Overview

overview

10

Static

static

auto kick ...ck.exe

windows7_x64

10

auto kick ...ck.exe

windows10-2004_x64

10

auto kick ...ab.exe

windows7_x64

10

auto kick ...ab.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    auto kick + tav/AutoClick.exe

  • Size

    716KB

  • MD5

    dec0a88203e4f73a3682c8a8bbc76d14

  • SHA1

    e6178afe89a702a12f3f604cebde0299e7f68c09

  • SHA256

    2b869c809ac19759798be63e56ff36567e35b641bbde5f5b6c0e17d4137d6965

  • SHA512

    5172b582dc6fd55e9e03eab4755c0fcfc8bd2c29eaa04c612f5ce32a355bbfec73b6ae25b8a8000b99d80c998729d09dc7d627c6d4da38874ce64ac7bb268db3

Score
10/10
adwareevasionpersistencestealertrojanupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
    evasion
  • Executes dropped EXE 9 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 32 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\auto kick + tav\AutoClick.exe
    "C:\Users\Admin\AppData\Local\Temp\auto kick + tav\AutoClick.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • \??\c:\users\admin\appdata\local\temp\auto kick + tav\autoclick.exe 
      "c:\users\admin\appdata\local\temp\auto kick + tav\autoclick.exe "
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4988
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoClick.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoClick.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4864
        • C:\Windows\SysWOW64\iexplore.exe
          C:\Windows\system32\iexplore.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3260
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4064
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2148
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4100
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4452
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4436
            • C:\Windows\SysWOW64\at.exe
              at 05:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:4928
              • C:\Windows\SysWOW64\at.exe
                at 05:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:1124

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Hidden Files and Directories

      1
      T1158

      Registry Run Keys / Startup Folder

      2
      T1060

      Browser Extensions

      1
      T1176

      Privilege Escalation

      Defense Evasion

      Modify Registry

      5
      T1112

      Hidden Files and Directories

      1
      T1158

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoClick.exe
        Filesize

        270KB

        MD5

        3bc8526cb02d572a6590061d8d775b47

        SHA1

        9835f5df476f38036b2320531ee0a3e3b493fd30

        SHA256

        97810558180c71b18b0b4ce3e223797546172fea12790b7681bcad127745ca96

        SHA512

        58bf3ad8252cba662903ee9435c13f14b504c35934b833ef6b848448ca0eaee85d096837173520c68991140944b09a676575df212a9028049cf2a9dad26c2fad

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoClick.exe
        Filesize

        270KB

        MD5

        3bc8526cb02d572a6590061d8d775b47

        SHA1

        9835f5df476f38036b2320531ee0a3e3b493fd30

        SHA256

        97810558180c71b18b0b4ce3e223797546172fea12790b7681bcad127745ca96

        SHA512

        58bf3ad8252cba662903ee9435c13f14b504c35934b833ef6b848448ca0eaee85d096837173520c68991140944b09a676575df212a9028049cf2a9dad26c2fad

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iexplore.exe
        Filesize

        424KB

        MD5

        2a98fb1ede3a77f0e62488536138ddca

        SHA1

        ee010c5a0d8c18e19df19a28f9d52a9ca2c8a76b

        SHA256

        3020c04e8a872357e196467b36a171714939896a15f6a36716f426f25d38faba

        SHA512

        915dc92ab2658e0ab0dab53fa26907b45503085de73ab1f509183a1b8afb6ddf028cd907cb5ff026d7b8cb3005d2416722f1af3a1ced87efa0562d1e1fd857e1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iexplorehk.dll
        Filesize

        24KB

        MD5

        81b7f40ff53a778463dd904957da4fa9

        SHA1

        1500786a0ac422fbed0c072b90b3a38627ded5cd

        SHA256

        0ba48c0c16f2fa5622adb5aeb5dbb67da8a449a01096ccc6d8eee3b967332275

        SHA512

        61b7fa5e16f7b789576dc0293df8983992099d50b386620016bcc800eee5569956a13750e95d987841617dac49b1783a0e6adfc2f4761164d78a09f2c16c83fa

