7730a9292da367589644e94397ed98dd0c65cd6c1d83a7b39499e9a0a6df9ea4142e912666b1bec3f7d25c351ab5636237a7f1a86c289aea6dc6ceec551c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a27f77de973a80126b7d0e7ac8527cb9

SHA1
835022e8a671bf1ee67293b41fb96055d6b05e6c

SHA256
86e4a3a402434bb4aea66153b126edea378e93a8b5a7506c01eb6a79389aebb8

SHA512
1b767b57746e0b5e5f08c33e80d4712deff3c9d577e0ac1d2b39d361341d9bcbdba1e528f4e2f2b9025bd0d4ff7f621a8077f6846f127ef298c1d2c9d6f214a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
266fd13e5d88c760dc3128001900f0a1

SHA1
d5f0b26676d0fcb9b98b9a723c1a7b528792c393

SHA256
cfa4fae4816af7c4eb2eff56d2814ef2e0d03163c6941f2c8cf7f733f88add3d

SHA512
b834b899714aed4120f9e9d66f250e024caed61330946a0c76e2fcc1bba95cfb7aea54b28e86a770439a11728778f6007fcf3a04700c39069dd9fdd3053f4c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2BC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2BC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23842\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
203KB

MD5
8ba8994283713a778391d7607a039989

SHA1
86e2cc10ae3a8a7040bc5958c45e680fbdbd1c19

SHA256
5746d38d3f64fd37ad4aa158d119eec1378e6298bd105323d5ffc791b9f5e88a

SHA512
5b74b96cec6ce7424604c9903656dd8b26178b09ce76cf68cdbba2d39b28010c001c6818ac3fea9418ffa6c3a57a952c2b6afa5c53af5ca52157a940a734dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe

Filesize
38KB

MD5
51aa89efb23c098b10293527e469c042

SHA1
dc81102e0c1bced6e1da055dab620316959d8e2a

SHA256
780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292

SHA512
93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
02701f8d91714c583decdd43635ff407

SHA1
855b8eeffcd217735d1ba6395bbb6647140ecca4

SHA256
41ba86941c72b5e160359e4b851251350958ca56e1d5aa897f0917eb51c5bd2e

SHA512
42930c89943297413933857c8ceac9eec924ce3093fd78da8f75930abdda540407781caf2fe32d4e7019cbd20171485a9d6389b4c03b0600edbaac597577c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd.exe

Filesize
4.1MB

MD5
298f1cd4f1804f025564bdb392538183

SHA1
cc6cac6c7e6be5f6b00a3714c856c1155b6d7e17

SHA256
8d5fd6e273be8cea765bc75fd9af3db49e58578305cb9d08fa357709f0b7ce35

SHA512
6eead00ed3d0c5c9b829191d025095c1468697169c388dac0a1325d955737311ab7db21ddbf1dae723f13801b78d63f98ba9725ab3affffe1011cee4e71c4535

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe

Filesize
4.7MB

MD5
8ceaf0f122909e63199c9f21f45e5098

SHA1
5ff6ef7983db06cd0ecf4e622db3b7a541c2a6a6

SHA256
36fbd1bed8e9cbccb8a2d0cb4530a0669faa97fac45efb44c9635e8ba1552d5e

SHA512
f56eecda400f58e9d632bac9d73fb510670c28aa6ba6ba2c422045bba567b9d33450e7dcc883a7f5ae2aa971d1751b1b31ff217d9736c3a5ca6f0a3edbf98870

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hellres.exe

Filesize
1.2MB

MD5
2511d20918fe5495f4cec12ed8e010df

SHA1
1a1d3f5c67f93021868e9fa4682f576f482ba86e

SHA256
0ab815e72b9490ff95cc216c08aa6503d1610e052793d433732a3b28c25c5d71

SHA512
849994cd3e0aa394041f0f23908fdc2440366685c3a3035c224cf1048f7eb73f6c30ac670de72b9a276fe080e965fba3b500d0c49dab91892683377b9db90402

