amadey | 3ae87c4d09741bd34d70d3dcda4a422cb9116f50ef96d4fb134be85bf7ea1fb0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe
Size

14.8MB
MD5

4e745efd0aae40ef661716606f42c192
SHA1

e1fff852f1f9a5dfd3f207bc439eb9515f64c992
SHA256

3ae87c4d09741bd34d70d3dcda4a422cb9116f50ef96d4fb134be85bf7ea1fb0
SHA512

27d41c13ac6916719606ea06ad77c6c0e38126ea954efbbe07c286356bc17af4e631c4a9a64b3589b2e5927f095a582489dde910baa490bc7cdba73bb550777b
SSDEEP

393216:InRHi9WJdoyMxtDDAx/k588YwFV/dIa8wp2j09qXAyYDHMDYrsdb:SHY+doy2AN8YYVSa8bjVABHAdb

Score

10^/10

amadey svcstealer 2128e7 defense_evasion discovery downloader persistence pyinstaller spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

5.30

Botnet

2128e7

http://185.81.68.156

Attributes

install_dir
f917d25a84
install_file
Gxtuum.exe
strings_key
18df5e065d410729e56d0ce2b95f56d8
url_paths
/jb87ejvjdsS/index.php

rc4.plain

Extracted

Family

svcstealer

Version

3.2

185.81.68.156

176.113.115.149

Attributes

url_paths
/svcstealer/get.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects SvcStealer Payload 64 IoCs

SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

resource	yara_rule
behavioral2/files/0x000800000002422c-7.dat	family_svcstealer
behavioral2/memory/2248-10-0x00007FF622580000-0x00007FF62261F000-memory.dmp	family_svcstealer
behavioral2/memory/3508-21-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/3508-30-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/2248-31-0x00007FF622580000-0x00007FF62261F000-memory.dmp	family_svcstealer
behavioral2/memory/3508-28-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/4812-157-0x00007FF72E560000-0x00007FF72E5FF000-memory.dmp	family_svcstealer
behavioral2/memory/5372-159-0x00007FF622580000-0x00007FF62261F000-memory.dmp	family_svcstealer
behavioral2/memory/5116-175-0x00007FF7D0DD0000-0x00007FF7D0E6F000-memory.dmp	family_svcstealer
behavioral2/memory/5116-174-0x00007FF7D0DD0000-0x00007FF7D0E6F000-memory.dmp	family_svcstealer
behavioral2/memory/3508-24-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/3508-14-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/3508-15-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/5504-178-0x00007FF6094D0000-0x00007FF60956F000-memory.dmp	family_svcstealer
behavioral2/memory/1276-181-0x00007FF7F5780000-0x00007FF7F581F000-memory.dmp	family_svcstealer
behavioral2/memory/896-199-0x00007FF67AC40000-0x00007FF67AD45000-memory.dmp	family_svcstealer
behavioral2/memory/3140-198-0x00007FF67AC40000-0x00007FF67AD45000-memory.dmp	family_svcstealer
behavioral2/memory/3508-197-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/files/0x004d0000000237fc-196.dat	family_svcstealer
behavioral2/memory/3508-185-0x0000000002FB0000-0x0000000003055000-memory.dmp	family_svcstealer
behavioral2/memory/4320-207-0x00007FF7938E0000-0x00007FF7939E5000-memory.dmp	family_svcstealer
behavioral2/memory/4320-206-0x00007FF7938E0000-0x00007FF7939E5000-memory.dmp	family_svcstealer
behavioral2/memory/4416-214-0x00007FF7E57E0000-0x00007FF7E58E5000-memory.dmp	family_svcstealer
behavioral2/memory/436-221-0x00007FF675610000-0x00007FF675715000-memory.dmp	family_svcstealer
behavioral2/memory/436-220-0x00007FF675610000-0x00007FF675715000-memory.dmp	family_svcstealer
behavioral2/memory/4620-236-0x00000148537C0000-0x00000148538F0000-memory.dmp	family_svcstealer
behavioral2/memory/4620-235-0x00000148537C0000-0x00000148538F0000-memory.dmp	family_svcstealer
behavioral2/memory/4636-284-0x00007FF661610000-0x00007FF661715000-memory.dmp	family_svcstealer
behavioral2/memory/4636-285-0x00007FF661610000-0x00007FF661715000-memory.dmp	family_svcstealer
behavioral2/memory/5884-295-0x00007FF6A3460000-0x00007FF6A3565000-memory.dmp	family_svcstealer
behavioral2/memory/5884-294-0x00007FF6A3460000-0x00007FF6A3565000-memory.dmp	family_svcstealer
behavioral2/memory/4456-304-0x00007FF671B80000-0x00007FF671C85000-memory.dmp	family_svcstealer
behavioral2/memory/4456-302-0x00007FF671B80000-0x00007FF671C85000-memory.dmp	family_svcstealer
behavioral2/memory/4540-317-0x00007FF6B4C70000-0x00007FF6B4D75000-memory.dmp	family_svcstealer
behavioral2/memory/4540-316-0x00007FF6B4C70000-0x00007FF6B4D75000-memory.dmp	family_svcstealer
behavioral2/memory/5504-323-0x00007FF6D5180000-0x00007FF6D5285000-memory.dmp	family_svcstealer
behavioral2/memory/5504-324-0x00007FF6D5180000-0x00007FF6D5285000-memory.dmp	family_svcstealer
behavioral2/memory/2376-330-0x00007FF65C580000-0x00007FF65C685000-memory.dmp	family_svcstealer
behavioral2/memory/2376-331-0x00007FF65C580000-0x00007FF65C685000-memory.dmp	family_svcstealer
behavioral2/memory/4040-337-0x00007FF684CC0000-0x00007FF684DC5000-memory.dmp	family_svcstealer
behavioral2/memory/4040-338-0x00007FF684CC0000-0x00007FF684DC5000-memory.dmp	family_svcstealer
behavioral2/memory/3196-345-0x00007FF683750000-0x00007FF683855000-memory.dmp	family_svcstealer
behavioral2/memory/1252-351-0x00007FF6D0EA0000-0x00007FF6D0FA5000-memory.dmp	family_svcstealer
behavioral2/memory/1252-352-0x00007FF6D0EA0000-0x00007FF6D0FA5000-memory.dmp	family_svcstealer
behavioral2/memory/3056-358-0x00007FF6E2950000-0x00007FF6E2A55000-memory.dmp	family_svcstealer
behavioral2/memory/3056-359-0x00007FF6E2950000-0x00007FF6E2A55000-memory.dmp	family_svcstealer
behavioral2/memory/3256-371-0x00007FF694DB0000-0x00007FF694EB5000-memory.dmp	family_svcstealer
behavioral2/memory/3256-372-0x00007FF694DB0000-0x00007FF694EB5000-memory.dmp	family_svcstealer
behavioral2/memory/4684-379-0x00007FF754F60000-0x00007FF755065000-memory.dmp	family_svcstealer
behavioral2/memory/4684-380-0x00007FF754F60000-0x00007FF755065000-memory.dmp	family_svcstealer
behavioral2/memory/4600-394-0x00007FF79B3D0000-0x00007FF79B4D5000-memory.dmp	family_svcstealer
behavioral2/memory/4976-419-0x00007FF7BB930000-0x00007FF7BBA35000-memory.dmp	family_svcstealer
behavioral2/memory/5628-425-0x00007FF71AED0000-0x00007FF71AFD5000-memory.dmp	family_svcstealer
behavioral2/memory/2912-431-0x00007FF6F6F70000-0x00007FF6F7075000-memory.dmp	family_svcstealer
behavioral2/memory/2912-432-0x00007FF6F6F70000-0x00007FF6F7075000-memory.dmp	family_svcstealer
behavioral2/memory/5204-467-0x00007FF723F20000-0x00007FF724025000-memory.dmp	family_svcstealer
behavioral2/memory/5204-468-0x00007FF723F20000-0x00007FF724025000-memory.dmp	family_svcstealer
behavioral2/memory/6000-476-0x00007FF78B410000-0x00007FF78B515000-memory.dmp	family_svcstealer
behavioral2/memory/4896-483-0x00007FF7A4D00000-0x00007FF7A4E05000-memory.dmp	family_svcstealer
behavioral2/memory/5832-500-0x00007FF752810000-0x00007FF752915000-memory.dmp	family_svcstealer
behavioral2/memory/5832-499-0x00007FF752810000-0x00007FF752915000-memory.dmp	family_svcstealer
behavioral2/memory/5460-514-0x00007FF6E2B10000-0x00007FF6E2C15000-memory.dmp	family_svcstealer
behavioral2/memory/5460-513-0x00007FF6E2B10000-0x00007FF6E2C15000-memory.dmp	family_svcstealer
behavioral2/memory/4320-521-0x00007FF64AE80000-0x00007FF64AF85000-memory.dmp	family_svcstealer

