Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dd792996cc...7c.exe

windows7-x64

8

dd792996cc...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2025, 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe

  • Size

    3.6MB

  • MD5

    89ba5e9d24155628896c522b926506d1

  • SHA1

    b87e119f7bd9e421b8fa7c3666ae0921287231fb

  • SHA256

    dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c

  • SHA512

    6c023b78473e0689690825d3a50eb96aded1307a66e2082c127000574d8819642ba927763016b38b9a3cb5a6e6c27c2abe8205a742db20d6ab8e2ac833a28361

  • SSDEEP

    98304:0rhw8VTDKJjizmvxgWHAfbCai0bZG5h3N10zpKVraQ:0lwceizmvxgWHAfg

Score
10/10
xmrigdefense_evasiondiscoveryexecutionminerpersistenceupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file 1 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe
    "C:\Users\Admin\AppData\Local\Temp\dd792996cc7a4240cbf2a275344a13a393d304736034fb09fe280372e34a107c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\main'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4880
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'C:\Programdata'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Programdata'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\ProgramData\Tempsphere\loader.exe
      "C:\ProgramData\Tempsphere\loader.exe"
      2⤵
      • Downloads MZ/PE file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\ProgramData\Tempsphere\runhost.exe
        "runhost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:180
          • C:\Windows\system32\mode.com
            mode 65,10
            5⤵
              PID:4400
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e file.zip -p116401457132732233221366211788 -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:3496
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_8.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:3900
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_7.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1644
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_6.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:3884
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_5.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:4532
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_4.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:8
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_3.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1124
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_2.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:1040
            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
              7z.exe e extracted/file_1.zip -oextracted
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of AdjustPrivilegeToken
              PID:3912
            • C:\Windows\system32\attrib.exe
              attrib +H "svchosts64.exe"
              5⤵
              • Views/modifies file attributes
              PID:4328
            • C:\Users\Admin\AppData\Local\Temp\main\svchosts64.exe
              "svchosts64.exe"
              5⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:4940
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3164
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3528
                • C:\Windows\system32\wusa.exe
                  wusa /uninstall /kb:890830 /quiet /norestart
                  7⤵
                    PID:3792
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop UsoSvc
                  6⤵
                  • Launches sc.exe
                  PID:4620
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop WaaSMedicSvc
                  6⤵
                  • Launches sc.exe
                  PID:1940
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop wuauserv
                  6⤵
                  • Launches sc.exe
                  PID:2892
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop bits
                  6⤵
                  • Launches sc.exe
                  PID:4964
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop dosvc
                  6⤵
                  • Launches sc.exe
                  PID:792
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:620
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1448
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5072
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  6⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1788
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "MRDNTHEZ"
                  6⤵
                  • Launches sc.exe
                  PID:4244
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "MRDNTHEZ" binpath= "C:\ProgramData\pfxskvlrwymw\akeukanvzwhg.exe" start= "auto"
                  6⤵
                  • Launches sc.exe
                  PID:1344
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  6⤵
                  • Launches sc.exe
                  PID:1440
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "MRDNTHEZ"
                  6⤵
                  • Launches sc.exe
                  PID:2496
        • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
          "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
          2⤵
          • Executes dropped EXE
          PID:2904
      • C:\ProgramData\pfxskvlrwymw\akeukanvzwhg.exe
        C:\ProgramData\pfxskvlrwymw\akeukanvzwhg.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2640
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3488
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
              PID:3676
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:4584
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:464
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:452
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:4736
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:1736
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:4868
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1872
          • C:\Windows\system32\powercfg.exe
            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            2⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:624
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:3692
            • C:\Windows\explorer.exe
              explorer.exe
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4260

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Tempsphere\libcurl.dll
            Filesize

            577KB

            MD5

            c82ec4147225a3265c65feb328b05e72

            SHA1

            3e4c30fce1f858ed7656ac46ef878733bb9ad9f1

            SHA256

            18ced2beab443eb8a57ef2bb04df34100e32deb34049ddd82ee9cc329a22fa7f

            SHA512

            4b1d6c431ac70236b7b5e742d89edc57efbaf61b209f7d813ae546602b98a58258218ef51dda16638cf3b19721dd27a9d6c02943bd6984db18c043efffac628d