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resp.exe

Filesize
1.2MB

MD5
bee040fc0caf73ee0cb2e55d4c703f22

SHA1
6bf7f1fa9dcf930190cabfba9abde2e7faab486f

SHA256
940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b

SHA512
ec45afc4a8626dc813462a3c65b57a75f96233e9e66a0d9d60953fa2e29ec1a1c48c9ccf00f8f0e0ad3ff37e8c98c673c5b2309ff77475896ec57897d73551b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe

Filesize
7KB

MD5
459976dc3440b9fe9614d2e7c246af02

SHA1
ea72df634719681351c66aea8b616349bf4b1cba

SHA256
d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811

SHA512
368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zx.exe

Filesize
5.6MB

MD5
bb0be25bdd2121fa0bddf6ac59d4fa8d

SHA1
c24f80b6344ecc9d6daacf5f838f0a279b146c13

SHA256
50f3af8a4b14a6e63cdc7817ecb482d7045458b43d786d580b51e8f12d762106

SHA512
6c7b69845cc483a06c68b319b87345240a2288c6183adfdbaaedcb3489af6e80247456bb31529b3981c86a05bb13ea958b1e90b012071fcc7b9267c8b54f0dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8GQKU7LE6XTCNJYM7ZJA.temp

Filesize
7KB

MD5
5ba1754ac1e254da4449242e4407ba62

SHA1
f8edd196c18f707c0819f8b4bb74c3db5356f877

SHA256
094ceb6e3abccfe26875686b03fdca9f2c1499658285a4b15f1648d457cec986

SHA512
ccff2e79bca4ad6711c9bb97190c2078fac74e2d6d88c56de2c5f3ae526c9f432b139acd97e6b125246dc116f0f3594a2870aa9ae5957d75de3698a2593ddd06

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23842\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23842\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23842\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
\Users\Admin\AppData\Local\Temp\a\duschno.exe

Filesize
1.2MB

MD5
c6813da66eba357d0deaa48c2f7032b8

SHA1
6812e46c51f823ff0b0ee17bfce0af72f857af66

SHA256
1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178

SHA512
19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e

Download Submit
memory/544-108-0x0000000000B00000-0x0000000000FB6000-memory.dmp

Filesize
4.7MB

Download
memory/544-2362-0x0000000005C00000-0x0000000005E3A000-memory.dmp

Filesize
2.2MB

Download
memory/544-2363-0x00000000003B0000-0x00000000003D2000-memory.dmp

Filesize
136KB

Download
memory/1120-575-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-577-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-2379-0x0000000000FA0000-0x0000000000FF6000-memory.dmp

Filesize
344KB

Download
memory/1120-2380-0x00000000025D0000-0x000000000261C000-memory.dmp

Filesize
304KB

Download
memory/1120-543-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-545-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-547-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-551-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-553-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-555-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-538-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/1120-536-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/1120-535-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/1120-534-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1120-532-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download
memory/1120-539-0x0000000000CA0000-0x0000000000D66000-memory.dmp

Filesize
792KB

Download
memory/1120-540-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-541-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-549-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-561-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-581-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-595-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-593-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-591-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-589-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-587-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-585-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-583-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-579-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-557-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-559-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-573-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-571-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-569-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-567-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-565-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1120-563-0x0000000000CA0000-0x0000000000D60000-memory.dmp

Filesize
768KB

Download
memory/1308-481-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1308-482-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1380-329-0x0000000000A40000-0x0000000000A50000-memory.dmp

Filesize
64KB

Download
memory/1720-68-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2136-262-0x0000000000860000-0x0000000000870000-memory.dmp

Filesize
64KB

Download
memory/2336-527-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2336-122-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/2652-58-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-2761-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2652-57-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2652-0-0x000007FEF5783000-0x000007FEF5784000-memory.dmp

Filesize
4KB

Download
memory/2652-2799-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2652-2798-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2652-1-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/2652-2-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/2652-2760-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/3004-465-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/3004-466-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/4308-2705-0x0000000000DD0000-0x0000000000E22000-memory.dmp

Filesize
328KB

Download
memory/5764-2762-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/9164-2536-0x000007FEF1720000-0x000007FEF1B8E000-memory.dmp

Filesize
4.4MB

Download