Analysis Overview
Threat Level: Known bad
The file https://yadi.sk/d/LLgD0R6wU1SSLg was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
autoit_exe
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Modifies registry class
Views/modifies file attributes
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-27 09:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-27 09:21
Reported
2021-12-27 09:23
Platform
win10-en-20211208
Max time kernel
114s
Max time network
89s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Log sorter\Sorter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Log sorter\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1400639587\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Log sorter\GetAdress.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Log sorter\Sorter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe | N/A |
Sets file to hidden
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Desktop\Log sorter\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\Log sorter\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\Log sorter\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://yadi.sk/d/LLgD0R6wU1SSLg
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9bc2c4f50,0x7ff9bc2c4f60,0x7ff9bc2c4f70
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1568 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1664 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,16365298107391975294,6026641113910950433,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Log sorter.rar"
C:\Users\Admin\Desktop\Log sorter\Sorter.exe
"C:\Users\Admin\Desktop\Log sorter\Sorter.exe"
C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe
"C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe"
C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe
"C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /S /Q "log/Enother/Skype/
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /S /Q "log/Enother/Steam/
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /S /Q "log/Enother/Telegram/
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /S /Q "log/Enother/Wallets/
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "log/folders/"
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\ENU_801FE974C7C2EA5E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445"
C:\Users\Admin\Desktop\Log sorter\Launcher.exe
"C:\Users\Admin\Desktop\Log sorter\Launcher.exe"
C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe
"C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe"
C:\Users\Admin\AppData\Roaming\Z1400639587\Launcher.exe
"C:\Users\Admin\AppData\Roaming\Z1400639587\Launcher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /pid 952 & attrib -s -h -r -a /S /D "C:\Users\Admin\AppData\Roaming\Z1400639587" & del /q /f "C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 952
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a /S /D "C:\Users\Admin\AppData\Roaming\Z1400639587"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sorter.exe
C:\Users\Admin\Desktop\Log sorter\GetAdress.exe