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\iexplorewb.dll
        Filesize

        40KB

        MD5

        26859450dd1e2e4f7344ac521f0f4101

        SHA1

        5533f421dfdc970d89ab44431b333eea9736fa38

        SHA256

        5c7d6a0ef482dc3ee561d4b3f69010fe9709d8735532e4154a7d5c0489d81be5

        SHA512

        b9382d52aea91b8b5bada292ba00089cb4a34a9852a932b3b41ac2e9ad1c298e9dc355559dca4d2206d820d60da39be2dde77d94608994a12d3b2b2fdd4cae44

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
        Filesize

        996B

        MD5

        3810682c780fb6403bcaf08ff959c8c2

        SHA1

        d93607ccf3b66ee644a939e6a313fbe3a613a503

        SHA256

        50f5ee95c0f2dbae9af5fb8738f3acc580f1559938ed7fd20423f89dba9e1b7c

        SHA512

        a4f300a8bcd0cbdaf7b70cd455538a72585cca7964f1859b2e10227c8a5ec3ffef402bd06943692618a5d5e5783596529dfc19a419741c5db4e383543421e970

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\kw.dat
        Filesize

        197B

        MD5

        b04b517debaa87fa12e501073834e13c

        SHA1

        42732afdd5e7e31887b10a7a6a2dca545826549b

        SHA256

        57170f7d966924d21c3aca9d5e976fc702451bd87f0c8a9381fac9f09852209e

        SHA512

        ad558442a078b469d126541ab0ad7492b1de213dd1f988d9397cc02e7e371f0ee4edd21a0a3f93a7acf4886834f7a5d120e9396396bb73751edc5899d93a3f71

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat
        Filesize

        69B

        MD5

        3cf9476e9d7cc713dfbf21d1553d9127

        SHA1

        2b449c0df6cef085fae4b10cc8a1d65923896014

        SHA256

        2cd5d5daa1f7feabdec8c9c2f1faf752c5db59c9713d506966eeaa4785eb01ce

        SHA512

        3eaa956e78e0801a5179f94065911199d461d6dd7b75fc6b53d3d703ed348d85c30e015f2016faab52a5f9b0bba1b4b31ee5fe15af831f5d6924a67372bbae0f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
        Filesize

        4KB

        MD5

        99604b6570b0e8764587d1373220add5

        SHA1

        1dc8672a7097f787d5d7a381bfe46e9d2fd756f6

        SHA256

        a6e878f13794b3a1abce99c0a063883292e14a8f3d5ab7ba4bec6136d3578bc2

        SHA512

        3468f9b138ece3a59e7f96f1128b0533f875dcb3976a996fe8ffa0aa4206b55d45158db262a42daecf0597af94938d496a23f3c1bb296198f6a9206c59358263

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        Filesize

        7KB

        MD5

        fbe4bab53f74d3049ef4b306d4cd8742

        SHA1

        6504b63908997a71a65997fa31eda4ae4de013e7

        SHA256

        446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

        SHA512

        d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
        Filesize

        7KB

        MD5

        fbe4bab53f74d3049ef4b306d4cd8742

        SHA1

        6504b63908997a71a65997fa31eda4ae4de013e7

        SHA256

        446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

        SHA512

        d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\auto kick + tav\autoclick.exe 
        Filesize

        509KB

        MD5

        17b5d3f71dd49aafe803c77ef4755b84

        SHA1

        7618ce99913d09a2be20aeb3584bf0262f30217a

        SHA256

        2f2dde9447808267504111cc8cce1eb30e9efabd3c7e9663435d526a70777dd2

        SHA512

        53855ab8119bcb9034ea87c4aceb032f6948ccdf42b38b0920aac41a2cd4a38f87b9fbb663b40b01df14242baab6062349de45243d083cae6be4bf2888d3c46c

        Download Submit
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        Filesize

        206KB

        MD5

        d1eab72f8cc2dd9ad688d676c6e02167

        SHA1

        4a70fba3b529ce1264dd953f044e684282a2cb78

        SHA256

        f0c9827d2402672216201898887b2fbecd078a98198b519ab37469ab61f0288b

        SHA512

        66ec0558f4bda827323a051ef486b59ec472fe3223ae01a222306df5fd58399712d1363bff5b638d66086a1486ce08ac0ee4cef126ccb00da65d1dc8ed9338bc

