Analysis
- max time kernel: 137s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 11:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: lv.exe.1.exe
- Resource: win7v20201028
General
- Target: lv.exe.1.exe
- Size: 5.2MB
- MD5: 84920b4d07d67e5a19e63fd881121945
- SHA1: 453625e1c1638fa1b687f203b46ff00225d5217d
- SHA256: 63390e4e08966692a6abface224e660cb3708addc00a570e185cafe73368b524
- SHA512: 09118e3a49863561ca34be4bb8128bd17106ebad5113ce076c6637abd8258743d164b5244cf389df21ded3f1e2a3e88105b3e1a986fc7cf13fa020bb730933ca
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (5 IoCs)
  Processes (flow, pid, process):
    25  548   RUNDLL32.EXE
    31  1828  WScript.exe
    33  1828  WScript.exe
    35  1828  WScript.exe
    37  1828  WScript.exe
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
    3144  4_ico.exe
    3784  6_ico.exe
    3156  vpn_ico.exe
    504   SmartClock.exe
    3228  kxgcofgdb.exe
- Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe  upx
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   4_ico.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  6_ico.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   6_ico.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  vpn_ico.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   vpn_ico.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  SmartClock.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   SmartClock.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  4_ico.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  4_ico.exe
- Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  6_ico.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  4_ico.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  vpn_ico.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine  SmartClock.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    60    lv.exe.1.exe
    2780  rundll32.exe
    548   RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    11  ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid, process):
    3144  4_ico.exe
    3156  vpn_ico.exe
    3784  6_ico.exe
    504   SmartClock.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  vpn_ico.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RUNDLL32.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      vpn_ico.exe
- Delays execution with timeout.exe (2 IoCs)
  Processes (pid, process):
    3116  timeout.exe
    2820  timeout.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  vpn_ico.exe
- Modifies system certificate store
  Processes (description, ioc, process):
    Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  WScript.exe
    Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data omitted>  WScript.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
    504  SmartClock.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process), duplicate entries collapsed:
    3144  4_ico.exe
    3784  6_ico.exe
    3156  vpn_ico.exe
    504   SmartClock.exe
    4048  powershell.exe
    548   RUNDLL32.EXE
    2592  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2780  rundll32.exe
    Token: SeDebugPrivilege  548   RUNDLL32.EXE
    Token: SeDebugPrivilege  4048  powershell.exe
    Token: SeDebugPrivilege  2592  powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
    548  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (54 IoCs)
  Processes (source pid/process, target pid/process), duplicate entries collapsed:
    PID 60 (lv.exe.1.exe) wrote to memory of PID 3144 (4_ico.exe)
    PID 60 (lv.exe.1.exe) wrote to memory of PID 3784 (6_ico.exe)
    PID 60 (lv.exe.1.exe) wrote to memory of PID 3156 (vpn_ico.exe)
    PID 3144 (4_ico.exe) wrote to memory of PID 504 (SmartClock.exe)
    PID 3156 (vpn_ico.exe) wrote to memory of PID 3228 (kxgcofgdb.exe)
    PID 3156 (vpn_ico.exe) wrote to memory of PID 348 (WScript.exe)
    PID 3784 (6_ico.exe) wrote to memory of PID 2248 (cmd.exe)
    PID 2248 (cmd.exe) wrote to memory of PID 3116 (timeout.exe)
    PID 3784 (6_ico.exe) wrote to memory of PID 660 (cmd.exe)
    PID 660 (cmd.exe) wrote to memory of PID 2820 (timeout.exe)
    PID 3228 (kxgcofgdb.exe) wrote to memory of PID 2780 (rundll32.exe)
    PID 2780 (rundll32.exe) wrote to memory of PID 548 (RUNDLL32.EXE)
    PID 548 (RUNDLL32.EXE) wrote to memory of PID 4048 (powershell.exe)
    PID 3156 (vpn_ico.exe) wrote to memory of PID 1828 (WScript.exe)
    PID 548 (RUNDLL32.EXE) wrote to memory of PID 2592 (powershell.exe)
    PID 2592 (powershell.exe) wrote to memory of PID 3764 (nslookup.exe)
    PID 548 (RUNDLL32.EXE) wrote to memory of PID 3792 (schtasks.exe)
    PID 548 (RUNDLL32.EXE) wrote to memory of PID 1180 (schtasks.exe)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\lv.exe.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lv.exe.1.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lejmidkhwlp & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lejmidkhwlp & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          - Delays execution with timeout.exe
  [2] C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\kxgcofgdb.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\RUNDLL32.EXE
            Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KXGCOF~1.DLL,aRpP
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpBB18.tmp.ps1"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE269.tmp.ps1"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\nslookup.exe
                Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          [6] C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hudiujsffiwj.vbs"
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trqkqdpbfa.vbs"
        - Blocklisted process makes network request
        - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads