Analysis Overview
SHA256
cdd2cab3b753dd1a2f583f14dae86457593c6114d9e69e0e41533fcc3af450fc
Threat Level: Known bad
The file Val0ader.CL.1.5-F.exe was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
Downloads MZ/PE file
Executes dropped EXE
Registers COM server for autorun
Modifies file permissions
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Enumerates processes with tasklist
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-09-12 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-09-12 02:08
Reported
2022-09-12 02:17
Platform
win10-20220812-en
Max time kernel
470s
Max time network
486s
Command Line
Signatures
Mercurial Grabber Stealer
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\output.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\7-Zip\Lang\en.ttt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\es.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eu.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.chm | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\be.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\br.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ta.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ka.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\da.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mn.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cy.txt | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Downloads\output.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\Downloads\output.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2107-x64.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\Downloads\output.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| File created | C:\Users\Admin\Downloads\7z2107-x64.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe
"C:\Users\Admin\AppData\Local\Temp\Val0ader.CL.1.5-F.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp" "c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CheckpointHide.mp4"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.0.1704711340\813273425" -parentBuildID 20200403170909 -prefsHandle 1556 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1644 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.3.2063232443\915437027" -childID 1 -isForBrowser -prefsHandle 2208 -prefMapHandle 2228 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 1796 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2052.13.1310599383\976329756" -childID 2 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2052 "\\.\pipe\gecko-crash-server-pipe.2052" 3332 tab
C:\Users\Admin\Downloads\output.exe
"C:\Users\Admin\Downloads\output.exe"
C:\Users\Admin\Downloads\7z2107-x64.exe
"C:\Users\Admin\Downloads\7z2107-x64.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\takeown.exe
takeown /fC:\Windows\System32
C:\Windows\system32\takeown.exe
takeown /C:\Windows\System32
C:\Windows\system32\takeown.exe
takeown /C:\Windows\System32
C:\Windows\system32\takeown.exe
takeown C:\Windows\System32
C:\Windows\system32\takeown.exe
takeown /fC:\Windows\System32
Network
Files
memory/4764-118-0x0000000000000000-mapping.dmp
memory/4768-119-0x0000000000000000-mapping.dmp
memory/4784-120-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\temp.ps1
| MD5 | bf77c98084bde13aa379a5527a0f5850 |
| SHA1 | 8a4d1307c3952d00ab3279baee4a03f899de7f1c |
| SHA256 | c88eb353b4e1fe7f02529f9e8b48b21cee2c813674b32843136861f885053e3f |
| SHA512 | 8237fb209695c2568f4d3ada3181eb9a65ad16140896a5f8013ae267048ecd6994cddb25fc7ca0849bb0c484ba7be7a738a3ca0cad6e85d75587c4a2c37c60ef |
memory/4784-127-0x00000233442F0000-0x0000023344312000-memory.dmp
memory/4784-146-0x0000023344D20000-0x0000023344D5C000-memory.dmp
memory/4784-157-0x00000233452C0000-0x0000023345336000-memory.dmp
memory/4136-216-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline
| MD5 | 139ae8dfca87bfc0128f456e2d4c25f3 |
| SHA1 | de13500d63c2b7777bc70780019d05b029c33458 |
| SHA256 | 4bd5d43d99a0632659f2554aee3bf607749bc2d0d2f96b0edbd52753f4fb1b16 |
| SHA512 | a2fdb366a4f2cba0efb4fe55d5130ec209cde4cbbe2f72a526070d334349492063794f67c7dcddb404b3e48a5103b85823da37711f3782bdf156457fe7cec670 |
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.0.cs
| MD5 | 290cee718da5975e051415a46af47a4a |
| SHA1 | 8099250c47bb93d821def350b467521e7cf8d5de |
| SHA256 | 26d220f0926af717fb195e1ec05f2ecccee3fbd37fa92148774bb5604557c9c9 |
| SHA512 | 306d86ec0c4bc64594b4ca336822030926eaea0873ccdbcf989a721d307b19831761a15b3a222f6ec0dcc44ba0fbacac6ffbe7da0f7a447d5d34d76f3f029510 |
memory/4304-219-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\CSC32991452AC9D4E2099FF6F93C44E1DD.TMP
| MD5 | 74aebc95a015a1b143ac329d1d3d7b49 |
| SHA1 | a2914b1085334db022f66cbe85c0aa250bd3ec85 |
| SHA256 | 054dbe7547d34da6fdfa9627a5541d03445b3cc69144dfe9e95091aab5d05d54 |
| SHA512 | 7c40c1b676c70f9e30254e8b121e0108817e1a6e6593c859a54bb75ef750ccacc0a20a79d3751d299e3621615cf40f5fdff3b8fa795f5ea33137391b2f0a7943 |
C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp
| MD5 | 665758f5fb601b808293e8069043d360 |
| SHA1 | 561fb12e55a91f24efd0efbe008267412e094308 |
| SHA256 | 250754cd6af41d80fae854d7bd78b7ebcc6151c7f3c45d5927ee3dbd40b3daec |
| SHA512 | 9c017f7c1999fa38a2160bc66742b69c6123d5f683d39a15052a11ae77888786f38788c2b408ef36c958059f3d800e028828eeeb1cd669558a425f4b136fff2d |
C:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.dll
| MD5 | 08b13cdf0f3c6a9ca451e45c58b32b5d |
| SHA1 | 07c27ff4028634d0f51f39e1d4619e6af67d2add |
| SHA256 | 01feecb6b35b51bf14f11701dfbb68eed7df2ff9909abd3375d18b8c1a61edbe |
| SHA512 | 9f7ed8457fff6e4676f53d846f9cf27812a70edae67a97e2d298e9b7500482ff815a81813fc494afe983f5ae98c97a3c1d0079c156371325efae96e4551ce5d8 |
memory/4784-223-0x0000023344320000-0x0000023344328000-memory.dmp
\Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node
| MD5 | dc92b8e77d869866a6af82409fae0af2 |
| SHA1 | a0edf2ddf35304854a134eac14637239fe319292 |
| SHA256 | 81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2 |
| SHA512 | dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb |
\Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node
| MD5 | 4b25dfb983845ff57360c720a429eef4 |
| SHA1 | 51a9cad777b37f1c521c6d50b6f49379fb6d0a06 |
| SHA256 | 53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282 |
| SHA512 | b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77 |
memory/3608-248-0x0000000000000000-mapping.dmp
memory/2748-249-0x0000000000000000-mapping.dmp
memory/3060-250-0x0000000000000000-mapping.dmp
memory/4632-251-0x0000000000000000-mapping.dmp
C:\Users\Admin\Downloads\output.exe
| MD5 | 348036564062061947766020f527c1c7 |
| SHA1 | 14bcddc513e71261a275573d896acf7adfdd13fb |
| SHA256 | cf82aa6c88b9c40f987d3f862ebfdd1915aaa749416174a0b13093b1e2f1a0ee |
| SHA512 | 47fed975c5733695227dbe754c79b392536bf3b2158e272f66d365c120ba0f02c26aff3cc5798b81a6aa96f0a9df9aa8cd3f4f7cdead61a01f7abdb95a5462aa |
C:\Users\Admin\Downloads\output.exe
| MD5 | 348036564062061947766020f527c1c7 |
| SHA1 | 14bcddc513e71261a275573d896acf7adfdd13fb |
| SHA256 | cf82aa6c88b9c40f987d3f862ebfdd1915aaa749416174a0b13093b1e2f1a0ee |
| SHA512 | 47fed975c5733695227dbe754c79b392536bf3b2158e272f66d365c120ba0f02c26aff3cc5798b81a6aa96f0a9df9aa8cd3f4f7cdead61a01f7abdb95a5462aa |
memory/488-254-0x0000000000730000-0x0000000000740000-memory.dmp
C:\Users\Admin\Downloads\7z2107-x64.exe
| MD5 | 49839f0c227b5f9399b59f6ae94a7c7b |
| SHA1 | 332620e2e360d471736d714f3f5781354702d9a1 |
| SHA256 | 0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1 |
| SHA512 | 4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b |
memory/2224-256-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-257-0x0000000077550000-0x00000000776DE000-memory.dmp
\??\c:\users\admin\downloads\7z2107-x64.exe
| MD5 | 49839f0c227b5f9399b59f6ae94a7c7b |
| SHA1 | 332620e2e360d471736d714f3f5781354702d9a1 |
| SHA256 | 0b461f0a0eccfc4f39733a80d70fd1210fdd69f600fb6b657e03940a734e5fc1 |
| SHA512 | 4d406ddd257a28ab1521e0e28c20699a764d7a3d3c3651e9b080cbdb6dae2f7c348452b2946a1e16b00424f67b769fe44c54a9b94e9124fa219bbe2a544ee82b |
memory/2224-258-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-260-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-261-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-262-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-263-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-264-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-265-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-266-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-267-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-268-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-270-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-269-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-271-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-272-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-273-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-274-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-275-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-276-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-277-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-278-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-279-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-280-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-281-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-282-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-283-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-284-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-285-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-286-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-287-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-288-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-289-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-290-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-291-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-292-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-293-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-294-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-295-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-296-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-297-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-298-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-299-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-300-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-301-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-302-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-303-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-304-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-305-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-306-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/2224-307-0x0000000077550000-0x00000000776DE000-memory.dmp
memory/3532-308-0x0000000000000000-mapping.dmp
memory/3848-309-0x0000000000000000-mapping.dmp
memory/1820-310-0x0000000000000000-mapping.dmp
memory/984-311-0x0000000000000000-mapping.dmp
memory/2652-312-0x0000000000000000-mapping.dmp
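The network table above and the dropped-file list in this Files section are the two parts of the report a responder actually mines: the tcp rows give the IPs the sample connected to (the udp/53 rows only show what it asked the 8.8.8.8 resolver), and the Temp paths reveal how the loader works. The `qt2lnd4s\qt2lnd4s.cmdline`, `.0.cs`, `.dll`, `CSC…TMP` and `RES….tmp` files are the artifacts PowerShell's `Add-Type` leaves when it compiles C# through csc.exe, and `Temp\pkg\<hash>\…\*.node` is where vercel/pkg unpacks native Node addons, the directory named after the addon's SHA-256 (the digests in those paths match the SHA256 rows on the page). The script below, an added example that is not part of the original report or of any vendor's tooling, parses both record kinds as they appear here and produces a triage summary. `SAMPLE_REPORT` is a constructed excerpt copied from the rows above; the host-category table (`HOST_CATEGORIES`) is an analyst's assumption, including treating discord.com as the exfiltration channel, which is typical for this family but not something the report states.

```python
"""Triage helper for flattened sandbox-report lines (added example, not vendor code).
Parses network rows "| CC | ip:port | host | proto |" and dropped-file entries (a path
line followed by "| ALGO | hex |" rows) and derives actionable indicators."""
import re
from collections import defaultdict

NET_ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<host>[^\s|]+)\s*\|\s*(?P<proto>tcp|udp)\s*\|\s*$")
HASH_ROW = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9a-fA-F]+)\s*\|\s*$")
PATH_LINE = re.compile(r"^(?:\\\?\?\\)?(?:[A-Za-z]:)?\\")  # C:\..., \??\c:\..., \Users\...

# ASSUMED host categories (analyst judgement, not stated by the report).
HOST_CATEGORIES = {
    "ip-lookup": ("ip4.seeip.org", "ip-api.com"),        # external IP discovery
    "exfil-channel": ("discord.com",),                   # Discord webhooks, typical for this family
    "file-hosting": ("github.com", "githubusercontent.com", "ufile.io"),
    "browser-noise": ("doubleclick.net", "googlesyndication.com", "cloudflareinsights.com",
                      "cdnjs.cloudflare.com", "crisp.chat", "l.google.com", "akamai.net"),
}

# Add-Type compiles C# via csc.exe and leaves %TEMP%\<8 chars>\<same>.cmdline/.0.cs/.dll,
# plus CSC<hex>.TMP and RES<hex>.tmp. vercel/pkg extracts native Node addons to
# %TEMP%\pkg\<sha256 of the addon>\...\*.node.
ADD_TYPE_FILE = re.compile(r"\\Temp\\(?P<tag>[a-z0-9]{8})\\(?P=tag)\.(?:cmdline|0\.cs|dll)$", re.I)
CSC_TEMP_FILE = re.compile(r"\\Temp\\(?:[a-z0-9]{8}\\CSC[0-9A-F]+\.TMP|RES[0-9A-F]+\.tmp)$", re.I)
PKG_ADDON = re.compile(r"\\Temp\\pkg\\(?P<digest>[0-9a-f]{64})\\.*\.node$", re.I)


def parse_report(lines):
    """Split report lines into network rows and dropped-file records; other lines are skipped."""
    net_rows, files, current = [], [], None
    for line in lines:
        line = line.strip()
        if m := NET_ROW.match(line):
            net_rows.append(m.groupdict())
        elif PATH_LINE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif (m := HASH_ROW.match(line)) and current is not None:
            current["hashes"][m["algo"]] = m["hex"].lower()
    return net_rows, files


def classify_host(host):
    for category, suffixes in HOST_CATEGORIES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return category
    return "unknown"


def network_summary(net_rows):
    """host -> IPs actually contacted. udp/53 rows go to the resolver, so their IP is
    not an indicator; names that were only looked up are reported separately."""
    connected, queried = defaultdict(set), set()
    for r in net_rows:
        if r["proto"] == "udp" and r["port"] == "53":
            queried.add(r["host"])
        else:
            connected[r["host"]].add(r["ip"])
    return {
        "connected": {h: sorted(ips) for h, ips in sorted(connected.items())},
        "queried_only": sorted(queried - set(connected)),
        "categories": {h: classify_host(h) for h in sorted(connected)},
    }


def file_findings(files):
    """Tag dropped files that reveal the loader's technique."""
    findings = []
    for f in files:
        path = f["path"]
        if path.lower().endswith(".ps1"):
            findings.append((path, "powershell-script"))
        if ADD_TYPE_FILE.search(path) or CSC_TEMP_FILE.search(path):
            findings.append((path, "add-type-compile-artifact"))
        if m := PKG_ADDON.search(path):
            # pkg names the directory after the addon's SHA-256; a mismatch means the
            # file on disk is not the one the packer extracted.
            ok = m["digest"].lower() == f["hashes"].get("SHA256")
            findings.append((path, "pkg-node-addon" if ok else "pkg-node-addon-hash-mismatch"))
    return findings


# Constructed excerpt copied from the report rows above.
SAMPLE_REPORT = r"""
| US | 8.8.8.8:53 | cloudflareinsights.com | udp |
| US | 104.18.47.230:443 | cloudflareinsights.com | tcp |
| US | 8.8.8.8:53 | trk.playstretch.host | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\temp.ps1
| MD5 | bf77c98084bde13aa379a5527a0f5850 |
\??\c:\Users\Admin\AppData\Local\Temp\qt2lnd4s\qt2lnd4s.cmdline
| SHA256 | 4bd5d43d99a0632659f2554aee3bf607749bc2d0d2f96b0edbd52753f4fb1b16 |
C:\Users\Admin\AppData\Local\Temp\RES6FA7.tmp
| SHA256 | 250754cd6af41d80fae854d7bd78b7ebcc6151c7f3c45d5927ee3dbd40b3daec |
\Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node
| SHA256 | 81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2 |
"""

if __name__ == "__main__":
    rows, files = parse_report(SAMPLE_REPORT.strip().splitlines())
    summary = network_summary(rows)
    for host, ips in summary["connected"].items():
        print(f"{summary['categories'][host]:14} {host:32} {', '.join(ips)}")
    print("DNS only:", ", ".join(summary["queried_only"]))
    for path, tag in file_findings(files):
        print(f"{tag:28} {path}")
```

Run it against the full report rather than the excerpt and the "unknown" bucket (mendress.icu, filezonearea.com, allcdnjs.com, the go2cloud.org hosts) is the list to investigate next; the "ip-lookup" plus "exfil-channel" pair together with the DPAPI and better-sqlite3 addons is the combination that marks a browser-credential stealer rather than a plain dropper.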