Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x241ascchn
Target Mesh Method_65518065.exe
SHA256 be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549
Tags
discovery
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

be5357f63b036da79d198978cbc5b652ea02b1ccfcb1538352442cdc7f4d5549

Threat Level: Likely benign

The file Mesh Method_65518065.exe was found to be: Likely benign.

Malicious Activity Summary

discovery

Loads dropped DLL

Checks installed software on the system

Executes dropped EXE

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:22

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win10v2004-20231215-en

Max time kernel

47s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"

Signatures

Checks installed software on the system

discovery

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\setup65518065.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe

"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"

C:\Users\Admin\AppData\Local\setup65518065.exe

C:\Users\Admin\AppData\Local\setup65518065.exe hhwnd=459086 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-L18kY

C:\Users\Admin\AppData\Local\setup65518065.exe

C:\Users\Admin\AppData\Local\setup65518065.exe hready

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""

C:\Windows\SysWOW64\find.exe

find /I "2972"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "PID eq 2972" /fo csv

C:\Windows\SysWOW64\timeout.exe

timeout 5

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 www.dlsft.com udp
US 35.190.60.70:443 www.dlsft.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 70.60.190.35.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 dlsft.com udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 247.12.222.173.in-addr.arpa udp
US 35.190.60.70:443 dlsft.com tcp
US 35.190.60.70:443 dlsft.com tcp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 filedm.com udp
US 172.67.195.231:443 filedm.com tcp
US 8.8.8.8:53 231.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 flow.lavasoft.com udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 sos.adaware.com udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 104.17.9.52:443 flow.lavasoft.com tcp
US 8.8.8.8:53 52.9.17.104.in-addr.arpa udp
US 104.18.67.73:443 sos.adaware.com tcp
US 8.8.8.8:53 73.67.18.104.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 download.enigmasoftware.com udp
US 18.172.89.87:443 download.enigmasoftware.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 spyhunter-download-v2.b-cdn.net udp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
US 104.18.67.73:443 sos.adaware.com tcp
US 8.8.8.8:53 87.89.172.18.in-addr.arpa udp
US 8.8.8.8:53 136.38.244.143.in-addr.arpa udp
CA 198.72.111.246:443 tcp
US 8.8.8.8:53 246.111.72.198.in-addr.arpa udp
US 8.8.8.8:53 www.freevpn.win udp
US 172.67.141.75:443 www.freevpn.win tcp
US 8.8.8.8:53 75.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 35.190.60.70:443 dlsft.com tcp
US 8.8.8.8:53 www.ovardu.com udp
US 104.21.96.72:443 www.ovardu.com tcp
US 8.8.8.8:53 72.96.21.104.in-addr.arpa udp
US 104.17.9.52:443 flow.lavasoft.com tcp
US 18.172.89.87:443 download.enigmasoftware.com tcp
GB 54.230.10.4:443 tcp
NL 185.26.182.112:443 tcp
US 8.8.8.8:53 spyhunter-download-v2.b-cdn.net udp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
NL 185.26.182.112:443 tcp
GB 54.230.10.4:443 tcp
GB 54.230.10.4:443 tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 54.230.10.4:443 tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 54.230.10.4:443 tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 54.230.10.4:443 tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
GB 54.230.10.4:443 tcp
GB 54.230.10.4:443 tcp

Files

C:\Users\Admin\AppData\Local\setup65518065.exe

MD5 0a3df39d9bcd4ab0ec95c3d3796cbc55
SHA1 af8cd2d12cc544f042377848e7854feb363b21fd
SHA256 67add29ed16851c4ad2b25c5930d0ee34751c7ee391f897a468aeab2aa4d5777
SHA512 1e3f60916544cfa7409f3a645c99145a0ff7f9330ad9a553382b5b927e54593e88f6ce7a1fbe02f2ee8fc4ca41159736634338a94a1d300d15b9d286d199030d

C:\Users\Admin\AppData\Local\setup65518065.exe

MD5 fa1a89eb046686f261ef2b6af004fbe6
SHA1 0922d2a49737cc503ff2164c1b973bc6f420d3b9
SHA256 e13e73830b2dd2904d4942c95dd89fc9b10b26a6aa236773a397663feb4ce8b0
SHA512 ab13720115d9ffeb66ac9002b6123e8b03e49c1dd11aae10b3615315fd81048c7467627f050e2445cc93d56ad75d19f1e9c57a14531a4ff5eaf167dc17d6beb8

memory/2972-16-0x00000000719C0000-0x0000000072170000-memory.dmp

memory/2972-15-0x00000000004A0000-0x0000000000878000-memory.dmp

memory/2972-17-0x0000000005350000-0x0000000005360000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

