gcleaner | b242612fab32f3a2bc44033c804e586a12fd450795ba68510a32c67059b6d7b1

Analysis

max time kernel
120s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8406c0265685a3472517f1b8b5d514b.exe
Size

2.1MB
MD5

b8406c0265685a3472517f1b8b5d514b
SHA1

1c94df97a4580e48860b5d8b543f3ef5b6f5c0d7
SHA256

b242612fab32f3a2bc44033c804e586a12fd450795ba68510a32c67059b6d7b1
SHA512

ebb457e8e4cafa9e0197e235f029b3a67ba1136e93440d638f26251a2a71b120be788579468f56ab271222b42006ddb54979aaa8cd99a652ba84bee7bf382586
SSDEEP

49152:NJ4HLiAIg8bZGZLggVaa6acVbId2cD/ki+aHT+:NJ4HWBXALg+56pkd2+/kl4T+

Score

10^/10

gcleaner raccoon 81620d6b0f6e4fbb3048818577e1f9be loader spyware stealer upx

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

raccoon

Botnet

81620d6b0f6e4fbb3048818577e1f9be

http://91.201.115.148

rc4.plain

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b8406c0265685a3472517f1b8b5d514b.exelower.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	b8406c0265685a3472517f1b8b5d514b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lower.exe

Executes dropped EXE 6 IoCs

Processes:

kDVHEJb.exeEngine.exeMozilla.exe.piflower.exess29.exeMozilla.exe.pif

pid process

4396 kDVHEJb.exe
1128 Engine.exe
3632 Mozilla.exe.pif
1880 lower.exe
5060 ss29.exe
3260 Mozilla.exe.pif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4396	kDVHEJb.exe
1128	Engine.exe
3632	Mozilla.exe.pif
1880	lower.exe
5060	ss29.exe
3260	Mozilla.exe.pif

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe	upx
behavioral2/memory/1128-167-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/1128-237-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral2/memory/1128-239-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Mozilla.exe.pif

description pid process target process

PID 3632 set thread context of 3260 3632 Mozilla.exe.pif Mozilla.exe.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

description	pid	process	target process
PID 3632 set thread context of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3096	1880	WerFault.exe	lower.exe
4076	1880	WerFault.exe	lower.exe
4964	1880	WerFault.exe	lower.exe
2384	1880	WerFault.exe	lower.exe
968	1880	WerFault.exe	lower.exe
3620	1880	WerFault.exe	lower.exe
1780	1880	WerFault.exe	lower.exe
3628	1880	WerFault.exe	lower.exe
220	1880	WerFault.exe	lower.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

508 taskkill.exe

pid	process
508	taskkill.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{C454C1D6-B37D-4512-A09F-6428FC669179}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1529757233-3489015626-3409890339-1000\{31A13A95-DDD5-47FE-9C6F-6F308A8B70CA}	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3120 PING.EXE

pid	process
3120	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exeMozilla.exe.pif

pid	process
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 2792 powershell.exe
Token: SeDebugPrivilege 1208 powershell.exe
Token: SeDebugPrivilege 508 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Mozilla.exe.pif

pid process

3632 Mozilla.exe.pif
3632 Mozilla.exe.pif
3632 Mozilla.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Mozilla.exe.pif

pid process

3632 Mozilla.exe.pif
3632 Mozilla.exe.pif
3632 Mozilla.exe.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

3640 OpenWith.exe

description	pid	process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	508	taskkill.exe

pid	process
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif

pid	process
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif
3632	Mozilla.exe.pif

pid	process
3640	OpenWith.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

b8406c0265685a3472517f1b8b5d514b.exekDVHEJb.exeEngine.exeCmD.execmd.exelower.execmd.exeMozilla.exe.pif

