a6dc6c9350b5c01ab00c4241cf233f9d69910f1c431fb25e1fda63e463c64642

Analysis

max time kernel
305s
max time network
408s
platform
windows10_x64
resource
win10-20220414-en
submitted
19-05-2022 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mysetup.exe
Size

115.3MB
MD5

1c32da9a18b51af4ac59579322a8c5c7
SHA1

f09d16ee1822139e4bad3958bd46537c16552c30
SHA256

a6dc6c9350b5c01ab00c4241cf233f9d69910f1c431fb25e1fda63e463c64642
SHA512

62699c67e96808655cb3b20350e9b44fc8cb132c1153a3228a2a90c8be5dde445dc5113d7d765fda31e44c425d615b1622d497e1d54cb5890d7c402282081c57

Score

8^/10

discovery upx vmprotect

Malware Config

Signatures

Executes dropped EXE 14 IoCs

Processes:

mysetup.tmpFirefox.exeFirefox.exeFirefox-cleaned.exeFurryfox (3).exeFurryfox.exeFurryfox2.exeFurryfox3.exeFurryfox4.exeGenericSetup.exeinstaller.exeok.exeunins000.exe_iu14D2N.tmp

pid	process
1820	mysetup.tmp
1572	Firefox.exe
732	Firefox.exe
4828	Firefox-cleaned.exe
348	Furryfox (3).exe
4080	Furryfox.exe
4284	Furryfox2.exe
3320	Furryfox3.exe
4304	Furryfox4.exe
4308	GenericSetup.exe
4352	installer.exe
1264	ok.exe
1736	unins000.exe
4780	_iu14D2N.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\Winlocker.exe	upx
C:\Program Files (x86)\My Program\winfirefox.exe	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe	vmprotect
C:\Program Files (x86)\My Program\winfirefoxvmp.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

_iu14D2N.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation _iu14D2N.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Control Panel\International\Geo\Nation	_iu14D2N.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Furryfox2.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	Furryfox2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Furryfox2.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

Furryfox (3).exe

pid	process
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe
348	Furryfox (3).exe

Drops file in Program Files directory 51 IoCs

Processes:

mysetup.tmpinstaller.exe_iu14D2N.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\winfirefoxvmp.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-VH2RE.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-72IQE.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-LPQU0.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-ETR6E.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox (3).exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox4.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\ok.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Public.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\seed.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\winfirefox.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-15LMD.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-LTA0R.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-673EC.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-JB3VA.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Lime Crypter v3.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox3.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker_protected.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-SSIAH.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-KE3PI.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-J3D8O.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-PPBAV.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-7KUKS.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Firefox-cleaned.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-KM04C.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-DPJCR.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-FBPI4.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-JTGF4.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-74QO4.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\unins000.dat	mysetup.tmp
File created	C:\Program Files (x86)\My Program\2022.05.19_04.25.35.593091_installer_pid=4352.txt	installer.exe
File opened for modification	C:\Program Files (x86)\My Program\Firefox.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-LJOG4.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-TFQ5Q.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\installer.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\zm_.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-VHHR8.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-UVROM.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\Furryfox2.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\GenericSetup.exe	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\zm__Slayed.exe	mysetup.tmp
File created	C:\Program Files (x86)\My Program\unins000.dat	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-P7D87.tmp	mysetup.tmp
File created	C:\Program Files (x86)\My Program\is-BCK80.tmp	mysetup.tmp
File opened for modification	C:\Program Files (x86)\My Program\unins000.dat	_iu14D2N.tmp

Drops file in Windows directory 4 IoCs

Processes:

dw20.exeFurryfox2.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe
File opened for modification	C:\Windows\assembly	Furryfox2.exe
File created	C:\Windows\assembly\Desktop.ini	Furryfox2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Furryfox2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 22 IoCs

Processes:

_iu14D2N.tmpmysetup.tmp

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MYPROGRAMFILE.MYP\DEFAULTICON	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell	_iu14D2N.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp	_iu14D2N.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\My Program\\Firefox.exe,0"	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open\command	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Firefox.exe\SupportedTypes	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp\shell\open\command	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	_iu14D2N.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\SupportedTypes\.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\ = "My Program File"	mysetup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\MyProgramFile.myp\DefaultIcon	mysetup.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MYPROGRAMFILE.MYP\SHELL\OPEN\COMMAND	_iu14D2N.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\MyProgramFile.myp	mysetup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open	mysetup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyProgramFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\My Program\\Firefox.exe\" \"%1\""	mysetup.tmp