        Download Submit
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        Filesize

        206KB

        MD5

        d1eab72f8cc2dd9ad688d676c6e02167

        SHA1

        4a70fba3b529ce1264dd953f044e684282a2cb78

        SHA256

        f0c9827d2402672216201898887b2fbecd078a98198b519ab37469ab61f0288b

        SHA512

        66ec0558f4bda827323a051ef486b59ec472fe3223ae01a222306df5fd58399712d1363bff5b638d66086a1486ce08ac0ee4cef126ccb00da65d1dc8ed9338bc

        Download Submit
      • C:\Users\Admin\AppData\Roaming\mrsys.exe
        Filesize

        206KB

        MD5

        45fa88441bf5822e77999516becc28df

        SHA1

        e6d859028aa4c76aaec8c8e012de2eff06c2db8b

        SHA256

        be249210b3e7bd6f53fc105a731cdea09f497970fc7669055eb71780e1d7073a

        SHA512

        29b5eb2eea366902d19139042ed48c4f7860da58de30c9e078bf4844a3fbe4a787a9a9c337373957dc1d3411d20b0a706c41d06395944364b338f3a9a8f1d2c5

        Download Submit
      • C:\Windows\SysWOW64\iexplore.exe
        Filesize

        424KB

        MD5

        994ffae187f4e567c6efee378af66ad0

        SHA1

        0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

        SHA256

        f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

        SHA512

        bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

        Download Submit
      • C:\Windows\SysWOW64\iexplore.exe
        Filesize

        424KB

        MD5

        994ffae187f4e567c6efee378af66ad0

        SHA1

        0cc35d07e909b7f6595b9c698fe1a8b9b39c7def

        SHA256

        f0b707b1ab25024ba5a65f68cd4380a66ef0ce9bb880a92e1feee818854fe423

        SHA512

        bd5320327a24fbab8934395d272869bfa97d77a2ee44ac6eec8fa79b3ffbd4a049bf9dfeeb6b8cc946c295a07bd07ddba41d81c76d452d2c5587b4bf92559e0a

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorehk.dll
        Filesize

        24KB

        MD5

        9ac9028338d1b353a7cacb563bb91df7

        SHA1

        a20c5dee8f05c91686324cec2d5b092bafe58339

        SHA256

        93c0e7f41d5d74217189e4cc2d5cdb8f97d8e5eeef0a0dcf4cecd67e3393682c

        SHA512

        ac83c8f7b6fe913487015d8d7a2e430e917d230b6b2907150f6c4a73bf64c3a02320dddc29fea03db5df8ac5620d8a902fe7be80ba1b1bd1e6f5b8b1b016ddfe

        Download Submit
      • C:\Windows\SysWOW64\iexplorewb.dll
        Filesize

        40KB

        MD5

        21d4e01f38b5efd64ad6816fa0b44677

        SHA1

        5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

        SHA256

        3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

        SHA512

        77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

        Download Submit
      • C:\Windows\SysWOW64\iexplorewb.dll
        Filesize

        40KB

        MD5

        21d4e01f38b5efd64ad6816fa0b44677

        SHA1

        5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

        SHA256

        3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

        SHA512

        77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

        Download Submit
      • C:\Windows\SysWOW64\iexplorewb.dll
        Filesize

        40KB

        MD5

        21d4e01f38b5efd64ad6816fa0b44677

        SHA1

        5242d2c5b450c773b9fa3ad014a8aba9b7bb206a

        SHA256

        3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977

        SHA512

        77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

        Download Submit
      • C:\Windows\SysWOW64\inst.dat
        Filesize

        996B

        MD5

        3810682c780fb6403bcaf08ff959c8c2

        SHA1

        d93607ccf3b66ee644a939e6a313fbe3a613a503

        SHA256

        50f5ee95c0f2dbae9af5fb8738f3acc580f1559938ed7fd20423f89dba9e1b7c

        SHA512

        a4f300a8bcd0cbdaf7b70cd455538a72585cca7964f1859b2e10227c8a5ec3ffef402bd06943692618a5d5e5783596529dfc19a419741c5db4e383543421e970