"C:\Users\Admin\Desktop\Log sorter\GetAdress.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Log sorter\run.vbs"
C:\Users\Admin\Desktop\Log sorter\Sorter.exe
"C:\Users\Admin\Desktop\Log sorter\Sorter.exe"
C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe
"C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe"
C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe
"C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rmdir /S /Q "log/Enother/Skype/
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /pid 2528 & attrib -s -h -r -a /S /D "C:\Users\Admin\AppData\Roaming\Z1115706372" & del /q /f "C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 2528
C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r -a /S /D "C:\Users\Admin\AppData\Roaming\Z1115706372"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | yadi.sk | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| RU | 87.250.250.50:443 | yadi.sk | tcp |
| RU | 87.250.250.50:443 | yadi.sk | tcp |
| US | 142.251.36.45:443 | accounts.google.com | udp |
| NL | 142.250.179.174:443 | clients2.google.com | udp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.15:80 | repository.certum.pl | tcp |
| US | 8.8.8.8:53 | edgedl.me.gvt1.com | udp |
| US | 34.104.35.123:80 | edgedl.me.gvt1.com | tcp |
| US | 8.8.8.8:53 | clients2.googleusercontent.com | udp |
| NL | 216.58.208.97:443 | clients2.googleusercontent.com | udp |
| NL | 216.58.208.97:443 | clients2.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | disk.yandex.com | udp |
| RU | 87.250.250.50:443 | disk.yandex.com | tcp |
| US | 8.8.8.8:53 | yastatic.net | udp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| RU | 178.154.131.217:443 | yastatic.net | tcp |
| US | 8.8.8.8:53 | mc.yandex.ru | udp |
| RU | 77.88.21.119:443 | mc.yandex.ru | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 77.88.55.60:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| RU | 77.88.55.60:443 | yandex.ru | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | udp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| RU | 87.250.247.181:443 | N/A | tcp |
| RU | 77.88.21.179:443 | N/A | tcp |
| RU | 213.180.204.90:443 | N/A | tcp |
| RU | 77.88.21.127:443 | N/A | tcp |
| RU | 213.180.204.90:443 | N/A | tcp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| RU | 178.154.169.223:443 | N/A | tcp |
| FI | 95.217.109.66:443 | sonar.semantiqo.com | tcp |
| RU | 81.222.128.216:443 | N/A | tcp |
| RU | 185.15.175.130:443 | N/A | tcp |
| DE | 88.99.214.77:443 | N/A | tcp |
| RU | 91.192.150.14:443 | N/A | tcp |
| RU | 80.64.106.149:443 | N/A | tcp |
| RU | 80.64.106.148:443 | N/A | tcp |
| US | 35.190.16.14:443 | redirect.frontend.weborama.fr | tcp |
| RU | 89.108.119.43:443 | x01.aidata.io | tcp |
| RU | 37.18.16.22:443 | dm.hybrid.ai | tcp |
| RU | 194.226.130.229:443 | cm.tns-counter.ru | tcp |
| DE | 148.251.236.115:443 | N/A | tcp |
| RU | 188.42.29.165:443 | N/A | tcp |
| NL | 142.250.179.162:443 | cm.g.doubleclick.net | tcp |
| IE | 54.194.45.85:443 | N/A | tcp |
| DE | 195.201.243.72:443 | N/A | tcp |
