Malware Analysis Report

2025-01-03 07:37

Sample ID 230826-mhbjjabc6z
Target Office_Macro_Downloader.zip
SHA256 231f7db79384197640d2d7658cfce15df3890e2b2d409b25fb1b679efaf9b3ab
Tags
asyncrat stormkitty default rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

231f7db79384197640d2d7658cfce15df3890e2b2d409b25fb1b679efaf9b3ab

Threat Level: Known bad

The file Office_Macro_Downloader.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat stealer

StormKitty

StormKitty payload

AsyncRat

Async RAT payload

Executes dropped EXE

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-26 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-26 10:27

Reported

2023-08-26 10:29

Platform

win10v2004-20230824-en

Max time kernel

8s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe N/A
N/A N/A C:\Windows\Bubbles.scr N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Bubbles.scr C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1548 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe
PID 1548 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe C:\Windows\Bubbles.scr
PID 1548 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe

"C:\Users\Admin\AppData\Local\Temp\Office Macro Downloader.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAagBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZgB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAZQBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZQBuACMAPgA="

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

"C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe"

C:\Windows\Bubbles.scr

"C:\Windows\Bubbles.scr" /S

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 maper.info udp
DE 148.251.234.93:443 maper.info tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 d492e4d65eb406e00207def1ceb6675a
SHA1 2d718322b7133c012590827dbf9a43d4a8c31638
SHA256 f6161dd6264c025a56fbf16d25f5faaf51e71a4e461381d80cd8b67f63df9dac
SHA512 fd87bb2a2d419dda4bc109a38d50f5e26b09ebf1fa3a0180b89b2f87a4f10278c1f9aa01b739003608f7369e42dd8a61e5d8ba3d9873887ea9786985093f3ea9

C:\Windows\Bubbles.scr

MD5 9be903555f182c72996ff2dfad2551f8
SHA1 0f72fef2b58e8cb66a38d98410817fe4df525c52
SHA256 0e65aadd6c3aede82c01e66723fd3688ffa3a0ab6600c8556b393c5f2615a15d
SHA512 938ad6f46440061cbb1ddb2cc7b93458156fdcedd1538ac52ff6b20deef33a91e202ae604ac503bd10a96a398555c784837920464795663cbf659523767f1119

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tiljpu5t.w0p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\aut4793.tmp

MD5 dc12b861ff524e6486c60f41331abe0f
SHA1 fab7160fe1ff707f0082c49077459792147acbf3
SHA256 330d95b33280d77375e979bfaf7db64a5714802887d560c9c0b00ea61d0d1c03
SHA512 0127e977cb659d5678cf91228e54138e6258b28b28e045f51ab0a0240be31a448ca02653985e9e7353e5c274dd778d7af2c8bdb530d7280274ff259ff43bd626

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 44e5104468e0f56b1e34037a4420d7a2
SHA1 ad7f3747d48b086da6bf6cdbcde9073975cccb29
SHA256 c50ef287e725fb22f65ad4f30ee5ae9d97b49f4ce0f702c2608f8bd4ed3575d5
SHA512 853567445d74b0fdcfd5dca4ae7e61846b6ae6b69e72f7aa4d0bc83af6e3a52d7b79bb810892f5f155b4e697edc9511416f8bffef2efd86d57c919505232256f

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 51f54f0720ca174a1f750f2899105800
SHA1 f33f61a5092472ea752b2da89b08ba0831665e78
SHA256 3e216f09d9ddb640a1cf70422990e772bc11b83e7a93b83ba8db79a51539c1b0
SHA512 07fbd33d5b0b6748b5a94781ae64d8576a09874b2fe3eefe8033a0b43082960150ec7b03b3e73300b3c9b021fbf1cd87e3824802914602e0c45c74a70a97acfa

