lumma | 2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686

Analysis

max time kernel
97s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Size

186.8MB
MD5

98b3ea9e6364e2f0e2ac1294041fb9be
SHA1

7ca708206aa92e3b5736543275d1036d679e713c
SHA256

2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686
SHA512

807b783fa2fadd9c8e2001b3828554bad500af10465277a4b9e80aeb97fa83a3c6bb98d77bdcb49bed3da9189fe2c71a6fa8c4ab387dfbfb05c938acb337deb9
SSDEEP

3145728:TeC0rah3ZxOnTcDXjcFRLHaY48Mjj/4v6cAGiBy/zYFmcHqX/HNhak8Phm:TJ0r23ZEQDXjILHaYJM3LcAG+08i/Pak

Score

10^/10

lumma netsupport defense_evasion discovery persistence rat stealer

Malware Config

Extracted

Family

lumma

https://rlxspoty.run/nogoaz

https://jrxsafer.top/shpaoz

https://krxspint.digital/kendwz

https://rhxhube.run/pogrs

https://grxeasyw.digital/xxepw

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://xrfxcaseq.live/gspaz

https://ywmedici.top/noagis

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Looks for VirtualBox drivers on disk 2 TTPs 2 IoCs

defense_evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe

Executes dropped EXE 6 IoCs

pid	Process
2544	client32.exe
4576	client32.exe
528	adobe.exe
1584	client32.exe
4340	client32.exe
3732	adobe.exe

Loads dropped DLL 60 IoCs

pid	Process
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
2544	client32.exe
2544	client32.exe
2544	client32.exe
2544	client32.exe
4576	client32.exe
4576	client32.exe
4576	client32.exe
4576	client32.exe
2544	client32.exe
4576	client32.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1584	client32.exe
1584	client32.exe
1584	client32.exe
1584	client32.exe
4340	client32.exe
4340	client32.exe
4340	client32.exe
4340	client32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc = "C:\\Users\\Admin\\AppData\\Roaming\\qnyktcbb\\client32.exe"	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdaterSvc = "C:\\Users\\Admin\\AppData\\Roaming\\gmdtaexg\\client32.exe"	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org
28	api.ipify.org
29	api.ipify.org
47	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 528 set thread context of 5656	528	adobe.exe	113
PID 3732 set thread context of 5352	3732	adobe.exe	135