| RU | 81.163.17.245:443 | mitdmp.whiteboxdigital.ru | tcp |
| NL | 142.250.179.162:443 | N/A | udp |
| NL | 82.145.213.8:443 | N/A | tcp |
| RU | 88.212.201.198:443 | N/A | tcp |
| RU | 188.42.29.165:443 | N/A | tcp |
| RU | 91.207.59.214:443 | N/A | tcp |
| RU | 217.66.147.162:443 | N/A | tcp |
| DE | 31.172.81.158:443 | N/A | tcp |
| NL | 31.220.27.134:443 | N/A | tcp |
| DE | 176.9.8.252:443 | N/A | tcp |
| RU | 87.250.250.114:443 | N/A | tcp |
| RU | 213.87.44.187:443 | N/A | tcp |
| NL | 142.250.179.131:443 | ssl.gstatic.com | tcp |
| RU | 87.250.250.119:443 | mc.yandex.ru | tcp |
| NL | 142.250.179.194:443 | googleads.g.doubleclick.net | tcp |
| NL | 142.250.179.194:443 | N/A | tcp |
| NL | 142.250.179.194:443 | N/A | udp |
| US | 142.250.102.156:443 | bid.g.doubleclick.net | tcp |
| US | 142.250.102.156:443 | N/A | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| NL | 142.250.179.174:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| RU | 89.191.233.38:65233 | N/A | tcp |
| RU | 89.191.233.38:65233 | N/A | tcp |
| RU | 89.191.233.38:65233 | N/A | tcp |
Files
\??\pipe\crashpad_652_HQNMGGLYHTFPMDHP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Downloads\Log sorter.rar
| MD5 | c816f03f3b60d91dab53ca4913d53fff |
| SHA1 | f0dcea7b7c15be2dcf937e11a8609be309629a33 |
| SHA256 | 53b1760a03e5597a0071f9be1df8247650025221168085131634749c5b53870e |
| SHA512 | 17a36e36867c64f638141f3824b265599291b5ff73d78abb8fc3fb22f6b8efebe0817e3a582c7cc9346de37e7a10d27b31c81e2dc4c00ce88bf780405564aae8 |
C:\Users\Admin\Desktop\Log sorter\Sorter.exe
| MD5 | 2f0ab396d2b1ccb7617761160f9b9509 |
| SHA1 | dc9095391b7d375999ee11a274d6fc96e5d4f69a |
| SHA256 | c5686144786b958cf7e0c87cf10c61fe3f8fb7ceed24c3c850856ab1be8bccf8 |
| SHA512 | e5bf9450f05351ce678a20a2e37e287fe30699456882623273ba2036f642e90858404ac742b13c42da4be968466ec12898f8ff19ecf7d9caf6025da2a1da6ddc |
C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe
| MD5 | 5899efb13e5d2af4b94f6b115643f310 |
| SHA1 | 25f41bac5fc1bd34deeca93a85ec689ae340cfdf |
| SHA256 | 37299b38898a92b9df8f466d1430a7dcca8b8696c2048c2a29464e22efd35c14 |
| SHA512 | 48739eb655015b17a0b5878189df9763e63274415fcec68ae196fa71ba2ad076579d43185bf4a17da7608f553cb2926a4b98d1eb4b7e795f8ec8be0ee92db294 |
C:\Users\Admin\Desktop\Log sorter\error.log
| MD5 | ead2aa1cf9ef2fd31ad28ed7797c4ae0 |
| SHA1 | f52145c370059b7c460c0235fb221d0a5c1cbb0a |
| SHA256 | 288f706f6bd775c7350ad2a27c7ca83161cbef3603543f18f36ff28c19696c28 |
| SHA512 | 25b2ee253693667531ada75b1bc6b7f71a4846df07f83b5423f3b2df7cfc60c01c94bfca6934cbf4326155ff535d816645a61e0f8c14caf77cf474856160e28c |
C:\Users\Admin\Desktop\Log sorter\log\settings.ini
| MD5 | 92c8fbe20fba61aadeb49fb499f6c9ff |
| SHA1 | e2aac2154153b672f9bb250b73029851bb627bb7 |
| SHA256 | c4b804e5a4673a42b8e4034b3b71236a274387885d68fe1905ea43ab9c5caaf3 |
| SHA512 | 20ff2370c15e75e4e1f69fe40e5131b4e70fd499ea0f014f364e420c75a6ae46b3fe26d4ac066b25b4f917882fb3fcd3079fbbd4f6c2a55967444067722ab3d9 |
C:\Users\Admin\Desktop\Log sorter\stats.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.sqlite3.module.dll
| MD5 | 71000fc34d27d2016846743d1dcce548 |