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GenericSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	GenericSetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

mysetup.tmpdw20.exedw20.exedw20.exedw20.exedw20.exe

pid	process
1820	mysetup.tmp
1820	mysetup.tmp
4928	dw20.exe
4928	dw20.exe
3124	dw20.exe
3124	dw20.exe
4360	dw20.exe
4360	dw20.exe
4340	dw20.exe
4340	dw20.exe
4768	dw20.exe
4768	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Furryfox (3).exedw20.exeFurryfox4.exe

description	pid	process
Token: SeDebugPrivilege	348	Furryfox (3).exe
Token: SeRestorePrivilege	4928	dw20.exe
Token: SeBackupPrivilege	4928	dw20.exe
Token: SeBackupPrivilege	4928	dw20.exe
Token: SeDebugPrivilege	4304	Furryfox4.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mysetup.tmp_iu14D2N.tmp

pid process

1820 mysetup.tmp
4780 _iu14D2N.tmp
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Furryfox (3).exedw20.exedw20.exe

pid process

348 Furryfox (3).exe
348 Furryfox (3).exe
4340 dw20.exe
3124 dw20.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

mysetup.exemysetup.tmpFurryfox.exeFurryfox (3).exeFurryfox3.exeFurryfox4.exeGenericSetup.exeunins000.exe

description	pid	process	target process
PID 1584 wrote to memory of 1820	1584	mysetup.exe	mysetup.tmp
PID 1584 wrote to memory of 1820	1584	mysetup.exe	mysetup.tmp
PID 1584 wrote to memory of 1820	1584	mysetup.exe	mysetup.tmp
PID 1820 wrote to memory of 1572	1820	mysetup.tmp	Firefox.exe
PID 1820 wrote to memory of 1572	1820	mysetup.tmp	Firefox.exe
PID 1820 wrote to memory of 1572	1820	mysetup.tmp	Firefox.exe
PID 4080 wrote to memory of 4928	4080	Furryfox.exe	dw20.exe
PID 4080 wrote to memory of 4928	4080	Furryfox.exe	dw20.exe
PID 4080 wrote to memory of 4928	4080	Furryfox.exe	dw20.exe
PID 348 wrote to memory of 3124	348	Furryfox (3).exe	dw20.exe
PID 348 wrote to memory of 3124	348	Furryfox (3).exe	dw20.exe
PID 348 wrote to memory of 3124	348	Furryfox (3).exe	dw20.exe
PID 3320 wrote to memory of 4360	3320	Furryfox3.exe	dw20.exe
PID 3320 wrote to memory of 4360	3320	Furryfox3.exe	dw20.exe
PID 3320 wrote to memory of 4360	3320	Furryfox3.exe	dw20.exe
PID 4304 wrote to memory of 4340	4304	Furryfox4.exe	dw20.exe
PID 4304 wrote to memory of 4340	4304	Furryfox4.exe	dw20.exe
PID 4304 wrote to memory of 4340	4304	Furryfox4.exe	dw20.exe
PID 4308 wrote to memory of 4768	4308	GenericSetup.exe	dw20.exe
PID 4308 wrote to memory of 4768	4308	GenericSetup.exe	dw20.exe
PID 4308 wrote to memory of 4768	4308	GenericSetup.exe	dw20.exe
PID 1736 wrote to memory of 4780	1736	unins000.exe	_iu14D2N.tmp
PID 1736 wrote to memory of 4780	1736	unins000.exe	_iu14D2N.tmp
PID 1736 wrote to memory of 4780	1736	unins000.exe	_iu14D2N.tmp

C:\Users\Admin\AppData\Local\Temp\mysetup.exe
"C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\is-KS1ML.tmp\mysetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KS1ML.tmp\mysetup.tmp" /SL5="$70068,120034821,831488,C:\Users\Admin\AppData\Local\Temp\mysetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Program Files (x86)\My Program\Firefox.exe
    "C:\Program Files (x86)\My Program\Firefox.exe"
    3⤵
    - Executes dropped EXE
    PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3092

C:\Program Files (x86)\My Program\Firefox.exe
"C:\Program Files (x86)\My Program\Firefox.exe"
1⤵
- Executes dropped EXE
PID:732

C:\Program Files (x86)\My Program\Firefox-cleaned.exe
"C:\Program Files (x86)\My Program\Firefox-cleaned.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\My Program\Furryfox (3).exe
"C:\Program Files (x86)\My Program\Furryfox (3).exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 928
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3124

C:\Program Files (x86)\My Program\Furryfox.exe
"C:\Program Files (x86)\My Program\Furryfox.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 764
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4928