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 5b47adbec2f86cc23b04216ea8391eaf
SHA1 04018816b22e209e7cdbbed6125568b799073ae2
SHA256 25ccb2da431d33eead185e27795bd6ea43fae10036b8c3ea114a6a4cd3fbc768
SHA512 20e6a4946802d637abd2fbe3fa496406417a4f99b4f273fd0c72f21294b2065a57e0dcf09161fceb28c46fb5584eecda25306eacd284a06466082850c77eec47

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 ae521f5aba7bd248af32ff2db5fd52fc
SHA1 03a531e33170a1a52fcd334f12c001d41e6d289a
SHA256 e9e1ba1daa10f788cace3f016c810f59645ea8d912ff1076c1489b259fd94069
SHA512 bb72a0fd8245b35c52a357ac14c598354531fcb7fafc17089d59dd2db20750b12d0e9de596d87a45cda9de2e300f0d76826ff7a484dd74e1271880b3ae1559cc

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 627ad9ec9d562f5df369bfb238684389
SHA1 650e7afe991509b52fea545f2084c8dfd8126871
SHA256 3b5fd1914a056c2db2879eb571ff3c9b3a5ac6a178f4a7306b9673291018c79e
SHA512 db6750587ce1e2550fdfc86b6dbd32e18b92803ba3e7e105610b3f3bd64b326878662c8020599e5820ca91748d06094bcad748c699d3ba7d15c29eb563e3a8fc

C:\Users\Admin\AppData\Local\Temp\tmpCD8E.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

MD5 d48fce44e0f298e5db52fd5894502727
SHA1 fce1e65756138a3ca4eaaf8f7642867205b44897
SHA256 231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8
SHA512 a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

MD5 87a524a2f34307c674dba10708585a5e
SHA1 e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201
SHA256 d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9
SHA512 7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 17bce7a4aded83ca8335db50e43c3fe3
SHA1 90086f062f5feb37c2ba22f7d461655a637d0351
SHA256 1e4a5976ef1e41ac7532e87641f0fc2c1600301f3a08c88e368e07c97206ea5d
SHA512 14ff13a2bab123d0817d06a2e8fff0a58cf5eafcd19e6381861a274da8a698fa2ac2a9f0f1380e8fb5485b91215a0f31dcabaaba279c06933f0384675546e131

C:\Users\Admin\AppData\Local\Temp\tmpCE0E.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpCD7C.tmp.dat

MD5 0c01810fdc45fb55a955763f05ffb3ba
SHA1 4da7024f57dc2d842f95059fb04d31afb05fc763
SHA256 b8e0cfa7fb9477bb92583db07932b12823f3d512898ea2e27510812acd77f128
SHA512 5152b8d877273c9d3aa7351e4af12401bf907a7b6306487fcbefd2ee536fbfdafcb919be9a2ed5f4a99d70be130c8f383221c7aafb362bfdeeee957901f550e3

C:\Users\Admin\AppData\Local\Temp\tmpD9F1.tmp.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpDB01.tmp.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 33fb7799651b178ed3f3390e4d4ea9db
SHA1 817236db04518f10e11a6e2674798cbe8fbd80c0
SHA256 8967e0c2244d6fdc5fbc3d24ba4957aeb6bb84e83af280c2edf96f68dd7a41cd
SHA512 c7938796793595e2239ba8bdeaef61e5d69598df9ddc5bc15a68dcaac5aa5076d74c00340aed235fd834710203f9c178edc0094afeea9903eeefc7ec7b26b022

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 9d75c644b764804a5d49535f40f349a2
SHA1 4a3d0e09b0a56a860dac4f108bd402f9a601fbfc
SHA256 e5cb182b084e6d734a5389670cab90b421840f036746903020f3bb8b93905499
SHA512 e8e8baa6032b39a98daabf4c7c59c78f4e2d0f136b3a1b8997d8a570f07a6ab31732671cb0b54486e699a0447d92f19680bf46bb56a048f286c1cbf981a03706