| SHA1 | f75456389b8c0dd0398bb3d58f0b4745d862e1b5 |
| SHA256 | bbc7ca2b74fc5dd4118a11b633ab2ff6e2498f3734f24221d4cb09582f9d4e03 |
| SHA512 | d382d2c33c3c20f1dbed4874329b0d750be0fe36fe5fde53ceb6d6a173a5f8525a32e45e68befabe7a853ee9cab6e31028016f265d54bf3439ec92a7f76f9d0c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies
| MD5 | ccc6786953dd0776892fad1b535d116f |
| SHA1 | a4df5848f4a3a4a80370dc5010e30b49c2854a13 |
| SHA256 | 24ee890a4f3efd1f9605851a750ed7794c9bad5f605e8e404cfd4f8d34daa5a7 |
| SHA512 | 9e9c34dd45a26e5118035e2c5beba1c3d0e3a98ebbba61089e860b9ee487823a60c8911fd11e7de66776fca80636bd1bedef523e4500b520d390cbf547ff5777 |
C:\Users\Admin\Desktop\Log sorter\stats.txt
| MD5 | 501e95e78c09869bcfed18ada5c04a3f |
| SHA1 | e6e23bd49b141e94437d8bea4ad864879fba7f8b |
| SHA256 | 7aed6bacce338c4709ba6575d2ab12b31f1d4967881f7a63a53649b47494f388 |
| SHA512 | 2e4eba1aac284ad4dc85a67e294b289928cfd54fee21472bb30c6cbaf9d9b6831774e82a109e2249ab7b28b55a75dcc380ecf294d8867881eaa2f5d8f14cb701 |
memory/1520-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe
| MD5 | f469446c7ad375de6f2419c3bedb20a0 |
| SHA1 | c2c586385060414fe3a84cfc624dec86f99fda3a |
| SHA256 | cea20c7e1f674b56894e4179eae6916149e00866e171b76257f2906b1a87b0fc |
| SHA512 | c99c9471621df95cf0fe8a8d076be0b781a7ec1c4d62fc67a38097c0e2aeb1c9460f8871846a358e2c47cc7f0999d8852794aef339e64954c0d90f0efc9c51c9 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\dpnet.module.exe
| MD5 | f469446c7ad375de6f2419c3bedb20a0 |
| SHA1 | c2c586385060414fe3a84cfc624dec86f99fda3a |
| SHA256 | cea20c7e1f674b56894e4179eae6916149e00866e171b76257f2906b1a87b0fc |
| SHA512 | c99c9471621df95cf0fe8a8d076be0b781a7ec1c4d62fc67a38097c0e2aeb1c9460f8871846a358e2c47cc7f0999d8852794aef339e64954c0d90f0efc9c51c9 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\Cookies\Google Chrome (1).txt
| MD5 | 6b11a587ab35a0d16b921fb710c48ebe |
| SHA1 | 2715aac787b5b2f4080706cc0cd7fe5b28e6ebd9 |
| SHA256 | 71937b34e92eee34fcd9450bde1de357d61488685d35e82c3ddcc2cb72e8bcf5 |
| SHA512 | 01b44b02810d6c8cbaf7c4286a17ed2cb7e0345a21476622c53be318062b6ec41012dabd9f2e7648c66f27d1657749fe3377ab1eb137babf4300225352913ba1 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\Desktop TXT Files\Log sorter\stats.txt
| MD5 | 501e95e78c09869bcfed18ada5c04a3f |
| SHA1 | e6e23bd49b141e94437d8bea4ad864879fba7f8b |
| SHA256 | 7aed6bacce338c4709ba6575d2ab12b31f1d4967881f7a63a53649b47494f388 |
| SHA512 | 2e4eba1aac284ad4dc85a67e294b289928cfd54fee21472bb30c6cbaf9d9b6831774e82a109e2249ab7b28b55a75dcc380ecf294d8867881eaa2f5d8f14cb701 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\Information.txt
| MD5 | 54b5a66d18a4853cf0f13ba066389e5d |
| SHA1 | c667dc1a756312aaec2987ba47dc481e04e72597 |
| SHA256 | 3d87f9544d6ae43d7fc7d83f5a521f7229f9b56110e7639ac3ca85c33eb9a6ff |
| SHA512 | 2c86b5d451fdafc23224626d84d4ed8e1adeb0e25818ac4ce8eb3c40ba0cfa02523a46438b9348329d45bc15485934ab48f2d8df1a572bbee1f7c2cebb48e205 |
C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-i..l-keyboard-00000445\1\Screen.jpg
| MD5 | 1bf8da35df9d2b97b3ee034401ccf9f5 |
