meduza | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Resubmissions

16-12-2024 05:27

241216-f5kx6awmh1 10

14-12-2024 20:23

14-12-2024 20:22

14-12-2024 20:13

14-12-2024 13:14

14-12-2024 13:12

12-12-2024 18:19

12-12-2024 18:16

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

meduza metasploit redline xworm fvcxcx backdoor collection credential_access discovery execution infostealer persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
hellres
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Extracted

Family

redline

Botnet

fvcxcx

185.81.68.147:1912

Extracted

Family

metasploit

Version

metasploit_stager

176.122.27.90:8888

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/memory/2832-315-0x0000000000AB0000-0x0000000000AC0000-memory.dmp	family_xworm
behavioral3/files/0x00110000000190ce-460.dat	family_xworm

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral3/files/0x0009000000016d25-73.dat	family_meduza
behavioral3/files/0x0008000000016d36-77.dat	family_meduza
behavioral3/files/0x00060000000173fc-83.dat	family_meduza

Meduza family
meduza
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral3/memory/1584-702-0x0000000000E20000-0x0000000000E72000-memory.dmp	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
2316	powershell.exe
2188	powershell.exe
2420	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	hellres.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 25 IoCs

pid	Process
2880	frnd.exe
2752	frnd.exe
2592	hellres.exe
1356	duschno.exe
1388	resp.exe
1992	frnd1.exe
1368	zx.exe
1536	TPB-1.exe
292	zx.exe
2768	TestExe.exe
2832	x.exe
2400	PDFReader.exe
2924	system32.exe
1780	system32.exe
1584	fcxcx.exe
2004	Update.exe
1252	Process not Found
1216	frnd1.exe
2660	frnd1.exe
2440	frnd1.exe
2032	frnd1.exe
1880	frnd1.exe
4048	main.exe
4428	tmp.exe
2708	main.exe

Loads dropped DLL 52 IoCs

pid	Process
2916	New Text Document mod.exe
2880	frnd.exe
2916	New Text Document mod.exe
2916	New Text Document mod.exe
2916	New Text Document mod.exe
2916	New Text Document mod.exe
1368	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
292	zx.exe
2916	New Text Document mod.exe
2924	system32.exe
1780	system32.exe
1780	system32.exe
1780	system32.exe
1780	system32.exe
1780	system32.exe
1780	system32.exe
1780	system32.exe
2916	New Text Document mod.exe
2916	New Text Document mod.exe
1252	Process not Found
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
2916	New Text Document mod.exe
4076	Process not Found
2916	New Text Document mod.exe
2916	New Text Document mod.exe
4048	main.exe
2708	main.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\AB83E7C605CA378892841\\AB83E7C605CA378892841.exe"	Update.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org
38	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 2752	2880	frnd.exe	33
PID 2400 set thread context of 264	2400	PDFReader.exe	62