        Download Submit
      • C:\Windows\SysWOW64\kw.dat
        Filesize

        197B

        MD5

        26a22fbcbbb3b4a5ebb06606f6dce669

        SHA1

        f166da6556b08a1afbb6d567cd5906d93d393df1

        SHA256

        06fe040fc318a78fab63b06a5ecabf1ea4989a047b56cf2e37428fe5f8a0122e

        SHA512

        b67a600e1338c24f5cbff2d0e63f007e97037459849047a5d7e0f2ab5008b96254a1beffb33450e2347d51dec5c2d20e1857a69c0a5a64952615ceaefe6659ad

        Download Submit
      • C:\Windows\SysWOW64\mc.dat
        Filesize

        69B

        MD5

        5788324f0a5c6814b96809ad21a604dd

        SHA1

        a4de6a189aebdafa04486ad7dd07933d1ab97396

        SHA256

        59fac42242e78d77d29e7181b9509f13a9b03d1bd24c91b0f075d4c347ea0942

        SHA512

        c0ef5ba1fe29a3cd77aace738e4cf1d5a43c593aa1b1f32e664553d7a3e39067b812b0c83e9f2f1682218d4c8f29916a5e11b8d0e51cef9c6fb6373231350093

        Download Submit
      • C:\Windows\SysWOW64\pk.bin
        Filesize

        4KB

        MD5

        38ced90e39523199c83279394da05015

        SHA1

        99d503b1239476d5f10f6c44f7f842626621b65e

        SHA256

        81f51675376ea55c6296393d02f274a4caf90e2e26a5ee70e50ec13d55697389

        SHA512

        3d82768fa9f2ed9b575dac661709b672b26090da7a622106d12a14903118bb69d7125ca1f6e3c381561509c9aea76c2c8cf8cc08ed34da53b89e97d4fd8f2b81

        Download Submit
      • C:\Windows\SysWOW64\rinst.exe
        Filesize

        7KB

        MD5

        fbe4bab53f74d3049ef4b306d4cd8742

        SHA1

        6504b63908997a71a65997fa31eda4ae4de013e7

        SHA256

        446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092

        SHA512

        d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

        Download Submit
      • C:\Windows\System\explorer.exe
        Filesize

        206KB

        MD5

        0b1f60199178cb7539660d07823c3c96

        SHA1

        56b20a4682cc1403c4fa3725aee881564b32035c

        SHA256

        83bae35082f936a5accf8ea3b01e22df411c5a075dbc29c19b570a266bd16dc5

        SHA512

        8585a73ff1adafcd1603e439d285cafb0b1cc5d8f8de19ef5240a24ee23408b2bb6a4015e6dee677de29b0b41dd6df849a04e45086152dd0654bb92848281c77

        Download Submit
      • C:\Windows\System\spoolsv.exe
        Filesize

        206KB

        MD5

        e28d81d0b9deaf15cdae6b53581fc877

        SHA1

        57b74173ee9ea7c5bdbfe6e70450871a910591ca

        SHA256

        14504ba9914b9a1866c1e5998ec6c6164694ba0172a2ab92039022bb0d60c907

        SHA512

        6c550e4c68d4c4cf41ee2a3b338f0849be7e096a88d406afe8651d621825a256c80027a9a272f73feb63a39e23083d2dd7acb3a2d5f52ad4228adca5a62ee281

        Download Submit
      • C:\Windows\System\spoolsv.exe
        Filesize

        206KB

        MD5

        e28d81d0b9deaf15cdae6b53581fc877

        SHA1

        57b74173ee9ea7c5bdbfe6e70450871a910591ca

        SHA256

        14504ba9914b9a1866c1e5998ec6c6164694ba0172a2ab92039022bb0d60c907

        SHA512

        6c550e4c68d4c4cf41ee2a3b338f0849be7e096a88d406afe8651d621825a256c80027a9a272f73feb63a39e23083d2dd7acb3a2d5f52ad4228adca5a62ee281