MD5 49e196d29e391aa3af6ba9422a7e5409
SHA1 dd8dcd08ac83c145a29cc32315d745a9a3ee36ec
SHA256 0d866ba9f56fe4c77e2f4dabb45db7f1b3f6dbef3b3b6cbfaf060ff2dd6ac2a9
SHA512 2ed215506f0af4e97e9f6044cc0843e24b435cb0cf1e2f9ba1cfa9e51f35871437a83b511ee6af2e8bd5d9af171f7424f65c0db6c0fb938a1d98fa54793a5e1f

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

MD5 6ec6cb03851c63ddb662d353e24f4735
SHA1 9322bbe75c2f31e8fd3042a623234e7f9f0e5b7e
SHA256 2d38ed8dc80b610e8f6552f94873db1377f123544e9cc563b0d27c5449cece38
SHA512 9525ded921a15ef1f5f6ebcdc3da357ce7cc6c89c687822953727879e85e2c90a4335d84f2aacb9cdf3e9c269b0e88ffdb3bf2abcda3a98527fae69caea00d9e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

MD5 ee095d72b4a2536d07dffc1e3ed8dc6f
SHA1 f168f9088ef3d29b36ce36a8aae0d8318eb41acb
SHA256 a0b0fc614bd600fb45e9fdbc0efade6792e4c040cc8ce537239bf442af58d551
SHA512 3e72ab9d3232ebaada9d0493d8d6f665f7bf1a3ef3662e8cd4422c0b7b35685b4ed45c8f18ad38cbbed1f5d8cc1e953810a46dc5f4e3e5bfbc9f53868af8560f

memory/2972-36-0x0000000005220000-0x0000000005234000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

MD5 6e001f8d0ee4f09a6673a9e8168836b6
SHA1 334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38
SHA256 6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859
SHA512 0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

MD5 2481fe31193e6163ed7f47fea2805c52
SHA1 8e01df9c05f2f8a37232df1a37a2bafbfcd181da
SHA256 c144469a07a3398c9e72a9abebf94ff79d2905e0f128a8ab123053c6fc2133de
SHA512 079cb4e27e912580e918d44086e605403c131f7389efaee62585d549a9534e86e50d09e50dee07d9c347cddb2d1623a70f89fb3464c292a7a469184cbdd8646e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

MD5 1b92388a3cc6b754ef498f0b9278e010
SHA1 ea9c8a2778153a8108bd7b7587ce746b10a4fad1
SHA256 8c4bfdd2275087800b3a729ec6c03aa7aa82f66e28fd5072e90e5377b8fc4e5d
SHA512 41da7fc1a5ec512fdef3056ea9dcd0b6a0d7f220e56e6aa659315dd1278fd2a3174a8800c1356c37bae99bbfe7f26e2df804633c845c17c4ec64f1b0c5b551ab

memory/2972-44-0x0000000005270000-0x0000000005294000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

MD5 50396b98954f64b334f3e6c6fc0920d7
SHA1 42b8eb25f1bca67077c49168866319b98087439d
SHA256 35bd7e29ab8b145f7f37dc8ce4097e6ef446df53a10ccc27413db2376991abd1
SHA512 c8ce9ada8ff2682219db63e0ab82a809338b637b5e487a92973134ff6292089cb57c9db157354e8900120fb9e253e78353e2666a3ec60d2c200c7db019a0bbcb

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

MD5 105a9e404f7ac841c46380063cc27f50
SHA1 ec27d9e1c3b546848324096283797a8644516ee3
SHA256 69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b
SHA512 6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

memory/2972-52-0x00000000052A0000-0x00000000052C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

MD5 87ca403d58de76ab6dc43cf29aaa5404
SHA1 074779ef5b2d45b48048fe959c0a947bf4a36abe
SHA256 8a67c13cf872c97a19921e7fc851ebccd7ef80b434a60bfc61423c2dac101874
SHA512 11b51f5f7f2c8308dc9b656ea65d04fddcb5ab3c5d63191da850ed5d0b67dd1a1439548e3f73e8f0ae94451b76298f0ae61dde027a3503df951539f25f69df09

memory/2972-60-0x00000000052D0000-0x00000000052FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

MD5 8858e16374a28c0ffa8dd8952984e860
SHA1 719670f1c0fbb283b9faa2e7912fd36035936f7f
SHA256 80b6535c8933f1f37920943a5c0802b90de3af6aa49491ee89c4b551399b9acc
SHA512 76e525af7c93747d8e7cdf36d77bdb13789972d3e8348f9fbf462d3182aad0038ed37223aca51ebd15dff047e47cc3ee73bd44d4a7e5e06cf09dec3709418131

memory/2972-68-0x0000000005360000-0x0000000005388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

MD5 90fc7d451885b21787cfa3afb3bf5f85
SHA1 317e5ff28d9e66d8509c716ba4a93dff0fe690a8
SHA256 85a94c958f8159071053f52f6658e7f4df35ccf712f222bc924862869d8c244c
SHA512 7988bdc60bac7f7284b2f90790093114b8ca7cded885f690e6f117956ae932cdcdd18588273d40e0cb4e4cfac54ebea6e4b8a317799dd9fb2bbfc5c9ce33e71e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

MD5 9e3659a329dc8649359e3bee43bd045f
SHA1 9d406f68737862c401a4ff08bae0e5bb05c8e7b7
SHA256 1905c92c7dd40e54d59cdfb5f29bdc04059c1c199042c93ff862766320ae45ea
SHA512 3e0b9dbd35bc51188fe2e3736e32a2bc26a93ff2663bd97df6c17cce7e089d3bf8c026ac31611da1ac87cbaec4392e18305634762cb3972012a2e4b3147b1267

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

MD5 889de7a517f76ddc65b12d6f7b0e550b
SHA1 6dbbde92dca67c8cbf5a189686bf4f9c708437d8
SHA256 d050a865ceae1af56054a2b336d3f467d90cc8d20629e5b7d5e76980aa878979
SHA512 133a641795bd15a13f0572bc5c750ad58cc7eb837f90ce0883bb7184b056e14dec69cd7cb8a6b31a3703f2b842c9973e4dc45d219c398de94274c64326d23d0a

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

MD5 7e286c5003a49e3847449f1eacfd5ede
SHA1 1af3bd6cd35e56f9a46391c1b337c7bc8ebe882c
SHA256 bb34c7c0391e2e43707eba42c2e0048396cf5d10e0d20033694e32cd1ed454b4
SHA512 929182eb818201db93a1007caa5aa52be1f95cb016a778c340a10ef557cb434a02d3eb1c313160193bd32d40e74ee1122eaf1daf3010ea59ff634b2e28c08b29

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

MD5 7beca33acb160111a6653ac3611132dc
SHA1 674016621db7e865689ea1ee258548e87c0dea72
SHA256 58488788e7684deae5b7e89d244dae966c6b5db4da36e3d2ae32360b6c88a5c9
SHA512 5170e5a87095959480fd8751bdca6a1621df0f7a63eee3ae8d5b2d49631e20a5577974bff0ad15b95bd48dfa53ac333872b8b38eb10554389bac0b2a76388a68

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

MD5 8756972db85264026951d3291c23b3c6
SHA1 f54ea03989d7e33da856c42946cdd325e71a9fa5
SHA256 1a166c6697c2c8628b3175fa7ff502c2cc99fd84d38271612c96eb87de858748
SHA512 bd008e73246f12d18cc3cc5afe37d5f435cc0cd118196e3628ebc205fb0e7a26d2322373b6f49e61a469b3e6c09b74b94a965205b3f27b3dabe1552f4862e803

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

MD5 0245269175581417b77128d8eea28531
SHA1 a74e8a9660af76cf374efbea23fcb6ee354a4773
SHA256 7a1e611e5a94f6e85c3ead4f16a964113b2abe2b96fecc71f8f6fb6a6d15ae6d
SHA512 13f37c5765621d78bcbf7bddea6a1670419e6940b395007bd248859d7e122e627a3ee0201c89b66bffafa2e4869006b7a1f29e37d54c243681ba34b4adf6b00e

memory/2972-76-0x0000000005390000-0x00000000053C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

MD5 c06ac6dcfa7780cd781fc9af269e33c0
SHA1 f6b69337b369df50427f6d5968eb75b6283c199d
SHA256 b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d
SHA512 ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

memory/2972-84-0x0000000005330000-0x000000000534A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

MD5 a11ceed4e75332388b62ad2bed7fb297
SHA1 c0e513d0714ee77d83cb7a33ceca4e09b76baa25
SHA256 2d4b31818ee5b48288c5eedef38e07eb0c99e363c193ca31055c3d5c4f279842
SHA512 2bb22706d78c520cca0c879ac18c677a46e443fa7913ea527480bc50acdec14ca3263a7926e0a94683208c23121f244f92a3e7006f44bf5bd626d816d8aa515e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

MD5 944192ef7ba64eed01c5359aa0336c34
SHA1 d79ed5c1c7bf42c431be9b7e8f367f190d7db7a0
SHA256 b77a650311ccb3ae670668f8ec9407a430aca77eddd8abe8cc2d39bdfe96a60e
SHA512 aaab0f32bfb4fc231bcb6a86483b536a4b49b5dbdb8fa162956821a5f5d34d0f65411f5dea5c4489dcd0d87e3d97665fa29ee2b4b11a3fd38e074a3b54652cb6

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

MD5 f8c64d3b64cd2ec9c88e74d2681eccbb
SHA1 2e47e28dacd7dd776d12264ce0c2b161cf48fa12
SHA256 0c50560a9e8809d5b4824f4661d2aab389b9360628ae43f79c89059844481f85
SHA512 603784dc1f92ee90bba9e754284c498575e72f78c46da8fc8be1b2d1f95b0ce280874c9a842d3f749e83b96adedee6526a37817e120248025ef4d9bc05570a0a

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

MD5 9b4b7e90a8a748c29d0b88206ad5ea4c
SHA1 f07dcc9d4a938d775e671ed82a7073ecf6f6541b
SHA256 52e219c7cf12ed502ddba034dad0d84eac9b575310d8249c1d0740bd1688c434
SHA512 6dc52897600367547fcc665d64fd160bea4d0f837e15062a2f512345bcbf17d0d124b29846d3272196a8b3a0f60573abea4b45ca3c068728d4e9c2c9b847fd90

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

MD5 f1023ba3d66605b521e7808d827db589
SHA1 93c6c813988f6e193e1dce4e6695496e5d12b985
SHA256 a28ee82cf924add5dacf1df1451c2e0f3bc7dd1d3080138b35aa78b7184c1a90
SHA512 eeedad47c52428f8493f5bea04a88e554e66add2ec11b70cf9168755940dbd4742907217c198139e171d11c8824637ac945803b89eb20fb27bfe9dbd4973dad3

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

MD5 21501415578633b0292d2bed75ee05c9
SHA1 2500da335e158085965cd5d37a36ca822cd6f569
SHA256 8c7c7c5d1f4a37148aa6a7caed5a26f4aa9e87a34335375dbd2e9c075bb2ba34
SHA512 09e1c67ace87b16f39d9b87969d683725605b41c37b1b4699a137b8e749cf015ad7e7f43470023f6239d848682bc9fd67d534655defc8cd465f1bae40a01df4a

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

MD5 422be1a0c08185b107050fcf32f8fa40
SHA1 c8746a8dad7b4bf18380207b0c7c848362567a92
SHA256 723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528
SHA512 dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

memory/2972-100-0x00000000053E0000-0x00000000053EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

MD5 c709046a5629cf84eb949c41253d41fb
SHA1 3c6c191a28ed7c46fab436307d983894ba1ec218
SHA256 33b281f83c76b6990f89dc6a91a5f28fded33b2d96c818cfb304362c5bf61cfc
SHA512 3e315a4394be9d9cd0eb6bb88c8d230887c38c876c8f724f4ad37b3046f2c65353089292292eafea35d6e0de9ff3ee314510d781fc227d8e0eef1cea9aecb3d5

memory/2972-92-0x0000000005400000-0x0000000005424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

MD5 be4c2b0862d2fc399c393fca163094df
SHA1 7c03c84b2871c27fa0f1914825e504a090c2a550
SHA256 c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a
SHA512 d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

memory/2972-108-0x0000000005470000-0x0000000005478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

MD5 2a656444de7a61e8f8f4df8f4a404286
SHA1 f24bef0bd265049a6a5dc2ae3c5dc295781a2e51
SHA256 0790473d1e5da18cf9bf939b3d411dae9424fa9610012d66f5ac97d8c4a0be67
SHA512 0fe2a789d6cec7b9661837d0d67913fb437d379162a56e195f3735ab75ce79a0732f4a7923821a5a117dd77f3b1461410f47d104e3bbc5d86814883108160d48

memory/2972-116-0x00000000054C0000-0x00000000054EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

MD5 17220f65bd242b6a491423d5bb7940c1
SHA1 a33fabf2b788e80f0f7f84524fe3ed9b797be7ad
SHA256 23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f
SHA512 bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

MD5 db75d07167741678265d301bc250bec9
SHA1 e945b742e5e93b023775f48b88c7786596a11320
SHA256 9b419053525c5dc9112a8adbae44a57b3c96c433552b75744720b15e96135755
SHA512 3ba22d5c8c157c59ac9684525732395f6eac50f0ca3b3d25ae8df9b5b41e13fccce4275904c12ec0ed993da76866a32d8dbdc171666af83d14616617c58dcc4e