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
5656	MSBuild.exe
5656	MSBuild.exe
5656	MSBuild.exe
5656	MSBuild.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
5352	MSBuild.exe
5352	MSBuild.exe
5352	MSBuild.exe
5352	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
Token: SeSecurityPrivilege	4576	client32.exe
Token: SeSecurityPrivilege	2544	client32.exe
Token: SeIncreaseQuotaPrivilege	4268	wmic.exe
Token: SeSecurityPrivilege	4268	wmic.exe
Token: SeTakeOwnershipPrivilege	4268	wmic.exe
Token: SeLoadDriverPrivilege	4268	wmic.exe
Token: SeSystemProfilePrivilege	4268	wmic.exe
Token: SeSystemtimePrivilege	4268	wmic.exe
Token: SeProfSingleProcessPrivilege	4268	wmic.exe
Token: SeIncBasePriorityPrivilege	4268	wmic.exe
Token: SeCreatePagefilePrivilege	4268	wmic.exe
Token: SeBackupPrivilege	4268	wmic.exe
Token: SeRestorePrivilege	4268	wmic.exe
Token: SeShutdownPrivilege	4268	wmic.exe
Token: SeDebugPrivilege	4268	wmic.exe
Token: SeSystemEnvironmentPrivilege	4268	wmic.exe
Token: SeRemoteShutdownPrivilege	4268	wmic.exe
Token: SeUndockPrivilege	4268	wmic.exe
Token: SeManageVolumePrivilege	4268	wmic.exe
Token: 33	4268	wmic.exe
Token: 34	4268	wmic.exe
Token: 35	4268	wmic.exe
Token: 36	4268	wmic.exe
Token: SeIncreaseQuotaPrivilege	4268	wmic.exe
Token: SeSecurityPrivilege	4268	wmic.exe
Token: SeTakeOwnershipPrivilege	4268	wmic.exe
Token: SeLoadDriverPrivilege	4268	wmic.exe
Token: SeSystemProfilePrivilege	4268	wmic.exe
Token: SeSystemtimePrivilege	4268	wmic.exe
Token: SeProfSingleProcessPrivilege	4268	wmic.exe
Token: SeIncBasePriorityPrivilege	4268	wmic.exe
Token: SeCreatePagefilePrivilege	4268	wmic.exe
Token: SeBackupPrivilege	4268	wmic.exe
Token: SeRestorePrivilege	4268	wmic.exe
Token: SeShutdownPrivilege	4268	wmic.exe
Token: SeDebugPrivilege	4268	wmic.exe
Token: SeSystemEnvironmentPrivilege	4268	wmic.exe
Token: SeRemoteShutdownPrivilege	4268	wmic.exe
Token: SeUndockPrivilege	4268	wmic.exe
Token: SeManageVolumePrivilege	4268	wmic.exe
Token: 33	4268	wmic.exe
Token: 34	4268	wmic.exe
Token: 35	4268	wmic.exe
Token: 36	4268	wmic.exe
Token: SeIncreaseQuotaPrivilege	1040	wmic.exe
Token: SeSecurityPrivilege	1040	wmic.exe
Token: SeTakeOwnershipPrivilege	1040	wmic.exe
Token: SeLoadDriverPrivilege	1040	wmic.exe
Token: SeSystemProfilePrivilege	1040	wmic.exe
Token: SeSystemtimePrivilege	1040	wmic.exe
Token: SeProfSingleProcessPrivilege	1040	wmic.exe
Token: SeIncBasePriorityPrivilege	1040	wmic.exe
Token: SeCreatePagefilePrivilege	1040	wmic.exe
Token: SeBackupPrivilege	1040	wmic.exe
Token: SeRestorePrivilege	1040	wmic.exe
Token: SeShutdownPrivilege	1040	wmic.exe
Token: SeDebugPrivilege	1040	wmic.exe
Token: SeSystemEnvironmentPrivilege	1040	wmic.exe
Token: SeRemoteShutdownPrivilege	1040	wmic.exe
Token: SeUndockPrivilege	1040	wmic.exe
Token: SeManageVolumePrivilege	1040	wmic.exe
Token: 33	1040	wmic.exe
Token: 34	1040	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2544	client32.exe
4576	client32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4940	3224	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	90
PID 3224 wrote to memory of 4940	3224	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	90
PID 4940 wrote to memory of 5424	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	93
PID 4940 wrote to memory of 5424	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	93
PID 4940 wrote to memory of 5320	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	96
PID 4940 wrote to memory of 5320	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	96
PID 5320 wrote to memory of 5772	5320	cmd.exe	98
PID 5320 wrote to memory of 5772	5320	cmd.exe	98
PID 3448 wrote to memory of 2544	3448	explorer.exe	102
PID 3448 wrote to memory of 2544	3448	explorer.exe	102
PID 3448 wrote to memory of 2544	3448	explorer.exe	102
PID 4940 wrote to memory of 3232	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	106
PID 4940 wrote to memory of 3232	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	106
PID 1720 wrote to memory of 4576	1720	cmd.exe	108
PID 1720 wrote to memory of 4576	1720	cmd.exe	108
PID 1720 wrote to memory of 4576	1720	cmd.exe	108
PID 3232 wrote to memory of 1052	3232	cmd.exe	109
PID 3232 wrote to memory of 1052	3232	cmd.exe	109
PID 1116 wrote to memory of 528	1116	explorer.exe	111
PID 1116 wrote to memory of 528	1116	explorer.exe	111
PID 528 wrote to memory of 1872	528	adobe.exe	112
PID 528 wrote to memory of 1872	528	adobe.exe	112
PID 528 wrote to memory of 1872	528	adobe.exe	112
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 528 wrote to memory of 5656	528	adobe.exe	113
PID 4940 wrote to memory of 4268	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	114
PID 4940 wrote to memory of 4268	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	114
PID 4940 wrote to memory of 1040	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	116
PID 4940 wrote to memory of 1040	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	116
PID 4940 wrote to memory of 1432	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	118
PID 4940 wrote to memory of 1432	4940	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	118
PID 1432 wrote to memory of 3656	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	119
PID 1432 wrote to memory of 3656	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	119
PID 1432 wrote to memory of 1036	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	121
PID 1432 wrote to memory of 1036	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	121
PID 1036 wrote to memory of 2168	1036	cmd.exe	123
PID 1036 wrote to memory of 2168	1036	cmd.exe	123
PID 244 wrote to memory of 1584	244	explorer.exe	125
PID 244 wrote to memory of 1584	244	explorer.exe	125
PID 244 wrote to memory of 1584	244	explorer.exe	125
PID 1432 wrote to memory of 440	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	127
PID 1432 wrote to memory of 440	1432	2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe	127
PID 1460 wrote to memory of 4340	1460	cmd.exe	130
PID 1460 wrote to memory of 4340	1460	cmd.exe	130
PID 1460 wrote to memory of 4340	1460	cmd.exe	130
PID 440 wrote to memory of 4260	440	cmd.exe	131
PID 440 wrote to memory of 4260	440	cmd.exe	131
PID 5256 wrote to memory of 3732	5256	explorer.exe	133
PID 5256 wrote to memory of 3732	5256	explorer.exe	133
PID 3732 wrote to memory of 1984	3732	adobe.exe	134
PID 3732 wrote to memory of 1984	3732	adobe.exe	134
PID 3732 wrote to memory of 1984	3732	adobe.exe	134
PID 3732 wrote to memory of 5352	3732	adobe.exe	135
PID 3732 wrote to memory of 5352	3732	adobe.exe	135
PID 3732 wrote to memory of 5352	3732	adobe.exe	135
PID 3732 wrote to memory of 5352	3732	adobe.exe	135
PID 3732 wrote to memory of 5352	3732	adobe.exe	135

