Analysis Overview
SHA256
954226b2a3caf5b0a7924bdfdcd4f6a551d04f9ed25924c4081c3f749a1ce020
Threat Level: Known bad
The file 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.zip was found to be: Known bad.
Malicious Activity Summary
BitRAT
Executes dropped EXE
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-21 14:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-21 14:32
Reported
2023-03-21 14:35
Platform
win7-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1320 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1668 set thread context of 1660 | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1724 set thread context of 580 | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\system32\taskeng.exe
taskeng.exe {E7486573-CB93-4D1D-BED5-B162C628DE79} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
Network
| Country | Destination | Domain | Proto |
| US | 74.201.28.92:3569 | tcp | |
| US | 74.201.28.92:3569 | tcp |
Files
memory/1320-54-0x0000000000DA0000-0x0000000001174000-memory.dmp
memory/848-55-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-56-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-57-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-58-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-59-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-60-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-61-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/848-63-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-67-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-68-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-70-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-71-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-73-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-74-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-75-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-76-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-77-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-78-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-79-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-80-0x0000000000090000-0x000000000009A000-memory.dmp
memory/848-81-0x0000000000090000-0x000000000009A000-memory.dmp
memory/848-82-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-84-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-85-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-86-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-88-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-87-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-90-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-92-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-93-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-94-0x0000000000090000-0x000000000009A000-memory.dmp
memory/848-95-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
memory/1668-99-0x0000000001080000-0x0000000001454000-memory.dmp
memory/1668-102-0x0000000000CC0000-0x0000000000D00000-memory.dmp
memory/1660-112-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-113-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1660-116-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-117-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-119-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-121-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-123-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-125-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-127-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/848-129-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
memory/1724-134-0x0000000001080000-0x0000000001454000-memory.dmp
memory/580-146-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/580-155-0x0000000000400000-0x00000000007CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-21 14:32
Reported
2023-03-21 14:35
Platform
win10v2004-20230220-en
Max time kernel
107s
Max time network
110s
Command Line
Signatures
BitRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5024 set thread context of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2728 set thread context of 552 | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2620 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Roaming\tewu\tewu.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe
"C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 188
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 552 -ip 552
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 188
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1688 -ip 1688
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 188
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 52.168.117.169:443 | tcp | |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 8.247.210.254:80 | tcp | |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.247.210.254:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
Files
memory/5024-133-0x0000000000770000-0x0000000000B44000-memory.dmp
memory/5024-134-0x0000000005480000-0x00000000054E6000-memory.dmp
memory/3124-135-0x0000000001100000-0x00000000014CE000-memory.dmp
memory/3124-140-0x0000000001100000-0x00000000014CE000-memory.dmp
memory/3124-144-0x0000000001100000-0x00000000014CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
memory/552-153-0x0000000000B00000-0x0000000000ECE000-memory.dmp
memory/552-157-0x0000000000B00000-0x0000000000ECE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
| MD5 | d07b7112b39c9eee7eaeba1adb099543 |
| SHA1 | 1df70cc161540228240e1dde290ac2f5efcfbb0c |
| SHA256 | 1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a |
| SHA512 | 9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tewu.exe.log
| MD5 | 13f84b613e6a4dd2d82f7c44b2295a04 |
| SHA1 | f9e07213c2825ecb28e732f3e66e07625747c4b3 |
| SHA256 | d9c52c1eb0b6a04d3495ab971da2c6d01b0964a8b04fd173bfb351820b255c33 |
| SHA512 | 3a2aca3d21bff43e36de5d9c97b0d1a9c972ee5ab0d9322a3615c0820042a7c9c4c0f2d41522fb4f2347b9a1679b63c91dcf5dc75444ba64c736e2cdcf10ee7d |
memory/1688-165-0x0000000001200000-0x00000000015CE000-memory.dmp
memory/1688-169-0x0000000001200000-0x00000000015CE000-memory.dmp