Analysis
-
max time kernel
365s -
max time network
367s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
24-02-2021 20:44
General
-
Target
lufdgThK9EuYSwgOb6xdwvcF.bin.exe
-
Size
6.0MB
-
MD5
f5cca3aa7de2478569d38c765654267d
-
SHA1
7dfd05dd62788dd43289e2032f00006789e71311
-
SHA256
280aa9de9a1db7e8c380b811e80f30a12b592222fe304b578ea1efcb2ac340e5
-
SHA512
0a78ae90699d7b8834946368c9d2d8e87d9a6c610d9cc2d26fe9c2e1e80173331d55beeb28c40f17831daf29132fb40c9fe670334b9626e349eeeb0a28acb57d
Malware Config
Signatures
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Nirsoft 4 IoCs
-
Executes dropped EXE 18 IoCs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lufdgThK9EuYSwgOb6xdwvcF.bin.exe"C:\Users\Admin\AppData\Local\Temp\lufdgThK9EuYSwgOb6xdwvcF.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exeC:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 0011 installp14⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\1614199268252.exe"C:\Users\Admin\AppData\Roaming\1614199268252.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614199268252.txt"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\1614199270861.exe"C:\Users\Admin\AppData\Roaming\1614199270861.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614199270861.txt"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exeC:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe 200 installp14⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 35⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\9C84.tmp.exe"C:\Users\Admin\AppData\Roaming\9C84.tmp.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\9C84.tmp.exe"C:\Users\Admin\AppData\Roaming\9C84.tmp.exe"5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"3⤵
- Executes dropped EXE
-
C:\ProgramData\8782057.96"C:\ProgramData\8782057.96"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\2230098.24"C:\ProgramData\2230098.24"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"5⤵
- Executes dropped EXE
-
C:\ProgramData\7967945.87"C:\ProgramData\7967945.87"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8EFC7F3A1153F671E744A3DC8EB38D63 C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\2230098.24MD5
6eedffd3651138e002a6a9639eca9830
SHA18a0c7542187471603f2ff4f8cc5977d8be44dfbe
SHA25688304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f
SHA51222f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a
-
C:\ProgramData\2230098.24MD5
6eedffd3651138e002a6a9639eca9830
SHA18a0c7542187471603f2ff4f8cc5977d8be44dfbe
SHA25688304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f
SHA51222f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a
-
C:\ProgramData\7967945.87MD5
28d92f2f1b2f17197d4d090952943cd3
SHA124835f7ba0fb91c280374737031f9eb2acc866da
SHA2566c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884
SHA512ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4
-
C:\ProgramData\7967945.87MD5
28d92f2f1b2f17197d4d090952943cd3
SHA124835f7ba0fb91c280374737031f9eb2acc866da
SHA2566c65ddab1d6e9690968430a15024cd433b2791f9eb47d08ccba65e5fbcfb3884
SHA512ae461ddb126984abdf4babe13ebdd62e996154026abfb84b90947c745b80998ca265f0fea27eb04915f02f25e61293daeb13a5777024ab991f56bf960cf36dd4
-
C:\ProgramData\8782057.96MD5
9298adc9b93e65d9ae6d73a72b5a8f5d
SHA173309cbd5515ce5f5b9160071e986b2fb54771e1
SHA25626d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b
SHA512fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2
-
C:\ProgramData\8782057.96MD5
9298adc9b93e65d9ae6d73a72b5a8f5d
SHA173309cbd5515ce5f5b9160071e986b2fb54771e1
SHA25626d0db9d4899a7fbf981e1e11047abc5d7d8094c34176d411d82b26805657b4b
SHA512fee90a372cabcea95019f29ac8fc4fc4cddf3aaa83598dd26f93ba7732da7736c69205253a7adec6293b8292c4b9a32e53dca56b306fb743fb9e782b263b43b2