C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
"C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
  "C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe"
  2⤵
  - Looks for VirtualBox drivers on disk
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c explorer.exe "C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe" > nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5320
  - - C:\Windows\explorer.exe
      explorer.exe "C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe"
      4⤵
      PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c explorer.exe "C:\Users\Admin\AppData\Roaming\fwvucchg\adobe.exe" > nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\explorer.exe
      explorer.exe "C:\Users\Admin\AppData\Roaming\fwvucchg\adobe.exe"
      4⤵
      PID:1052
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc0310f5606d19887f66e595c371c79a7e11073598aa5e3233609feb88a1686.exe" "--multiprocessing-fork" "parent_pid=4940" "pipe_handle=1004"
    3⤵
    - Looks for VirtualBox drivers on disk
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c explorer.exe "C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\explorer.exe
        
        explorer.exe "C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe"
        5⤵
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c explorer.exe "C:\Users\Admin\AppData\Roaming\cpuphirc\adobe.exe" > nul 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\explorer.exe
        
        explorer.exe "C:\Users\Admin\AppData\Roaming\cpuphirc\adobe.exe"
        5⤵
        
        PID:4260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe
  "C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe
  C:\Users\Admin\AppData\Roaming\qnyktcbb\client32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Roaming\fwvucchg\adobe.exe
  "C:\Users\Admin\AppData\Roaming\fwvucchg\adobe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:244
- C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe
  "C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe
  C:\Users\Admin\AppData\Roaming\gmdtaexg\client32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5256
- C:\Users\Admin\AppData\Roaming\cpuphirc\adobe.exe
  "C:\Users\Admin\AppData\Roaming\cpuphirc\adobe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI32242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_bz2.pyd

Filesize
82KB

MD5
aa1083bde6d21cabfc630a18f51b1926

SHA1
e40e61dba19301817a48fd66ceeaade79a934389

SHA256
00b8ca9a338d2b47285c9e56d6d893db2a999b47216756f18439997fb80a56e3

SHA512
2df0d07065170fee50e0cd6208b0cc7baa3a295813f4ad02bec5315aa2a14b7345da4cdf7cac893da2c7fc21b201062271f655a85ceb51940f0acb99bb6a1d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_cffi_backend.cp311-win_amd64.pyd

