Analysis Overview
SHA256
4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb
Threat Level: Known bad
The file 4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb was found to be: Known bad.
Malicious Activity Summary
NanoCore
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:36
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:36
Reported
2022-11-27 17:05
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
159s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 208 set thread context of 4200 | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe
"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
"C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd" nvqme.cax
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\WJRYK
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:36
Reported
2022-11-27 17:05
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 300 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe
"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
"C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd" nvqme.cax
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\ASWTC
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\rwxok\hhrqa.dxi
| MD5 | 7075094de0a585229df1a7ba36a1f250 |
| SHA1 | 5f9230592cae5f08c488c6d63975ab2f9f42dc04 |
| SHA256 | 4c035b5ecbe1697e81d6f64bc080e56d35c15d2436dd99f9acd65c4e0fdded37 |
| SHA512 | 5356b0f73ad21ce59b8e27854cc6e537b5f9a9428d5e058d85e8685e1d2176eac4580fac7c848a46ad6d34f7646cb704aeb3405be701218e026f1bcd6fad228c |
C:\Users\Admin\AppData\Roaming\rwxok\gefbm.rrg
| MD5 | a3271cf0e143422346e6170dd14a55f1 |
| SHA1 | 96b06496fb5a8812628218375d56f1fe1da392dd |
| SHA256 | 6ca00b183b6be536d3526f76a5058b8a35accad373e18ce42bccd806b002bc13 |
| SHA512 | 512408fe950872357ce3bbed3930ac161da7a649d6f60780c940549341231d083a0acc5d3cd4d591a7fb7116373f2d292218deda180043a9a64e2c9dfa143cbd |
C:\Users\Admin\AppData\Roaming\rwxok\fqfth.dhp
| MD5 | a8331ea8b1187f23a1dd041afe18bc9f |
| SHA1 | 0cc14c421e8d7ee9acf78fd31d8fe7c1472ad10c |
| SHA256 | 382ef960c48a310130cab66d3eb52a4dd5eb29e78f910bcd274d4c2d4c87c114 |
| SHA512 | 96fadd0e25a2d951d442bf1a325445c600f604b2e7ef7d6273a8826baff239084889a18e6d05ec05fac669d232f121a81f4bd75152c12268459c2a0df81cd870 |
C:\Users\Admin\AppData\Roaming\rwxok\eumdj.tcg
| MD5 | 07e350d725078b68c87da3af5c91facf |
| SHA1 | dd48eb24368f5d9113125b908b516ebbc2a6170e |
| SHA256 | d44976162b5c47b12f73628ff1ecf7e2a64fd4902027734362bc209cd15e8c7c |
| SHA512 | 656308b500d2fae3806d763822c4d7e39e5ca41dbd6462d46b209a3522e2b12028f07f55ab8aa107d5cff74a512fde47764a1609af75efd0659c9f8584fc9224 |
C:\Users\Admin\AppData\Roaming\rwxok\dxqer.oxx
| MD5 | 6fadbab20e2a46bf37b1df27fbc4f9c1 |
| SHA1 | 8b07b82e6f8cbb4103541f88922d9f7e20ac3fbc |
| SHA256 | ba56a8102cec7508b0cf0342abd0abc1f9bb436fbc1aeaaff89efe8cc66faf08 |
| SHA512 | ffff13599e7c24b1cf8c7b433aa403d735d3fd153726fe0de7081d41d71c77fa95ce18c31839990b8fe90e2e6f7ef100323c4a41fb2e309860ddf713b571ab33 |
C:\Users\Admin\AppData\Roaming\rwxok\bdlxe.jfd
| MD5 | a468f6268268627d431996ee7d75929d |
| SHA1 | bf8d94b028cf34c0c0644c8ba2ead5059413f1d0 |
| SHA256 | e315c86e17001ee1c4ad5bf7574dbec7f80ed2d11fde41b1937a036f672023e6 |
| SHA512 | bff2e826c86717c0a7468062265a0322ed0d0d703400bccef5c1517e199a4b6cd64236ae4d2e0703e59db32eb7833f28d4600b7826470a38615fa600057a8d83 |
C:\Users\Admin\AppData\Roaming\rwxok\YMQGIX
| MD5 | 6f35bdf3bfd6613a2ca33e5157c9d7ab |
| SHA1 | 869e796f034d8ff735c6f259e64f8457965b538e |
| SHA256 | d87016e0c7372007e52399ca62c1a4ebd6b2e7a3d1bbd0a79de79c5948c739fa |
| SHA512 | 04adb7ba79f902a47316c1cfeeb74165a9deb9c1d383dc1a426125e238e7eef5c09946ac04cdeee9d43798e32cc17bdf556e0bdbec7da7f59c3e858715e750ba |
C:\Users\Admin\AppData\Roaming\rwxok\ASWTC
| MD5 | a2fcc3c8ed806da4a28fd3b11d121b78 |
| SHA1 | 8505aa3c95eeff211612490206fcb150a064cd2d |
| SHA256 | dcfb4ceedb10506fb2b3d8cfeb189f530b7b860a6b3dfbcd1c2171c34fe6ce60 |
| SHA512 | 8da240f3857d9504e2189d1a61e791f3109699183a71ffd016848b1c48a003fef8951e37d2ed097fed16c1f4ebe0ee78f71e4853e2561386a74f34028d27ae48 |
memory/1952-105-0x000000000041EDAE-mapping.dmp