Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

หาท�...��.exe

windows11-21h2-x64

10

หาท�...��.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    หาที่อยู่ด้วยเอบร์.exe

  • Size

    8.7MB

  • MD5

    1e936fe7c00a13a03d258247220333cb

  • SHA1

    0625868fe5e8541dca00a87b9dbc76e85a76a7a9

  • SHA256

    f21d3e6de139de0d92d8cdc675d7aa5693d375b1f075dee9deb664bf9961bacd

  • SHA512

    2f809796ebec18540570d9658742a91fb1ae42f44cd0193d7cd020a67f07dfc2f94740ed05aa1a12234063aa2173719953ee74203a794b94c7fc41a8037c5661

  • SSDEEP

    196608:yt20YhrbhcaAKkkdGDJtvMGn7+LCOGeosHnZouA7q:e2trlIKtdGDJCGgjBoEZouA

Score
10/10
xwormexecutionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.126:7000

Mutex

njhjW6ZcD4uLoqX9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 54 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\หาที่อยู่ด้วยเอบร์.exe
    "C:\Users\Admin\AppData\Local\Temp\หาที่อยู่ด้วยเอบร์.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Roaming\GEN18+.exe
      "C:\Users\Admin\AppData\Roaming\GEN18+.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Public\GEN18+.exe
        "C:\Users\Public\GEN18+.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Users\Public\GEN18+.exe
          "C:\Users\Public\GEN18+.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1028
      • C:\Users\Public\ตั่.exe
        "C:\Users\Public\ตั่.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
    • C:\Users\Admin\AppData\Roaming\ตั่.exe
      "C:\Users\Admin\AppData\Roaming\ตั่.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ตั่.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ตั่.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sorillusexe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Sorillusexe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2880
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Sorillusexe" /tr "C:\Users\Admin\AppData\Roaming\Sorillusexe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4460
  • C:\Users\Admin\AppData\Roaming\Sorillusexe
    C:\Users\Admin\AppData\Roaming\Sorillusexe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1332
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
      PID:2088
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4856
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
        PID:4436
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:3688
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:984
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
        • Checks SCSI registry key(s)
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Users\Admin\AppData\Roaming\Sorillusexe
        C:\Users\Admin\AppData\Roaming\Sorillusexe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3124

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        10fb30dc297f99d6ebafa5fee8b24fa2

        SHA1

        76904509313a49a765edcde26b69c3a61f9fa225

        SHA256

        567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a

        SHA512

        c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        98baf5117c4fcec1692067d200c58ab3

        SHA1

        5b33a57b72141e7508b615e17fb621612cb8e390

        SHA256

        30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

        SHA512

        344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\VCRUNTIME140.dll
        Filesize

        116KB

        MD5

        be8dbe2dc77ebe7f88f910c61aec691a

        SHA1

        a19f08bb2b1c1de5bb61daf9f2304531321e0e40

        SHA256

        4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

        SHA512

        0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_bz2.pyd
        Filesize

        83KB

        MD5

        5bebc32957922fe20e927d5c4637f100

        SHA1

        a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

        SHA256

        3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

        SHA512

        afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_ctypes.pyd
        Filesize

        122KB

        MD5

        fb454c5e74582a805bc5e9f3da8edc7b

        SHA1

        782c3fa39393112275120eaf62fc6579c36b5cf8

        SHA256

        74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

        SHA512

        727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_decimal.pyd
        Filesize

        251KB

        MD5

        492c0c36d8ed1b6ca2117869a09214da

        SHA1

        b741cae3e2c9954e726890292fa35034509ef0f6

        SHA256

        b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

        SHA512

        b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_hashlib.pyd
        Filesize

        64KB

        MD5

        da02cefd8151ecb83f697e3bd5280775

        SHA1

        1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

        SHA256

        fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

        SHA512

        a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_lzma.pyd
        Filesize

        156KB

        MD5

        195defe58a7549117e06a57029079702

        SHA1

        3795b02803ca37f399d8883d30c0aa38ad77b5f2

        SHA256

        7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

        SHA512

        c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_multiprocessing.pyd
        Filesize