            Download Submit

          • C:\ProgramData\Tempsphere\loader.exe
            Filesize

            214KB

            MD5

            92b4183563b3b9d42009806a79100396

            SHA1

            6882722eda6cb8c0255595488936dfdedc53f787

            SHA256

            958686bc633c06538ab233791ed5fd9dc45d7d3de6739487f1cb4acec950d460

            SHA512

            fd61c9bed17020f9326d32be99d8c143b2cac264f75e1031e93ce5d691bf1fb4c1c87e60127081b86b542fbd8768f4859baaf4ede6337e2dca9e0fc75840f7d0

            Download Submit

          • C:\ProgramData\Tempsphere\runhost.exe
            Filesize

            6.5MB

            MD5

            37f7c3155de3dfe24058e5c2fbb02457

            SHA1

            5473c15e4a452cdfaf367896767552b293fc1128

            SHA256

            342ed8a02a7d5b6e2bdbac703c670f1817c9f16651e91bcef401210e8d003861

            SHA512

            6ec9f4d81771ba523a63af11d835f83f7c441ccc6d3961e3825463fe03aa71d4704bce50d46e338da6548794872c2aeb7699c2d52d0b14760fef4c24c8a3f95f

            Download Submit

          • C:\ProgramData\Tempsphere\vcruntime140.dll
            Filesize

            86KB

            MD5

            c2bbcb5aae069c22711d8e49d6107401

            SHA1

            475944ffa91d04fc2ef99de22755e46c09b66ac5

            SHA256

            62713886db7fd51b3a1fdcf3a72596b85922fc86fc2128dd72b0ed6fcc8315ab

            SHA512

            15ba28f3ea593c002197c3bac2523d2f7869945364b135995e53620dd85e99e480a10d74cdce4422304db3fb1d02d2e1903c78ecf6c6cb47afe6a10857493c30

            Download Submit

          • C:\ProgramData\Tempsphere\zlib1.dll
            Filesize

            87KB

            MD5

            e3181ce9d8e7fe239d612869d4e4afc3

            SHA1

            1c1057d6442da09059dd1741d3a595ebd577a140

            SHA256

            88e31462b7d6cc43970a849c0e42205ab398a75bf4c6e78209af3dcf1ab2fe01

            SHA512

            daeca18827df5145e20f826bdb0177934205ed4811a2b9a0288b395219196576d2d98f90bfe97c6593ae346cc86919988e6309d1fd88d8f117a6d280c2f04807

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            8e36164c76778c19637405adc15c138d

            SHA1

            5a84b55368cc3c58c628aef578b658fede2a27f4

            SHA256

            bc9323059bc4e6793598b39d942be6720745037ded472e084f2b2b4b60d07f87

            SHA512

            d2dade91b8654b52857af12addc756817910463d5cd366fe9a13d6b23c3f2024ee2603b094bc03815b5f0f28891142d914aa65950e8a073961a4a5a312c25ff4

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6d3e9c29fe44e90aae6ed30ccf799ca8

            SHA1

            c7974ef72264bbdf13a2793ccf1aed11bc565dce

            SHA256

            2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

            SHA512

            60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Xeno.exe
            Filesize

            140KB

            MD5

            f0d6a8ef8299c5f15732a011d90b0be1

            SHA1

            5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

            SHA256

            326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

            SHA512

            5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_saveqjde.dul.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\7z.dll
            Filesize