SvcStealer, Diamotrix
SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.
stealer downloader svcstealer
Svcstealer family
svcstealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	LauncherApps.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
41	3776	rundll32.exe
72	4540	rundll32.exe

Downloads MZ/PE file 7 IoCs

flow	pid	Process
61	4620	kjjhg.exe
61	4620	kjjhg.exe
24	4972	Gxtuum.exe
40	4972	Gxtuum.exe
40	4972	Gxtuum.exe
40	4972	Gxtuum.exe
40	4972	Gxtuum.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LauncherApps.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LauncherApps.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	crvcvdds.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	kjjhg.exe

Executes dropped EXE 64 IoCs

pid	Process
2248	fvbtyfda.exe
772	nbbcvxuf.exe
4092	crvcvdds.exe
4444	LauncherApps.exe
4624	nbbcvxuf.exe
4812	ffdcdbadbafbec.exe
4696	ffdcdbadbafbec.exe
5372	fvbtyfda.exe
4972	Gxtuum.exe
5116	ffdcdbadbafbec.exe
5504	ffdcdbadbafbec.exe
1276	ffdcdbadbafbec.exe
3140	ffdcdbadbafbec.exe
896	ffdcdbadbafbec.exe
4320	ffdcdbadbafbec.exe
4416	ffdcdbadbafbec.exe
436	ffdcdbadbafbec.exe
4620	kjjhg.exe
4636	ffdcdbadbafbec.exe
5884	ffdcdbadbafbec.exe
4456	ffdcdbadbafbec.exe
4540	ffdcdbadbafbec.exe
820	Gxtuum.exe
5504	ffdcdbadbafbec.exe
2376	ffdcdbadbafbec.exe
4040	ffdcdbadbafbec.exe
3196	ffdcdbadbafbec.exe
1252	ffdcdbadbafbec.exe
3056	ffdcdbadbafbec.exe
3256	ffdcdbadbafbec.exe
4684	ffdcdbadbafbec.exe
4600	ffdcdbadbafbec.exe
5084	uu.exe
5976	uu.exe
4980	winserv.exe
4976	ffdcdbadbafbec.exe
5628	ffdcdbadbafbec.exe
2912	ffdcdbadbafbec.exe
4820	zz.exe
5204	ffdcdbadbafbec.exe
6000	ffdcdbadbafbec.exe
4896	ffdcdbadbafbec.exe
3140	temp_25886.exe
5832	ffdcdbadbafbec.exe
5548	temp_25896.exe
5460	ffdcdbadbafbec.exe
4320	ffdcdbadbafbec.exe
4812	ffdcdbadbafbec.exe
4884	ffdcdbadbafbec.exe
2984	67FD.tmp.exe
5976	ffdcdbadbafbec.exe
4908	ffdcdbadbafbec.exe
1832	ffdcdbadbafbec.exe
752	ffdcdbadbafbec.exe
3892	ffdcdbadbafbec.exe
5780	ffdcdbadbafbec.exe
3280	ffdcdbadbafbec.exe
2592	ffdcdbadbafbec.exe
1872	zx.exe
4560	zx.exe
636	ffdcdbadbafbec.exe
2128	Gxtuum.exe
4800	ffdcdbadbafbec.exe
4872	ffdcdbadbafbec.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Wine	LauncherApps.exe