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

MD5 de83a7d048875950920bc9149f4b2300
SHA1 69fec554657dc8889a5e29fb4b5e808bcc0060d2
SHA256 d1d59374143af78198aaab08e0ad6530afc18fb286a5e579351e5d9421bc6ef5
SHA512 c6058ae6474d4c046009a9687a4596a59c3c9e31e77e12bae041bbdd5b61efdff0716254b93e391ef70f8cbeaa517e4422a9c4baa39c67f6e6d34dba71dc6aa1

memory/2972-126-0x0000000005450000-0x000000000546D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

MD5 6a11c2ea83deac7e053d932ce8e9ad81
SHA1 390f410d5bcab072b9f610a1a63b92cab398df24
SHA256 227e55e4c8ee45012e7171657ed20f466585347cec74f66d0b62e6ee268acc8d
SHA512 f8cfdee9824f3c189847b52057849edd2899a1ef187b21075129cda4b33382a6280460c8876d6c98a4b45455b97b6eebf83b6adbfc44b4afccd8b3779967b83f

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

MD5 257d12117eba0a6a26af45bc1e2a445d
SHA1 41863227c6e96af482f4524fdf4ea3e6f658cd3a
SHA256 ce27da294a9d7c28fc47b57510d89303d1ae452cec155717bb4c9d08202af1ac
SHA512 c608be2bd056069cf42cb9e7b2f96309cf9772830b57d7aefea9cf1d0dfa6364cfcd96269c9f3812b285cc8b5577cc0bf3cfd7b306025032765cfc43a9ec99c4

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

MD5 dbd743727af4c5c6588a431692639858
SHA1 a60087f2887e2afc9a1a1f2c573e5292d35cc92f
SHA256 b0d3ca1ff294e0ca2b2a51e7b3042103acc0bdafb940b7e5660847331a8889c0
SHA512 f285ff5387e934a9523513e8d1f221bc4007c5bb89d8eb61772b5764fb62df692a942202736c6729394ddd842a64124c57a60fcbc6d32a0a7d8928cad25f14a2

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

MD5 f931e960cc4ed0d2f392376525ff44db
SHA1 1895aaa8f5b8314d8a4c5938d1405775d3837109
SHA256 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870
SHA512 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

memory/2972-142-0x0000000005B30000-0x0000000005B42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

MD5 b1be54996132ef6f967e82c06197f2ed
SHA1 b102128191b3238a23c918642ef9437d27187cb7
SHA256 0d6423642c1b006729319fbdb75c7323771e2b28f70ba1e424a14216d2cda6ef
SHA512 1a89dd10ff33843db4613d2df57d389b2f731d700709724e7a99126c5257f9b99ad31ecbaa9ad25c150756f8b9d210caed45bb1014b39f52e9882a5b6b5c7607

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

MD5 eb7602bd3f0e545b5a2d78ffcf1e73b8
SHA1 5102dfe9bcaaddb99c8f022e5cee5e1181153ef1
SHA256 92130dc84be8f3475978942d53dc9497b97adca613c4f7ff0a717bd7ccad65e8
SHA512 772b891a7deb5e94b47d4bc6f6b264d6590b0264a02d679d6b66106c69e0b3b065c5f64e2e4ceff183a22a5270edbbcc474a93ae8d33f5f4ccdb3f7557b023e4

memory/2972-190-0x0000000006220000-0x00000000062AC000-memory.dmp

memory/2972-195-0x0000000005820000-0x000000000582A000-memory.dmp

memory/2972-196-0x0000000006190000-0x00000000061B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

MD5 0cfb383baf9569e66e6c38a4fd41384f
SHA1 f4ae1bec3ddf3a8efffe9d0a0e4b557d476aec72
SHA256 5267db5cbf42bdcc8542f66533ecf4bfb812ae3a2e3c118636a8647b3dc839d4
SHA512 a1cadb2771dfb9c7d393085246b29ae030af21cdd3bb55a5ed9ff562c36a76b756a13934f4124ae424e791a6027b9bffdb31953010b503aed1861d28c71dc9d9

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

MD5 7e771fef9aae0871aced76c5c93034ca
SHA1 96b2e2eabc8485bbfdce5ffd076b538a627966ae
SHA256 8f03f2b936bc0637133288b37f5884fb59b941efb9c57c8b1590c884b6125204
SHA512 e32d984bf854c0b1e4722b634a498d08a6277f65bca95078036b0cdb557a36c29e10f780277f07a5347f19a9f98ade3a0ba82ce9ee3e6da9895fbb6a5a8f2d21

memory/2972-197-0x0000000006610000-0x0000000006964000-memory.dmp

memory/2972-203-0x0000000006B00000-0x0000000006B0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

