Analysis Overview
SHA256
228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075
Threat Level: Known bad
The file 228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Sets file to hidden
UPX packed file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
AutoIT Executable
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Analysis: static1
Detonation Overview
Reported
2022-06-12 04:49
Signatures
AutoIT Executable
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 04:49
Reported
2022-06-12 09:01
Platform
win7-20220414-en
Max time kernel
125s
Max time network
131s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe
"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\ENU_687FE978D73A864E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources"
C:\Windows\system32\taskeng.exe
taskeng.exe {753C4C1B-0798-4896-B855-9130E111F08C} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| RU | 185.142.97.228:65233 | | tcp |
| RU | 185.142.97.228:65233 | | tcp |
Files
\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.sqlite3.module.dll
\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Information.txt
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Screen.jpg
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 04:49
Reported
2022-06-12 09:02
Platform
win10v2004-20220414-en
Max time kernel
131s
Max time network
178s
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe
"C:\Users\Admin\AppData\Local\Temp\228ed897d96e7f5c588a0e1b7a2f7a97e1145ac81cb5ef92af7a0c0d3fa78075.exe"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\ENU_801FE97294A87C4E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\*"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources"
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.exe
Network
| Country | Destination | Domain | Proto |
| NL | 87.248.202.1:80 | | tcp |
| US | 52.109.8.21:443 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 67.26.205.254:80 | | tcp |
| US | 67.26.205.254:80 | | tcp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| US | 20.42.65.88:443 | | tcp |
| US | 104.26.8.44:443 | ipapi.co | tcp |
| NL | 88.221.144.192:80 | | tcp |
| US | 67.26.205.254:80 | | tcp |
| US | 67.26.205.254:80 | | tcp |
| US | 67.26.205.254:80 | | tcp |
| US | 8.8.8.8:53 | crl.godaddy.com | udp |
| US | 192.124.249.31:80 | crl.godaddy.com | tcp |
| US | 52.242.97.97:443 | | tcp |
| RU | 185.142.97.228:65233 | | tcp |
| US | 192.124.249.41:80 | crl.godaddy.com | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.sqlite3.module.dll
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\KBDSN1.module.exe
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Information.txt
C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-mfplat.resources\1\Screen.jpg