Loads dropped DLL 17 IoCs

pid	Process
4624	nbbcvxuf.exe
4624	nbbcvxuf.exe
4624	nbbcvxuf.exe
4624	nbbcvxuf.exe
4624	nbbcvxuf.exe
3776	rundll32.exe
4560	zx.exe
4560	zx.exe
4560	zx.exe
4560	zx.exe
4560	zx.exe
4540	rundll32.exe
2156	temp_25902.exe
2156	temp_25902.exe
2156	temp_25902.exe
2156	temp_25902.exe
2156	temp_25902.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffdcdbadbafbec = "\"C:\\ProgramData\\fvbtyfda.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffdcdbadbafbec = "\"C:\\ProgramData\\ffdcdbadbafbec.exe\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ffdcdbadbafbec = "\"C:\\ProgramData\\ffdcdbadbafbec.exe\""	fvbtyfda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10000840101\\uu.exe"	uu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemServices = "C:\\Users\\Admin\\AppData\\Roaming\\Winserv\\winserv.exe"	uu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4444	LauncherApps.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	crvcvdds.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000024231-38.dat	pyinstaller
behavioral2/files/0x000900000002423a-613.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crvcvdds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7519.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LauncherApps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp_25886.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	fvbtyfda.exe
2248	fvbtyfda.exe
4444	LauncherApps.exe
4444	LauncherApps.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe
4620	kjjhg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE
Token: SeShutdownPrivilege	3508	Explorer.EXE
Token: SeCreatePagefilePrivilege	3508	Explorer.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4092	crvcvdds.exe
4444	LauncherApps.exe
3508	Explorer.EXE
3508	Explorer.EXE
4444	LauncherApps.exe
3508	Explorer.EXE
3508	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4444	LauncherApps.exe
4444	LauncherApps.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4444	LauncherApps.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2248	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	86
PID 2612 wrote to memory of 2248	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	86
PID 2248 wrote to memory of 3508	2248	fvbtyfda.exe	56
PID 3508 wrote to memory of 5388	3508	Explorer.EXE	87
PID 3508 wrote to memory of 5388	3508	Explorer.EXE	87
PID 3508 wrote to memory of 1244	3508	Explorer.EXE	88
PID 3508 wrote to memory of 1244	3508	Explorer.EXE	88
PID 3508 wrote to memory of 5220	3508	Explorer.EXE	89
PID 3508 wrote to memory of 5220	3508	Explorer.EXE	89
PID 2612 wrote to memory of 772	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	90
PID 2612 wrote to memory of 772	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	90
PID 2612 wrote to memory of 4092	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	94
PID 2612 wrote to memory of 4092	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	94
PID 2612 wrote to memory of 4092	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	94
PID 2612 wrote to memory of 4444	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	95
PID 2612 wrote to memory of 4444	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	95
PID 2612 wrote to memory of 4444	2612	2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe	95
PID 772 wrote to memory of 4624	772	nbbcvxuf.exe	96
PID 772 wrote to memory of 4624	772	nbbcvxuf.exe	96
PID 5220 wrote to memory of 4812	5220	cmd.exe	97
PID 5220 wrote to memory of 4812	5220	cmd.exe	97
PID 5388 wrote to memory of 4696	5388	cmd.exe	98
PID 5388 wrote to memory of 4696	5388	cmd.exe	98
PID 1244 wrote to memory of 5372	1244	cmd.exe	99
PID 1244 wrote to memory of 5372	1244	cmd.exe	99
PID 3508 wrote to memory of 5384	3508	Explorer.EXE	100
PID 3508 wrote to memory of 5384	3508	Explorer.EXE	100
PID 4092 wrote to memory of 4972	4092	crvcvdds.exe	102
PID 4092 wrote to memory of 4972	4092	crvcvdds.exe	102
PID 4092 wrote to memory of 4972	4092	crvcvdds.exe	102
PID 5384 wrote to memory of 5116	5384	cmd.exe	103
PID 5384 wrote to memory of 5116	5384	cmd.exe	103
PID 3508 wrote to memory of 5876	3508	Explorer.EXE	109
PID 3508 wrote to memory of 5876	3508	Explorer.EXE	109
PID 5876 wrote to memory of 5504	5876	cmd.exe	152
PID 5876 wrote to memory of 5504	5876	cmd.exe	152
PID 3508 wrote to memory of 3196	3508	Explorer.EXE	162
PID 3508 wrote to memory of 3196	3508	Explorer.EXE	162
PID 3196 wrote to memory of 1276	3196	cmd.exe	161
PID 3196 wrote to memory of 1276	3196	cmd.exe	161
PID 3508 wrote to memory of 4632	3508	Explorer.EXE	118
PID 3508 wrote to memory of 4632	3508	Explorer.EXE	118
PID 3508 wrote to memory of 2292	3508	Explorer.EXE	120
PID 3508 wrote to memory of 2292	3508	Explorer.EXE	120
PID 2292 wrote to memory of 3140	2292	cmd.exe	122
PID 2292 wrote to memory of 3140	2292	cmd.exe	122
PID 4632 wrote to memory of 896	4632	cmd.exe	123
PID 4632 wrote to memory of 896	4632	cmd.exe	123
PID 3508 wrote to memory of 3064	3508	Explorer.EXE	125
PID 3508 wrote to memory of 3064	3508	Explorer.EXE	125
PID 3064 wrote to memory of 4320	3064	cmd.exe	127
PID 3064 wrote to memory of 4320	3064	cmd.exe	127
PID 3508 wrote to memory of 5784	3508	Explorer.EXE	130
PID 3508 wrote to memory of 5784	3508	Explorer.EXE	130
PID 5784 wrote to memory of 4416	5784	cmd.exe	132
PID 5784 wrote to memory of 4416	5784	cmd.exe	132
PID 3508 wrote to memory of 212	3508	Explorer.EXE	133
PID 3508 wrote to memory of 212	3508	Explorer.EXE	133
PID 212 wrote to memory of 436	212	cmd.exe	135
PID 212 wrote to memory of 436	212	cmd.exe	135
PID 4972 wrote to memory of 4620	4972	Gxtuum.exe	136
PID 4972 wrote to memory of 4620	4972	Gxtuum.exe	136
PID 3508 wrote to memory of 4764	3508	Explorer.EXE	137
PID 3508 wrote to memory of 4764	3508	Explorer.EXE	137