| SHA1 | ec269dfe40c2367e47caf743bd42fc10a6e457ba |
| SHA256 | 7b50d8ac3230061e73af738f40699df52b11635b2e2e56ddeb89b2aba475046c |
| SHA512 | ba2d4bed3e5de2d008b4fd9b31daad4cd6893dceb713d529ee681a04502e22e3e369c7f8c9fc89ccb365b83253ce96afaa784eb3eb11e86032bfbdcba991cb50 |
memory/3960-150-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
memory/3960-149-0x0000000006DD0000-0x0000000006DD1000-memory.dmp
memory/3960-152-0x0000000006E00000-0x0000000006E01000-memory.dmp
memory/3960-151-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
memory/1996-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\Log sorter\Launcher.exe
| MD5 | a3c5c6ceec0b6ace480179cc0783d44d |
| SHA1 | bec9178f44daa5aef1cbc90f807a305c0b348ced |
| SHA256 | 53e32276726d3c070bc07efcb79b1c42dcdd406731a7502df63e3f02e2be8a79 |
| SHA512 | d72904e2d63e1c3bcd9a9f9c1b6ec5b483081a2be9b683f2bfdd5ccf6b139d254c90e1a3739561d8ce0a1bb49828809a106828a34a3ff495987f29429bf7929d |
C:\Users\Admin\Desktop\Log sorter\Launcher.exe
| MD5 | a3c5c6ceec0b6ace480179cc0783d44d |
| SHA1 | bec9178f44daa5aef1cbc90f807a305c0b348ced |
| SHA256 | 53e32276726d3c070bc07efcb79b1c42dcdd406731a7502df63e3f02e2be8a79 |
| SHA512 | d72904e2d63e1c3bcd9a9f9c1b6ec5b483081a2be9b683f2bfdd5ccf6b139d254c90e1a3739561d8ce0a1bb49828809a106828a34a3ff495987f29429bf7929d |
memory/952-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
C:\Users\Admin\AppData\Roaming\Z1400639587\Build.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
memory/1488-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Z1400639587\Launcher.exe
| MD5 | 3a094770f08e84549f4452e9ca34be0f |
| SHA1 | b76545d1f9350df332761d0f15e00eee02527314 |
| SHA256 | 5e50dcbe35fcfe32d1cd0c2c16df69f66539b6551b1b975423da6e2bb81376d7 |
| SHA512 | 90677c27946e4ef7104dfed159eda53d801ab89eba0734c0047d621d5c7258593f6ea97ac73e7d2e067ed285d6e0f50eba8559fe995d44ea5c69b602a15a64c5 |
C:\Users\Admin\AppData\Roaming\Z1400639587\Launcher.exe
| MD5 | 3a094770f08e84549f4452e9ca34be0f |
| SHA1 | b76545d1f9350df332761d0f15e00eee02527314 |
| SHA256 | 5e50dcbe35fcfe32d1cd0c2c16df69f66539b6551b1b975423da6e2bb81376d7 |
| SHA512 | 90677c27946e4ef7104dfed159eda53d801ab89eba0734c0047d621d5c7258593f6ea97ac73e7d2e067ed285d6e0f50eba8559fe995d44ea5c69b602a15a64c5 |
memory/1488-162-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
memory/3560-163-0x0000000000000000-mapping.dmp
memory/2084-164-0x0000000000000000-mapping.dmp
memory/1048-165-0x0000000000000000-mapping.dmp
memory/3508-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\Log sorter\GetAdress.exe
| MD5 | 13e4b43e34c67f7af709ba3b8be18363 |
| SHA1 | 949bf8a6dc3a4172b23d4c2ea24ed477807262fb |
| SHA256 | 6f70eaa38728efd595cb4b36e88da89957c4e4f800feadd6fba710ac23bf120a |
| SHA512 | a330a979498924b8514b7e1606a53cbae8ca4c1039a8e898b1ce6ac21e769c99641c98e563f64ccb0d4ae6d6b9d52bd60ce16cdc4c46675835806f8e22212d56 |
memory/1760-169-0x00007FF757EA0000-0x00007FF757EEA000-memory.dmp
C:\Users\Admin\Desktop\Log sorter\GetAdress.exe
| MD5 | 13e4b43e34c67f7af709ba3b8be18363 |
| SHA1 | 949bf8a6dc3a4172b23d4c2ea24ed477807262fb |
