Analysis Overview
SHA256
311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2
Threat Level: Known bad
The file 311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2 was found to be: Known bad.
Malicious Activity Summary
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Sets file to hidden
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
AutoIT Executable
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
Suspicious behavior: RenamesItself
NTFS ADS
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2022-11-25 09:20 |
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2022-11-25 09:20 |
| Reported | 2022-11-25 15:23 |
| Platform | win7-20220812-en |
| Max time kernel | 125s |
| Max time network | 135s |
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
"C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\ENU_687FE973ABB782FE9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\*"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi"
C:\Windows\system32\taskeng.exe
taskeng.exe {3E33FC62-0FDF-4F68-8503-781E18521753} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 8.8.8.8:53 | ipapi.co | udp |
| N/A | 104.26.8.44:443 | ipapi.co | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 102.129.240.198:45785 | api.telegram.org | tcp |
| N/A | 102.129.240.198:45785 | api.telegram.org | tcp |
Files
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\Information.txt
| MD5 | 911546894290fe15a6b0ea4f366260b6 |
| SHA1 | e2a06e9623a7586d003d0a77ab0d6e9d69c32a21 |
| SHA256 | 88aa4ab1734b2eb67015a402a60bc7b2b1fa7d4174ccc6563b148ac15eb8e18f |
| SHA512 | daef1065020bfa4ecbe846d849d3d89190eb35848d41e1368bc07947e02928b7cfc04d015996802d1a3d87679f163187b0ec9b8ffe8578a0b4e4524e2667101d |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\Screen.jpg
| MD5 | 72c8fd90f8fd6db81f0490663226c833 |
| SHA1 | cac01250a6c4e45dffd191e5e415858ada627060 |
| SHA256 | ed45038ff982a490c5caff01fdde4bd62922145cc635b7882727bf6f600b7b91 |
| SHA512 | a11ff2cbed6651c8a01073c88e0c9da1869dea0d0eb43785395a7ab2672bffbaed0c6897ac34529d7b2fdeb3f2ce2a71a58e0aebceb98343db9094d24ba2e859 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-11-25 09:20 |
| Reported | 2022-11-25 15:25 |
| Platform | win10v2004-20221111-en |
| Max time kernel | 207s |
| Max time network | 220s |
Command Line
Signatures
Qulab Stealer & Clipper
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ | C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\winmgmts:\localhost\ | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe
"C:\Users\Admin\AppData\Local\Temp\311061da8395d212052ec8155b4571e5f4cd6c05d8c13acb52b8cd633efac8b2.exe"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\ENU_801FE97447113F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\*"
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi"
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.24:443 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.247.211.254:80 | N/A | tcp |
| N/A | 178.79.208.1:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.telegram.org | udp |
| N/A | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 8.8.8.8:53 | ipapi.co | udp |
| N/A | 172.67.69.226:443 | ipapi.co | tcp |
| N/A | 172.67.69.226:443 | ipapi.co | tcp |
| N/A | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| N/A | 172.67.69.226:443 | ipapi.co | tcp |
| N/A | 104.26.8.44:443 | ipapi.co | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 102.129.240.198:45785 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.sqlite3.module.dll
| MD5 | 8c127ce55bfbb55eb9a843c693c9f240 |
| SHA1 | 75c462c935a7ff2c90030c684440d61d48bb1858 |
| SHA256 | 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028 |
| SHA512 | d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\dxtrans.module.exe
| MD5 | 946285055913d457fda78a4484266e96 |
| SHA1 | 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285 |
| SHA256 | 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb |
| SHA512 | 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\Information.txt
| MD5 | d9586d9ffb65f1164faffdb26bf72566 |
| SHA1 | 0f20c4fe825647eb776a82f3a6ea17ebd6415206 |
| SHA256 | c090f90d8ec9633bc1bdb5ab5844d71129d20aef9aca9d5dab7519361161e676 |
| SHA512 | 6b948919d2fc4bc891b329f2c34d83656d4a59ad425876a2b9fd9a6030b683397e98d0eab7029d4bce68c0855f73a91a1eb71028717db7cb59dee75da57d8f08 |
C:\Users\Admin\AppData\Roaming\wow64_microsoft-windows-smbserver-netapi\1\Screen.jpg
| MD5 | b13e504a9d0953e9d6074578b892e7f6 |
| SHA1 | e6aa814c6e0af2fba447568f2520a1f569c1c4fa |
| SHA256 | c5a04a55f24a1ba389bbf5796ebb058812b464792dca9a7116305bc2750aa9a9 |
| SHA512 | 7b9cdf7dfd6e4fcd66aa421bb5355e2c9fcd22e7fd7d508c7dee5a519542a976b97538b0c5c8f5747d670c83015ca0c2508a1b0b7382cbf185ba430176c2db5f |