Filesize
174KB

MD5
739d352bd982ed3957d376a9237c9248

SHA1
961cf42f0c1bb9d29d2f1985f68250de9d83894d

SHA256
9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980

SHA512
585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ctypes.pyd

Filesize
121KB

MD5
565d011ce1cee4d48e722c7421300090

SHA1
9dc300e04e5e0075de4c0205be2e8aae2064ae19

SHA256
c148292328f0aab7863af82f54f613961e7cb95b7215f7a81cafaf45bd4c42b7

SHA512
5af370884b5f82903fd93b566791a22e5b0cded7f743e6524880ea0c41ee73037b71df0be9f07d3224c733b076bec3be756e7e77f9e7ed5c2dd9505f35b0e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_decimal.pyd

Filesize
249KB

MD5
c88282908ba54510eda3887c488198eb

SHA1
94ed1b44f99642b689f5f3824d2e490252936899

SHA256
980a63f2b39cf16910f44384398e25f24482346a482addb00de42555b17d4278

SHA512
312b081a90a275465787a539e48412d07f1a4c32bab0f3aa024e6e3fe534ac9c07595238d51dc4d6f13c8d03c2441f788dff9fe3d7ca2aad3940609501d273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9f746f4f7d845f063fea3c37dcebc27c

SHA1
24d00523770127a5705fcc2a165731723df36312

SHA256
88ace577a9c51061cb7d1a36babbbefa48212fadc838ffde98fdfff60de18386

SHA512
306952418b095e5cf139372a7e684062d05b2209e41d74798a20d7819efeb41d9a53dc864cb62cc927a98df45f7365f32b72ec9b17ba1aee63e2bf4e1d61a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
8f8eb9cb9e78e3a611bc8acaec4399cb

SHA1
237eee6e6e0705c4be7b0ef716b6a4136bf4e8a8

SHA256
1bd81dfd19204b44662510d9054852fb77c9f25c1088d647881c9b976cc16818

SHA512
5b10404cdc29e9fc612a0111b0b22f41d78e9a694631f48f186bdde940c477c88f202377e887b05d914108b9be531e6790f8f56e6f03273ab964209d83a60596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
226a5983ae2cbbf0c1bda85d65948abc

SHA1
d0f131dcba0f0717c5dea4a9ca7f2e2ecf0ad1c3

SHA256
591358eb4d1531e9563ee0813e4301c552ce364c912ce684d16576eabf195dc3

SHA512
a1e6671091bd5b2f83bfaa8fcf47093026e354563f84559bd2b57d6e9fa1671eea27b4ed8493e9fdf4bde814074dc669de047b4272b2d14b4f928d25c4be819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
c2f8c03ecce9941492bfbe4b82f7d2d5

SHA1
909c66c6dfea5e0c74d3892d980918251bb08632

SHA256
d56ce7b1cd76108ad6c137326ec694a14c99d48c3d7b0ace8c3ff4d9bcee3ce8

SHA512
7c6c85e390bbe903265574e0e7a074da2ce30d9376d7a91a121a3e0b1a8b0fffd5579f404d91836525d4400d2760cb74c9cb448f8c5ae9713385329612b074cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
b5e2760c5a46dbeb8ae18c75f335707e

SHA1
e71db44fc0e0c125de90a9a87ccb1461e72a9030

SHA256
91d249d7bc0e38ef6bcb17158b1fdc6dd8888dc086615c9b8b750b87e52a5fb3

SHA512
c3400772d501c5356f873d96b95dc33428a34b6fcaad83234b6782b5f4bf087121e4fd84885b1abab202066da98eb424f93dd2eed19a0e2a9f6ff4a5cfd1e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-fibers-l1-1-1.dll

Filesize
21KB

MD5
050a30a687e7a2fa6f086a0db89aa131

SHA1
1484322caaf0d71cbb873a2b87bdd8d456da1a3b

SHA256
fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

SHA512
07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
9f45a47ebfd9d0629f4935764243dd5a

SHA1
86a4a0ea205e31fb73f3bfcce24945bd6bea06c7

SHA256
1ca895aba4e7435563a6b43e85eba67a0f8c74aa6a6a94d0fc48fa35535e2585

SHA512
8c1cdcad557bff1685a633d181fcf14ec512d322caeaeb9c937da8794c74694fe93528fc9578cb75098f50a2489ed4a5dedf8c8c2ac93eeb9c8f50e3dd690d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
cc228ff8d86b608e73026b1e9960b2f8