C:\Program Files (x86)\My Program\Furryfox2.exe
"C:\Program Files (x86)\My Program\Furryfox2.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:4284

C:\Program Files (x86)\My Program\Furryfox4.exe
"C:\Program Files (x86)\My Program\Furryfox4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 856
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4340

C:\Program Files (x86)\My Program\Furryfox3.exe
"C:\Program Files (x86)\My Program\Furryfox3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 764
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360

C:\Program Files (x86)\My Program\GenericSetup.exe
"C:\Program Files (x86)\My Program\GenericSetup.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1812
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Program Files (x86)\My Program\installer.exe
"C:\Program Files (x86)\My Program\installer.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4352

C:\Program Files (x86)\My Program\ok.exe
"C:\Program Files (x86)\My Program\ok.exe"
1⤵
- Executes dropped EXE
PID:1264

C:\Program Files (x86)\My Program\unins000.exe
"C:\Program Files (x86)\My Program\unins000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
  "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\My Program\unins000.exe" /FIRSTPHASEWND=$50240
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\My Program\Firefox-cleaned.exe

Filesize
738KB

MD5
52022371d76c92445515c83991887542

SHA1
e34fd42bdecefa0eae06e8717d891dac51b155bc

SHA256
bd74f052247e9b174bc35d6d03e1658e979e6c7d10da4a598a3083db86beba53

SHA512
0f06e570534a5b2dd5a8f93eb4815ed4426238d9989399896db94c775c80cff6a7c6d98d3821f981b1005ed9fd8713034bde656eef72264c1d8ca1807f2ba737

Download Submit
C:\Program Files (x86)\My Program\Firefox-cleaned.exe

Filesize
738KB

MD5
52022371d76c92445515c83991887542

SHA1
e34fd42bdecefa0eae06e8717d891dac51b155bc

SHA256
bd74f052247e9b174bc35d6d03e1658e979e6c7d10da4a598a3083db86beba53

SHA512
0f06e570534a5b2dd5a8f93eb4815ed4426238d9989399896db94c775c80cff6a7c6d98d3821f981b1005ed9fd8713034bde656eef72264c1d8ca1807f2ba737

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Firefox.exe

Filesize
738KB

MD5
21950db214fe165cf82abaf660e26ea5

SHA1
1f753330518edea341e4c888444747c9b243930f

SHA256
66c9a8ab912581867515f14afc52fdd964cff273c850f3b0452852a511ea114b

SHA512
57ae0d579e8fc8155bb5759aa492645a102b2f12628669b78df2d9847e6236f85bfcb1cd80cbcf94420f68c7f53cbb3b0f9e1db36470e6cdb58ec04cb323b68d

Download Submit
C:\Program Files (x86)\My Program\Furryfox (3).exe

Filesize
2.5MB

MD5
3b756930d5b39b23764b37f502667130

SHA1
18791c89ff2e8fc41a9d014756ecdf3a67e4b495

SHA256
76892892094a82689c13907b1de8ce2fabc0184e9cc439d5eab7bee8bba25ff9

SHA512
f702ab6f426976769c8cf9a3cfe9a59274936db5ebf0621554bade7ed4de65d227ab01d4c88bd29a12e5cf9ab0df0aef096e1c533950fb7a79fbfa796a0ee1a9

Download Submit
C:\Program Files (x86)\My Program\Furryfox (3).exe

Filesize
2.5MB

MD5
3b756930d5b39b23764b37f502667130

SHA1
18791c89ff2e8fc41a9d014756ecdf3a67e4b495

SHA256
76892892094a82689c13907b1de8ce2fabc0184e9cc439d5eab7bee8bba25ff9

SHA512
f702ab6f426976769c8cf9a3cfe9a59274936db5ebf0621554bade7ed4de65d227ab01d4c88bd29a12e5cf9ab0df0aef096e1c533950fb7a79fbfa796a0ee1a9

Download Submit
C:\Program Files (x86)\My Program\Furryfox.exe

Filesize
1.2MB

MD5
a35c1e2201d63b0f3d1051ac3ef7f66d

SHA1
cf5f77b12d0fc851128b1db918f51512007d9b67

SHA256
d8b7c095bfd4b8ea3d1f2e1a3cfc70499323226ce1b43c830d5e8d8100399bc5

SHA512
3d2a42e27435c3580b6d69ea8516a4cbc907f39a336ea2d7a49239a84273870ca474b31b92d863d95898c8198e5407f5240e266651ca4f95f67c79d99d9280c3

