Analysis

  • max time kernel
    175s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2022 08:26

General

  • Target

    40bfa7ca072097a7f98ce5d7c8cfda52.exe

  • Size

    928KB

  • MD5

    40bfa7ca072097a7f98ce5d7c8cfda52

  • SHA1

    55b194f8a2b068617d5abcb9bbbdd1bbd48ca2c5

  • SHA256

    e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928

  • SHA512

    d6162425d1aca533e65db7b1e13c60633f2c9713067901c3f5c252f25cba395537d34ce6dc9a6df8951c12544eca7200c2e78d8ca024dd1e9195975f760d1989

Malware Config

Extracted

Family

redline

Botnet

nam3

C2

103.89.90.61:18728

Attributes
  • auth_value

    64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

alex

C2

185.106.92.128:16509

Attributes
  • auth_value

    4f79d5b8f5aae9e19c9693489b4872c0

Extracted

Family

redline

Botnet

4

C2

31.41.244.134:11643

Attributes
  • auth_value

    a516b2d034ecd34338f12b50347fbd92

Extracted

Family

redline

Botnet

@tag12312341

C2

62.204.41.144:14096

Attributes
  • auth_value

    71466795417275fac01979e57016e277

Extracted

Family

raccoon

Botnet

afb5c633c4650f69312baef49db9dfa4

C2

http://77.73.132.84

rc4.plain

Extracted

Family

raccoon

Botnet

f0c8034c83808635df0d9d8726d1bfd6

C2

http://45.95.11.158/

rc4.plain

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Raccoon Stealer payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 16 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40bfa7ca072097a7f98ce5d7c8cfda52.exe
    "C:\Users\Admin\AppData\Local\Temp\40bfa7ca072097a7f98ce5d7c8cfda52.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RyjC4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2012
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1220
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1A4aK4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:976
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RLtX4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2000
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1836
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1n7LH4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1692
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1RCgX4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:992
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1204
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1nfDK4
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:1136
    • C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
      "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:836
    • C:\Program Files (x86)\Company\NewProduct\real.exe
      "C:\Program Files (x86)\Company\NewProduct\real.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1884
    • C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe
      "C:\Program Files (x86)\Company\NewProduct\Roman_12020.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\Program Files (x86)\Company\NewProduct\safert44.exe
      "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
      2⤵
      • Executes dropped EXE
      PID:1656
    • C:\Program Files (x86)\Company\NewProduct\tag.exe
      "C:\Program Files (x86)\Company\NewProduct\tag.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1596
    • C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
      "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
      2⤵
      • Executes dropped EXE
      PID:1824
    • C:\Program Files (x86)\Company\NewProduct\F0geI.exe
      "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
      2⤵
      • Executes dropped EXE
      PID:1632
    • C:\Program Files (x86)\Company\NewProduct\EU1.exe
      "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im EU1.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Company\NewProduct\EU1.exe" & del C:\ProgramData\*.dll & exit
        3⤵
          PID:2996
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im EU1.exe /f
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 6
            4⤵
            • Delays execution with timeout.exe
            PID:2780

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion
      • Modify Registry: 1 (T1112)

    Credential Access
      • Credentials in Files: 3 (T1081)

    Discovery
      • Query Registry: 2 (T1012)
      • System Information Discovery: 2 (T1082)

    Collection
      • Data from Local System: 3 (T1005)

    Command and Control
      • Web Service: 1 (T1102)

    Downloads