SHA1
cef0705aee1e8702589524879a49e859505d6fe0

SHA256
4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

SHA512
17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
e368a236f5676a3da44e76870cd691c9

SHA1
e4f1d2c6f714a47f0dc29021855c632ef98b0a74

SHA256
93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

SHA512
f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
416aa8314222db6cbb3760856be13d46

SHA1
5f28fe2d565378c033ef8eea874bc38f4b205327

SHA256
39095f59c41d76ec81bb2723d646fde4c148e7cc3402f4980d2ade95cb9c84f9

SHA512
b16ed31dc3343caea47c771326810c040a082e0ab65d9ae69946498ceb6ae0dee0a570dbcd88090668a100b952c1ff88bade148811b913c90931aa0e657cd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
344a09b4be069f86356a89482c156647

SHA1
2506ffeb157cb531195dd04d11d07c16e4429530

SHA256
8f105771b236dbcb859de271f0a6822ce1cb79c36988dd42c9e3f6f55c5f7eb9

SHA512
4c1e616443576dc83200a4f98d122065926f23212b6647b601470806151ff15ea44996364674821afec492b29ba868f188a9d6119b1e1d378a268f1584ca5b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
86023497fa48ca2c7705d3f90b76ebc5

SHA1
835215d7954e57d33d9b34d8850e8dc82f6d09e8

SHA256
53b25e753ca785bf8b695d89dde5818a318890211dc992a89146f16658f0b606

SHA512
8f8370f4c0b27779d18529164fa40cbfddafa81a4300d9273713b13428d0367d50583271ea388d43c1a96fed5893448cd14711d5312da9dfa09b9893df333186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
21KB

MD5
0c1cc0a54d4b38885e1b250b40a34a84

SHA1
24400f712bbe1dd260ed407d1eb24c35dcb2ecac

SHA256
a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

SHA512
71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
5fbcb20d99e463259b4f15429010b9cd

SHA1
b16770f8bb53dc2bafcb309824d6fa7b57044d8a

SHA256
7f39ba298b41e4963047341288cab36b6a241835ee11ba4ad70f44dacd40906c

SHA512
7ba1ac34b3ecfbfb8252f5875be381d8ef823b50dfe0e070222175ee51191f5ee6d541eeedd1445ed603a23d200ce9ce15914c8ed3fafe7e7f3591f51f896c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
5241df2e95e31e73ccfd6357ad309df0

SHA1
2644cc5e86dfad1ad2140181ab2ca79725f95411

SHA256
6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

SHA512
52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
8d285430e8bda6d5c9b683579adcb180

SHA1
619dbbcff06c659e3fc48f03917a4dadbfc1c275

SHA256
0512a35316ec9180437f86696a84c5c06a7e4e82e050055a656e5bf9fca206f9

SHA512
38405dd85dd62f843abb55acea1b64d7d63bb601445bf1b32078cde5bbef4861dd99f26659281fe2aea86f58cfb1725d8c63d91fb539dcbf5d98cdbe783337fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
4a28ca64f44b91f43945ee3971e0996a

SHA1
45b3d8584c58e8d6ae507fdbd772feeb1886c8b0

SHA256
c05f1fffe3b5a2738ea54ce9485cca026fb9635f982626fba1e1dcc531897273

SHA512
862a0428f08d447cd1ee0431969e0fbcb182f4c46418c26d26fa33e586e686d9c093c1ca5781f544ce9276195ce973850719636e39e465f059607f455ecfdd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
7fd4a71085783ccfe9c289c07bcf9b04

SHA1
bb6ffdb5c069dbba06998dc877d24f72dad6298d

SHA256
c4eca98c3c67b6395d5b005b00ac1eb0318b86b23aa71035a44c2b1602befba9

SHA512
a96c5b90b8384b239be111d90caa3b947651ad73382ab9e5dbe4a4b6ad30921876545331d37c8d5a8f669e39d71bf60983c4ba39c479e23015c2f7579c5e55cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c123f2c161884fbff4f00ef1e1391266