MD5 f781057df8df96f93222e24613e1e645
SHA1 e7d4b4bd594b7305ab2d5431aa5460a0abfefde1
SHA256 39f81af8ddb6d3fbd51bc0d3b92968b397e9a98a6d55ded3230591db1e8291a5
SHA512 fc179bc7d814cc99666547e729bb9e1bccc92ea80888e236e6ecd7793afb0f67eef398e31d5ee4e51c60eea5340233f11881bbdd0aff8f320eff53bf0939fe85

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

MD5 772c043902426f9bb4780c4716cbaf03
SHA1 a7eff14f9ad065609c0842ed2bc6e333a9d4b82f
SHA256 5b5d4f6f588532d884e03acbbb48e729c8ada8803f2b0e29388909b20346ab56
SHA512 2e612343661203806c43d8bf650f2a76c0bd278af4ef3767d8fd47c278f4c6f14e3da335152bb4c55d73d0dc71dee576fd3c5ba132c0f693384a43c261ae2e4c

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

MD5 554c3e1d68c8b5d04ca7a2264ca44e71
SHA1 ef749e325f52179e6875e9b2dd397bee2ca41bb4
SHA256 1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e
SHA512 58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

memory/2972-206-0x00000000070E0000-0x0000000007684000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

MD5 2a08f11b578e6995ff8b35992b661ea0
SHA1 1ac20b29755e2cd4d8902a4478ab79cb34f126bf
SHA256 c9cfd803197bedb663bf51eae8ceb3aefd26898c0a2ebbbdc733c29eb8b8d24e
SHA512 68a4b9773c91b9e0a8e28357d7b45afeb524d783f5032fee8bc52f5c1e67b083383d2344a602fe9ec723967aa40729e40e0c168eea6c0172af0e45eb59060575

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

MD5 e5dbecfeba0cfe14496c44c580ffcae5
SHA1 f41ed0a3e5bf0a390cc940429656819677cba4dc
SHA256 8ecb79447650e904cd33ae5c7a5ebab51848efb5b1dc3b3b9ef7a5bd383a73e8
SHA512 a1320e933488fa06eef2fee470a18ec3e78532f4ef7e3e4b9e72a6f1af7736ac75157185d1dfd378010282fbafa10a662ffa3c4d877b717495603d1033f832d0

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

MD5 082ffec21dad9484e3a3d5efed8aa24e
SHA1 e7d403e1cf18e45d57c606da87196cd68d4eb5ff
SHA256 eb94818d4fec567aa0844d4aa1509491d709851d93bbe9b0df7285c0d359bffe
SHA512 9501837e0f2a201c2f4e00e9deda3b2ea71f7d4f3e09536df25a677898ccd29b5bcb146870e210dde5a0937815e7467261554ceeddf98313c3d01156e33f807a

memory/2972-212-0x0000000007C50000-0x0000000008204000-memory.dmp

memory/2972-216-0x0000000006D60000-0x0000000006DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

MD5 96fd2afe4e38b3144cc7b9662fe68458
SHA1 fd0a40599cd5c8f69c4d9cf10cf663bdd276314f
SHA256 c1b64b36e0713f8154ab0590022541e683913d4135db3803dabba08b0364fa1a
SHA512 cecee7491defbde7b3193b086305a26c723299514c91ba55bfd95e7b5b5668821bd051968015a14b699b9ccd68d5f1def6ff1d748f422643351b15e81eda3526

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

MD5 15f334bd0bd63dc3e84d1bcaa96be4ad
SHA1 77aae99fafdd701907936e6b05afd9e605482059
SHA256 c4607a917b7f3263e1b9c79ce7054a5df25f43e05c00fbb863c48d9e30611802
SHA512 1960bdff6a970d0e338487971949aa9cc1397b8bb1032a050904b3cea4e564731f19804e217b74551c5ba20124c5dca34088ff69f6745fa0c76282d7cae574d0

memory/2972-243-0x0000000006AA0000-0x0000000006ACE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

MD5 61fa438eed4b11ac2f5be9a08fad9330
SHA1 9422561d95687aa5129cb7a9caa44dbdb51efc51
SHA256 3bb1a3f90e958a6633d2616ddfb27a3c3e3459734b7422d7c2d93fbc847b1325
SHA512 13050c8abe7f7ad63c0dc55b62726b0a9e9f23b93de70d0a96a9ff6d26647f54e5d331c352f9ba1b7034aa94c5236d98dfa872a9acbf5bcd9a2dca155a22f55c