            1.6MB

            MD5

            72491c7b87a7c2dd350b727444f13bb4

            SHA1

            1e9338d56db7ded386878eab7bb44b8934ab1bc7

            SHA256

            34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

            SHA512

            583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
            Filesize

            2.3MB

            MD5

            8d14f7a91aba7e003e317b6593999843

            SHA1

            82102a2fa3c69138d140318135d317468330fbaf

            SHA256

            940b1339332da8fc54f1ca9d53560ac7737fd1ea815ab60d8ea999ce5da749ec

            SHA512

            74d7240923a54f8b79c23751991791d1811edb9ed9e2a725e82b62de8f63ca444eefdb35d3e25f7ac06b785e58cc557feacbfea958c507b98cb890a0c4312cdb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
            Filesize

            4.0MB

            MD5

            e8516a55726347f63e0c6536d519613a

            SHA1

            a28c7479d55bf3444d8015772ba82f47ef504e50

            SHA256

            e2584c41f4c43a048172bb41b87961161a0b5992a94df9cbafb75d6cfc0e5d37

            SHA512

            8f516087f043fdf38fccc8a80abad98af6ed24e85fd25fc5315beb5eb463263e21a33c7e078672b601e3bd61aab3eaf6c2f2396df3b037f4dcc318210a8e72e3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
            Filesize

            4.0MB

            MD5

            dd85a17419518363ef9893b8112b7fce

            SHA1

            4f15afd281bc855a53fe349537d607f069fbd278

            SHA256

            3609072775830d7983f5c6471561a5ae3c0725439fdc1a491240ab00bb112657

            SHA512

            9fbeef9bb2271d59dcc51811f9ab40c530accc9d948eb221bf37eac68e73233da96d9bf3d72e2ea912ca9e603ef665737335564d17df94d8c0ad8b5f3a4bcdde

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
            Filesize

            4.0MB

            MD5

            48dec71072f350526afcd05a8e381540

            SHA1

            a7f9768d91cbd8dc949ce667f73f3f4644d27293

            SHA256

            fc58dc8ef5037a9d586f1bd0b752de7faf639db1c1b864743b32e21689a07f58

            SHA512

            b2c6f79845f14bd6eeb04c765e6d6e857f1232626cebc4aacf41294b753bfc71b1fb6d3054cf17c581126afe1e0f36ac2c7e1c6876b6132e4bdaa1fc8f82bd7e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
            Filesize

            4.0MB

            MD5

            49fcf760542d4d38e9dfbd40a1f597b3

            SHA1

            abc784eb0f9622680d3f016740edf30f5e4079dd

            SHA256

            1ef7f93f21594f20e5503bd61f0e23669e5e1036445e7f783dfe2898b78e45a3

            SHA512

            9b0e67296ff7920a6eb47e43055e411f8e9fe48b32c0494cbf597204638b045d87ea8360bc140ff276a316db72eadd700fa2f4cb0b30273fd3e5e56108e5bba0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
            Filesize

            4.0MB

            MD5

            69fc58b80d3be792193c998eede77412

            SHA1

            2ac25d0c4f4a764da32fe4885b0211c0d7eb806e

            SHA256

            066d64423179b9d04dfd7d734ecc3a6cdb64086033d53dfaf212be0979d5414c

            SHA512

            9b7ea5dacfcd572acca86755c1a021bee6659f0035a74a4b8d09b34ef4c87133c1c63fbc84bfb9b16254102d4a2a8adaf028f76d04872feec0082c48115da7ce

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
            Filesize

            4.0MB

            MD5

            a9fedb8bf08d56c089de16efd627adeb

            SHA1

            f65903701f717c4566c62cdd9f85c96a0a1b9a62

            SHA256

            04649ee54b85a8c2d1e0afaa68d4f7235bb7414f531bfdfdc6b66a5993e76d31

            SHA512

            0590f441e8e4dc71e0483821f431e8ecaf4545fff35316655caa10b38de5cf9770d07a5f9c0a5386000efae976f7ed9f05173dbdc0923ebfd00d7b1d74bd8d90

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
            Filesize

            4.0MB

            MD5

            27b3cec95521dae2ff55823886efd19f

            SHA1

            fc4a88861a2ee0b71c74706510b33e3ca79a2730

            SHA256

            159730b4447b970a1fb6f149ea8c0a0fbbbef909b853bcec6d52b0f49b452023

            SHA512

            fc855fbecd5786a32392f3209ac31a4d3917e73df26065d70b981a23f27dd189ca25fa966bcb18ca12b949ba0893821b4922b18580ca00848871a4709fd4ad25