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 9936962b4bd049ff0fe5b7a7d91da20c
SHA1 0a515c10763c03f312807cd1e5bfc17e3ad917f6
SHA256 19345f8143776074dc06b9485c1271a20594f42d9c7ba4ac2c4de9a7e57eda38
SHA512 a309b88358b043fb9d3e356b5b86b1e37c68d9642650e1a26efae9879e4df68af0822d5402968427f02f773663495ce974ea1a2a06c784da80fdbfd146141be5

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Temp.txt

MD5 d65b322bbb827a731e5ed3c3affb8236
SHA1 29533e37d1ff7b0877c5f98eca71f41e4ad0a545
SHA256 ead0f5eb24ed3adcccde8a288d6d7d596c935b144f05b8975c2dc1a329c63e45
SHA512 50a2037ba015f38fa18f5dd8e35543f3ff90659a0d0b22b13a99518df2e42ce0ef726e5c58a23d97d49f26bfba0840e6af8b86a7541da6ef4c0d770c4275be7b

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Downloads.txt

MD5 9a4a96ceb31972432f924e3752d1d8a0
SHA1 baaead1f645b8a30d46e4cb9ac0ebde51b6cc66d
SHA256 92b248c8aaa4ae6e2b3eda8779cfbd3d6ebfdcd3c5b8b2bbe21018bc27d55c37
SHA512 b43ab41065e8853aa38bf325871ba9431648f6f04f078738ed452bd684b0d9ee59ce8ff974f0339a371e497dc351978db73a4370114dd5299f562fb1b966b14e

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Pictures.txt

MD5 f7537dbbbe25551ab27944cac6b25edd
SHA1 aca103f62c0288d20ff8f8d71883b481b5901aa9
SHA256 8da48821503db0a69f7518cc6237dddefbe4aabbbcdddb8641d2453f32fee982
SHA512 7738bd3dc427e7a3f4cffa6ff31bd5a242dac89c39f5461584d7fc1fd21434bf69e09ed588770c338fcc34df0d479a46987237d71172e95c45b4fb4ec5106476

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Documents.txt

MD5 aa7327a3e623dd93312a13ed3ff5f6b3
SHA1 8067f1aa48c676f60c3994e3ba7fb927d1894a3d
SHA256 8436ab61a4566663d56a738f42792f41509492a41c79ac1df597d9aed9e32722
SHA512 02b927eef7350e5b93daca09def24208a31eb9fad79f0c5f2d9651d543083fc6409110623f8f3b9e64493151abed1aa13709ba73fe5079fd6e8f9f1470dc85b3

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\Directories\Desktop.txt

MD5 cdb31330ec034846c8099f35d43e5e2b
SHA1 2ae925774e6fdc84021ca9179ac67c6a23420a20
SHA256 f76eb756f8c31ab98a8985cf7c574751f2b0a98f696a56d49ab38714d8e9321f
SHA512 82cde747a31c23235c4c1921c76deed5532db566dcb64c68e2448d048136ae0826565504cc445922b09188163735f917baaef71af15221a1018936f380bdba63

C:\Users\Admin\AppData\Local\Temp\tmpDCE8.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmpDB22.tmp.dat

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\tmpDB21.tmp.dat

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

MD5 43141e85e7c36e31b52b22ab94d5e574
SHA1 cfd7079a9b268d84b856dc668edbb9ab9ef35312
SHA256 ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
SHA512 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\System\Process.txt

MD5 1f5dac98fb2b30bf10fa36da9bcc4562
SHA1 fa8b926b7c78e36c1ad3de2cbe6366368f883deb
SHA256 39f343fc631c3d6398510d4ef31e2606cee51f13893d4866b25ae8754096ec30
SHA512 f47888b4ba8c1124d189418cf5b65eda62ee966e06394aa97a307e775a2807c6efaf6c8835b8762c34ddf0e02c78d9635f6015a79a4cd570fc4273575ae47c6c