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/1780-654-0x000007FEEF830000-0x000007FEEFC9E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x000e00000001866e-111.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frnd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1936	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TPB-1.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2592	hellres.exe
688	powershell.exe
2316	powershell.exe
2188	powershell.exe
2420	powershell.exe
1536	TPB-1.exe
2832	x.exe
2004	Update.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1992	frnd1.exe
1584	fcxcx.exe
2004	Update.exe
1584	fcxcx.exe
1584	fcxcx.exe
2004	Update.exe
2004	Update.exe
2004	Update.exe
2004	Update.exe
2004	Update.exe
2004	Update.exe
2004	Update.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	New Text Document mod.exe
Token: SeDebugPrivilege	2592	hellres.exe
Token: SeImpersonatePrivilege	2592	hellres.exe
Token: SeDebugPrivilege	1356	duschno.exe
Token: SeImpersonatePrivilege	1356	duschno.exe
Token: SeDebugPrivilege	1388	resp.exe
Token: SeImpersonatePrivilege	1388	resp.exe
Token: SeDebugPrivilege	1992	frnd1.exe
Token: SeDebugPrivilege	2832	x.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2832	x.exe
Token: SeIncreaseQuotaPrivilege	2004	Update.exe
Token: SeSecurityPrivilege	2004	Update.exe
Token: SeTakeOwnershipPrivilege	2004	Update.exe
Token: SeLoadDriverPrivilege	2004	Update.exe
Token: SeSystemProfilePrivilege	2004	Update.exe
Token: SeSystemtimePrivilege	2004	Update.exe
Token: SeProfSingleProcessPrivilege	2004	Update.exe
Token: SeIncBasePriorityPrivilege	2004	Update.exe
Token: SeCreatePagefilePrivilege	2004	Update.exe
Token: SeBackupPrivilege	2004	Update.exe
Token: SeRestorePrivilege	2004	Update.exe
Token: SeShutdownPrivilege	2004	Update.exe
Token: SeDebugPrivilege	2004	Update.exe
Token: SeSystemEnvironmentPrivilege	2004	Update.exe
Token: SeRemoteShutdownPrivilege	2004	Update.exe
Token: SeUndockPrivilege	2004	Update.exe
Token: SeManageVolumePrivilege	2004	Update.exe
Token: 33	2004	Update.exe
Token: 34	2004	Update.exe
Token: 35	2004	Update.exe
Token: SeDebugPrivilege	264	csc.exe
Token: SeDebugPrivilege	1584	fcxcx.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2880	2916	New Text Document mod.exe	32
PID 2916 wrote to memory of 2880	2916	New Text Document mod.exe	32
PID 2916 wrote to memory of 2880	2916	New Text Document mod.exe	32
PID 2880 wrote to memory of 2752	2880	frnd.exe	33
PID 2880 wrote to memory of 2752	2880	frnd.exe	33
PID 2880 wrote to memory of 2752	2880	frnd.exe	33
PID 2880 wrote to memory of 2752	2880	frnd.exe	33
PID 2916 wrote to memory of 2592	2916	New Text Document mod.exe	34
PID 2916 wrote to memory of 2592	2916	New Text Document mod.exe	34
PID 2916 wrote to memory of 2592	2916	New Text Document mod.exe	34
PID 2916 wrote to memory of 1356	2916	New Text Document mod.exe	35
PID 2916 wrote to memory of 1356	2916	New Text Document mod.exe	35
PID 2916 wrote to memory of 1356	2916	New Text Document mod.exe	35
PID 2916 wrote to memory of 1388	2916	New Text Document mod.exe	37
PID 2916 wrote to memory of 1388	2916	New Text Document mod.exe	37
PID 2916 wrote to memory of 1388	2916	New Text Document mod.exe	37
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1992	2916	New Text Document mod.exe	38
PID 2916 wrote to memory of 1368	2916	New Text Document mod.exe	39
PID 2916 wrote to memory of 1368	2916	New Text Document mod.exe	39
PID 2916 wrote to memory of 1368	2916	New Text Document mod.exe	39
PID 2916 wrote to memory of 1536	2916	New Text Document mod.exe	41
PID 2916 wrote to memory of 1536	2916	New Text Document mod.exe	41
PID 2916 wrote to memory of 1536	2916	New Text Document mod.exe	41
PID 2916 wrote to memory of 1536	2916	New Text Document mod.exe	41
PID 1368 wrote to memory of 292	1368	zx.exe	40
PID 1368 wrote to memory of 292	1368	zx.exe	40
PID 1368 wrote to memory of 292	1368	zx.exe	40
PID 2916 wrote to memory of 2768	2916	New Text Document mod.exe	42
PID 2916 wrote to memory of 2768	2916	New Text Document mod.exe	42
PID 2916 wrote to memory of 2768	2916	New Text Document mod.exe	42
PID 2916 wrote to memory of 2768	2916	New Text Document mod.exe	42
PID 2916 wrote to memory of 2832	2916	New Text Document mod.exe	43
PID 2916 wrote to memory of 2832	2916	New Text Document mod.exe	43
PID 2916 wrote to memory of 2832	2916	New Text Document mod.exe	43
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2916 wrote to memory of 2400	2916	New Text Document mod.exe	44
PID 2832 wrote to memory of 688	2832	x.exe	47
PID 2832 wrote to memory of 688	2832	x.exe	47
PID 2832 wrote to memory of 688	2832	x.exe	47
PID 2832 wrote to memory of 2316	2832	x.exe	49
PID 2832 wrote to memory of 2316	2832	x.exe	49
PID 2832 wrote to memory of 2316	2832	x.exe	49
PID 2832 wrote to memory of 2188	2832	x.exe	51
PID 2832 wrote to memory of 2188	2832	x.exe	51
PID 2832 wrote to memory of 2188	2832	x.exe	51
PID 2832 wrote to memory of 2420	2832	x.exe	53
PID 2832 wrote to memory of 2420	2832	x.exe	53
PID 2832 wrote to memory of 2420	2832	x.exe	53
PID 2916 wrote to memory of 2924	2916	New Text Document mod.exe	55
PID 2916 wrote to memory of 2924	2916	New Text Document mod.exe	55
PID 2916 wrote to memory of 2924	2916	New Text Document mod.exe	55
PID 2924 wrote to memory of 1780	2924	system32.exe	56
PID 2924 wrote to memory of 1780	2924	system32.exe	56