description	pid	process	target process
PID 1956 wrote to memory of 4396	1956	b8406c0265685a3472517f1b8b5d514b.exe	kDVHEJb.exe
PID 1956 wrote to memory of 4396	1956	b8406c0265685a3472517f1b8b5d514b.exe	kDVHEJb.exe
PID 1956 wrote to memory of 4396	1956	b8406c0265685a3472517f1b8b5d514b.exe	kDVHEJb.exe
PID 4396 wrote to memory of 1128	4396	kDVHEJb.exe	Engine.exe
PID 4396 wrote to memory of 1128	4396	kDVHEJb.exe	Engine.exe
PID 4396 wrote to memory of 1128	4396	kDVHEJb.exe	Engine.exe
PID 1128 wrote to memory of 4052	1128	Engine.exe	CmD.exe
PID 1128 wrote to memory of 4052	1128	Engine.exe	CmD.exe
PID 1128 wrote to memory of 4052	1128	Engine.exe	CmD.exe
PID 4052 wrote to memory of 3056	4052	CmD.exe	cmd.exe
PID 4052 wrote to memory of 3056	4052	CmD.exe	cmd.exe
PID 4052 wrote to memory of 3056	4052	CmD.exe	cmd.exe
PID 3056 wrote to memory of 2792	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 2792	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 2792	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 1208	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 1208	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 1208	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 4756	3056	cmd.exe	findstr.exe
PID 3056 wrote to memory of 4756	3056	cmd.exe	findstr.exe
PID 3056 wrote to memory of 4756	3056	cmd.exe	findstr.exe
PID 3056 wrote to memory of 3632	3056	cmd.exe	Mozilla.exe.pif
PID 3056 wrote to memory of 3632	3056	cmd.exe	Mozilla.exe.pif
PID 3056 wrote to memory of 3632	3056	cmd.exe	Mozilla.exe.pif
PID 3056 wrote to memory of 3120	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 3120	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 3120	3056	cmd.exe	PING.EXE
PID 1956 wrote to memory of 1880	1956	b8406c0265685a3472517f1b8b5d514b.exe	lower.exe
PID 1956 wrote to memory of 1880	1956	b8406c0265685a3472517f1b8b5d514b.exe	lower.exe
PID 1956 wrote to memory of 1880	1956	b8406c0265685a3472517f1b8b5d514b.exe	lower.exe
PID 1880 wrote to memory of 116	1880	lower.exe	cmd.exe
PID 1880 wrote to memory of 116	1880	lower.exe	cmd.exe
PID 1880 wrote to memory of 116	1880	lower.exe	cmd.exe
PID 116 wrote to memory of 508	116	cmd.exe	taskkill.exe
PID 116 wrote to memory of 508	116	cmd.exe	taskkill.exe
PID 116 wrote to memory of 508	116	cmd.exe	taskkill.exe
PID 1956 wrote to memory of 5060	1956	b8406c0265685a3472517f1b8b5d514b.exe	ss29.exe
PID 1956 wrote to memory of 5060	1956	b8406c0265685a3472517f1b8b5d514b.exe	ss29.exe
PID 3632 wrote to memory of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif
PID 3632 wrote to memory of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif
PID 3632 wrote to memory of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif
PID 3632 wrote to memory of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif
PID 3632 wrote to memory of 3260	3632	Mozilla.exe.pif	Mozilla.exe.pif

C:\Users\Admin\AppData\Local\Temp\b8406c0265685a3472517f1b8b5d514b.exe
"C:\Users\Admin\AppData\Local\Temp\b8406c0265685a3472517f1b8b5d514b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe /TH_ID=_4692 /OriginExe="C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\CmD.exe
C:\Windows\system32\CmD.exe /c cmd < Stand
4⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^paintingConstructedDevonContributingCircuit$" Secrets
6⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\15790\Mozilla.exe.pif
15790\\Mozilla.exe.pif 15790\\x
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\15790\Mozilla.exe.pif
C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\15790\Mozilla.exe.pif
7⤵
- Executes dropped EXE
PID:3260

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
6⤵
- Runs ping.exe
PID:3120

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 460
3⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 768
3⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 776
3⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 776
3⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 836
3⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 908
3⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1012
3⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1360
3⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "lower.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "lower.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 488
3⤵
- Program crash
PID:220

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe"
2⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1880 -ip 1880
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1880 -ip 1880
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1880 -ip 1880
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1880 -ip 1880
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1880 -ip 1880
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1880 -ip 1880
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1880 -ip 1880
1⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
7b9381eaa1df119820b3642afb93ef49

SHA1
fc7b12e691c632f96abb321dc077a4eebad5e699

SHA256
cdd5bb8df27162ebacf0e1a3135f4cad5cc9668060bb5a24ddadb6ed3515e76b

SHA512
933dc6eb34f81ce34fcf9003bd8f5a6034e02af60cbf6d5b8a08527eafc636f0aeadb5315b3181d577f26ee7d6c8dd79859b38fda3e42ddf93eec679fdeaa910