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-29_4e745efd0aae40ef661716606f42c192_amadey_black-basta_cobalt-strike_luca-stealer_satacom_smoke-loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\ProgramData\fvbtyfda.exe
    "C:\ProgramData\fvbtyfda.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2248
- - C:\ProgramData\nbbcvxuf.exe
    "C:\ProgramData\nbbcvxuf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\ProgramData\nbbcvxuf.exe
      "C:\ProgramData\nbbcvxuf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4624
- - C:\ProgramData\crvcvdds.exe
    "C:\ProgramData\crvcvdds.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe"
      4⤵
      Downloads MZ/PE file
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\10000650101\kjjhg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000650101\kjjhg.exe"
        5⤵
        Downloads MZ/PE file
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\temp_25886.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_25886.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\temp_25896.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_25896.exe"
        6⤵
        Executes dropped EXE
        
        PID:5548
      - C:\Users\Admin\AppData\Local\Temp\temp_25902.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_25902.exe"
        6⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\temp_25902.exe
        
        "C:\Users\Admin\AppData\Local\Temp\temp_25902.exe"
        7⤵
        Loads dropped DLL
        
        PID:2156
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7ae14b05c802cd\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3776
    - - C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe"
        5⤵
        Executes dropped EXE
        
        PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe"
        5⤵
        Executes dropped EXE
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4560
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\7ae14b05c802cd\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4540
- - C:\Users\Admin\AppData\Local\Temp\LauncherApps.exe
    "C:\Users\Admin\AppData\Local\Temp\LauncherApps.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5388
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\fvbtyfda.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\ProgramData\fvbtyfda.exe
    C:\ProgramData\fvbtyfda.exe
    3⤵
    - Executes dropped EXE
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5220
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5384
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5876
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5784
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4764
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2416
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1788
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3692
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1792
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5864
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2140
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1940
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1276
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1172
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3496
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4464
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3864
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4808
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
  2⤵
  PID:5884
- - C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
    C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
  2⤵
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3448
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3500
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:6044
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:2912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5152
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5200
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:6000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:6008
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1900
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2624
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3832
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5268
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4792
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\67FD.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\67FD.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5952
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1360
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4088
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5600
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2556
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4040
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:5780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2296
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1704
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2132
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5740
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3012
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    - Executes dropped EXE
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2036
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2016
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4648
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4496
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4076
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2376
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4220
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5868
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5464
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1404
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5652
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5148
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3056
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:6040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:844
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4416
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2132
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4812
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5508
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:4756
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:704
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5952
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2492
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:388
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5244
- C:\Users\Admin\AppData\Local\Temp\7519.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\7519.tmp.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3244
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3912
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1480
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:3892
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:972
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5204
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:5152
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:2576
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\ProgramData\ffdcdbadbafbec.exe"
  2⤵
  PID:1372
- - C:\ProgramData\ffdcdbadbafbec.exe
    C:\ProgramData\ffdcdbadbafbec.exe
    3⤵
    PID:5148

C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2128

C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\f917d25a84\Gxtuum.exe
1⤵
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\crvcvdds.exe

Filesize
429KB

MD5
8b12410737d2ea98450d892a8f838c3f

SHA1
1b60e0e7dc1a46d421db6c876274971f7d9f8944

SHA256
f700d0b50bb04e46842ba6448e91059d4c6499ab4a2500a82871edecb62ef026

SHA512
d3fcce4443b1d922fdd6d1541271cbbc938542424f6fc9b3cd8589f9d78c7654828e0deaa221fe4631a367c860716d2317a62251540f6358a3e3278fc76007dd