Download Submit
C:\Program Files (x86)\My Program\Furryfox.exe

Filesize
1.2MB

MD5
a35c1e2201d63b0f3d1051ac3ef7f66d

SHA1
cf5f77b12d0fc851128b1db918f51512007d9b67

SHA256
d8b7c095bfd4b8ea3d1f2e1a3cfc70499323226ce1b43c830d5e8d8100399bc5

SHA512
3d2a42e27435c3580b6d69ea8516a4cbc907f39a336ea2d7a49239a84273870ca474b31b92d863d95898c8198e5407f5240e266651ca4f95f67c79d99d9280c3

Download Submit
C:\Program Files (x86)\My Program\Furryfox2.exe

Filesize
1.3MB

MD5
002e76b8ae88ec3f53205592d027642c

SHA1
d31a0e2dca9751e13145f3a3f488ff7bca6420d8

SHA256
4b6782d75c3736c7922b9083d7321ecbce65698ca599271d929ab1116daf5acb

SHA512
9de538d6b44fed8d571ba78c60d9f3b273a1a34658baf8a19ce5598969918a53bb27b6ec1de0ed2a74a29642dece547c8bcec427fbd78f412d3041d57a5bce6f

Download Submit
C:\Program Files (x86)\My Program\Furryfox2.exe

Filesize
1.3MB

MD5
002e76b8ae88ec3f53205592d027642c

SHA1
d31a0e2dca9751e13145f3a3f488ff7bca6420d8

SHA256
4b6782d75c3736c7922b9083d7321ecbce65698ca599271d929ab1116daf5acb

SHA512
9de538d6b44fed8d571ba78c60d9f3b273a1a34658baf8a19ce5598969918a53bb27b6ec1de0ed2a74a29642dece547c8bcec427fbd78f412d3041d57a5bce6f

Download Submit
C:\Program Files (x86)\My Program\Furryfox3.exe

Filesize
1.2MB

MD5
20c006abf2e9107a6c118d3b37f66cb1

SHA1
b8042b4fd763e6e4bffbdc502f9de53479a478a6

SHA256
37d249984928935104d547af9253158738ccce54f447cb121ec129d41bc97270

SHA512
747a13153f03b9c36bbcb7442f07cd54ffb53abfa4b04b4499c84f1aa1f390a81d198e2a9a1e47e3a937b9a007b8b846188ba1e2c8d0cf9f374c6abef6a84a4d

Download Submit
C:\Program Files (x86)\My Program\Furryfox3.exe

Filesize
1.2MB

MD5
20c006abf2e9107a6c118d3b37f66cb1

SHA1
b8042b4fd763e6e4bffbdc502f9de53479a478a6

SHA256
37d249984928935104d547af9253158738ccce54f447cb121ec129d41bc97270

SHA512
747a13153f03b9c36bbcb7442f07cd54ffb53abfa4b04b4499c84f1aa1f390a81d198e2a9a1e47e3a937b9a007b8b846188ba1e2c8d0cf9f374c6abef6a84a4d

Download Submit
C:\Program Files (x86)\My Program\Furryfox4.exe

Filesize
1.4MB

MD5
5b0987aeb0fc04d0b8923a689d0a04a5

SHA1
a2326c9623ae5818e3775512dc321a5f9f8dac28

SHA256
246e0b8fcfb08951ef9da18cbcb270c79090410fdab7ed4826c34ac52d7db495

SHA512
5838a082a40e95e87e9539a0cf120c98e15ce2c0d041a5b5001dbe919f1f06d34a27b30bbd3a8f098670837b3ce39641138bd10f846c513058fc19e65a5da258

Download Submit
C:\Program Files (x86)\My Program\Furryfox4.exe

Filesize
1.4MB

MD5
5b0987aeb0fc04d0b8923a689d0a04a5

SHA1
a2326c9623ae5818e3775512dc321a5f9f8dac28

SHA256
246e0b8fcfb08951ef9da18cbcb270c79090410fdab7ed4826c34ac52d7db495

SHA512
5838a082a40e95e87e9539a0cf120c98e15ce2c0d041a5b5001dbe919f1f06d34a27b30bbd3a8f098670837b3ce39641138bd10f846c513058fc19e65a5da258

Download Submit
C:\Program Files (x86)\My Program\GenericSetup.exe

Filesize
26KB

MD5
e8e42c3cdf76d03e068b4d1ecf6bb317

SHA1
3df2b679b90cad81e73b10ad7e4d074da4a415da

SHA256
fa22ac38e305fa6031ad5b7f95970190f5ba4ba9e1ec385e192323c9daa46d6a

SHA512
bdbd16a8950914e7339ff608b3ba7e5cecb2b01296042b28c8240650bc08b820494280be0e3de839a65b2429ba4e17e041e6194183d19306ba90a7c3cc6c959a