SHA1
7db3055da53916bea2b85b159491a0772fb620ce

SHA256
5ccb89e93d67bc3288d4e84649c5346e66e15e3d7cd65d989daf3f4cb584be9a

SHA512
dac5616320b9052254b5687959e67126c4a938e79173d8245675a9651674384c36cc856f996ef88ae621ec67afc6616626657585d92bb5d14602a7cc9fc0f669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
385f562bdc391ccd4f81aca3719f3236

SHA1
f6633e1dac227ba3cd14d004748ef0c1c4135e67

SHA256
4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

SHA512
b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
7a629293eeb0bca5f9bdee8ade477c54

SHA1
a25bf8bac4fbfd9216ea827e71344ba07b1d463b

SHA256
7809160932f44e59b021699f5bc68799eb7293ee1fa926d6fcca3c3445302e61

SHA512
1c58c547d1fe9b54ddf07e5407edaf3375c6425ca357aa81d09c76a001376c43487476a6f18c891065ab99680501b0f43a16a10ed8e0d5e87b9a9542098f45fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
3c5c7a3130b075b2def5c413c127173f

SHA1
f3d2b8ad93f3dc99c8410d34c871aec56c52e317

SHA256
9dc1e91e71c7c054854bd1487cb4e6946d82c9f463430f1c4e8d1471005172b1

SHA512
46a52631e3dd49b0ae10afbdf50a08d6d6575f3093b3921b2fa744704e2d317f8b10a6d48ad7f922a7843731782521773032a6cc04833b00bd85e404c168ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
28005b20fbef6e1db10912d0fdd6471c

SHA1
47b83697677e08e4ebcff6fc41eca7ece120cc17

SHA256
60fc31d2a0c634412f529dba76af3b9bf991352877c6dae528186d3935704cfd

SHA512
45d6f860d7f7aefaa7a0a3b4b21b5c3234f442e39d6259e0a9e2083890533c275f07ddda93fddc7445928a55475b83c63253d3b08e41e5576f9029b205dfb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
436ea0237ed040513ec887046418faaa

SHA1
44bafbbdb1b97d86505e16b8a5fcb42b2b771f91

SHA256
3a72b4f29f39a265d32ad12f0ce15dbf60129c840e10d84d427829ede45e78ad

SHA512
9f0dbfb538c05383ae9abfe95e55740530ecc12c1890d8862deacbc84212be0740d82afc9e81d529125221e00b2286cae0d4b3ca8dd3a6c57774d59f37933692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
8f107a7bc018227b181a0e7e76e9ca39

SHA1
ef57e24f29d2b1deeacefd82171873b971a3f606

SHA256
efc1e4460984a73cf47a3def033af1c8f3b1dbc1a56cd27781d3aacf3e3330cb

SHA512
d8d8250aaf93fa99e9d1e4286b32579de0029c83867a787c0a765505a0f8cbd2dd076bb324509d5c4867423bc7dc8f00c8b8458e08e8cbfa8dd731d03dd1ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
b65bf5ef316880fd8d21e1b34eb5c8a9

SHA1
3ab4674cb5c76e261fe042d6d0da8a20bfcbcbae

SHA256
b203d862ddef1dd62bf623fc866c7f7a9c317c1c2ae30d1f52cb41f955b5698e

SHA512
4af3b0ef9a813ce1a93a35dd6869817910ae4b628f374477f60ea1831d2cc1aae7908262672e11954a4953bdff22bcc5fe23b4a736788e8e5ef4f8ac30eb24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
21KB

MD5
fc9fc5f308ffc2d2d71814df8e2ae107

SHA1
24d7477f2a7dc2610eb701ed683108cd57eca966

SHA256
2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

SHA512
490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
43d8d2fb8801c5bd90d9482ddf3ea356

SHA1
d582b55cd58531e726141c63ba9910ff185d72e0

SHA256
33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

SHA512
0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
3c58a804b90a0782e80bbbf6c6b6f167

SHA1
b333143e0f6e508b51d27adf7872b586fa54c794

SHA256
6eda016742a6171205a387a14b3c0b331841567740376f56768f8c151724207d

SHA512
773f8deded48b34babe24d955a501f4f357c20125affb6eade36ce6a7acd380906713c366318f79d627747e636d156875c216fffac26dba25373bbc1c820da76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
5794b8e183eb547aadd5faf30a8c4dd2