-
C:\ProgramData\Windows Host\Windows Host.exeMD5
6eedffd3651138e002a6a9639eca9830
SHA18a0c7542187471603f2ff4f8cc5977d8be44dfbe
SHA25688304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f
SHA51222f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a
-
C:\ProgramData\Windows Host\Windows Host.exeMD5
6eedffd3651138e002a6a9639eca9830
SHA18a0c7542187471603f2ff4f8cc5977d8be44dfbe
SHA25688304ec83df816066689acaa269581741168cbb1e5b849ea3373a051faac1b0f
SHA51222f7ad4b6a1f0d4f917e19dee5194c56068804e91e3c8071f5007efe4418d9e51f8953e43f644ac253f4a7c4156baed8404c96a5d34a5f7f6233d71fe28fb80a
-
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exeMD5
e70e40b7acda24d775bfa15b89137483
SHA1a993e1cccbfbdf0ec6eead05a99506e3fdc4e146
SHA25626b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136
SHA5120ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053
-
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exeMD5
e70e40b7acda24d775bfa15b89137483
SHA1a993e1cccbfbdf0ec6eead05a99506e3fdc4e146
SHA25626b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136
SHA5120ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053
-
C:\Users\Admin\AppData\Local\Temp\80EBA4EA58D40136.exeMD5
e70e40b7acda24d775bfa15b89137483
SHA1a993e1cccbfbdf0ec6eead05a99506e3fdc4e146
SHA25626b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136
SHA5120ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053
-
C:\Users\Admin\AppData\Local\Temp\MSI7D63.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exeMD5
2effa71f03a5d4a572191b534e28e13e
SHA1666e04fac3e335664743b71edca3e645775a54fa
SHA256ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29
SHA51202e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer.exeMD5
2effa71f03a5d4a572191b534e28e13e
SHA1666e04fac3e335664743b71edca3e645775a54fa
SHA256ccc0b907f78bf21befba3c9b199c926f488572237d6487c145c92a5213b25d29
SHA51202e64f3751d4afb0d3058e88461cd2a55cd7f662c73c40e3af782a95fa759b9b40c66bd33acdd0199386fda9de0c46dccc22e75e5305e43b9573d836e64f680f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exeMD5
4cfee35f55ecaef4bdc4508eb5d46f8a
SHA1be092ce3723b7a8ea942ec59c1c30e5d585b89ba
SHA256fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe
SHA5124cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exeMD5
4cfee35f55ecaef4bdc4508eb5d46f8a
SHA1be092ce3723b7a8ea942ec59c1c30e5d585b89ba
SHA256fa828cf0731d35f2e35606d56aad77fc5fff41dfd5d37a5ad0f657b38b57cfbe
SHA5124cf15a517f103750ac0ad93bb858b930f7c2f454ecc688f0adbe20ee9a8b18dc04fc004d0678b3de5b94a50049d8e73fa1c3616adfa5aeb716e1ad6521913401
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exeMD5
e70e40b7acda24d775bfa15b89137483
SHA1a993e1cccbfbdf0ec6eead05a99506e3fdc4e146
SHA25626b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136
SHA5120ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exeMD5
e70e40b7acda24d775bfa15b89137483
SHA1a993e1cccbfbdf0ec6eead05a99506e3fdc4e146
SHA25626b8ffe7b3e413e1cb19c534d3b8c2bd05244aad79d84f96a6eb9ad5e5e19136
SHA5120ff7bb4228a2aee8d062031c31c67e05b88176efb0771602a591a599a78d7d03ba5e4d343caf8f4fadc14230b0b07605900eeb76a8e593fb22528a98d4300053
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exeMD5
4127593be833d53d84be69a1073b46d6
SHA1589338f5597ae7bc8e184dcf06b7bf0cb21ca104
SHA256d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4
SHA512a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exeMD5
4127593be833d53d84be69a1073b46d6
SHA1589338f5597ae7bc8e184dcf06b7bf0cb21ca104
SHA256d0ba78c12f7fc6d3c7976b561c6e092bdefc4ee297b51c1f1bd2c13b775df5a4
SHA512a239cf6ebd06f3d3955dd7fc885e3d0a8bc6d363c5861e4e2a2ed02f23fba6a852ba01a6e3b3582e5e763fc721867d38c1ee58af9f62e8f366a57d5863753ddb
