Malware Analysis Report

2025-06-16 06:19

Sample ID 231226-rjwnbafbf4
Target 74c738ec680d1ff87c135833211a88dd
SHA256 bcb6d900f86664d0a97e69510c99b519f26f376316e761fadf2a8ef4f672b975
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcb6d900f86664d0a97e69510c99b519f26f376316e761fadf2a8ef4f672b975

Threat Level: Known bad

The file 74c738ec680d1ff87c135833211a88dd was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 14:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 14:13

Reported

2024-01-06 16:45

Platform

win7-20231215-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Service\tcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Service\tcpsvc.exe | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe

"C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

"C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE"

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

"C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | planless.ddns.net | udp
US | 8.8.4.4:53 | planless.ddns.net | udp
N/A | 127.0.0.1:54984 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

MD5 1608a4780695ff52fe056d10fb96b431
SHA1 82faa86536b679c98fa97dbcdd8e480f0bb56e7f
SHA256 784fdab31f9cc7ef4965da3e53195ab8d0c0949b3527642b3f50c8246f06f216
SHA512 d30337caa3f2dacc454e78d6f1489c699f1b024c2d6a393e760279909cb236e8f259335ced6dc83c69865b14fb8b33b10ed85df1b60b71c6987c914a23fd4895

\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

MD5 6ea8e4328dc6e65b3d1d5e171dde65a3
SHA1 8d22cdd24ee740089e0149c49bdc1331b23ea483
SHA256 3d0e8284f0973ce40b3ae3229daba374bc049387a64278c69cb594ec4e1ef5c4
SHA512 07974754f0d5e0affff5e8287855300bc1aafdaf6ea96bd6d628fcf485778fa7515713c3b7305241664d5417c3ba7d19feb1425dce4c82ab92065febc5735dce

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 4814523ce1c91543cc329463e6633976
SHA1 98a86e42bcb10104cfb9c8a8def49847da0f74dc
SHA256 a9796452153847fbe1d83737a24d50e32dd2c709749af33d76f5fc197967a2d2
SHA512 faee912319e48265c1d4ad1aa0eee4dc7c45921335aef266967ec04972c6a3077737ac2427afc7c016de8ec1074e742f0623f9cdbc095b229cfbaddce54d73a7

\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 b64607d93442cf1bb2cd58974a573111
SHA1 2b9e6fc67573809ff8b9da697b052f761d1ae634
SHA256 c638eda49dbcaaeb7458403832daf82a0b6e2ba2ab630d9c52341b6d1c433b6a
SHA512 51886961ae98343bc0233dc14a3315a1789a26c44bd9d1f9721c55128ff252c2e5ce2fe64aa70e2e4bff2f717fa6fb0f9029b7449366c837631ed9aa9cbda389

\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 c817e0e262270baf4dc5bbbe766cb414
SHA1 8a5c1909d826d135f8fe9172d105f998bb415cbe
SHA256 62e1803db0e0dc9712dc8042297afc43c712714bc65b2e0b26b653d32baf892e
SHA512 9b32b4f780182d31db52928ffc3d9aba4f61203317fdcb216d2cce7350027671dde8587128a6b53aff3e547cf4bc1e8682efc5f5d628069a2b06cc1811a1b643

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 14:13

Reported

2024-01-06 16:45

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host = "C:\\Program Files (x86)\\SMTP Host\\smtphost.exe" | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SMTP Host\smtphost.exe | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A
File opened for modification | C:\Program Files (x86)\SMTP Host\smtphost.exe | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe

"C:\Users\Admin\AppData\Local\Temp\74c738ec680d1ff87c135833211a88dd.exe"

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

"C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe"

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

"C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | planless.ddns.net | udp
US | 8.8.4.4:53 | planless.ddns.net | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
N/A | 127.0.0.1:54984 | | tcp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 57ba73427cde91ad57f4472d09b62921
SHA1 7eb6d00a4998f4f4789d779a769a14835d8a01e7
SHA256 01458f77180e6e9fdafbac37e867d416afb07ac7b794ce6e2accb3ecc08083c1
SHA512 405da5ed8f264249dbca303314733b77b0a18f525209c1288c203822151e873b8e4189eecda1cddea27bb1af66af9fe6542cebc320ad582e8ea5ca8a3c453f33

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

MD5 68f4261c11bf82e9910904760a839d21
SHA1 baecc9b629846d124c15da232f0dd5e14dfa0890
SHA256 057a609719f60e996c79cb83ccbf058f730b99e0d59958771197e356960c53d3
SHA512 2b298edab634aeee8e1014f06ceed26e028ea42de8100e86c340e46e33dcec658aa0ce8ec14a467aa624c5aaf8939cd787621b351a8ddb182ceaf37246d49ae2

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

MD5 e9d9350db7bfb3c40ec0b2dc2d656e89
SHA1 8d1a9600e13d73a3ab25f4a8358a9dba0123c6b3
SHA256 4a40d3c4146cb0e3235f277959a7057d8368190f6a1ae38b24a27586718ec41c
SHA512 04f36156e4ded47d792d380cbd299fcf87f7d934271084ad784586d808d495bc5a4e827bef317630d5930cc948fcf1ce4455b1a67190d15dc8508c30762a347b

C:\Users\Admin\AppData\Local\Temp\BLiTZ_v5.2_2.84_64_Bit_Fixed.EXE

MD5 887cf56ee8422bbab6ef2d036ad280cb
SHA1 2cbe422c60b51253db6f4bb59dfe08c98ec6c047
SHA256 2f6ce59e336aa60780cf3533f1db8c5755a2e106a6cfe19948876207b8f9e26b
SHA512 d61720e9bad8779ee0efe3fc3ed4495c6cd3c5314c04d83e2fc5d800639a3bb4f215eacfaf8f57501c86b862a143dbff7a018f1123c10a4c88a99e10e3a2e422

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 e728e6770f979b4c8ebbce5f5505b032
SHA1 6f3849f50ad4d17e1c708803954eb7337511c2a2
SHA256 6beb9678e0dbce9ec3b85de0442e95aebdc6eab2183cc0ef680c519efb2a0c43
SHA512 e4023e84c8022f1e6f696ac3e3acd9239cc6377a0cb6d6fe47b581847b3bb928900911687c0e63cd43cc375f372156bbb89fdf6b7eec1a8150a9f043dc89d6aa

C:\Users\Admin\AppData\Local\Temp\Onion_2.84 (1)-cleaned.exe

MD5 a203546462872fef13ad6021a3f39c36
SHA1 215dbb6beb1c835f0941225dae81a7015e15f3e1
SHA256 385410968b706ba7185ab472e2d3ef74024448919885cc9c4345e2a8762b4dbb
SHA512 ee120b68ae920c3e04775f1bd1f5e27495c6f7e355f442d0c6c1ec61ab634cc2029a11141c31db2111c89b12ebbef8127aaadc49f16f14b92e2d6b1178d33882