SHA1
5b1ed8a9da14d8ecc4209662809727931aa49307

SHA256
b762061b688aae679afe788904d2c9970f74a7dac98f3b42463d08f25e483d3f

SHA512
3e896854e5dd957ab2b88c82fbaf2eaa03729bab30fd8518bd999081f4da9000d9b22894b324e5930df161c7adaec3fc87fd00de60dcda34876007aea4a2fd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
3560176d0cdbe2f5d33f543348e0a027

SHA1
1e35a1f7793fc3899927835491f28fe5b903edcd

SHA256
ebb2ae5535a64f65daeab8235585114fc9dd2cf1a49f5852d446250b998b6ae4

SHA512
8ab24c8c9fe8331f21be96818c5fa69ae5578eb742c4504596310bb0db7c4c087d350fa47a13ed9ff2e051bb62ac5581de082d0177923d24fee6b140afecf50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
e93c7f013493b12ad40229b19db02ce6

SHA1
ef878bfbfd2f8328bbb8cff1aa29a39e624a8503

SHA256
17d63275d00bdd8670422b95bd264c532998e0a1b041079e54fce4b6b7a55819

SHA512
2f4a25ea4062840bea10442cad665a72abbce747307ad9ce7b3bb89eaf7dcc28f1e9396749576be304fd793690ddc445653613440442695e72b761eacacb6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
47555752931cecf90e796499b62ec729

SHA1
217b171764fba5e91190d1f8a36feccb3f6d4585

SHA256
9a9e2a65a281644e368d0f272b95ba5f6b445d1c35910d06056c5ebeb77402db

SHA512
a68009f0306d4d8e70951978d2c184eb80fbec98c6db0997bd7b0b503dd63019363cfef68a9adbfb568c0a552b774fbdbeb1bcf45f211a6a3224b49e85a5619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
527bbbfded529ea77ee798d94ce0f243

SHA1
647f8c89eb4db3cf3656292b3de984b32c6e02a5

SHA256
bab9ac3ec83e380ae51e4295ef3bf2c738627812d3a49d1e713661abbc8dc57a

SHA512
c1ed69e15ab19084390cf9d1ceab791758ac4ddd688169f3b814b0e4cf1fc3b6ba17651e35b25dcdc601a8a64821d58933d52a5e939942fa134dfd04fca04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
09796dab12cbbd920f632aeb89820193

SHA1
7d81c0e5537b6d8b79af0c28cd102e064027c78d

SHA256
bd14c67ea28e21d6257ad780a37122c9b5773f69e693f5db6bffaee4d839526e

SHA512
09a6175dccbbd18a62209e156089f1167dfb8040c97c8c2c14724ce2a8fbe6ce039d7fe04fb8bd60092427beb7fdd8e7127d611f006fff1cf2a1ad75e9e5ef3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
aa9624cb27cc50a3fbbd3b223a617b1c

SHA1
797aea1c5cedd1125276bfc5dcd7a3fb8c6355aa

SHA256
606d66d82db562ea7979179d06486a0f94d079941d26b80a1e2c49d29959df6f

SHA512
024975e6787f7a6b0ab6e4b02ad33901f8473b97dc73d4f03b7a116b24ac74150c0c48990ea7a4fb750f9fe728dafed172796743f802e70f2150eefcf70fe96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
9d6925407136753e8eb8234d59fa3f1f

SHA1
62631b7007d394fb4d406ea686b291fff9e486cd

SHA256
f6156b1020380ec4f0e48577ebedaaef5fb1ab1f337d8b4e72e6a33a7567a9cc

SHA512
ab04de62524e465810cd0ee81e85018863e276d49861e67a920667af802e94869b816b47a6e3c4738179a7a7d726d44bbba6e47d9097363a63eaff51cd56de8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
bbaa58e9e1abdf7d8c4c69652d29d789

SHA1
38aef13abc14502354e8c5c3c37b97a8e2e5fdcf

SHA256
c5902934d026d7e15fbe9917d474f3322846a41a25e66f4b2b1f758801879f4b

SHA512
7882a8e1e1ea7e217f70ff9df27d36709b4be23588909ef002f3eb1b9a7d3eea2591a8524af2c83448ddfff0911658517c6989683245c54678583f359a78b0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ef37235fc43157a4c93241d5e49e304b