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exeMD5
6a714c56525073f78181129ce52175db
SHA1eb7a9356e9cc40368e1774035c23b15b7c8d792b
SHA25657c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4
SHA51204a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exeMD5
6a714c56525073f78181129ce52175db
SHA1eb7a9356e9cc40368e1774035c23b15b7c8d792b
SHA25657c417f53d9032a2f256cee17c274df2d411858abb14789406671c1dca6017c4
SHA51204a183bddeeaa6fe316596fad52a6e707549ca2e93b2b294c618b4381018bf5791582e2ac08e0f5e5cea86ac980a56208e54e1e310945614e00524d50a00c550
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msiMD5
7cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Roaming\1614199268252.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1614199268252.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1614199268252.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1614199270861.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1614199270861.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1614199270861.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\9C84.tmp.exeMD5
5f58ea16d3b08acf421a568da5e901f1
SHA134b6677c290fd53c01d3920a161ed0410d6e55b3
SHA256e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10
SHA512c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b
-
C:\Users\Admin\AppData\Roaming\9C84.tmp.exeMD5
5f58ea16d3b08acf421a568da5e901f1
SHA134b6677c290fd53c01d3920a161ed0410d6e55b3
SHA256e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10
SHA512c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b
-
C:\Users\Admin\AppData\Roaming\9C84.tmp.exeMD5
5f58ea16d3b08acf421a568da5e901f1
SHA134b6677c290fd53c01d3920a161ed0410d6e55b3
SHA256e6f025d0a5ec3a4ac1d7943aaf64c95b18d0f2956caf43444ce9651cb71dcd10
SHA512c80a545edc4ea15947184ee51e7fe8d50e09afca719d0a2e8dadbe6dec8711e0002c3b175a14280c6a9bc2799837cd1a3d546156e2effef959f2c7002bdd560b
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2MD5
89d0e752d4ed4262800291dd8b56aff0
SHA16e2befb4a8cc46dd337f15ada00ff9176fd789a4
SHA256a183fcc35fbb2f0e223a9cfa5988b37961bfe9fee5852316eefc7bf59141eda3
SHA5127580b413996c4985f13d3cbca59e8484c58c532301a2b5bab59f57e8f3cd900d791cf74cefd3868500d6a4fcc8ad2065e82d0a52512cb2fd484eb27a22b00a2d
-
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{7b599148-a075-4501-be7e-123dec704446}_OnDiskSnapshotPropMD5
a40928eda930535236a5334dbfbef02b
SHA15c2bfb70b851e9c23363c4d9ce19aec1c61b2bf2
SHA256c8351d9cbe5a0d6dea1ea151c99f3708075d14002a95ecec6a4d7da5ffbf4d11
SHA512abe846b7176031dc5d2772459708fd75417bd76ccf763a27acca74b2d253f4f7abc2e3d54f2650706f3ca937a437860fdd44e485f101b37bd0e8fe8173f88ba9
-
\Users\Admin\AppData\Local\Temp\MSI7D63.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
memory/400-14-0x0000000000000000-mapping.dmp
-
memory/400-35-0x0000000002D90000-0x000000000323F000-memory.dmpFilesize
4.7MB
-
memory/400-25-0x0000000010000000-0x000000001033D000-memory.dmpFilesize
3.2MB
-
memory/816-9-0x0000000000000000-mapping.dmp
-
memory/1124-114-0x0000000000000000-mapping.dmp
-
memory/1332-20-0x0000000000000000-mapping.dmp
-
memory/1332-23-0x0000000001040000-0x000000000104D000-memory.dmpFilesize
52KB
-
memory/1332-51-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/1748-124-0x000000000A650000-0x000000000A651000-memory.dmpFilesize
4KB
-
memory/1748-112-0x00000000713C0000-0x0000000071AAE000-memory.dmpFilesize
6.9MB
-
memory/1748-107-0x0000000000000000-mapping.dmp
-
memory/1748-126-0x0000000004F40000-0x0000000004F41000-memory.dmpFilesize
4KB
-
memory/2652-36-0x0000000003590000-0x0000000003A3F000-memory.dmpFilesize
4.7MB
-
memory/2652-16-0x0000000000000000-mapping.dmp
-
memory/2780-11-0x0000000000000000-mapping.dmp
-
memory/3420-134-0x0000000000000000-mapping.dmp
-