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Windows\Bubbles.scr

MD5 9be903555f182c72996ff2dfad2551f8
SHA1 0f72fef2b58e8cb66a38d98410817fe4df525c52
SHA256 0e65aadd6c3aede82c01e66723fd3688ffa3a0ab6600c8556b393c5f2615a15d
SHA512 938ad6f46440061cbb1ddb2cc7b93458156fdcedd1538ac52ff6b20deef33a91e202ae604ac503bd10a96a398555c784837920464795663cbf659523767f1119

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 3081e87d66daec682c173c4c491f28a4
SHA1 8863a6b99f76af504d0f230657904c8c4d7800b5
SHA256 18a30196fa719b35d012143169a6e0abb39fbd7d9a7832c2711dd02fcf3155c6
SHA512 bab89e0aed8f24c9e5a4d4f26a546e4656b54cf5e757269b462dec9f0b5161dbfe86dc681357e161ac8c6408f92cafe513905beadc9cd35b31643befabf2cb49

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 0c7cf6f1dd5b150fcac50777bc1fa8ee
SHA1 f271d8ee006e3485ceeca08bb05dd60aa40f8e43
SHA256 098e1eb361aa2e803f36c76cd34e9e531f30ab777b81ddb3e5aa15ce8292e38b
SHA512 4f8fb20817c75552ec0576b3f5f0f97167074b323902a1458809937aec03aa84533a5f637daf2cc7066d5250d203766f8549a46f940f802af496b4b1060dae48

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

MD5 87a524a2f34307c674dba10708585a5e
SHA1 e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201
SHA256 d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9
SHA512 7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

MD5 d48fce44e0f298e5db52fd5894502727
SHA1 fce1e65756138a3ca4eaaf8f7642867205b44897
SHA256 231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8
SHA512 a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Downloads.txt

MD5 9a4a96ceb31972432f924e3752d1d8a0
SHA1 baaead1f645b8a30d46e4cb9ac0ebde51b6cc66d
SHA256 92b248c8aaa4ae6e2b3eda8779cfbd3d6ebfdcd3c5b8b2bbe21018bc27d55c37
SHA512 b43ab41065e8853aa38bf325871ba9431648f6f04f078738ed452bd684b0d9ee59ce8ff974f0339a371e497dc351978db73a4370114dd5299f562fb1b966b14e

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Pictures.txt

MD5 f7537dbbbe25551ab27944cac6b25edd
SHA1 aca103f62c0288d20ff8f8d71883b481b5901aa9
SHA256 8da48821503db0a69f7518cc6237dddefbe4aabbbcdddb8641d2453f32fee982
SHA512 7738bd3dc427e7a3f4cffa6ff31bd5a242dac89c39f5461584d7fc1fd21434bf69e09ed588770c338fcc34df0d479a46987237d71172e95c45b4fb4ec5106476

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Documents.txt

MD5 aa7327a3e623dd93312a13ed3ff5f6b3
SHA1 8067f1aa48c676f60c3994e3ba7fb927d1894a3d
SHA256 8436ab61a4566663d56a738f42792f41509492a41c79ac1df597d9aed9e32722
SHA512 02b927eef7350e5b93daca09def24208a31eb9fad79f0c5f2d9651d543083fc6409110623f8f3b9e64493151abed1aa13709ba73fe5079fd6e8f9f1470dc85b3

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Directories\Desktop.txt

MD5 cdb31330ec034846c8099f35d43e5e2b
SHA1 2ae925774e6fdc84021ca9179ac67c6a23420a20
SHA256 f76eb756f8c31ab98a8985cf7c574751f2b0a98f696a56d49ab38714d8e9321f
SHA512 82cde747a31c23235c4c1921c76deed5532db566dcb64c68e2448d048136ae0826565504cc445922b09188163735f917baaef71af15221a1018936f380bdba63