Download Submit
C:\ProgramData\ffdcdbadbafbec.cfg

Filesize
18B

MD5
abc60b937f6d48e2280d1f32b6561264

SHA1
994d4abe04ea7c2f5af0805a5147791c622d0ca7

SHA256
379ca58c2cebab3e5247e81769b6f69f9dc1963baee0dda99e2fde738f04ab7d

SHA512
82910e2dda0945f4aa670fb6a5288e9c698c68f24d1ffefd54628a9e56a2dd63a3625a7c164449d753d04611cc9eddce806195062cf194f2128e27b17330e36e

Download Submit
C:\ProgramData\ffdcdbadbafbec.exe

Filesize
1021KB

MD5
942e285920589ef847f851c6b6bf5f19

SHA1
2e71b51c07d0b5b9c4fbfef187565c77af8164d8

SHA256
32146febb4fdc0f80c8460696c5063d3dcbf1af3989f599b31cba52680cf2aff

SHA512
c4623e113eaa98dcf8a487ebff515f88251892c4d1ffd35959d77811c1e6a959015e3a73dcacae83fadcb1ba1eb86951b4e32fabef05584b18db2fc3705bc8f2

Download Submit
C:\ProgramData\fvbtyfda.exe

Filesize
615KB

MD5
87e4e839db4c5b351eabcc6bcfb8090a

SHA1
7f69c1475374ac492d05a999f04eba76d76b31b7

SHA256
6add58b1952bae305852709d553dc0ec3f0ac0565a502d6caff9488659f4bcbf

SHA512
60a4826daa190dd608296ac4111d6c4d1c9db075f294ad6380cee310c73ff7399ed1ae918e696c4b0f5c254a60cf5fdbe909a6666d67a79d5540a6b45e69bc26

Download Submit
C:\ProgramData\nbbcvxuf.exe

Filesize
5.6MB

MD5
a65a454d5438727f5196a9369feb3813

SHA1
753cd2c461276119f531ffec22ab2f68559d83d6

SHA256
72cb41fd2724a13ffb9b980b0b36032a6162a15293c56fc11c6bcaf8b3a45d31

SHA512
4d2b6ca2fe670f273c56eed30428a3eb0b1fc0798108cacec0ae705fb94c20d592c4c0cf0446201a4cfd10806f32b50fda9ede1a3282ef38101fdf5f285f9999

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000650101\kjjhg.exe

Filesize
1.3MB

MD5
7649c0971252ffe91d89be9c5e975116

SHA1
fec1eea05dc92f5cab9ccf4f10e9fd3dcaf9d79d

SHA256
401c472ad7425e95b53f52be849016afdd467a4728ac8796ff1a932731b1d3ce

SHA512
fb0697c7857eeb655b3aa5d88f18d22b4ce132f1dbdb767701851776adadd0aa30d597c297ef6556e0f273d66b65ca03194f468915b0f67c32ee890ad4966255

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000840101\uu.exe

Filesize
177KB

MD5
4d38d0416a7392711f340e87f22ea4ba

SHA1
85d501d7fd5fc843e96be88caf6c1f1054aa2f28

SHA256
95b64cf5502b24d592c79f2611b76d5d8035c8061c4af6b1ff6800ec2b46442f

SHA512
3a86a6521fb856220875c9bac2c01ce82e7e67e515285273f7687596dc6c169949af8703d835654506c8205bcf6d372403c9ea925c0bf2969f11227d7cacb5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000850101\zz.exe

Filesize
253KB

MD5
5381a870d74ee49586aa9632e93c232b

SHA1
f2ee6d461102d3353077d3d6f08bbda2b8dfb1ed

SHA256
e90f2a5eae99811b65dc284734e0e295708d89bfef9a003b3ab2f8bc42e1fa9c

SHA512
c611262eb7badc08486a6416dd470f14d09c5c86c04076a472d32da52bf2cc21344dd4130f85a83cb25556383528ce57ac94ad0de36cef6a67f1bdb9e87a65a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000860101\zx.exe

Filesize
5.6MB

MD5
f6d5cc794c2a2eb47b84e1dfc26c988a

SHA1
dd0fd87afef860b482909c08332794aff35c288a

SHA256
631190fc83321193d8cb31f592b33919c9e3fbfa19ce0c29f9e86c1a4c2e5892

SHA512
8cadf6f0b2e75be2d6392aef2526458750e5b9c3a180b9362803ae2b3d75094db5a29dd8db5305a43def16e2cd3ec1c6adafdb4aaa07d5c8f3ca3a6546fa19a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\149186961585

Filesize
88KB

MD5
5d1957875131f8a5d7e124752554e940

SHA1
44d24fbb735aae81167b967115fb8ad8408a50c5

SHA256
f7a43274da28aede772bacf25a6f6ce963e62e04a99356e2e44fe51c38b24790

SHA512
34187fbdf93f59586377c93fc53ce4fe48d4fa30a4f4eb267919577580f7ccdf1619acbff6d1a9799e906797defddb6dc077a218feaeae71b62fdbbb3559493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\History

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\LauncherApps.exe

Filesize
7.8MB

MD5
025c1c35c3198e6e3497d5dbf97ae81f

SHA1
6d390038003c298c7ab8f2cbe35a50b07e096554

SHA256
ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4

SHA512
1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\_bz2.pyd

Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
654d95515ab099639f2739685cb35977

