Analysis Overview
SHA256
be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549
Threat Level: Likely benign
The file Mesh Method_65518065.exe was found to be: Likely benign.
Malicious Activity Summary
Loads dropped DLL
Checks installed software on the system
Executes dropped EXE
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:22
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:21
Reported
2024-01-07 19:24
Platform
win10v2004-20231215-en
Max time kernel
47s
Max time network
124s
Command Line
Signatures
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A |
Loads dropped DLL
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (11 identical events) | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A (2 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3512 wrote to memory of 2972 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | C:\Users\Admin\AppData\Local\setup65518065.exe |
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | "C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe" |
| C:\Users\Admin\AppData\Local\setup65518065.exe | C:\Users\Admin\AppData\Local\setup65518065.exe hhwnd=459086 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-L18kY |
| C:\Users\Admin\AppData\Local\setup65518065.exe | C:\Users\Admin\AppData\Local\setup65518065.exe hready |
| C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe | "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat"" |
| C:\Windows\SysWOW64\find.exe | find /I "2972" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist /FI "PID eq 2972" /fo csv |
| C:\Windows\SysWOW64\timeout.exe | timeout 5 |
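Read together, the last four command lines are one routine: H2OCleanup.bat polls tasklist for PID 2972, pipes the CSV through find, and sleeps five seconds between polls. PID 2972 is the setup65518065.exe instance that Mesh Method_65518065.exe wrote into (WriteProcessMemory signature), so this is the usual shape of a script that waits for the installer process to exit before acting on its files; the batch body itself is not in the report, so what it does afterwards is not known from this page. The following is an added example, not part of the report and not code from the analysed software: a Python check that correlates the process list and the memory-write row into one finding, the way an analyst would combine the signatures "Enumerates processes with tasklist" and "Delays execution with timeout.exe". The process and memory-write data are copied from the report; the regexes, the data layout and the wait-for-exit interpretation are this example's assumptions.

```python
import re

# Process list copied from the report's Processes section: (image, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"'),
    (r"C:\Users\Admin\AppData\Local\setup65518065.exe",
     r"C:\Users\Admin\AppData\Local\setup65518065.exe hhwnd=459086 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-L18kY"),
    (r"C:\Users\Admin\AppData\Local\setup65518065.exe",
     r"C:\Users\Admin\AppData\Local\setup65518065.exe hready"),
    (r"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""'),
    (r"C:\Windows\SysWOW64\find.exe", r'find /I "2972"'),
    (r"C:\Windows\SysWOW64\tasklist.exe", r'tasklist /FI "PID eq 2972" /fo csv'),
    (r"C:\Windows\SysWOW64\timeout.exe", r"timeout 5"),
]

# The WriteProcessMemory row from the report: (source pid, target pid, source image, target image).
MEMORY_WRITES = [
    ("3512", "2972",
     r"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe",
     r"C:\Users\Admin\AppData\Local\setup65518065.exe"),
]

# Assumed command-line shapes; tasklist/find/timeout accept more spellings than these.
TASKLIST_PID = re.compile(r'tasklist\b.*?/FI\s+"?PID\s+eq\s+(\d+)', re.I)
FIND_PID = re.compile(r'\bfind(?:\.exe)?\s+/I\s+"?(\d+)', re.I)
TIMEOUT_SECS = re.compile(r'\btimeout(?:\.exe)?\s+(?:/T\s+)?(\d+)', re.I)
CMD_BATCH = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)', re.I)


def detect_wait_for_exit_loop(processes, memory_writes):
    """Correlate tasklist/find polling of a PID, a timeout delay and a batch
    launcher with the PIDs the report ties to images. One finding per PID that
    is both polled by tasklist and matched by find while a delay is present;
    an empty list when the pieces do not line up."""
    polled, delays, launchers = {}, [], []
    for _, cmdline in processes:
        if (m := TASKLIST_PID.search(cmdline)):
            polled.setdefault(m.group(1), set()).add("tasklist")
        if (m := FIND_PID.search(cmdline)):
            polled.setdefault(m.group(1), set()).add("find")
        if (m := TIMEOUT_SECS.search(cmdline)):
            delays.append(int(m.group(1)))
        if (m := CMD_BATCH.search(cmdline)):
            launchers.append(m.group(1))

    # The WriteProcessMemory rows are the only place this report binds a PID to an image.
    pid_to_image = {}
    for src_pid, dst_pid, src_img, dst_img in memory_writes:
        pid_to_image[src_pid] = src_img
        pid_to_image[dst_pid] = dst_img

    findings = []
    for pid, tools in sorted(polled.items()):
        if "tasklist" in tools and "find" in tools and delays:
            findings.append({
                "pid": pid,
                "image": pid_to_image.get(pid),
                "written_by": [s for s, d, _, _ in memory_writes if d == pid],
                "delay_seconds": delays,
                "launchers": launchers,
            })
    return findings


if __name__ == "__main__":
    for f in detect_wait_for_exit_loop(PROCESSES, MEMORY_WRITES):
        print(f"wait-for-exit loop on PID {f['pid']} ({f['image']}), "
              f"launched via {f['launchers']}, delay {f['delay_seconds']}s")
```

The check deliberately requires all three pieces (tasklist filter, find on the same PID, timeout) before it reports anything, because each of them alone is common in benign installers and uninstallers.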
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | www.dlsft.com | udp |
| US | 35.190.60.70:443 | www.dlsft.com | tcp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.60.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlsft.com | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 247.12.222.173.in-addr.arpa | udp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | filedm.com | udp |
| US | 172.67.195.231:443 | filedm.com | tcp |
| US | 8.8.8.8:53 | 231.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | sos.adaware.com | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 104.17.9.52:443 | flow.lavasoft.com | tcp |
| US | 8.8.8.8:53 | 52.9.17.104.in-addr.arpa | udp |
| US | 104.18.67.73:443 | sos.adaware.com | tcp |
| US | 8.8.8.8:53 | 73.67.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.enigmasoftware.com | udp |
| US | 18.172.89.87:443 | download.enigmasoftware.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spyhunter-download-v2.b-cdn.net | udp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| US | 104.18.67.73:443 | sos.adaware.com | tcp |
| US | 8.8.8.8:53 | 87.89.172.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.38.244.143.in-addr.arpa | udp |
| CA | 198.72.111.246:443 | | tcp |
| US | 8.8.8.8:53 | 246.111.72.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.freevpn.win | udp |
| US | 172.67.141.75:443 | www.freevpn.win | tcp |
| US | 8.8.8.8:53 | 75.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 8.8.8.8:53 | www.ovardu.com | udp |
| US | 104.21.96.72:443 | www.ovardu.com | tcp |
| US | 8.8.8.8:53 | 72.96.21.104.in-addr.arpa | udp |
| US | 104.17.9.52:443 | flow.lavasoft.com | tcp |
| US | 18.172.89.87:443 | download.enigmasoftware.com | tcp |
| GB | 54.230.10.4:443 | | tcp |
| NL | 185.26.182.112:443 | | tcp |
| US | 8.8.8.8:53 | spyhunter-download-v2.b-cdn.net | udp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| NL | 185.26.182.112:443 | | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 54.230.10.4:443 | | tcp |
| GB | 54.230.10.4:443 | | tcp |
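Most rows in the Network table are resolver traffic to 8.8.8.8 and PTR lookups of addresses the sample had just contacted, which carry no indicator value; the rows worth pivoting on are the TLS connections to the download and offer hosts (dlsft.com, filedm.com, flow.lavasoft.com, sos.adaware.com, download.enigmasoftware.com, spyhunter-download-v2.b-cdn.net, www.freevpn.win, www.ovardu.com) plus the handful of connections with no domain attribution. The following is an added example, not part of the report: a Python reducer that turns the table into a de-duplicated indicator list, separating names that were resolved but never connected to. It tolerates rows whose Domain cell is empty and whose protocol has slid into the Domain column, since some exports of this table come out that way. The sample table is a constructed subset of the rows above; treating 8.8.8.8:53 as the sandbox resolver and *.lencr.org as certificate-status noise are this example's assumptions, not statements from the report.

```python
from collections import defaultdict

PROTOS = {"tcp", "udp"}
# Triage assumptions, not facts from the report: 8.8.8.8:53 is the sandbox's
# resolver, and *.lencr.org is Let's Encrypt CRL/OCSP traffic from TLS validation.
RESOLVERS = {"8.8.8.8:53"}
CERT_INFRA_SUFFIXES = (".lencr.org",)

# Constructed subset of the Network table above, copied as exported, including
# rows whose empty Domain cell let the protocol slide into the third column.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | www.dlsft.com | udp |
| US | 35.190.60.70:443 | www.dlsft.com | tcp |
| US | 8.8.8.8:53 | dlsft.com | udp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 172.67.195.231:443 | filedm.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 104.17.9.52:443 | flow.lavasoft.com | tcp |
| US | 104.18.67.73:443 | sos.adaware.com | tcp |
| US | 18.172.89.87:443 | download.enigmasoftware.com | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| CA | 198.72.111.246:443 | tcp | |
| US | 172.67.141.75:443 | www.freevpn.win | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 104.21.96.72:443 | www.ovardu.com | tcp |
| GB | 54.230.10.4:443 | tcp |
"""


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row into a dict.
    When the Domain cell is empty the protocol may sit in the third column,
    so the protocol is recognised by value rather than by position."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    tail = [c for c in cells[2:] if c]
    proto = next((c for c in tail if c.lower() in PROTOS), "")
    domain = next((c for c in tail if c.lower() not in PROTOS), "")
    return {"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto}


def extract_iocs(table_text):
    """Reduce the table to: contacted domains with their endpoints, endpoints
    with no domain attribution, and names resolved but never connected to."""
    connected = defaultdict(set)
    bare_ips = set()
    queried = set()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None or ":" not in row["dest"]:
            continue  # header, separator or otherwise malformed row
        domain = row["domain"]
        # Reverse lookups and certificate-status hosts are validation noise.
        if domain.endswith(".in-addr.arpa") or domain.endswith(CERT_INFRA_SUFFIXES):
            continue
        if row["dest"] in RESOLVERS:
            if domain:
                queried.add(domain)
            continue
        if domain:
            connected[domain].add(row["dest"])
        else:
            bare_ips.add(row["dest"])
    return {
        "domains": {d: sorted(v) for d, v in sorted(connected.items())},
        "ips_without_domain": sorted(bare_ips),
        "queried_only": sorted(queried - set(connected)),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_TABLE).items():
        print(key, value)
```

The "queried_only" bucket is the one to look at twice: a name that was resolved but never connected to can be a failed second-stage fetch or simply a domain the sandbox blocked, and either way it will not show up in a connection-based blocklist built from the "domains" bucket alone.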
Files
C:\Users\Admin\AppData\Local\setup65518065.exe
| MD5 | 0a3df39d9bcd4ab0ec95c3d3796cbc55 |
| SHA1 | af8cd2d12cc544f042377848e7854feb363b21fd |
| SHA256 | 67add29ed16851c4ad2b25c5930d0ee34751c7ee391f897a468aeab2aa4d5777 |
| SHA512 | 1e3f60916544cfa7409f3a645c99145a0ff7f9330ad9a553382b5b927e54593e88f6ce7a1fbe02f2ee8fc4ca41159736634338a94a1d300d15b9d286d199030d |
C:\Users\Admin\AppData\Local\setup65518065.exe
| MD5 | fa1a89eb046686f261ef2b6af004fbe6 |
| SHA1 | 0922d2a49737cc503ff2164c1b973bc6f420d3b9 |
| SHA256 | e13e73830b2dd2904d4942c95dd89fc9b10b26a6aa236773a397663feb4ce8b0 |
| SHA512 | ab13720115d9ffeb66ac9002b6123e8b03e49c1dd11aae10b3615315fd81048c7467627f050e2445cc93d56ad75d19f1e9c57a14531a4ff5eaf167dc17d6beb8 |
memory/2972-16-0x00000000719C0000-0x0000000072170000-memory.dmp
memory/2972-15-0x00000000004A0000-0x0000000000878000-memory.dmp
memory/2972-17-0x0000000005350000-0x0000000005360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
| MD5 | 49e196d29e391aa3af6ba9422a7e5409 |
| SHA1 | dd8dcd08ac83c145a29cc32315d745a9a3ee36ec |
| SHA256 | 0d866ba9f56fe4c77e2f4dabb45db7f1b3f6dbef3b3b6cbfaf060ff2dd6ac2a9 |
| SHA512 | 2ed215506f0af4e97e9f6044cc0843e24b435cb0cf1e2f9ba1cfa9e51f35871437a83b511ee6af2e8bd5d9af171f7424f65c0db6c0fb938a1d98fa54793a5e1f |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
| MD5 | 6ec6cb03851c63ddb662d353e24f4735 |
| SHA1 | 9322bbe75c2f31e8fd3042a623234e7f9f0e5b7e |
| SHA256 | 2d38ed8dc80b610e8f6552f94873db1377f123544e9cc563b0d27c5449cece38 |
| SHA512 | 9525ded921a15ef1f5f6ebcdc3da357ce7cc6c89c687822953727879e85e2c90a4335d84f2aacb9cdf3e9c269b0e88ffdb3bf2abcda3a98527fae69caea00d9e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
| MD5 | ee095d72b4a2536d07dffc1e3ed8dc6f |
| SHA1 | f168f9088ef3d29b36ce36a8aae0d8318eb41acb |
| SHA256 | a0b0fc614bd600fb45e9fdbc0efade6792e4c040cc8ce537239bf442af58d551 |
| SHA512 | 3e72ab9d3232ebaada9d0493d8d6f665f7bf1a3ef3662e8cd4422c0b7b35685b4ed45c8f18ad38cbbed1f5d8cc1e953810a46dc5f4e3e5bfbc9f53868af8560f |
memory/2972-36-0x0000000005220000-0x0000000005234000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
| MD5 | 6e001f8d0ee4f09a6673a9e8168836b6 |
| SHA1 | 334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38 |
| SHA256 | 6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859 |
| SHA512 | 0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
| MD5 | 2481fe31193e6163ed7f47fea2805c52 |
| SHA1 | 8e01df9c05f2f8a37232df1a37a2bafbfcd181da |
| SHA256 | c144469a07a3398c9e72a9abebf94ff79d2905e0f128a8ab123053c6fc2133de |
| SHA512 | 079cb4e27e912580e918d44086e605403c131f7389efaee62585d549a9534e86e50d09e50dee07d9c347cddb2d1623a70f89fb3464c292a7a469184cbdd8646e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
| MD5 | 1b92388a3cc6b754ef498f0b9278e010 |
| SHA1 | ea9c8a2778153a8108bd7b7587ce746b10a4fad1 |
| SHA256 | 8c4bfdd2275087800b3a729ec6c03aa7aa82f66e28fd5072e90e5377b8fc4e5d |
| SHA512 | 41da7fc1a5ec512fdef3056ea9dcd0b6a0d7f220e56e6aa659315dd1278fd2a3174a8800c1356c37bae99bbfe7f26e2df804633c845c17c4ec64f1b0c5b551ab |
memory/2972-44-0x0000000005270000-0x0000000005294000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
| MD5 | 50396b98954f64b334f3e6c6fc0920d7 |
| SHA1 | 42b8eb25f1bca67077c49168866319b98087439d |
| SHA256 | 35bd7e29ab8b145f7f37dc8ce4097e6ef446df53a10ccc27413db2376991abd1 |
| SHA512 | c8ce9ada8ff2682219db63e0ab82a809338b637b5e487a92973134ff6292089cb57c9db157354e8900120fb9e253e78353e2666a3ec60d2c200c7db019a0bbcb |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
| MD5 | 105a9e404f7ac841c46380063cc27f50 |
| SHA1 | ec27d9e1c3b546848324096283797a8644516ee3 |
| SHA256 | 69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b |
| SHA512 | 6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940 |
memory/2972-52-0x00000000052A0000-0x00000000052C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
| MD5 | 87ca403d58de76ab6dc43cf29aaa5404 |
| SHA1 | 074779ef5b2d45b48048fe959c0a947bf4a36abe |
| SHA256 | 8a67c13cf872c97a19921e7fc851ebccd7ef80b434a60bfc61423c2dac101874 |
| SHA512 | 11b51f5f7f2c8308dc9b656ea65d04fddcb5ab3c5d63191da850ed5d0b67dd1a1439548e3f73e8f0ae94451b76298f0ae61dde027a3503df951539f25f69df09 |
memory/2972-60-0x00000000052D0000-0x00000000052FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
| MD5 | 8858e16374a28c0ffa8dd8952984e860 |
| SHA1 | 719670f1c0fbb283b9faa2e7912fd36035936f7f |
| SHA256 | 80b6535c8933f1f37920943a5c0802b90de3af6aa49491ee89c4b551399b9acc |
| SHA512 | 76e525af7c93747d8e7cdf36d77bdb13789972d3e8348f9fbf462d3182aad0038ed37223aca51ebd15dff047e47cc3ee73bd44d4a7e5e06cf09dec3709418131 |
memory/2972-68-0x0000000005360000-0x0000000005388000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
| MD5 | 90fc7d451885b21787cfa3afb3bf5f85 |
| SHA1 | 317e5ff28d9e66d8509c716ba4a93dff0fe690a8 |
| SHA256 | 85a94c958f8159071053f52f6658e7f4df35ccf712f222bc924862869d8c244c |
| SHA512 | 7988bdc60bac7f7284b2f90790093114b8ca7cded885f690e6f117956ae932cdcdd18588273d40e0cb4e4cfac54ebea6e4b8a317799dd9fb2bbfc5c9ce33e71e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
| MD5 | 9e3659a329dc8649359e3bee43bd045f |
| SHA1 | 9d406f68737862c401a4ff08bae0e5bb05c8e7b7 |
| SHA256 | 1905c92c7dd40e54d59cdfb5f29bdc04059c1c199042c93ff862766320ae45ea |
| SHA512 | 3e0b9dbd35bc51188fe2e3736e32a2bc26a93ff2663bd97df6c17cce7e089d3bf8c026ac31611da1ac87cbaec4392e18305634762cb3972012a2e4b3147b1267 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
| MD5 | 889de7a517f76ddc65b12d6f7b0e550b |
| SHA1 | 6dbbde92dca67c8cbf5a189686bf4f9c708437d8 |
| SHA256 | d050a865ceae1af56054a2b336d3f467d90cc8d20629e5b7d5e76980aa878979 |
| SHA512 | 133a641795bd15a13f0572bc5c750ad58cc7eb837f90ce0883bb7184b056e14dec69cd7cb8a6b31a3703f2b842c9973e4dc45d219c398de94274c64326d23d0a |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
| MD5 | 7e286c5003a49e3847449f1eacfd5ede |
| SHA1 | 1af3bd6cd35e56f9a46391c1b337c7bc8ebe882c |
| SHA256 | bb34c7c0391e2e43707eba42c2e0048396cf5d10e0d20033694e32cd1ed454b4 |
| SHA512 | 929182eb818201db93a1007caa5aa52be1f95cb016a778c340a10ef557cb434a02d3eb1c313160193bd32d40e74ee1122eaf1daf3010ea59ff634b2e28c08b29 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
| MD5 | 7beca33acb160111a6653ac3611132dc |
| SHA1 | 674016621db7e865689ea1ee258548e87c0dea72 |
| SHA256 | 58488788e7684deae5b7e89d244dae966c6b5db4da36e3d2ae32360b6c88a5c9 |
| SHA512 | 5170e5a87095959480fd8751bdca6a1621df0f7a63eee3ae8d5b2d49631e20a5577974bff0ad15b95bd48dfa53ac333872b8b38eb10554389bac0b2a76388a68 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
| MD5 | 8756972db85264026951d3291c23b3c6 |
| SHA1 | f54ea03989d7e33da856c42946cdd325e71a9fa5 |
| SHA256 | 1a166c6697c2c8628b3175fa7ff502c2cc99fd84d38271612c96eb87de858748 |
| SHA512 | bd008e73246f12d18cc3cc5afe37d5f435cc0cd118196e3628ebc205fb0e7a26d2322373b6f49e61a469b3e6c09b74b94a965205b3f27b3dabe1552f4862e803 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
| MD5 | 0245269175581417b77128d8eea28531 |
| SHA1 | a74e8a9660af76cf374efbea23fcb6ee354a4773 |
| SHA256 | 7a1e611e5a94f6e85c3ead4f16a964113b2abe2b96fecc71f8f6fb6a6d15ae6d |
| SHA512 | 13f37c5765621d78bcbf7bddea6a1670419e6940b395007bd248859d7e122e627a3ee0201c89b66bffafa2e4869006b7a1f29e37d54c243681ba34b4adf6b00e |
memory/2972-76-0x0000000005390000-0x00000000053C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
| MD5 | c06ac6dcfa7780cd781fc9af269e33c0 |
| SHA1 | f6b69337b369df50427f6d5968eb75b6283c199d |
| SHA256 | b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d |
| SHA512 | ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3 |
memory/2972-84-0x0000000005330000-0x000000000534A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
| MD5 | a11ceed4e75332388b62ad2bed7fb297 |
| SHA1 | c0e513d0714ee77d83cb7a33ceca4e09b76baa25 |
| SHA256 | 2d4b31818ee5b48288c5eedef38e07eb0c99e363c193ca31055c3d5c4f279842 |
| SHA512 | 2bb22706d78c520cca0c879ac18c677a46e443fa7913ea527480bc50acdec14ca3263a7926e0a94683208c23121f244f92a3e7006f44bf5bd626d816d8aa515e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
| MD5 | 944192ef7ba64eed01c5359aa0336c34 |
| SHA1 | d79ed5c1c7bf42c431be9b7e8f367f190d7db7a0 |
| SHA256 | b77a650311ccb3ae670668f8ec9407a430aca77eddd8abe8cc2d39bdfe96a60e |
| SHA512 | aaab0f32bfb4fc231bcb6a86483b536a4b49b5dbdb8fa162956821a5f5d34d0f65411f5dea5c4489dcd0d87e3d97665fa29ee2b4b11a3fd38e074a3b54652cb6 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
| MD5 | f8c64d3b64cd2ec9c88e74d2681eccbb |
| SHA1 | 2e47e28dacd7dd776d12264ce0c2b161cf48fa12 |
| SHA256 | 0c50560a9e8809d5b4824f4661d2aab389b9360628ae43f79c89059844481f85 |
| SHA512 | 603784dc1f92ee90bba9e754284c498575e72f78c46da8fc8be1b2d1f95b0ce280874c9a842d3f749e83b96adedee6526a37817e120248025ef4d9bc05570a0a |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
| MD5 | 9b4b7e90a8a748c29d0b88206ad5ea4c |
| SHA1 | f07dcc9d4a938d775e671ed82a7073ecf6f6541b |
| SHA256 | 52e219c7cf12ed502ddba034dad0d84eac9b575310d8249c1d0740bd1688c434 |
| SHA512 | 6dc52897600367547fcc665d64fd160bea4d0f837e15062a2f512345bcbf17d0d124b29846d3272196a8b3a0f60573abea4b45ca3c068728d4e9c2c9b847fd90 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
| MD5 | f1023ba3d66605b521e7808d827db589 |
| SHA1 | 93c6c813988f6e193e1dce4e6695496e5d12b985 |
| SHA256 | a28ee82cf924add5dacf1df1451c2e0f3bc7dd1d3080138b35aa78b7184c1a90 |
| SHA512 | eeedad47c52428f8493f5bea04a88e554e66add2ec11b70cf9168755940dbd4742907217c198139e171d11c8824637ac945803b89eb20fb27bfe9dbd4973dad3 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
| MD5 | 21501415578633b0292d2bed75ee05c9 |
| SHA1 | 2500da335e158085965cd5d37a36ca822cd6f569 |
| SHA256 | 8c7c7c5d1f4a37148aa6a7caed5a26f4aa9e87a34335375dbd2e9c075bb2ba34 |
| SHA512 | 09e1c67ace87b16f39d9b87969d683725605b41c37b1b4699a137b8e749cf015ad7e7f43470023f6239d848682bc9fd67d534655defc8cd465f1bae40a01df4a |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll
| MD5 | 422be1a0c08185b107050fcf32f8fa40 |
| SHA1 | c8746a8dad7b4bf18380207b0c7c848362567a92 |
| SHA256 | 723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528 |
| SHA512 | dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599 |
memory/2972-100-0x00000000053E0000-0x00000000053EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
| MD5 | c709046a5629cf84eb949c41253d41fb |
| SHA1 | 3c6c191a28ed7c46fab436307d983894ba1ec218 |
| SHA256 | 33b281f83c76b6990f89dc6a91a5f28fded33b2d96c818cfb304362c5bf61cfc |
| SHA512 | 3e315a4394be9d9cd0eb6bb88c8d230887c38c876c8f724f4ad37b3046f2c65353089292292eafea35d6e0de9ff3ee314510d781fc227d8e0eef1cea9aecb3d5 |
memory/2972-92-0x0000000005400000-0x0000000005424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll
| MD5 | be4c2b0862d2fc399c393fca163094df |
| SHA1 | 7c03c84b2871c27fa0f1914825e504a090c2a550 |
| SHA256 | c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a |
| SHA512 | d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799 |
memory/2972-108-0x0000000005470000-0x0000000005478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
| MD5 | 2a656444de7a61e8f8f4df8f4a404286 |
| SHA1 | f24bef0bd265049a6a5dc2ae3c5dc295781a2e51 |
| SHA256 | 0790473d1e5da18cf9bf939b3d411dae9424fa9610012d66f5ac97d8c4a0be67 |
| SHA512 | 0fe2a789d6cec7b9661837d0d67913fb437d379162a56e195f3735ab75ce79a0732f4a7923821a5a117dd77f3b1461410f47d104e3bbc5d86814883108160d48 |
memory/2972-116-0x00000000054C0000-0x00000000054EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
| MD5 | 17220f65bd242b6a491423d5bb7940c1 |
| SHA1 | a33fabf2b788e80f0f7f84524fe3ed9b797be7ad |
| SHA256 | 23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f |
| SHA512 | bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
| MD5 | db75d07167741678265d301bc250bec9 |
| SHA1 | e945b742e5e93b023775f48b88c7786596a11320 |
| SHA256 | 9b419053525c5dc9112a8adbae44a57b3c96c433552b75744720b15e96135755 |
| SHA512 | 3ba22d5c8c157c59ac9684525732395f6eac50f0ca3b3d25ae8df9b5b41e13fccce4275904c12ec0ed993da76866a32d8dbdc171666af83d14616617c58dcc4e |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
| MD5 | de83a7d048875950920bc9149f4b2300 |
| SHA1 | 69fec554657dc8889a5e29fb4b5e808bcc0060d2 |
| SHA256 | d1d59374143af78198aaab08e0ad6530afc18fb286a5e579351e5d9421bc6ef5 |
| SHA512 | c6058ae6474d4c046009a9687a4596a59c3c9e31e77e12bae041bbdd5b61efdff0716254b93e391ef70f8cbeaa517e4422a9c4baa39c67f6e6d34dba71dc6aa1 |
memory/2972-126-0x0000000005450000-0x000000000546D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
| MD5 | 6a11c2ea83deac7e053d932ce8e9ad81 |
| SHA1 | 390f410d5bcab072b9f610a1a63b92cab398df24 |
| SHA256 | 227e55e4c8ee45012e7171657ed20f466585347cec74f66d0b62e6ee268acc8d |
| SHA512 | f8cfdee9824f3c189847b52057849edd2899a1ef187b21075129cda4b33382a6280460c8876d6c98a4b45455b97b6eebf83b6adbfc44b4afccd8b3779967b83f |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
| MD5 | 257d12117eba0a6a26af45bc1e2a445d |
| SHA1 | 41863227c6e96af482f4524fdf4ea3e6f658cd3a |
| SHA256 | ce27da294a9d7c28fc47b57510d89303d1ae452cec155717bb4c9d08202af1ac |
| SHA512 | c608be2bd056069cf42cb9e7b2f96309cf9772830b57d7aefea9cf1d0dfa6364cfcd96269c9f3812b285cc8b5577cc0bf3cfd7b306025032765cfc43a9ec99c4 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
| MD5 | dbd743727af4c5c6588a431692639858 |
| SHA1 | a60087f2887e2afc9a1a1f2c573e5292d35cc92f |
| SHA256 | b0d3ca1ff294e0ca2b2a51e7b3042103acc0bdafb940b7e5660847331a8889c0 |
| SHA512 | f285ff5387e934a9523513e8d1f221bc4007c5bb89d8eb61772b5764fb62df692a942202736c6729394ddd842a64124c57a60fcbc6d32a0a7d8928cad25f14a2 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
memory/2972-142-0x0000000005B30000-0x0000000005B42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
| MD5 | b1be54996132ef6f967e82c06197f2ed |
| SHA1 | b102128191b3238a23c918642ef9437d27187cb7 |
| SHA256 | 0d6423642c1b006729319fbdb75c7323771e2b28f70ba1e424a14216d2cda6ef |
| SHA512 | 1a89dd10ff33843db4613d2df57d389b2f731d700709724e7a99126c5257f9b99ad31ecbaa9ad25c150756f8b9d210caed45bb1014b39f52e9882a5b6b5c7607 |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
| MD5 | eb7602bd3f0e545b5a2d78ffcf1e73b8 |
| SHA1 | 5102dfe9bcaaddb99c8f022e5cee5e1181153ef1 |
| SHA256 | 92130dc84be8f3475978942d53dc9497b97adca613c4f7ff0a717bd7ccad65e8 |
| SHA512 | 772b891a7deb5e94b47d4bc6f6b264d6590b0264a02d679d6b66106c69e0b3b065c5f64e2e4ceff183a22a5270edbbcc474a93ae8d33f5f4ccdb3f7557b023e4 |
memory/2972-190-0x0000000006220000-0x00000000062AC000-memory.dmp
memory/2972-195-0x0000000005820000-0x000000000582A000-memory.dmp
memory/2972-196-0x0000000006190000-0x00000000061B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
| MD5 | 0cfb383baf9569e66e6c38a4fd41384f |
| SHA1 | f4ae1bec3ddf3a8efffe9d0a0e4b557d476aec72 |
| SHA256 | 5267db5cbf42bdcc8542f66533ecf4bfb812ae3a2e3c118636a8647b3dc839d4 |
| SHA512 | a1cadb2771dfb9c7d393085246b29ae030af21cdd3bb55a5ed9ff562c36a76b756a13934f4124ae424e791a6027b9bffdb31953010b503aed1861d28c71dc9d9 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
| MD5 | 7e771fef9aae0871aced76c5c93034ca |
| SHA1 | 96b2e2eabc8485bbfdce5ffd076b538a627966ae |
| SHA256 | 8f03f2b936bc0637133288b37f5884fb59b941efb9c57c8b1590c884b6125204 |
| SHA512 | e32d984bf854c0b1e4722b634a498d08a6277f65bca95078036b0cdb557a36c29e10f780277f07a5347f19a9f98ade3a0ba82ce9ee3e6da9895fbb6a5a8f2d21 |
memory/2972-197-0x0000000006610000-0x0000000006964000-memory.dmp
memory/2972-203-0x0000000006B00000-0x0000000006B0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
| MD5 | f781057df8df96f93222e24613e1e645 |
| SHA1 | e7d4b4bd594b7305ab2d5431aa5460a0abfefde1 |
| SHA256 | 39f81af8ddb6d3fbd51bc0d3b92968b397e9a98a6d55ded3230591db1e8291a5 |
| SHA512 | fc179bc7d814cc99666547e729bb9e1bccc92ea80888e236e6ecd7793afb0f67eef398e31d5ee4e51c60eea5340233f11881bbdd0aff8f320eff53bf0939fe85 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
| MD5 | 772c043902426f9bb4780c4716cbaf03 |
| SHA1 | a7eff14f9ad065609c0842ed2bc6e333a9d4b82f |
| SHA256 | 5b5d4f6f588532d884e03acbbb48e729c8ada8803f2b0e29388909b20346ab56 |
| SHA512 | 2e612343661203806c43d8bf650f2a76c0bd278af4ef3767d8fd47c278f4c6f14e3da335152bb4c55d73d0dc71dee576fd3c5ba132c0f693384a43c261ae2e4c |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
| MD5 | 554c3e1d68c8b5d04ca7a2264ca44e71 |
| SHA1 | ef749e325f52179e6875e9b2dd397bee2ca41bb4 |
| SHA256 | 1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e |
| SHA512 | 58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6 |
memory/2972-206-0x00000000070E0000-0x0000000007684000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
| MD5 | 2a08f11b578e6995ff8b35992b661ea0 |
| SHA1 | 1ac20b29755e2cd4d8902a4478ab79cb34f126bf |
| SHA256 | c9cfd803197bedb663bf51eae8ceb3aefd26898c0a2ebbbdc733c29eb8b8d24e |
| SHA512 | 68a4b9773c91b9e0a8e28357d7b45afeb524d783f5032fee8bc52f5c1e67b083383d2344a602fe9ec723967aa40729e40e0c168eea6c0172af0e45eb59060575 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
| MD5 | e5dbecfeba0cfe14496c44c580ffcae5 |
| SHA1 | f41ed0a3e5bf0a390cc940429656819677cba4dc |
| SHA256 | 8ecb79447650e904cd33ae5c7a5ebab51848efb5b1dc3b3b9ef7a5bd383a73e8 |
| SHA512 | a1320e933488fa06eef2fee470a18ec3e78532f4ef7e3e4b9e72a6f1af7736ac75157185d1dfd378010282fbafa10a662ffa3c4d877b717495603d1033f832d0 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
| MD5 | 082ffec21dad9484e3a3d5efed8aa24e |
| SHA1 | e7d403e1cf18e45d57c606da87196cd68d4eb5ff |
| SHA256 | eb94818d4fec567aa0844d4aa1509491d709851d93bbe9b0df7285c0d359bffe |
| SHA512 | 9501837e0f2a201c2f4e00e9deda3b2ea71f7d4f3e09536df25a677898ccd29b5bcb146870e210dde5a0937815e7467261554ceeddf98313c3d01156e33f807a |
memory/2972-212-0x0000000007C50000-0x0000000008204000-memory.dmp
memory/2972-216-0x0000000006D60000-0x0000000006DF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll
| MD5 | 96fd2afe4e38b3144cc7b9662fe68458 |
| SHA1 | fd0a40599cd5c8f69c4d9cf10cf663bdd276314f |
| SHA256 | c1b64b36e0713f8154ab0590022541e683913d4135db3803dabba08b0364fa1a |
| SHA512 | cecee7491defbde7b3193b086305a26c723299514c91ba55bfd95e7b5b5668821bd051968015a14b699b9ccd68d5f1def6ff1d748f422643351b15e81eda3526 |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
| MD5 | 15f334bd0bd63dc3e84d1bcaa96be4ad |
| SHA1 | 77aae99fafdd701907936e6b05afd9e605482059 |
| SHA256 | c4607a917b7f3263e1b9c79ce7054a5df25f43e05c00fbb863c48d9e30611802 |
| SHA512 | 1960bdff6a970d0e338487971949aa9cc1397b8bb1032a050904b3cea4e564731f19804e217b74551c5ba20124c5dca34088ff69f6745fa0c76282d7cae574d0 |
memory/2972-243-0x0000000006AA0000-0x0000000006ACE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
| MD5 | 61fa438eed4b11ac2f5be9a08fad9330 |
| SHA1 | 9422561d95687aa5129cb7a9caa44dbdb51efc51 |
| SHA256 | 3bb1a3f90e958a6633d2616ddfb27a3c3e3459734b7422d7c2d93fbc847b1325 |
| SHA512 | 13050c8abe7f7ad63c0dc55b62726b0a9e9f23b93de70d0a96a9ff6d26647f54e5d331c352f9ba1b7034aa94c5236d98dfa872a9acbf5bcd9a2dca155a22f55c |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
| MD5 | 1c9b6d1e0f09ab0912a405db0487deef |
| SHA1 | c5f7da40f96bd09f39b13133769d9576b9374768 |
| SHA256 | c6f792e96aded1ae099b1bf8c29c23071796e54022a8ace5e591d34b894a7d8e |
| SHA512 | a67845effe344aec293b5de81a62d59287a2adeaf3f0f754dddf9eee09713a802a0df90a4665f18c51c782d92cb6612413c2e158f9222f0675e2185f3c7eb9ff |
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html
| MD5 | 9ba0a91b564e22c876e58a8a5921b528 |
| SHA1 | 8eb23cab5effc0d0df63120a4dbad3cffcac6f1e |
| SHA256 | 2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941 |
| SHA512 | 38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9 |
memory/2972-263-0x00000000719C0000-0x0000000072170000-memory.dmp
memory/2972-266-0x0000000005350000-0x0000000005360000-memory.dmp
C:\Users\Admin\AppData\Local\setup65518065.exe
| MD5 | d7e98ab75647387bbf389a0297cc0145 |
| SHA1 | c85cf8ce420cdffe248cf097f7813cb135d9ce79 |
| SHA256 | c9359b0b83a2f471a7967f946e0ab423502d8c7cc92a464f4a9670a5ab66f99f |
| SHA512 | 731e2831bdc2916ceccd440f42966cee4d9801e0d6585efc43c5976d2aaf6e06f28bfdb4a89b63945fc5511e0b188c6ddf389c2e6b361321abfcee4231818114 |
memory/3736-268-0x00000000719C0000-0x0000000072170000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_1hem3jux35iv1vzfopbi55gu03hcnxpl\7.14.2.0\user.config
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:21
Reported
2024-01-07 19:24
Platform
win7-20231215-en
Max time kernel
0s
Max time network
149s
Command Line
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe
"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"
C:\Users\Admin\AppData\Local\setup65518065.exe
C:\Users\Admin\AppData\Local\setup65518065.exe hhwnd=459042 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-L18kY
C:\Users\Admin\AppData\Local\setup65518065.exe
C:\Users\Admin\AppData\Local\setup65518065.exe hready
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
C:\Windows\SysWOW64\find.exe
find /I "832"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 832" /fo csv
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\find.exe
find /I "2692"
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 2692" /fo csv
C:\Windows\SysWOW64\find.exe
find /I "2692"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 2692" /fo csv
Network
Files