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe
Filesize
1.3MB

MD5
e28dcae9385b2cdae500155583929bd2

SHA1
375ece2a9a7e7c49713af8d1a4d6daada13699b7

SHA256
dacd40fb9ba58f8fd0f2d3e0839d2981377f3d9a0ad5b4350f531b386fe411c7

SHA512
6ceab93d430f7b03b6f293b79ed40becc063386d4bddce26a8aab3e24adc310e8b9cf095744dd66a1c881e0455fd286e1476213da71016f617c80b280f5a42ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe
Filesize
1.3MB

MD5
e28dcae9385b2cdae500155583929bd2

SHA1
375ece2a9a7e7c49713af8d1a4d6daada13699b7

SHA256
dacd40fb9ba58f8fd0f2d3e0839d2981377f3d9a0ad5b4350f531b386fe411c7

SHA512
6ceab93d430f7b03b6f293b79ed40becc063386d4bddce26a8aab3e24adc310e8b9cf095744dd66a1c881e0455fd286e1476213da71016f617c80b280f5a42ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kDVHEJb.exe
Filesize
1.3MB

MD5
e28dcae9385b2cdae500155583929bd2

SHA1
375ece2a9a7e7c49713af8d1a4d6daada13699b7

SHA256
dacd40fb9ba58f8fd0f2d3e0839d2981377f3d9a0ad5b4350f531b386fe411c7

SHA512
6ceab93d430f7b03b6f293b79ed40becc063386d4bddce26a8aab3e24adc310e8b9cf095744dd66a1c881e0455fd286e1476213da71016f617c80b280f5a42ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
352KB

MD5
6846ab8f263fee98d6ffaed098cefa89

SHA1
aab51eef6a37ed278023ec822629c337559e10d7

SHA256
c795c61db26d48c8e516aee1ea6fb260a09a788742b21a1119c165e735700e27

SHA512
25eed2d63b95e1b526c13735a6221596919322d0f96e5a388f2f30e26f00ed63561594872722d0c43b0761bf5e8758022986e5e6ab8e40b924139c85f1d39f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
352KB

MD5
6846ab8f263fee98d6ffaed098cefa89

SHA1
aab51eef6a37ed278023ec822629c337559e10d7

SHA256
c795c61db26d48c8e516aee1ea6fb260a09a788742b21a1119c165e735700e27

SHA512
25eed2d63b95e1b526c13735a6221596919322d0f96e5a388f2f30e26f00ed63561594872722d0c43b0761bf5e8758022986e5e6ab8e40b924139c85f1d39f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lower.exe
Filesize
352KB

MD5
6846ab8f263fee98d6ffaed098cefa89

SHA1
aab51eef6a37ed278023ec822629c337559e10d7

SHA256
c795c61db26d48c8e516aee1ea6fb260a09a788742b21a1119c165e735700e27

SHA512
25eed2d63b95e1b526c13735a6221596919322d0f96e5a388f2f30e26f00ed63561594872722d0c43b0761bf5e8758022986e5e6ab8e40b924139c85f1d39f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
Filesize
592KB

MD5
1da0eb8a4d2f4626e0efdf853660fad2

SHA1
125590e084ceafd311a3d8b1d3da7cefeb80694a

SHA256
7ca4b2d8a3f86ef34221bd686f87ce7f94206a774d1c3df11453f2dfe7b5aa47

SHA512
8f64ad11b693bf6cd5c26ad97db9860ce93f60faf5ed9a0414a142208d676fe99a8ff1ae6d3e41034b80cdc760c0628f4f9931a14d5796babd480ce02272fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
Filesize
592KB

MD5
1da0eb8a4d2f4626e0efdf853660fad2

SHA1
125590e084ceafd311a3d8b1d3da7cefeb80694a

SHA256
7ca4b2d8a3f86ef34221bd686f87ce7f94206a774d1c3df11453f2dfe7b5aa47

SHA512
8f64ad11b693bf6cd5c26ad97db9860ce93f60faf5ed9a0414a142208d676fe99a8ff1ae6d3e41034b80cdc760c0628f4f9931a14d5796babd480ce02272fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
Filesize
592KB

MD5
1da0eb8a4d2f4626e0efdf853660fad2

SHA1
125590e084ceafd311a3d8b1d3da7cefeb80694a

SHA256
7ca4b2d8a3f86ef34221bd686f87ce7f94206a774d1c3df11453f2dfe7b5aa47

SHA512
8f64ad11b693bf6cd5c26ad97db9860ce93f60faf5ed9a0414a142208d676fe99a8ff1ae6d3e41034b80cdc760c0628f4f9931a14d5796babd480ce02272fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00000#Cast
Filesize
101KB