        34KB

        MD5

        2bd43e8973882e32c9325ef81898ae62

        SHA1

        1e47b0420a2a1c1d910897a96440f1aeef5fa383

        SHA256

        3c34031b464e7881d8f9d182f7387a86b883581fd020280ec56c1e3ec6f4cc2d

        SHA512

        9d51bbd25c836f4f5d1fb9b42853476e13576126b8b521851948bdf08d53b8d4b4f66d2c8071843b01aa5631abdf13dc53c708dba195656a30f262dce30a88ca

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_queue.pyd
        Filesize

        31KB

        MD5

        b7e5fbd7ef3eefff8f502290c0e2b259

        SHA1

        9decba47b1cdb0d511b58c3146d81644e56e3611

        SHA256

        dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

        SHA512

        b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_socket.pyd
        Filesize

        81KB

        MD5

        dd8ff2a3946b8e77264e3f0011d27704

        SHA1

        a2d84cfc4d6410b80eea4b25e8efc08498f78990

        SHA256

        b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

        SHA512

        958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\_ssl.pyd
        Filesize

        174KB

        MD5

        c87c5890039c3bdb55a8bc189256315f

        SHA1

        84ef3c2678314b7f31246471b3300da65cb7e9de

        SHA256

        a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

        SHA512

        e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\base_library.zip
        Filesize

        1.3MB

        MD5

        43935f81d0c08e8ab1dfe88d65af86d8

        SHA1

        abb6eae98264ee4209b81996c956a010ecf9159b

        SHA256

        c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

        SHA512

        06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\certifi\cacert.pem
        Filesize

        284KB

        MD5

        181ac9a809b1a8f1bc39c1c5c777cf2a

        SHA1

        9341e715cea2e6207329e7034365749fca1f37dc

        SHA256

        488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

        SHA512

        e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\charset_normalizer\md.cp312-win_amd64.pyd
        Filesize

        10KB

        MD5

        d9e0217a89d9b9d1d778f7e197e0c191

        SHA1

        ec692661fcc0b89e0c3bde1773a6168d285b4f0d

        SHA256

        ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

        SHA512

        3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
        Filesize

        120KB

        MD5

        bf9a9da1cf3c98346002648c3eae6dcf

        SHA1

        db16c09fdc1722631a7a9c465bfe173d94eb5d8b

        SHA256

        4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

        SHA512

        7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\libcrypto-3.dll
        Filesize

        5.0MB

        MD5

        e547cf6d296a88f5b1c352c116df7c0c

        SHA1

        cafa14e0367f7c13ad140fd556f10f320a039783

        SHA256

        05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

        SHA512

        9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\libffi-8.dll
        Filesize

        38KB

        MD5

        0f8e4992ca92baaf54cc0b43aaccce21

        SHA1

        c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

        SHA256

        eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

        SHA512

        6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\libssl-3.dll
        Filesize

        768KB

        MD5

        19a2aba25456181d5fb572d88ac0e73e

        SHA1

        656ca8cdfc9c3a6379536e2027e93408851483db

        SHA256

        2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

        SHA512

        df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\pyexpat.pyd
        Filesize

        197KB

        MD5

        958231414cc697b3c59a491cc79404a7

        SHA1

        3dec86b90543ea439e145d7426a91a7aca1eaab6

        SHA256

        efd6099b1a6efdadd988d08dce0d8a34bd838106238250bccd201dc7dcd9387f

        SHA512

        fd29d0aab59485340b68dc4552b9e059ffb705d4a64ff9963e1ee8a69d9d96593848d07be70528d1beb02bbbbd69793ee3ea764e43b33879f5c304d8a912c3be

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\python312.dll
        Filesize

        6.6MB

        MD5

        d521654d889666a0bc753320f071ef60

        SHA1

        5fd9b90c5d0527e53c199f94bad540c1e0985db6

        SHA256

        21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

        SHA512

        7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\select.pyd
        Filesize

        30KB

        MD5

        d0cc9fc9a0650ba00bd206720223493b

        SHA1

        295bc204e489572b74cc11801ed8590f808e1618

        SHA256

        411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

        SHA512

        d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\_MEI8042\unicodedata.pyd
        Filesize

        1.1MB

        MD5

        cc8142bedafdfaa50b26c6d07755c7a6

        SHA1

        0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

        SHA256

        bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

        SHA512

        c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2b5ysj3u.noz.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\images\image_1737519529629.jpg
        Filesize