Download Submit
C:\Program Files (x86)\My Program\GenericSetup.exe

Filesize
26KB

MD5
e8e42c3cdf76d03e068b4d1ecf6bb317

SHA1
3df2b679b90cad81e73b10ad7e4d074da4a415da

SHA256
fa22ac38e305fa6031ad5b7f95970190f5ba4ba9e1ec385e192323c9daa46d6a

SHA512
bdbd16a8950914e7339ff608b3ba7e5cecb2b01296042b28c8240650bc08b820494280be0e3de839a65b2429ba4e17e041e6194183d19306ba90a7c3cc6c959a

Download Submit
C:\Program Files (x86)\My Program\Lime Crypter v3.exe

Filesize
377KB

MD5
ced45f6998154c48d72f053029ecbfc7

SHA1
8f98b757653674f7744484bb6c36604214b6a04a

SHA256
a7496cca2e47de0672548076a7e892844b50cf72b8f624eba4f0b3ddbf53ca21

SHA512
839119702307d9f3852a1af85b2574391673e8cbb380b054f1f6fa8e75ab4e4f1dc9ff5d32440ef25721cd17a7af5c37e1c94ea683d49564e3845fde494b2f25

Download Submit
C:\Program Files (x86)\My Program\Lime-Miner v1.0.exe

Filesize
1.1MB

MD5
695ef3e346df92ecc7390d78fecf7800

SHA1
cfd8522f9d29a7130f6482e1cc802af313d3f4bc

SHA256
f1ff99e447b9de819775d95e7d454e15f171c2c69d6f6584b6e78612911e402c

SHA512
c2bbdb4cd2fff60f4fcfda3b129802d30c630476cb456b7b5361459cb5bf66ae68f5fb3d639b8f1fa4ec8945e9dda7c9dd84d532e1f4491243b8459bab3d0317

Download Submit
C:\Program Files (x86)\My Program\NYAN W0rm v0.3.8.exe

Filesize
2.3MB

MD5
31e57be84107bc0024147d0277973341

SHA1
7e4db48111b10884f3679788fbbae0639fa85904

SHA256
da6a731cb158ddf7e20f96a87e68624a34ffaa4b85d987fed68dd8beabd83e83

SHA512
15d0dfb9ef1b9494b952d92819db7f447763c6ec74f4f6f4154d21baa5b44ca82e3efb566ecd8ecef25cf84216f6623687e2c8ac38314ae9af3038abbb490274

Download Submit
C:\Program Files (x86)\My Program\Public.exe

Filesize
889KB

MD5
c65a1d390521997619951edaa95202ae

SHA1
97e70ae6b763813e4379f324f89a25b3f46ca259

SHA256
dbd31f073dbd669aacb03f7d9f92045f8238ac95625dd97ed280e40b6d684251

SHA512
da9b4df3ff9c0a7fd8621a1bbaeba33c9b71b62c81d0de1a34b625aafc7aa4eb1d33b5cff032a1f51e1c206cdd9643c2d71c8988b17aa47079c37278115429bd

Download Submit
C:\Program Files (x86)\My Program\SGN Miner Builder 1.06.exe

Filesize
8.0MB

MD5
73320bf0560cfc66774e9942be2a81a4

SHA1
ffa07e7084b235721151fa6408429025506fdb3d

SHA256
259047329383a7d72c83171d8b179082be8f4c8f878b25eec8e910632f0249a4

SHA512
cd37ac57afb942cbd76ef48dce7b936e745cf2917f3b7d254b17f0d2c45b53b0aaa4bad7522d4d10ffcbff1132923ec4e0c164edb8f3bf0c6d47b983f9da575b

Download Submit
C:\Program Files (x86)\My Program\Winlocker.exe

Filesize
192KB

MD5
200359966b995d0b2e449dab1c82c5f7

SHA1
6247e1ebaf105b50796078ec27623e21c93d0e02

SHA256
62375022bc3f1416f0b84dc1ace17ad9dfc16c260aa073c4b0e9bb8a9de0af28

SHA512
e03ece30cf5ddbeb39e007fc67cef4b183a48295967c2bea3ab9e0a12b4f27b2dbc47ec01e3c182209f7ded790d232066b680f36d3254dffd3c995fab6d022a4