MD5
528dcb94c0374029b68062cfa6289ccc

SHA1
a3113210f866cba8362ec5f4d709de4174621cd0

SHA256
650c2fa65abe23355159c88c9a268d097b0ba05ddabfd6f0b7b10974e6505cf2

SHA512
bf1288627d8eae8f263a38f52cbd66e2b0d09e96a535f14ea1641748f92953c9fd6e56ee3a15a8b520090296279fae26fff78b74508cbeebfc4cc3bd735d6a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00001#Harmful
Filesize
92KB

MD5
3a2924b1786f76b2fa7c9587db0d88cc

SHA1
adaafc58bc6a24846fc7357456aa8a6327e9935d

SHA256
3a4e51347109ef17fe4d8d2d513abed728908bf04d6112072cfba4ded6a21018

SHA512
97fccdda7a189d5f1efd9497f510e3f0390391f6ea22bc7e5bf08f3ca7ca2aab4dd949b2d1cab4c16ba1679f053acf19e12f9a36a2f0145efd4d780fe8720b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00002#Honda
Filesize
28KB

MD5
da36fb02a590de2370ae08387926fe71

SHA1
865f2867814a6961a0b4418edbea22b34f9c3139

SHA256
ce94c1e8bff6f4d8ddc3a5ce4b16b4913aeda2628d2791d6518c81555377014e

SHA512
48b11906c18b69ef608ea3f6b34c1a07921aa33cb375ce71d9ac5a8093a7410590f9b24d3ee51d9fe686904a217165040a45a3bc9679cebe2612b7f564cece9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00003#Ky
Filesize
162KB

MD5
90d37ced38c72fdd9c5fafee271ad2c0

SHA1
0e6720d40de47ec48dfd66242e3380b990174d39

SHA256
15a87330819170aa8f65522533759c6c00aa91557597073841f953a13e856da3

SHA512
4728bd9b23e45e20894a288577c88e98efabd7ae201bcb18a673f66c62018d0872dc7deb48edacae22e7243d06734d2776de430e2a03f2502ab41f0683521838

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00004#Regions
Filesize
170KB

MD5
85d9eb423267b3868f0f91d093b7676e

SHA1
7524bc75996b16c2829c5cd1737dc84e863491af

SHA256
65508506af844348aa36c25f7978d31dc312515624978e1352ee2e7582742866

SHA512
df9cc441f4e5f5bed60cfe38f72820485d5e4fb7214e03203fb6dcc7b3c8c9fa87baeaba4ba284e88851a538609e2631d8a8a8a94a1aad60c30d7ef2bbd62c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00005#Shop
Filesize
176KB

MD5
92fd71c512a44eef656af97bdebd0b3b

SHA1
718e103991f629180ad8f80f5f2ff81849196316

SHA256
a41ee788b65c650736b120bf83ecaed1c362f28832d365039af6af655bb4c7dd

SHA512
522f1ae6440277872f00b5110c780ff9caa10ef0d9f4a417d0c8633dde18ca5f1886f77973e7f61b169280032044a46167bf19237034c3f569709237e6df2eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00006#Stand
Filesize
15KB

MD5
21e959eb4e8b7e1a05e3495bed52ed44

SHA1
76fba2d4d07ee8d071093daaa75c0e6cdf34386f

SHA256
43fc3609f949e04a0e2bff7e501e9976596b15b042ac792f39369f38fbfb3f7b

SHA512
1b8455decf7739fddfc71f9ee4e2aa92006fb31ee0ee5ec8c01ce3c353aaa49e8ab69299386af4a37109d05fde3cc4dbcf0ff6ef45fdca7279d273370e2896e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00007#Sword
Filesize
196KB

MD5
aab18a10de0c9cdc049b3b6ac5712515

SHA1
e80666a1782d12b8d51b5cd30568f0e8d1cb5efc

SHA256
3db5bda0976e4bec103a6f992b0bfbab43027e8c377913786ad83691cd825b44

SHA512
9c88614b903cd7654e6e52c31395fa51f0b6018fd42ba532a8b8d42d6adfc5b74d6ce57357df2f7037f5188f5d7e0f5b4c1db980ac48b70d062dd362580fc62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\00008#Trinity
Filesize
749KB