        107KB

        MD5

        1fb30c94e60eb6bf0abab2ccfe4e031e

        SHA1

        a66ebd50f68556626d38cd839b769bd71ea2962a

        SHA256

        4fe446f1ce5bd38de5ec263961d1ab7139ddde833cb9e06d3914e37456932bc5

        SHA512

        643ea0e8521bce46a23c63024f988e6ed56951e7f9fe4cc301f9d4a85498fbdf93c5730757d81e08e8be4094a6251f7f951fab1912eddcc328b09b835a5bd9f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\images\image_1737519532348.jpg
        Filesize

        225KB

        MD5

        08b6aeb682d2a086aba4cd6be1738878

        SHA1

        2b3b000c24f543abe45c1dc82e329db9fa0c1510

        SHA256

        b07d7f8e059e0f9311b1e29a276dd6831da9a992d629cdc2b792d7951f6405b3

        SHA512

        967e1baefee818c23bce3658c2c798d92f999abaf240b3f1772679c264d6c5682b6d242732a2bf407794a38adba26bee35dfc6e8b030c6a1356c5b0f9788b72e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\images\image_1737519545745.jpg
        Filesize

        589KB

        MD5

        5f00250f4489a37342a1941776369280

        SHA1

        09fc2d14d2e8fd24a4652b44233c1b659caf509c

        SHA256

        32d95899aeb61755af7bbfa3f465fe543812959606f78eca08493e1f23687aee

        SHA512

        376fdf5ebbfa778b8002b02bbacc86a5f902d5bdcdde9530f1c75ebe46f4cc345b82891cbf0227fd596ed0a3f346c1926b805edf547c8ee99e4bcf5a201101d9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\GEN18+.exe
        Filesize

        8.6MB

        MD5

        f05ed8b398245fe8f94d3227dd9a3bd6

        SHA1

        d9d33c82725d02ac98c958acf34d03a9ef98b3c9

        SHA256

        87a0882cd5f227f8e223381c4f4d1f5a9eafed619e442f16b98b18bb7a1481cd

        SHA512

        2f4052266c0ca780aec481091ae0ef5946acae95398d61eb73b18d50f9072821e8fb437d6e5f229b8b7af94bec0df59fd04378c264320cfa0f0daf05832412d6

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ตั่.exe
        Filesize

        41KB

        MD5

        949ed9fe677149c42d2a77d3f14dfc7d

        SHA1

        6aeb5488f1664c08b6463658679409e6f66bb46c

        SHA256

        0c96ec60c154ccb2bdba2a35bd96672383a8bc84566a02d8856900368712d93a

        SHA512

        392dab1ada16b5d3a76a611c319586831c8593c7866ff99b6b3e232efe65fa49074485979a43e47fed9c8fe2bba4ad1baf4b6b10d91fe886439b52d891e984c5

        Download Submit

      • C:\Users\Public\GEN18+.exe
        Filesize

        8.6MB

        MD5

        6b83f00de4a3333f9e87dfe1fb5ed6c5

        SHA1

        73c5e6db6530d1dfc27b6c7cc5b2bb93ae48512c

        SHA256

        6b89f78d271319c542e204b3f79308a9557c5e87957a8fb52afa4878f61657c0

        SHA512

        0cd16a98fbaef79594d78dffb4a5a4c481706ffaed3e384580b5b5adda29ad2d671a00eecf9e3755f97b11c617ce9d250bdd7564c34bc0182630a7999b783030

        Download Submit

      • memory/2112-48-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2112-25-0x0000000000900000-0x00000000011AC000-memory.dmp

        Filesize

        8.7MB

        Download

      • memory/2112-26-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2948-177-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2948-28-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2948-182-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2948-110-0x00007FF8FC720000-0x00007FF8FD1E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2948-27-0x0000000000660000-0x0000000000670000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3052-1-0x0000000000310000-0x0000000000BCA000-memory.dmp

        Filesize

        8.7MB

        Download

      • memory/3052-0-0x00007FF8FC723000-0x00007FF8FC725000-memory.dmp

        Filesize

        8KB

        Download

      • memory/5048-121-0x000001D96E200000-0x000001D96E222000-memory.dmp

        Filesize

        136KB

        Download