| SHA256 | 6f70eaa38728efd595cb4b36e88da89957c4e4f800feadd6fba710ac23bf120a |
| SHA512 | a330a979498924b8514b7e1606a53cbae8ca4c1039a8e898b1ce6ac21e769c99641c98e563f64ccb0d4ae6d6b9d52bd60ce16cdc4c46675835806f8e22212d56 |
memory/1760-170-0x00007FF757EA0000-0x00007FF757EEA000-memory.dmp
memory/1760-171-0x00000286A4E40000-0x00000286A4E42000-memory.dmp
C:\Users\Admin\Desktop\Log sorter\run.vbs
| MD5 | aa60c13f7e4586d6c2aa1ad8cc8efc47 |
| SHA1 | 5fa8fab30f5336f8d9110ebc2280e6a864767f2e |
| SHA256 | 51233e4c03f5c6486fa950d99c25a992fbb8c485ad7f01468802ddee97636bf8 |
| SHA512 | d9973b4cddf1bb3416f0c63f9e0b506d73ecf0da507644a6d40e2605483ffe4a16d0b0028b3ccda94981248b52755a1544e721804db0b5b0630f749aebd5e617 |
memory/2088-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\Log sorter\Sorter.exe
| MD5 | 2f0ab396d2b1ccb7617761160f9b9509 |
| SHA1 | dc9095391b7d375999ee11a274d6fc96e5d4f69a |
| SHA256 | c5686144786b958cf7e0c87cf10c61fe3f8fb7ceed24c3c850856ab1be8bccf8 |
| SHA512 | e5bf9450f05351ce678a20a2e37e287fe30699456882623273ba2036f642e90858404ac742b13c42da4be968466ec12898f8ff19ecf7d9caf6025da2a1da6ddc |
memory/2528-175-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
memory/2540-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe
| MD5 | 5899efb13e5d2af4b94f6b115643f310 |
| SHA1 | 25f41bac5fc1bd34deeca93a85ec689ae340cfdf |
| SHA256 | 37299b38898a92b9df8f466d1430a7dcca8b8696c2048c2a29464e22efd35c14 |
| SHA512 | 48739eb655015b17a0b5878189df9763e63274415fcec68ae196fa71ba2ad076579d43185bf4a17da7608f553cb2926a4b98d1eb4b7e795f8ec8be0ee92db294 |
C:\Users\Admin\AppData\Roaming\Z1115706372\Build.exe
| MD5 | 9e3622c7bbb737a24e150468f59e8d24 |
| SHA1 | 3d546ba84a846bc0c3e79c551cea89fd10eb29f5 |
| SHA256 | a98a2c7fc485217e13f1896b6046f39a46e0edca71c110aab0a106383b177e9a |
| SHA512 | 66e4c6123b6944d5d977d77c9c9a7af21a60e3f0498cca9974a9c27615edddef7add3b79444f87e1cbc352077224fcf84fc1a5eff5bb339ad51f3b6516d28da7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sorter.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
C:\Users\Admin\AppData\Roaming\Z1115706372\Sorter.exe
| MD5 | 5899efb13e5d2af4b94f6b115643f310 |
| SHA1 | 25f41bac5fc1bd34deeca93a85ec689ae340cfdf |
| SHA256 | 37299b38898a92b9df8f466d1430a7dcca8b8696c2048c2a29464e22efd35c14 |
| SHA512 | 48739eb655015b17a0b5878189df9763e63274415fcec68ae196fa71ba2ad076579d43185bf4a17da7608f553cb2926a4b98d1eb4b7e795f8ec8be0ee92db294 |
memory/2540-183-0x00007FF6911A0000-0x00007FF6911FA000-memory.dmp
memory/2540-182-0x00007FF6911A0000-0x00007FF6911FA000-memory.dmp
C:\Users\Admin\Desktop\Log sorter\error.log
| MD5 | ead2aa1cf9ef2fd31ad28ed7797c4ae0 |
| SHA1 | f52145c370059b7c460c0235fb221d0a5c1cbb0a |
| SHA256 | 288f706f6bd775c7350ad2a27c7ca83161cbef3603543f18f36ff28c19696c28 |
| SHA512 | 25b2ee253693667531ada75b1bc6b7f71a4846df07f83b5423f3b2df7cfc60c01c94bfca6934cbf4326155ff535d816645a61e0f8c14caf77cf474856160e28c |
memory/1332-185-0x0000000000000000-mapping.dmp
memory/4064-186-0x0000000000000000-mapping.dmp
memory/1836-187-0x0000000000000000-mapping.dmp
memory/1632-188-0x0000000000000000-mapping.dmp