SHA1
9951854a5cf407051ce6cd44767bfd9bd5c4b0cc

SHA256
c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4

SHA512
9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
e6b7681ccc718ddb69c48abe8709fdd6

SHA1
a518b705746b2c6276f56a2f1c996360b837d548

SHA256
4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b

SHA512
89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
bcb412464f01467f1066e94085957f42

SHA1
716c11b5d759d59dbfec116874e382d69f9a25b6

SHA256
f040b6e07935b67599ea7e32859a3e93db37ff4195b28b4451ad0d274db6330e

SHA512
79ec0c5ee21680843c8b7f22da3155b7607d5be269f8a51056cc5f060ad3a48ced3b6829117262aba1a90e692374b59ddfe92105d14179f631efc0c863bfdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
b98598657162de8fbc1536568f1e5a4f

SHA1
f7c020220025101638fd690d86c53d895a03e53c

SHA256
f596c72be43db3a722b7c7a0fd3a4d5aea68267003986fbfd278702af88efa74

SHA512
ad5f46a3f4f6e64a5dcb85c328f1b8daefa94fc33f59922328fdcfedc04a8759f16a1a839027f74b7d7016406c20ac47569277620d6b909e09999021b669a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
b751571148923d943f828a1deb459e24

SHA1
d4160404c2aa6aeaf3492738f5a6ce476a0584a6

SHA256
b394b1142d060322048fb6a8ac6281e4576c0e37be8da772bc970f352dd22a20

SHA512
26e252ff0c01e1e398ebddcc5683a58cdd139161f2b63b65bde6c3e943e85c0820b24486859c2c597af6189de38ca7fe6fa700975be0650cb53c791cd2481c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
8aea681e0e2b9abbf73a924003247dbb

SHA1
5bafc2e0a3906723f9b12834b054e6f44d7ff49f

SHA256
286068a999fe179ee91b289360dd76e89365900b130a50e8651a9b7ece80b36d

SHA512
08c83a729036c94148d9a5cbc03647fa2adea4fba1bbb514c06f85ca804eefbf36c909cb6edc1171da8d4d5e4389e15e52571baa6987d1f1353377f509e269ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
edd61ff85d75794dc92877f793a2cef6

SHA1
de9f1738fc8bf2d19aa202e34512ec24c1ccb635

SHA256
8aca888849e9089a3a56fa867b16b071951693ab886843cfb61bd7a5b08a1ece

SHA512
6cef9b256cdca1a401971ca5706adf395961b2d3407c1fff23e6c16f7e2ce6d85d946843a53532848fcc087c18009c08f651c6eb38112778a2b4b33e8c64796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
fe1096f1ade3342f049921928327f553

SHA1
118fb451ab006cc55f715cdf3b5e0c49cf42fbe0

SHA256
88d3918e2f063553cee283306365aa8701e60fb418f37763b4719f9974f07477

SHA512
0a982046f0c93f68c03a9dd48f2bc7aee68b9eebeaea01c3566b2384d0b8a231570e232168d4608a09136bcb2b1489af802fd0c25348f743f0c1c8955edd41c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\select.pyd

Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7722\unicodedata.pyd

Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
C:\Users\Admin\AppData\Roaming\7ae14b05c802cd\clip64.dll

Filesize
124KB

MD5
a3379448f4304fbc3d94ce7dd4f6b3d8

SHA1
ec143bd798f89287a3bfe3cf9038eaed18d68748

SHA256
7dffa0b7cd3c0fc4a20cb1c92fee3504b579950d01f32ac481566e8656b0e8e0

SHA512
fa37460004a3fda4cb59246a5f4e2214a419ebf6ef5baafb5aee39f39de2d32d3d6d7d5d256dc4c9b90388100c92bb09a52c7114ef71ff51a91be82fe0085a30