memory/3508-2-0x0000000000000000-mapping.dmp
-
memory/3660-8-0x0000000010000000-0x000000001033D000-memory.dmpFilesize
3.2MB
-
memory/3660-5-0x0000000000000000-mapping.dmp
-
memory/3968-24-0x0000000000000000-mapping.dmp
-
memory/4016-19-0x0000000000000000-mapping.dmp
-
memory/4276-37-0x0000000000000000-mapping.dmp
-
memory/4292-41-0x0000025043DA0000-0x0000025043DA1000-memory.dmpFilesize
4KB
-
memory/4292-38-0x00007FF764A48270-mapping.dmp
-
memory/4292-39-0x0000000010000000-0x0000000010057000-memory.dmpFilesize
348KB
-
memory/4320-128-0x0000000000000000-mapping.dmp
-
memory/4356-40-0x0000000000000000-mapping.dmp
-
memory/4412-42-0x0000000000000000-mapping.dmp
-
memory/4444-63-0x0000000000DD0000-0x0000000000DD1000-memory.dmpFilesize
4KB
-
memory/4444-45-0x0000000000000000-mapping.dmp
-
memory/4444-68-0x0000000000AE0000-0x0000000000B25000-memory.dmpFilesize
276KB
-
memory/4492-49-0x0000000000000000-mapping.dmp
-
memory/4536-50-0x0000000000000000-mapping.dmp
-
memory/4572-57-0x0000016D70DE0000-0x0000016D70DE1000-memory.dmpFilesize
4KB
-
memory/4572-52-0x00007FF764A48270-mapping.dmp
-
memory/4584-53-0x0000000000000000-mapping.dmp
-
memory/4632-59-0x0000000000000000-mapping.dmp
-
memory/4664-75-0x00000000005F0000-0x00000000005F1000-memory.dmpFilesize
4KB
-
memory/4664-74-0x00000000005D0000-0x00000000005EE000-memory.dmpFilesize
120KB
-
memory/4664-60-0x0000000000000000-mapping.dmp
-
memory/4664-72-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4664-64-0x00007FFE1F7E0000-0x00007FFE201CC000-memory.dmpFilesize
9.9MB
-
memory/4664-79-0x000000001AE20000-0x000000001AE22000-memory.dmpFilesize
8KB
-
memory/4664-69-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/4716-70-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/4716-65-0x0000000000400000-0x0000000000449000-memory.dmpFilesize
292KB
-
memory/4716-66-0x0000000000401480-mapping.dmp
-
memory/4784-141-0x0000000000000000-mapping.dmp
-
memory/4808-73-0x0000000000000000-mapping.dmp
-
memory/4888-105-0x0000000007E70000-0x0000000007EA2000-memory.dmpFilesize
200KB
-
memory/4888-83-0x00000000713C0000-0x0000000071AAE000-memory.dmpFilesize
6.9MB
-
memory/4888-86-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/4888-76-0x0000000000000000-mapping.dmp
-
memory/4888-132-0x0000000009220000-0x0000000009221000-memory.dmpFilesize
4KB
-
memory/4888-100-0x00000000058E0000-0x00000000058E1000-memory.dmpFilesize
4KB
-
memory/4888-125-0x0000000008C30000-0x0000000008C31000-memory.dmpFilesize
4KB
-
memory/4920-84-0x00000000713C0000-0x0000000071AAE000-memory.dmpFilesize
6.9MB
-
memory/4920-101-0x000000000A9C0000-0x000000000A9C1000-memory.dmpFilesize
4KB
-
memory/4920-103-0x000000000A5A0000-0x000000000A5A1000-memory.dmpFilesize
4KB
-
memory/4920-95-0x0000000002920000-0x0000000002921000-memory.dmpFilesize
4KB
-
memory/4920-99-0x0000000002940000-0x000000000294B000-memory.dmpFilesize
44KB
-
memory/4920-104-0x000000000A570000-0x000000000A571000-memory.dmpFilesize
4KB
-
memory/4920-87-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/4920-80-0x0000000000000000-mapping.dmp
-
memory/4964-85-0x0000000000000000-mapping.dmp
-
memory/4964-90-0x00000000713C0000-0x0000000071AAE000-memory.dmpFilesize
6.9MB
-
memory/4964-94-0x0000000000CB0000-0x0000000000CB1000-memory.dmpFilesize
4KB
-
memory/4964-111-0x0000000005540000-0x0000000005541000-memory.dmpFilesize
4KB
-
memory/4964-102-0x00000000016A0000-0x00000000016A1000-memory.dmpFilesize
4KB
-
memory/4964-113-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/4964-108-0x0000000005500000-0x0000000005535000-memory.dmpFilesize
212KB
-
memory/4984-137-0x0000000000000000-mapping.dmp
-
memory/5040-93-0x0000000000000000-mapping.dmp
-
memory/5116-140-0x0000000000000000-mapping.dmp