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.exe

Filesize
1.3MB

MD5
1937d3b787291a073e1a751cedff062f

SHA1
703656e086a090ab5d3e58be8887d6da5cb1923e

SHA256
5591256bba2e4afe923ac77bcf993e7c3c8b99ec2bf378fce705a667a1a6134e

SHA512
b600dc18ecf7e5dd3626f545022291cece6262d59ff6d92106c6e749fb75256a9220f3373d06bc5de8f4507b3adb7a0707f0d30c5b6b833b7ba55bf19bf41fc8

Download Submit
C:\Program Files (x86)\My Program\Winlocker_protected.vmp.exe

Filesize
6.3MB

MD5
19404909d93979ecbc4395dd22b15098

SHA1
c557e8e91c420a9981b2d46585621589bded33d2

SHA256
c4131a9180bab1915765e0fdc7d65e46cba6e9474fea0e3286290e76603646a4

SHA512
43657b49e82251fa7c851d1046dd64404c30ab2fd23bed79617b8085a67a18bb9758091f9b5f57ebed76c28c1c34907422baef0ab301967d77618d44836c4369

Download Submit
C:\Program Files (x86)\My Program\installer.exe

Filesize
1.6MB

MD5
60071cb7b99510995ded0e47f8cca187

SHA1
e8934517f63c911045df6c4cffee7c08b6023a71

SHA256
2dab64718b242e1f818d52cf2f3363908a73774822d4ee004301fd746ca5e9df

SHA512
daa4b5dba88fc4a9df39921bbff4f97074c3414f2807371421d4c9a9944a7d79c28b452c42bd1c138fb13be14987099f1a3218ac2b230c99be24f4525ca9f668

Download Submit
C:\Program Files (x86)\My Program\installer.exe

Filesize
1.6MB

MD5
60071cb7b99510995ded0e47f8cca187

SHA1
e8934517f63c911045df6c4cffee7c08b6023a71

SHA256
2dab64718b242e1f818d52cf2f3363908a73774822d4ee004301fd746ca5e9df

SHA512
daa4b5dba88fc4a9df39921bbff4f97074c3414f2807371421d4c9a9944a7d79c28b452c42bd1c138fb13be14987099f1a3218ac2b230c99be24f4525ca9f668

Download Submit
C:\Program Files (x86)\My Program\ok.exe

Filesize
82.8MB

MD5
b867a1db94d0c503f2dfd6894d0161ea

SHA1
942f0ab8a35969ad5d730c7d12c8cb61cf0b86f4

SHA256
7dd60d767642b792a8f93b26af0ccc17337cb6f70eab7fcca860c817a609c652

SHA512
c8fe26d2e88687c7a580252a7ce3a54a8b42dcd68cb6c5e90bd528cc645768db70cfe2f0e159232d47dd05d6cfa65518166d2bbe11b7eec6faafe9331b5e955c

Download Submit
C:\Program Files (x86)\My Program\ok.exe

Filesize
82.8MB

MD5
b867a1db94d0c503f2dfd6894d0161ea

SHA1
942f0ab8a35969ad5d730c7d12c8cb61cf0b86f4

SHA256
7dd60d767642b792a8f93b26af0ccc17337cb6f70eab7fcca860c817a609c652

SHA512
c8fe26d2e88687c7a580252a7ce3a54a8b42dcd68cb6c5e90bd528cc645768db70cfe2f0e159232d47dd05d6cfa65518166d2bbe11b7eec6faafe9331b5e955c

Download Submit
C:\Program Files (x86)\My Program\seed.exe

Filesize
1.9MB

MD5
9462fc0f63c2f95bc2e6796189ef18b5

SHA1
6bb4282414f3fddef31debe396a5264371ab1e3d

SHA256
80063f3e9fee6ced4f159714bd00ba61d757fd185621d82330bed16d4c2eb495

SHA512
c0b542784f681aec31899235e425c482b43da038f1ca847b428e34a4677f1da30c773f43183c3d287f64bb7271fffcea873ca03136de77f54c1bf614cccec297

Download Submit
C:\Program Files (x86)\My Program\unins000.dat

Filesize
5KB

MD5
4fb86b96bb0f0dfb3797b2ca0e5c5c3b

SHA1
b9d5d882ecdb9e7f41102b04cd1742d6fd6743f6

SHA256
c52efde98a18d2a24b770ddf748d640575e10d0c262b7b2f3efe1745e9cf9731

SHA512
f3409defed8c031453c3a4fbcdc3dbed5b87e03a7767cc243aba3f15b457f0f0d9cce0dc4c9c00827e3123b471c5e2f0a751387074729819da2ac1825908b9f4