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

MD5 1c9b6d1e0f09ab0912a405db0487deef
SHA1 c5f7da40f96bd09f39b13133769d9576b9374768
SHA256 c6f792e96aded1ae099b1bf8c29c23071796e54022a8ace5e591d34b894a7d8e
SHA512 a67845effe344aec293b5de81a62d59287a2adeaf3f0f754dddf9eee09713a802a0df90a4665f18c51c782d92cb6612413c2e158f9222f0675e2185f3c7eb9ff

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

MD5 9ba0a91b564e22c876e58a8a5921b528
SHA1 8eb23cab5effc0d0df63120a4dbad3cffcac6f1e
SHA256 2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941
SHA512 38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

memory/2972-263-0x00000000719C0000-0x0000000072170000-memory.dmp

memory/2972-266-0x0000000005350000-0x0000000005360000-memory.dmp

C:\Users\Admin\AppData\Local\setup65518065.exe

MD5 d7e98ab75647387bbf389a0297cc0145
SHA1 c85cf8ce420cdffe248cf097f7813cb135d9ce79
SHA256 c9359b0b83a2f471a7967f946e0ab423502d8c7cc92a464f4a9670a5ab66f99f
SHA512 731e2831bdc2916ceccd440f42966cee4d9801e0d6585efc43c5976d2aaf6e06f28bfdb4a89b63945fc5511e0b188c6ddf389c2e6b361321abfcee4231818114

memory/3736-268-0x00000000719C0000-0x0000000072170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

MD5 72990c7e32ee6c811ea3d2ea64523234
SHA1 a7fcbf83ec6eefb2235d40f51d0d6172d364b822
SHA256 e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3
SHA512 2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

MD5 6df226bda27d26ce4523b80dbf57a9ea
SHA1 615f9aba84856026460dc54b581711dad63da469
SHA256 17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc
SHA512 988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

MD5 8db691813a26e7d0f1db5e2f4d0d05e3
SHA1 7c7a33553dd0b50b78bf0ca6974c77088da253eb
SHA256 3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701
SHA512 d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

MD5 b199dcd6824a02522a4d29a69ab65058
SHA1 f9c7f8c5c6543b80fa6f1940402430b37fa8dce4
SHA256 9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4
SHA512 1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

memory/3736-296-0x00000000719C0000-0x0000000072170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

MD5 08112f27dcd8f1d779231a7a3e944cb1
SHA1 39a98a95feb1b6295ad762e22aa47854f57c226f
SHA256 11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa
SHA512 afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

memory/3736-278-0x0000000003180000-0x0000000003190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

MD5 8ff1898897f3f4391803c7253366a87b
SHA1 9bdbeed8f75a892b6b630ef9e634667f4c620fa0
SHA256 51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad
SHA512 cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

MD5 1a84957b6e681fca057160cd04e26b27
SHA1 8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe
SHA256 9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5
SHA512 5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

MD5 bf5328e51e8ab1211c509b5a65ab9972
SHA1 480dfb920e926d81bce67113576781815fbd1ea4
SHA256 98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b
SHA512 92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

MD5 4003efa6e7d44e2cbd3d7486e2e0451a
SHA1 a2a9ab4a88cd4732647faa37bbdf726fd885ea1e
SHA256 effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508
SHA512 86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

MD5 cef027c3341afbcdb83c72080df7f002
SHA1 e538f1dd4aee8544d888a616a6ebe4aeecaf1661
SHA256 e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7
SHA512 71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

memory/976-320-0x00000000719C0000-0x0000000072170000-memory.dmp

memory/976-319-0x0000000000220000-0x000000000022C000-memory.dmp

memory/976-321-0x0000000004B30000-0x0000000004B40000-memory.dmp

memory/2972-324-0x00000000719C0000-0x0000000072170000-memory.dmp

C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_1hem3jux35iv1vzfopbi55gu03hcnxpl\7.14.2.0\user.config

MD5 f3da41e2f01ec12a28efa662df2fa963
SHA1 9760227f497132829ec34fffec6184969043bba1
SHA256 a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2
SHA512 ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

memory/976-336-0x0000000006840000-0x000000000684A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win7-20231215-en

Max time kernel

0s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"

Signatures

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe

"C:\Users\Admin\AppData\Local\Temp\Mesh Method_65518065.exe"