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\System\Process.txt

MD5 01f65e7b9c2f51b5f86c69ee1f9fdaff
SHA1 f428644712c3c3f1cf441b9a5b4ea2f26e67137f
SHA256 f3b5e0e3cb02459f0309ddd0220fc8a4672f95d9dabcf77ab3e49561adc55f62
SHA512 f4969b06f514e03d994dbf94e338799d3752780779aeabf95bcc4f426398d72a55c61607dca6e6cd77cb91cb57249b7c4df2919a59e0088e2869743470953292

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\System\Process.txt

MD5 1f5dac98fb2b30bf10fa36da9bcc4562
SHA1 fa8b926b7c78e36c1ad3de2cbe6366368f883deb
SHA256 39f343fc631c3d6398510d4ef31e2606cee51f13893d4866b25ae8754096ec30
SHA512 f47888b4ba8c1124d189418cf5b65eda62ee966e06394aa97a307e775a2807c6efaf6c8835b8762c34ddf0e02c78d9635f6015a79a4cd570fc4273575ae47c6c

C:\Users\Admin\AppData\Local\f5ccaa3e4ec763c653900713191a2b4e\Admin@MTMNHEOR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\System\Process.txt

MD5 1ec8eaa968e08578ea2b486a59f1a8c5
SHA1 7aa3bb2e44b5488a6418bef0c8043e99fce2cfc1
SHA256 7a871a1ac23a67136b696e34c932237f38196a76bfd9636cd77bc89a44f4fdda
SHA512 6b8cf3b44c7aea48bc32930d5d871a178aa66f358e7018737d3a9575591bd35793cddc3d307e159e0517d433b46deb4276c2bfba8b42ae5c9b75cbc16643dfc3

C:\Users\Admin\AppData\Local\Temp\SetupTCPDriver.exe

MD5 7c6e036bd92dbb0188f5e23ee1eaa58f
SHA1 24ee6d5e947e8140ab74c08701eea30c962b8a93
SHA256 048c4680ef60580e1a921a42f1907848b0400d944d65bb73b502f19c6b30d307
SHA512 e3f99658cb5f4ed2c30eee91bc4783df273f15362a2e537dbb18db184b327c8648a89bc452733419922260c06dc9d51e1f7544482b2ed67f2ca812da175356de

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 5baa52781a8220326a3092899d37035b
SHA1 d847307871ff026d10060da76a3be73f408986cb
SHA256 1ad03a649ae38230706ff425a81d911ffc5dbc6c0324fec9097fda6b1c8608db
SHA512 0ca302661289cc382230cdfece9757291596640d2bcd3482d6d2df7a304218421eadb3a31160b0b12bcebfe4f0f6cfd5dfdbbd4d7ab7d71fa31d58a8a521ac49

C:\Windows\Bubbles.scr

MD5 9be903555f182c72996ff2dfad2551f8
SHA1 0f72fef2b58e8cb66a38d98410817fe4df525c52
SHA256 0e65aadd6c3aede82c01e66723fd3688ffa3a0ab6600c8556b393c5f2615a15d
SHA512 938ad6f46440061cbb1ddb2cc7b93458156fdcedd1538ac52ff6b20deef33a91e202ae604ac503bd10a96a398555c784837920464795663cbf659523767f1119

C:\Users\Admin\AppData\Local\f6fe0dc2f85d1416817393bfac926b23\Admin@MTMNHEOR_en-US\System\Process.txt

MD5 06761b8b7d681837e67a0c957aac388c
SHA1 4643afdc489348b13d735130f25f56f5c5aaa1b7
SHA256 3601869d723431ddf3cc12399fc90a718f9aeadcb62b23bc0c18110d97251786
SHA512 7f98331df067d82fedf90ad3cb8b684ce5e518d8c7e9a2b16b45124da4599b8137a70a08a33ff2fadf6958da15a54b1fc282fe741c06a21aba0ac2920de1427b