Download Submit
C:\Program Files (x86)\My Program\unins000.exe

Filesize
3.1MB

MD5
6fc2b1fa03ffd953c8506da78b72de0a

SHA1
747da5df8496f4b69e7f88d691e7892f8ec1b4cb

SHA256
9462e9d5a59830d0d17a102154a3f854b69309cfb657e78b555124ff3cc544d6

SHA512
66b785eb82c6c834d3e6fd0b2d94961f2a25b097b640b7f7dc1845931865a649704b3b9cda43bc12a2cb1ed2c31ccff61d4581e8393fa47b0c70f3aa6f21683c

Download Submit
C:\Program Files (x86)\My Program\unins000.exe

Filesize
3.1MB

MD5
6fc2b1fa03ffd953c8506da78b72de0a

SHA1
747da5df8496f4b69e7f88d691e7892f8ec1b4cb

SHA256
9462e9d5a59830d0d17a102154a3f854b69309cfb657e78b555124ff3cc544d6

SHA512
66b785eb82c6c834d3e6fd0b2d94961f2a25b097b640b7f7dc1845931865a649704b3b9cda43bc12a2cb1ed2c31ccff61d4581e8393fa47b0c70f3aa6f21683c

Download Submit
C:\Program Files (x86)\My Program\winfirefox.exe

Filesize
485KB

MD5
7d7a120e76029cb9e2b7555983bf567e

SHA1
dda4e7408cfc79d798540a8434811ed6b6f3fff2

SHA256
74a746bdb78b6ce10db26e331d5b40295cf4a59518fc752828ea54e606cb5c2c

SHA512
6dde1410c9859662f18592bedabd7f6fe2124234635d60b6d0c6466f9ac235981823187bcda72db114814ff5a09434d5ad790bf4d3014134d3b52734d9444209

Download Submit
C:\Program Files (x86)\My Program\winfirefoxvmp.exe

Filesize
6.1MB

MD5
2069b674d08f35c112d67172d64aa289

SHA1
31ed2b0c7a7b994c2650b27754733898081c1458

SHA256
863bba97df380b8ab61ee30c3c0315b57026b187b2a2bcd2f3739c5b142e6e2a

SHA512
7bf35c009fa9bd2f70fa138524620064fae3c26ad21bda74bcef14e62db46f72b4d880adb6a1c7e7ea8751714a4dc0b8903ed354d24f5aa2b33ceb669155d585

Download Submit
C:\Program Files (x86)\My Program\zm_.exe

Filesize
917KB

MD5
b587205bfbe19372d72e90d77e27dbac

SHA1
96eb4e47df3ad0df7d0be7fad3bd2fa880703983

SHA256
3afc9cecbe6b3fbeb4ffefebf3bd1ae455342f7867962e3c24413ec0055c0673

SHA512
975ff722e1f4aec52fd9b2ef3f0434c7eef6c7150c1a5ff6f68789888dcc420b58d5cf74ae5c400dc5ffd326370ee61956bb4ababbabeebdff82a7995643edac

Download Submit
C:\Program Files (x86)\My Program\zm__Slayed.exe

Filesize
904KB

MD5
f612846f6805097ee44ada63660e899e

SHA1
19689443e7e8f640d6dfb144a0bcf3b0f2f177af

SHA256
8ad01d5d37dead0fd2f9a2a728d2d705f8593988c7baa24e9263db671da50d01

SHA512
55466cda550608075c3f4a0dcd962f8500aa502cb3a37aefa2296fcec09ea42e75b889661fb09bdddbb56e1d8b0482a655405ced56f8f174121e2f86ceb22928

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Program\My Program.lnk

Filesize
1KB

MD5
504abbe52fd50639a75e6b2adfbbf789

SHA1
90c899855793cdbd189436aab9733147128eb993

SHA256
7ff8ebf81c1f74918eda0a2e44de345c853e02a7e0e529e231b316a48f3a95ba

SHA512
cc0c2b84a52ee1a7170d7b465df0ac051660988e77d6aa8e1cc200dc65566a439ad0c1e8e03b3f75dadb472ddd3745b630c98aa1f509ffdfce390a3693f2d15f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Program\Видалити My Program.lnk

Filesize
1KB

MD5
c900b90044093360c564d82df3a79150

SHA1
95a0a27a2ef20df6e3e9081f2c89644c2f5f1209

SHA256
c8470defd93b50a1725baa39cccf40ff630ba0339fbf90b8a1391a4409331453

SHA512
cb86cd89e1c9d41a0f415c3b255128dea6157e85e1e0a2555bafcfd50b2602fb2ac24c0251b682cd89878442d90f87ed724f5b2b54aab50a9287c29e2c57b3d1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Program\Сайт My Program в Інтернеті.url