MD5
d21967a049553a81e74eadc7e480d677

SHA1
c39b88d98d23f507365a3bac434e7b2ef75fbb99

SHA256
d95c72ddad37e7693f84cafac77e2c6a7e99a0c471f6d5ed8db2206639c2c8ef

SHA512
133f88296d7d726a059068bf2be35451523d7f7bd0dac204e29d822fcc6b33c8334bbc04a45353e56d3162ba6f14f68508176a17f25e0d91050911c739d17d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe
Filesize
428KB

MD5
8c428b11f3ce1e852a57a23f1cec0cd3

SHA1
2e79eaa5bb9a654cd08b152f3b4f9fdc5d1c8e70

SHA256
b726cae4e004014fdd461abe9d7ea9e32bd0158434be1f58e468537d8dfa9e35

SHA512
4837aa9398a2ea9e44e2fdc266d2678fb493704dc8ef114e5e6574f509392f3b29886c6e3e892721cac45e43e753924cc64090198aca4a7ad5fcd7ea1f710e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Engine.exe
Filesize
428KB

MD5
8c428b11f3ce1e852a57a23f1cec0cd3

SHA1
2e79eaa5bb9a654cd08b152f3b4f9fdc5d1c8e70

SHA256
b726cae4e004014fdd461abe9d7ea9e32bd0158434be1f58e468537d8dfa9e35

SHA512
4837aa9398a2ea9e44e2fdc266d2678fb493704dc8ef114e5e6574f509392f3b29886c6e3e892721cac45e43e753924cc64090198aca4a7ad5fcd7ea1f710e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_40676\Setup.txt
Filesize
2KB

MD5
403629dc3c35b6e18f0c5b641f39a817

SHA1
b86aba29133a5ca5451d63e835c7529d3f1dea07

SHA256
398eb21006c93ae82c9cbc25cc6a553243488b457b1a44c7f7355e29291f26c7

SHA512
f0091ddd47bb64620c724ea99a7d5eaec2d81646462c0fd27c2c2d642d2c7acd1f9309b0a64358752413be4f7fb9c8b6f0dd1a8806c354b981a190da53752849

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvtyukzl.5un.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\15790\Mozilla.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\15790\Mozilla.exe.pif
Filesize
925KB

MD5
0162a97ed477353bc35776a7addffd5c

SHA1
10db8fe20bbce0f10517c510ec73532cf6feb227

SHA256
15600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571

SHA512
9638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ftz0mjwi.drp\Secrets
Filesize
925KB

MD5
b6c9faa888d8b5f5a0472365c27afe0a

SHA1
bb582d03ece261fb724873554d39c2b5cedbd798

SHA256
861afd7be2707ece08dc30c08155e70b1e381bd1f1948c9b437308ec49223354

SHA512
94b3ad61d9115b08dadbb25f60f9919e404561447115e5730602424aad52f7546f746ae27e86e0007129d9335cd3e9328c830244762ce30acea7da582b47ace5

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/1128-167-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1128-168-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1128-239-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1128-237-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1208-228-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1208-229-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1880-256-0x0000000000400000-0x0000000002B86000-memory.dmp

Filesize
39.5MB

Download
memory/1880-254-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2792-204-0x0000000004570000-0x0000000004580000-memory.dmp

Filesize
64KB

Download
memory/2792-196-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/2792-211-0x0000000006010000-0x000000000602A000-memory.dmp

Filesize
104KB

Download
memory/2792-210-0x0000000006090000-0x0000000006126000-memory.dmp

Filesize
600KB

Download
memory/2792-193-0x0000000004580000-0x00000000045B6000-memory.dmp

Filesize
216KB

Download
memory/2792-209-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/2792-212-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/2792-213-0x0000000007090000-0x0000000007634000-memory.dmp

Filesize
5.6MB

Download
memory/2792-203-0x0000000004570000-0x0000000004580000-memory.dmp

Filesize
64KB

Download
memory/2792-197-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/2792-194-0x0000000004BF0000-0x0000000005218000-memory.dmp

Filesize
6.2MB

Download
memory/2792-195-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/3260-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3260-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3632-269-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4396-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5060-267-0x00000000034A0000-0x00000000035D4000-memory.dmp

Filesize
1.2MB

Download
memory/5060-266-0x0000000003320000-0x0000000003493000-memory.dmp

Filesize
1.4MB

Download
memory/5060-274-0x00000000034A0000-0x00000000035D4000-memory.dmp

Filesize
1.2MB

Download