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
            Filesize

            5.6MB

            MD5

            a213e483224a94129d45a68cf87bf332

            SHA1

            ce5c1a202d6980c13f0a1f77c020477ba7854a3f

            SHA256

            5fab6f207605e692b5a9040d9ede241beb8bc8f2e4be18be5fd19e31e1f4d4e0

            SHA512

            c3e35d810f509f5c0928ceec09439863f94742e9d0567d555ebd8dd74762dda6f7a3195fd7d7ea628a5e5c7bed636a627dc9c3a34d40d02b57f615cc65be84d3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\extracted\svchosts64.exe
            Filesize

            5.0MB

            MD5

            269a52731eb2a65293b3c4e98da28b01

            SHA1

            d867da5ec5672967fbfa83d2ceb1f7183dd09c63

            SHA256

            a2b1b4454d3e8ef9442a0540130f8fe8fad3b7c162b98d168e566fc06fcbd5c2

            SHA512

            5037f192d0857df4d523e6b3c0cab3c1b0c245fdd8ebf72ae52fc58af553953d53c5a47849491c45d9ec37ffa7daf39f4ab35f24cf770f55484100c293467566

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\file.bin
            Filesize

            5.6MB

            MD5

            44798dd99b34d2cb61b18a5f33224a85

            SHA1

            7d53b6ec40b042a48e673389fb2e74adb8635dc8

            SHA256

            28d06a3ed54fc128fcacc62edef2b58f6146127f268ecf2ab762027f492844ff

            SHA512

            cb64dd445c86daf3da4cb8c0247fd38d1f2809fd2485c7eec6b430f30d46b47c2a00468f6b22953a6947eefb49b245bb69891114ef52c4a53730d3a33f5e8256

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\main\main.bat
            Filesize

            481B

            MD5

            5cab8c883ee58fd6b3236f0aae42951e

            SHA1

            51c670c42706bd3cc14fea4aed2c9c29a4b5a31a

            SHA256

            2ad7ff43d0aeae6cf231fee6c7c92059824261248dcce2263937e96c1b64ff5a

            SHA512

            f796bab96cb0f884b39b9f8d671869232bca88744c342ad9ccfae50bb6f1d288765758feb963ce7eb7b99733032e697cb31312c98d8df636c351437341f7e98e

            Download Submit

          • memory/2124-31-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2124-27-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2124-28-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2124-29-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3488-164-0x0000027EFFEF0000-0x0000027EFFF0C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3488-165-0x0000027EE7D40000-0x0000027EE7D4A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3488-169-0x0000027EE7D80000-0x0000027EE7D8A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3488-168-0x0000027E81400000-0x0000027E81406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/3488-167-0x0000027E813F0000-0x0000027E813F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3488-166-0x0000027EFFF10000-0x0000027EFFF2A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3488-161-0x0000027E811D0000-0x0000027E811EC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3488-162-0x0000027E811F0000-0x0000027E812A5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3488-163-0x0000027EE7D30000-0x0000027EE7D3A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3692-175-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3692-176-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3692-174-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3692-173-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3692-172-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3692-179-0x0000000140000000-0x000000014000E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4004-48-0x00007FF67E0B0000-0x00007FF67E290000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/4260-191-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-182-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-194-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-193-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-192-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-187-0x0000000000C70000-0x0000000000C90000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4260-186-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-185-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-189-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-181-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-183-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-190-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-180-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-188-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4260-184-0x0000000140000000-0x0000000140848000-memory.dmp

            Filesize

            8.3MB

            Download

          • memory/4880-11-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4880-6-0x0000024D69060000-0x0000024D69082000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4880-12-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4880-15-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4880-0-0x00007FFFC7DC3000-0x00007FFFC7DC5000-memory.dmp

            Filesize

            8KB

            Download