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hellres.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\a\hellres.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hellres.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\a\duschno.exe
  "C:\Users\Admin\AppData\Local\Temp\a\duschno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\a\resp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\resp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2440
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    PID:1880
- C:\Users\Admin\AppData\Local\Temp\a\zx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:292
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe" & rd /s /q "C:\ProgramData\OP8QIECJ5XBI" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1936
- C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\a\x.exe
  "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1780
- C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\a\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\a\main.exe
  "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\a\main.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Java Update (32bit).exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
759dcba68c8e3997a1a408a455bb92f4

SHA1
875931a81d00d4d3676520a48cb22e881a35e70a

SHA256
29559b41e33625c91ad4524875e69a48c2fea9b5eba1ba88149d1fd2ed38c781

SHA512
783e8571366ab8930c0d94c44642f8a982590b2bc13ba9ce9508f700057a64f2e01399d80d0222612837829e3e7603f42d6ae69801eef2221b16defdda63a291

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
771a258e04b48c822904a4c9d2857a53

SHA1
893eca28975f2e423854e718c94f63dd2a574ce8

SHA256
7848762cec505a3cb438525dcf65820cce90c49a8b1d4fcca199d0122cc8ddca

SHA512
1ccfe1472a259f331ed9c64a9017b6bcc4c2a4ca1e33024d7b6e3e3cc5e6edfaa1f38102bc7d5722517d94ee40755c65dd432e4eddaabae310eb3511a0b1ea7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4f6089abd2f7bb5d06fa9a69e627c84

SHA1
a4ad09f795828884b571778da767b188ba3eb4b9

SHA256
327b7608965a0095dc0452c265963c45a9d6a62d788203a4d5c49addd50ed1e4

SHA512
efbaf73ecf31a66b11c4053a3d038dbbf57f24aa77446ced4ff385d56071687044818430dbc548970552654caaeea19a0fce013037bb149123a1c11167a293ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8C0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13682\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13682\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
203KB

MD5
8ba8994283713a778391d7607a039989

SHA1
86e2cc10ae3a8a7040bc5958c45e680fbdbd1c19

SHA256
5746d38d3f64fd37ad4aa158d119eec1378e6298bd105323d5ffc791b9f5e88a

SHA512
5b74b96cec6ce7424604c9903656dd8b26178b09ce76cf68cdbba2d39b28010c001c6818ac3fea9418ffa6c3a57a952c2b6afa5c53af5ca52157a940a734dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
02701f8d91714c583decdd43635ff407

SHA1
855b8eeffcd217735d1ba6395bbb6647140ecca4

SHA256
41ba86941c72b5e160359e4b851251350958ca56e1d5aa897f0917eb51c5bd2e

SHA512
42930c89943297413933857c8ceac9eec924ce3093fd78da8f75930abdda540407781caf2fe32d4e7019cbd20171485a9d6389b4c03b0600edbaac597577c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe

Filesize
4.7MB

MD5
8ceaf0f122909e63199c9f21f45e5098

SHA1
5ff6ef7983db06cd0ecf4e622db3b7a541c2a6a6

SHA256
36fbd1bed8e9cbccb8a2d0cb4530a0669faa97fac45efb44c9635e8ba1552d5e

SHA512
f56eecda400f58e9d632bac9d73fb510670c28aa6ba6ba2c422045bba567b9d33450e7dcc883a7f5ae2aa971d1751b1b31ff217d9736c3a5ca6f0a3edbf98870

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hellres.exe

Filesize
1.2MB

MD5
2511d20918fe5495f4cec12ed8e010df

SHA1
1a1d3f5c67f93021868e9fa4682f576f482ba86e

SHA256
0ab815e72b9490ff95cc216c08aa6503d1610e052793d433732a3b28c25c5d71

SHA512
849994cd3e0aa394041f0f23908fdc2440366685c3a3035c224cf1048f7eb73f6c30ac670de72b9a276fe080e965fba3b500d0c49dab91892683377b9db90402

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe

Filesize
7KB

MD5
459976dc3440b9fe9614d2e7c246af02

SHA1
ea72df634719681351c66aea8b616349bf4b1cba

SHA256
d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811

SHA512
368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W0PCFUXOWN09W1D0CMBQ.temp