SHA1
d4de26b36812c2ddccd1618b4d7ac02ad1b42273

SHA256
a9c5a153d8c0286f9b41a2b1c65854ad9e6471b8755b7de87bae4470e60bcab6

SHA512
c0857760d5d069beeb1eb1737f4160530910331bf6047022836cf58137bd28c2a966a8760a681859f57ebd810fd424ce231402eddde1316eaef7b6f9f773afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
639b1fb35cb61ba633eb1791b750631f

SHA1
392a6925009f5fb02a4c122c9ce31d82b9059628

SHA256
25b8f83a7767211b11132775a0e27a45aa4ec8ab4e6572599f9c172ae3606b40

SHA512
def547ef66673862cea9bb13c433edce24a3075c328d9b3b9452f2f01f2f4243daab38c0f8571c52d601bc4aecaaa0682dbebf6be41cae345787a719063ebf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
fccce207a34c947f01d3f23a7dd09569

SHA1
75f722801c77285db98a08af763252a0255e99e2

SHA256
7c7f6393f06de11750adb09cc5698ae55cd9fb27b2e51e207286feb1b5b2b156

SHA512
d3d923f133594eb4325f4a6e5ed46fcc348a7c0f310f14eaa38c6fad070ba637bdb4a77200feb231114e111d07a86595a6130291028cde3a284d9f847ec38ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
708a5bc205384633a7b6674eecc7f0f0

SHA1
01603a7826029293236c67fce02ace8d392a0514

SHA256
d8ba5f17b9ffcbf3aeaf3fa1da226832d2fa90f81acce0cd669464e76ce434ac

SHA512
8638845326ab6543338baa7a644af8be33a123e1fc9da2037158be7c8d165691ccd06cb3ff73696a30b8801eab030e81f93db81216bb3b7e83a320a0df5af270

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\pyexpat.pyd

Filesize
194KB

MD5
79561bc9f70383f8ae073802a321adfb

SHA1
5f378f47888e5092598c20c56827419d9f480fa7

SHA256
c7c7564f7f874fb660a46384980a2cf28bc3e245ca83628a197ccf861eab5560

SHA512
476c839f544b730c5b133e2ae08112144cac07b6dfb8332535058f5cbf54ce7ed4a72efb38e6d56007ae755694b05e81e247d0a10210c993376484a057f2217c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\python3.dll

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\python311.dll

Filesize
5.5MB

MD5
387bb2c1e40bde1517f06b46313766be

SHA1
601f83ef61c7699652dec17edd5a45d6c20786c4

SHA256
0817a2a657a24c0d5fbb60df56960f42fc66b3039d522ec952dab83e2d869364

SHA512
521cde6eaa5d4a2e0ef6bbfdea50b00750ae022c1c7bd66b20654c035552b49c9d2fac18ef503bbd136a7a307bdeb97f759d45c25228a0bf0c37739b6e897bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\select.pyd

Filesize
29KB

MD5
e4ab524f78a4cf31099b43b35d2faec3

SHA1
a9702669ef49b3a043ca5550383826d075167291

SHA256
bae0974390945520eb99ab32486c6a964691f8f4a028ac408d98fa8fb0db7d90

SHA512
5fccfb3523c87ad5ab2cde4b9c104649c613388bc35b6561517ae573d3324f9191dd53c0f118b9808ba2907440cbc92aecfc77d0512ef81534e970118294cdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\ucrtbase.dll

Filesize
1.3MB

MD5
286b308df8012a5dfc4276fb16dd9ccc

SHA1
8ae9df813b281c2bd7a81de1e4e9cef8934a9120

SHA256
2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

SHA512
24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd

Filesize
1.1MB

MD5
fd9132f966ee6d214e0076bf0492fb30

SHA1
89b95957f002bf382435d015e26962a42032cb97

SHA256
37c68617fa02a2cadced17ef724e2d450ef12a8a37215da789a4679fde1c5c02

SHA512
e35729abc45e5561aae1fb9e0e7c711dd7d3c1491520aa5c44fcc50c955f549f81d90897959327e930d02a5356afe08d6195adf002c87801a7a11235670639b5

Download Submit
memory/5656-155-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5656-154-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download