        Download Submit
      • C:\Windows\System\svchost.exe
        Filesize

        207KB

        MD5

        9c514d1cab3a668be9e24d28a9f0d9a1

        SHA1

        a242a8dc536fa1e66a2fbc6502e7486f0d7c944e

        SHA256

        d7628de7f2e332b76b6043afcc2c15d0a38c71001f838c046a2971015eede986

        SHA512

        4dd4b051778e4bb02d1ef6e588ed8407854621edead6bb55fe3d2f565848eac07f8a0ef43c5e9d1b6a09f39121f4e2edc95acbe4dc57ad6c79d7c41c4f133cb8

        Download Submit
      • \??\c:\users\admin\appdata\local\temp\auto kick + tav\autoclick.exe 
        Filesize

        509KB

        MD5

        17b5d3f71dd49aafe803c77ef4755b84

        SHA1

        7618ce99913d09a2be20aeb3584bf0262f30217a

        SHA256

        2f2dde9447808267504111cc8cce1eb30e9efabd3c7e9663435d526a70777dd2

        SHA512

        53855ab8119bcb9034ea87c4aceb032f6948ccdf42b38b0920aac41a2cd4a38f87b9fbb663b40b01df14242baab6062349de45243d083cae6be4bf2888d3c46c

        Download Submit
      • \??\c:\windows\system\explorer.exe
        Filesize

        206KB

        MD5

        0b1f60199178cb7539660d07823c3c96

        SHA1

        56b20a4682cc1403c4fa3725aee881564b32035c

        SHA256

        83bae35082f936a5accf8ea3b01e22df411c5a075dbc29c19b570a266bd16dc5

        SHA512

        8585a73ff1adafcd1603e439d285cafb0b1cc5d8f8de19ef5240a24ee23408b2bb6a4015e6dee677de29b0b41dd6df849a04e45086152dd0654bb92848281c77

        Download Submit
      • \??\c:\windows\system\spoolsv.exe
        Filesize

        206KB

        MD5

        e28d81d0b9deaf15cdae6b53581fc877

        SHA1

        57b74173ee9ea7c5bdbfe6e70450871a910591ca

        SHA256

        14504ba9914b9a1866c1e5998ec6c6164694ba0172a2ab92039022bb0d60c907

        SHA512

        6c550e4c68d4c4cf41ee2a3b338f0849be7e096a88d406afe8651d621825a256c80027a9a272f73feb63a39e23083d2dd7acb3a2d5f52ad4228adca5a62ee281

        Download Submit
      • \??\c:\windows\system\svchost.exe
        Filesize

        207KB

        MD5

        9c514d1cab3a668be9e24d28a9f0d9a1

        SHA1

        a242a8dc536fa1e66a2fbc6502e7486f0d7c944e

        SHA256

        d7628de7f2e332b76b6043afcc2c15d0a38c71001f838c046a2971015eede986

        SHA512

        4dd4b051778e4bb02d1ef6e588ed8407854621edead6bb55fe3d2f565848eac07f8a0ef43c5e9d1b6a09f39121f4e2edc95acbe4dc57ad6c79d7c41c4f133cb8

        Download Submit
      • memory/1124-199-0x0000000000000000-mapping.dmp
        Download
      • memory/2148-142-0x0000000000000000-mapping.dmp
        Download
      • memory/2984-133-0x0000000000000000-mapping.dmp
        Download
      • memory/3260-180-0x0000000000000000-mapping.dmp
        Download
      • memory/3260-197-0x0000000002EA1000-0x0000000002EA5000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4064-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4100-148-0x0000000000000000-mapping.dmp
        Download
      • memory/4436-160-0x0000000000000000-mapping.dmp
        Download
      • memory/4452-154-0x0000000000000000-mapping.dmp
        Download
      • memory/4864-172-0x0000000000000000-mapping.dmp
        Download
      • memory/4928-165-0x0000000000000000-mapping.dmp
        Download
      • memory/4988-167-0x0000000000000000-mapping.dmp
        Download