Filesize
7KB

MD5
7a1425f30e4c6769962825f15eaf2661

SHA1
7e101fc3e786a4c02487c866fd9d685a35f2ce0b

SHA256
7f4e663c15c7fba87690cf33363f6d5618574412cedff073b8b87842b0cad696

SHA512
f4aa6a6e934f15c1eda094b00b3fef467e994c36b5ac74c9d960cb2174ba110d49e07252b38480f3955893d1e73f88b7ed16a5f5c2c96ac85fff9cbd0481c407

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13682\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
\Users\Admin\AppData\Local\Temp\a\duschno.exe

Filesize
1.2MB

MD5
c6813da66eba357d0deaa48c2f7032b8

SHA1
6812e46c51f823ff0b0ee17bfce0af72f857af66

SHA256
1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178

SHA512
19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e

Download Submit
\Users\Admin\AppData\Local\Temp\a\frnd.exe

Filesize
4.1MB

MD5
298f1cd4f1804f025564bdb392538183

SHA1
cc6cac6c7e6be5f6b00a3714c856c1155b6d7e17

SHA256
8d5fd6e273be8cea765bc75fd9af3db49e58578305cb9d08fa357709f0b7ce35

SHA512
6eead00ed3d0c5c9b829191d025095c1468697169c388dac0a1325d955737311ab7db21ddbf1dae723f13801b78d63f98ba9725ab3affffe1011cee4e71c4535

Download Submit
\Users\Admin\AppData\Local\Temp\a\resp.exe

Filesize
1.2MB

MD5
bee040fc0caf73ee0cb2e55d4c703f22

SHA1
6bf7f1fa9dcf930190cabfba9abde2e7faab486f

SHA256
940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b

SHA512
ec45afc4a8626dc813462a3c65b57a75f96233e9e66a0d9d60953fa2e29ec1a1c48c9ccf00f8f0e0ad3ff37e8c98c673c5b2309ff77475896ec57897d73551b2

Download Submit
\Users\Admin\AppData\Local\Temp\a\zx.exe

Filesize
5.6MB

MD5
bb0be25bdd2121fa0bddf6ac59d4fa8d

SHA1
c24f80b6344ecc9d6daacf5f838f0a279b146c13

SHA256
50f3af8a4b14a6e63cdc7817ecb482d7045458b43d786d580b51e8f12d762106

SHA512
6c7b69845cc483a06c68b319b87345240a2288c6183adfdbaaedcb3489af6e80247456bb31529b3981c86a05bb13ea958b1e90b012071fcc7b9267c8b54f0dab

Download Submit
memory/264-732-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-740-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-2541-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/264-2542-0x00000000009A0000-0x00000000009EC000-memory.dmp

Filesize
304KB

Download
memory/264-746-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-748-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-750-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-752-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-754-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-756-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-758-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-760-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-762-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-764-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-766-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-768-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-717-0x0000000000150000-0x00000000001EA000-memory.dmp

Filesize
616KB

Download
memory/264-715-0x0000000000150000-0x00000000001EA000-memory.dmp

Filesize
616KB

Download
memory/264-714-0x0000000000150000-0x00000000001EA000-memory.dmp

Filesize
616KB

Download
memory/264-713-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/264-711-0x0000000000150000-0x00000000001EA000-memory.dmp

Filesize
616KB

Download
memory/264-718-0x0000000000B50000-0x0000000000C16000-memory.dmp

Filesize
792KB

Download
memory/264-730-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-728-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-726-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-724-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-722-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-720-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-719-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-744-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-742-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-770-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-738-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-736-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-734-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-772-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/264-774-0x0000000000B50000-0x0000000000C10000-memory.dmp

Filesize
768KB

Download
memory/688-425-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/688-426-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1536-174-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1536-701-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/1584-702-0x0000000000E20000-0x0000000000E72000-memory.dmp

Filesize
328KB

Download
memory/1780-654-0x000007FEEF830000-0x000007FEEFC9E000-memory.dmp

Filesize
4.4MB

Download
memory/1992-2688-0x0000000005D70000-0x0000000005FAA000-memory.dmp

Filesize
2.2MB

Download
memory/1992-2689-0x00000000009E0000-0x0000000000A02000-memory.dmp

Filesize
136KB

Download
memory/1992-108-0x0000000000380000-0x0000000000836000-memory.dmp

Filesize
4.7MB

Download
memory/2316-431-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2316-432-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2752-66-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

Filesize
4KB

Download
memory/2768-277-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2832-315-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2916-80-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2916-74-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2916-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2916-1-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2916-2741-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2916-2740-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2916-2744-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/2916-2745-0x0000000140000000-0x0000000140005000-memory.dmp

Filesize
20KB

Download
memory/4428-2742-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download