Download Submit
memory/436-221-0x00007FF675610000-0x00007FF675715000-memory.dmp

Filesize
1.0MB

Download
memory/436-220-0x00007FF675610000-0x00007FF675715000-memory.dmp

Filesize
1.0MB

Download
memory/636-678-0x00007FF7226D0000-0x00007FF7227D5000-memory.dmp

Filesize
1.0MB

Download
memory/636-677-0x00007FF7226D0000-0x00007FF7227D5000-memory.dmp

Filesize
1.0MB

Download
memory/752-579-0x00007FF63AD30000-0x00007FF63AE35000-memory.dmp

Filesize
1.0MB

Download
memory/896-199-0x00007FF67AC40000-0x00007FF67AD45000-memory.dmp

Filesize
1.0MB

Download
memory/968-799-0x00007FF77FC60000-0x00007FF77FD65000-memory.dmp

Filesize
1.0MB

Download
memory/1252-352-0x00007FF6D0EA0000-0x00007FF6D0FA5000-memory.dmp

Filesize
1.0MB

Download
memory/1252-351-0x00007FF6D0EA0000-0x00007FF6D0FA5000-memory.dmp

Filesize
1.0MB

Download
memory/1276-181-0x00007FF7F5780000-0x00007FF7F581F000-memory.dmp

Filesize
636KB

Download
memory/1368-713-0x00007FF70D810000-0x00007FF70D915000-memory.dmp

Filesize
1.0MB

Download
memory/1832-572-0x00007FF690890000-0x00007FF690995000-memory.dmp

Filesize
1.0MB

Download
memory/1832-571-0x00007FF690890000-0x00007FF690995000-memory.dmp

Filesize
1.0MB

Download
memory/2248-31-0x00007FF622580000-0x00007FF62261F000-memory.dmp

Filesize
636KB

Download
memory/2248-10-0x00007FF622580000-0x00007FF62261F000-memory.dmp

Filesize
636KB

Download
memory/2376-330-0x00007FF65C580000-0x00007FF65C685000-memory.dmp

Filesize
1.0MB

Download
memory/2376-331-0x00007FF65C580000-0x00007FF65C685000-memory.dmp

Filesize
1.0MB

Download
memory/2592-606-0x00007FF644200000-0x00007FF644305000-memory.dmp

Filesize
1.0MB

Download
memory/2592-607-0x00007FF644200000-0x00007FF644305000-memory.dmp

Filesize
1.0MB

Download
memory/2912-432-0x00007FF6F6F70000-0x00007FF6F7075000-memory.dmp

Filesize
1.0MB

Download
memory/2912-431-0x00007FF6F6F70000-0x00007FF6F7075000-memory.dmp

Filesize
1.0MB

Download
memory/2980-792-0x00007FF6A1EB0000-0x00007FF6A1FB5000-memory.dmp

Filesize
1.0MB

Download
memory/2980-793-0x00007FF6A1EB0000-0x00007FF6A1FB5000-memory.dmp

Filesize
1.0MB

Download
memory/3056-359-0x00007FF6E2950000-0x00007FF6E2A55000-memory.dmp

Filesize
1.0MB

Download
memory/3056-358-0x00007FF6E2950000-0x00007FF6E2A55000-memory.dmp

Filesize
1.0MB

Download
memory/3140-198-0x00007FF67AC40000-0x00007FF67AD45000-memory.dmp

Filesize
1.0MB

Download
memory/3196-345-0x00007FF683750000-0x00007FF683855000-memory.dmp

Filesize
1.0MB

Download
memory/3196-374-0x00007FF683750000-0x00007FF683855000-memory.dmp

Filesize
1.0MB

Download
memory/3256-371-0x00007FF694DB0000-0x00007FF694EB5000-memory.dmp

Filesize
1.0MB

Download
memory/3256-372-0x00007FF694DB0000-0x00007FF694EB5000-memory.dmp

Filesize
1.0MB

Download
memory/3280-600-0x00007FF6765B0000-0x00007FF6766B5000-memory.dmp

Filesize
1.0MB

Download
memory/3280-599-0x00007FF6765B0000-0x00007FF6766B5000-memory.dmp

Filesize
1.0MB

Download
memory/3508-24-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-30-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-22-0x0000000003060000-0x0000000003061000-memory.dmp

Filesize
4KB

Download
memory/3508-14-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-15-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-21-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-197-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-185-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3508-20-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/3508-28-0x0000000002FB0000-0x0000000003055000-memory.dmp

Filesize
660KB

Download
memory/3892-586-0x00007FF784E40000-0x00007FF784F45000-memory.dmp

Filesize
1.0MB

Download
memory/3892-585-0x00007FF784E40000-0x00007FF784F45000-memory.dmp

Filesize
1.0MB

Download
memory/4040-337-0x00007FF684CC0000-0x00007FF684DC5000-memory.dmp

Filesize
1.0MB

Download
memory/4040-338-0x00007FF684CC0000-0x00007FF684DC5000-memory.dmp

Filesize
1.0MB

Download
memory/4320-520-0x00007FF64AE80000-0x00007FF64AF85000-memory.dmp

Filesize
1.0MB

Download
memory/4320-206-0x00007FF7938E0000-0x00007FF7939E5000-memory.dmp

Filesize
1.0MB

Download
memory/4320-207-0x00007FF7938E0000-0x00007FF7939E5000-memory.dmp

Filesize
1.0MB

Download
memory/4320-521-0x00007FF64AE80000-0x00007FF64AF85000-memory.dmp

Filesize
1.0MB

Download
memory/4416-303-0x00007FF7E57E0000-0x00007FF7E58E5000-memory.dmp

Filesize
1.0MB

Download
memory/4416-214-0x00007FF7E57E0000-0x00007FF7E58E5000-memory.dmp

Filesize
1.0MB

Download
memory/4444-183-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/4444-343-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/4444-156-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/4444-306-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/4444-209-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/4456-304-0x00007FF671B80000-0x00007FF671C85000-memory.dmp