Filesize
50B

MD5
2ebe93cb64c2bcfe2e1dc513f4970aa1

SHA1
4a4d36e49c682be6332416aa1bb605b8080d1428

SHA256
a96dbfc64178c2a8af4c3c0d78bce44fb60e64408946add6f0036c2dd502177d

SHA512
191579943380e2fdf77698522299e695dd65bff91427fc282eea82807dda3155d126c450b2c30e86dd040bf033a40a3472ce1f659537b4e1f132b5c09043d46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Firefox.exe.log

Filesize
499B

MD5
60d910ce5b8c0c806d861836999c90be

SHA1
6143b8e6333c1f5b596f7c10f83ef273dc7279b7

SHA256
6e58fa6beaaf852f78112fac2a5760e8e14dca845ea1f33a910e6780319fbace

SHA512
0d66f0cf944f6d839258a8815a3b0fc91a61bfa838e31cae23a6f03610c66c9836b8d90dfd6c45274835c95a7a3d0d891272e2bbbf6ca68264f4bc29718d59f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
3.1MB

MD5
6fc2b1fa03ffd953c8506da78b72de0a

SHA1
747da5df8496f4b69e7f88d691e7892f8ec1b4cb

SHA256
9462e9d5a59830d0d17a102154a3f854b69309cfb657e78b555124ff3cc544d6

SHA512
66b785eb82c6c834d3e6fd0b2d94961f2a25b097b640b7f7dc1845931865a649704b3b9cda43bc12a2cb1ed2c31ccff61d4581e8393fa47b0c70f3aa6f21683c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp

Filesize
3.1MB

MD5
6fc2b1fa03ffd953c8506da78b72de0a

SHA1
747da5df8496f4b69e7f88d691e7892f8ec1b4cb

SHA256
9462e9d5a59830d0d17a102154a3f854b69309cfb657e78b555124ff3cc544d6

SHA512
66b785eb82c6c834d3e6fd0b2d94961f2a25b097b640b7f7dc1845931865a649704b3b9cda43bc12a2cb1ed2c31ccff61d4581e8393fa47b0c70f3aa6f21683c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KS1ML.tmp\mysetup.tmp

Filesize
3.0MB

MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KS1ML.tmp\mysetup.tmp

Filesize
3.0MB

MD5
266673b16ab08a498deb528139dc7213

SHA1
f4f91f8056dbedc155b3965f19eeac7d185f1c9c

SHA256
c6fa242b88805720daf185db905717ff44f23086bb89f3409f100d4f80d95d3f

SHA512
c7fce8e4144f3b484726b6e0202cf4c911091ab04d5ea90ae445e9b5adba56f0e7f4f76f6f01917fccb8a566ddb6b3c4440fee5cf81fd56dee17f7bec984f908

Download Submit
C:\Users\Public\Desktop\My Program.lnk

Filesize
1KB

MD5
ae17c6c210bf3ff9373376fececf68c1

SHA1
2f99928246d14bfcb88990490fd0583edd584868

SHA256
1aa5be98c0998a3f8da13569a94dbbc83200c52e948f67ea001b543501a99312

SHA512
50cbec5c750a31b45cca60b5a8b6eb3f18dce1928b8d55a746b47b432d6893f3226503bff56152c2bf011f654ca98c344d20a0ca2ede47da140b94bdbdac3d60

Download Submit
memory/348-139-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/732-131-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/1572-123-0x0000000000000000-mapping.dmp

Download
memory/1572-126-0x0000000072D80000-0x0000000073330000-memory.dmp

Filesize
5.7MB

Download
memory/1584-117-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1584-121-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1820-119-0x0000000000000000-mapping.dmp

Download
memory/3124-153-0x0000000000000000-mapping.dmp

Download
memory/3320-147-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4080-137-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4284-146-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4304-148-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4308-151-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4340-172-0x0000000000000000-mapping.dmp

Download
memory/4360-171-0x0000000000000000-mapping.dmp

Download
memory/4768-173-0x0000000000000000-mapping.dmp

Download
memory/4780-176-0x0000000000000000-mapping.dmp

Download
memory/4828-136-0x0000000073F90000-0x0000000074540000-memory.dmp

Filesize
5.7MB

Download
memory/4928-138-0x0000000000000000-mapping.dmp

Download