Filesize
1.0MB

Download
memory/4456-302-0x00007FF671B80000-0x00007FF671C85000-memory.dmp

Filesize
1.0MB

Download
memory/4540-316-0x00007FF6B4C70000-0x00007FF6B4D75000-memory.dmp

Filesize
1.0MB

Download
memory/4540-317-0x00007FF6B4C70000-0x00007FF6B4D75000-memory.dmp

Filesize
1.0MB

Download
memory/4600-394-0x00007FF79B3D0000-0x00007FF79B4D5000-memory.dmp

Filesize
1.0MB

Download
memory/4620-236-0x00000148537C0000-0x00000148538F0000-memory.dmp

Filesize
1.2MB

Download
memory/4620-235-0x00000148537C0000-0x00000148538F0000-memory.dmp

Filesize
1.2MB

Download
memory/4636-285-0x00007FF661610000-0x00007FF661715000-memory.dmp

Filesize
1.0MB

Download
memory/4636-284-0x00007FF661610000-0x00007FF661715000-memory.dmp

Filesize
1.0MB

Download
memory/4644-706-0x00007FF737350000-0x00007FF737455000-memory.dmp

Filesize
1.0MB

Download
memory/4644-705-0x00007FF737350000-0x00007FF737455000-memory.dmp

Filesize
1.0MB

Download
memory/4684-380-0x00007FF754F60000-0x00007FF755065000-memory.dmp

Filesize
1.0MB

Download
memory/4684-379-0x00007FF754F60000-0x00007FF755065000-memory.dmp

Filesize
1.0MB

Download
memory/4792-699-0x00007FF7F27E0000-0x00007FF7F28E5000-memory.dmp

Filesize
1.0MB

Download
memory/4792-698-0x00007FF7F27E0000-0x00007FF7F28E5000-memory.dmp

Filesize
1.0MB

Download
memory/4800-684-0x00007FF68A6A0000-0x00007FF68A7A5000-memory.dmp

Filesize
1.0MB

Download
memory/4800-685-0x00007FF68A6A0000-0x00007FF68A7A5000-memory.dmp

Filesize
1.0MB

Download
memory/4812-528-0x00007FF71FA80000-0x00007FF71FB85000-memory.dmp

Filesize
1.0MB

Download
memory/4812-157-0x00007FF72E560000-0x00007FF72E5FF000-memory.dmp

Filesize
636KB

Download
memory/4872-691-0x00007FF68A500000-0x00007FF68A605000-memory.dmp

Filesize
1.0MB

Download
memory/4872-692-0x00007FF68A500000-0x00007FF68A605000-memory.dmp

Filesize
1.0MB

Download
memory/4884-540-0x00007FF658740000-0x00007FF658845000-memory.dmp

Filesize
1.0MB

Download
memory/4884-539-0x00007FF658740000-0x00007FF658845000-memory.dmp

Filesize
1.0MB

Download
memory/4896-483-0x00007FF7A4D00000-0x00007FF7A4E05000-memory.dmp

Filesize
1.0MB

Download
memory/4896-529-0x00007FF7A4D00000-0x00007FF7A4E05000-memory.dmp

Filesize
1.0MB

Download
memory/4908-564-0x00007FF7CC7B0000-0x00007FF7CC8B5000-memory.dmp

Filesize
1.0MB

Download
memory/4908-565-0x00007FF7CC7B0000-0x00007FF7CC8B5000-memory.dmp

Filesize
1.0MB

Download
memory/4976-419-0x00007FF7BB930000-0x00007FF7BBA35000-memory.dmp

Filesize
1.0MB

Download
memory/5116-175-0x00007FF7D0DD0000-0x00007FF7D0E6F000-memory.dmp

Filesize
636KB

Download
memory/5116-174-0x00007FF7D0DD0000-0x00007FF7D0E6F000-memory.dmp

Filesize
636KB

Download
memory/5204-468-0x00007FF723F20000-0x00007FF724025000-memory.dmp

Filesize
1.0MB

Download
memory/5204-467-0x00007FF723F20000-0x00007FF724025000-memory.dmp

Filesize
1.0MB

Download
memory/5372-159-0x00007FF622580000-0x00007FF62261F000-memory.dmp

Filesize
636KB

Download
memory/5460-513-0x00007FF6E2B10000-0x00007FF6E2C15000-memory.dmp

Filesize
1.0MB

Download
memory/5460-514-0x00007FF6E2B10000-0x00007FF6E2C15000-memory.dmp

Filesize
1.0MB

Download
memory/5504-324-0x00007FF6D5180000-0x00007FF6D5285000-memory.dmp

Filesize
1.0MB

Download
memory/5504-178-0x00007FF6094D0000-0x00007FF60956F000-memory.dmp

Filesize
636KB

Download
memory/5504-323-0x00007FF6D5180000-0x00007FF6D5285000-memory.dmp

Filesize
1.0MB

Download
memory/5552-778-0x00007FF7CBE60000-0x00007FF7CBF65000-memory.dmp

Filesize
1.0MB

Download
memory/5552-779-0x00007FF7CBE60000-0x00007FF7CBF65000-memory.dmp

Filesize
1.0MB

Download
memory/5628-482-0x00007FF71AED0000-0x00007FF71AFD5000-memory.dmp

Filesize
1.0MB

Download
memory/5628-425-0x00007FF71AED0000-0x00007FF71AFD5000-memory.dmp

Filesize
1.0MB

Download
memory/5748-785-0x00007FF69A3E0000-0x00007FF69A4E5000-memory.dmp

Filesize
1.0MB

Download
memory/5748-786-0x00007FF69A3E0000-0x00007FF69A4E5000-memory.dmp

Filesize
1.0MB

Download
memory/5780-592-0x00007FF7507A0000-0x00007FF7508A5000-memory.dmp

Filesize
1.0MB

Download
memory/5780-593-0x00007FF7507A0000-0x00007FF7508A5000-memory.dmp

Filesize
1.0MB

Download
memory/5832-500-0x00007FF752810000-0x00007FF752915000-memory.dmp

Filesize
1.0MB

Download
memory/5832-499-0x00007FF752810000-0x00007FF752915000-memory.dmp

Filesize
1.0MB

Download
memory/5884-295-0x00007FF6A3460000-0x00007FF6A3565000-memory.dmp

Filesize
1.0MB

Download
memory/5884-294-0x00007FF6A3460000-0x00007FF6A3565000-memory.dmp

Filesize
1.0MB

Download
memory/5976-558-0x00007FF682EB0000-0x00007FF682FB5000-memory.dmp

Filesize
1.0MB

Download
memory/5976-557-0x00007FF682EB0000-0x00007FF682FB5000-memory.dmp

Filesize
1.0MB

Download
memory/6000-476-0x00007FF78B410000-0x00007FF78B515000-memory.dmp

Filesize
1.0MB

Download