C:\Users\Admin\AppData\Local\setup65518065.exe

C:\Users\Admin\AppData\Local\setup65518065.exe hhwnd=459042 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-L18kY

C:\Users\Admin\AppData\Local\setup65518065.exe

C:\Users\Admin\AppData\Local\setup65518065.exe hready

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"

C:\Windows\SysWOW64\find.exe

find /I "832"

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "PID eq 832" /fo csv

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\find.exe

find /I "2692"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "PID eq 2692" /fo csv

C:\Windows\SysWOW64\find.exe

find /I "2692"

C:\Windows\SysWOW64\timeout.exe

timeout 1

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "PID eq 2692" /fo csv

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dlsft.com udp
US 35.190.60.70:443 www.dlsft.com tcp
US 8.8.8.8:53 dlsft.com udp
US 35.190.60.70:443 dlsft.com tcp
US 35.190.60.70:443 dlsft.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 flow.lavasoft.com udp
US 104.17.8.52:443 flow.lavasoft.com tcp
US 8.8.8.8:53 sos.adaware.com udp
US 104.18.68.73:443 sos.adaware.com tcp
US 8.8.8.8:53 filedm.com udp
US 172.67.195.231:443 filedm.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 104.18.68.73:443 sos.adaware.com tcp
US 8.8.8.8:53 package.avira.com udp
US 95.100.245.86:443 package.avira.com tcp
US 104.18.68.73:443 sos.adaware.com tcp
US 8.8.8.8:53 www.freevpn.win udp
US 188.114.96.2:443 www.freevpn.win tcp
US 8.8.8.8:53 download2021.pdf-suite.com udp
CA 198.72.111.246:443 download2021.pdf-suite.com tcp
CA 198.72.111.246:443 download2021.pdf-suite.com tcp
US 8.8.8.8:53 download.enigmasoftware.com udp
US 18.172.89.117:443 download.enigmasoftware.com tcp
US 8.8.8.8:53 spyhunter-download-v2.b-cdn.net udp
GB 143.244.38.136:443 spyhunter-download-v2.b-cdn.net tcp
US 8.8.8.8:53 webcompanion.com udp
US 104.18.212.25:80 webcompanion.com tcp
US 104.17.8.52:443 flow.lavasoft.com tcp
US 8.8.8.8:53 www.ovardu.com udp
US 35.190.60.70:443 dlsft.com tcp
US 35.190.60.70:443 dlsft.com tcp
US 172.67.174.4:443 www.ovardu.com tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:443 net.geo.opera.com tcp

Files

memory/832-27-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/832-26-0x0000000000CA0000-0x0000000001078000-memory.dmp

memory/832-47-0x0000000000470000-0x0000000000484000-memory.dmp

memory/832-139-0x0000000004BC0000-0x0000000004BDD000-memory.dmp

memory/832-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

memory/832-127-0x00000000047C0000-0x00000000047EC000-memory.dmp

memory/832-119-0x0000000004790000-0x0000000004798000-memory.dmp

memory/832-111-0x00000000044C0000-0x00000000044CA000-memory.dmp

memory/832-103-0x0000000004510000-0x0000000004534000-memory.dmp

memory/832-95-0x0000000000A80000-0x0000000000A9A000-memory.dmp

memory/832-87-0x0000000004480000-0x00000000044B2000-memory.dmp

memory/832-79-0x0000000000B50000-0x0000000000B78000-memory.dmp

memory/832-71-0x0000000000B20000-0x0000000000B4E000-memory.dmp

memory/832-63-0x0000000000A50000-0x0000000000A78000-memory.dmp

memory/832-55-0x0000000000A20000-0x0000000000A44000-memory.dmp

memory/832-30-0x0000000004D80000-0x0000000004DC0000-memory.dmp

memory/832-273-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

memory/832-266-0x00000000060B0000-0x000000000613C000-memory.dmp

memory/832-282-0x00000000055A0000-0x00000000055AC000-memory.dmp

memory/832-290-0x0000000007300000-0x00000000078B4000-memory.dmp

memory/832-317-0x0000000005620000-0x000000000564E000-memory.dmp

memory/2228-482-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/2228-480-0x00000000004E0000-0x0000000000520000-memory.dmp

memory/2228-466-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/832-520-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/832-521-0x0000000004D80000-0x0000000004DC0000-memory.dmp

memory/2692-740-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/2692-741-0x0000000004850000-0x0000000004890000-memory.dmp

memory/2692-739-0x00000000000E0000-0x00000000000EC000-memory.dmp

memory/832-751-0x0000000072BB0000-0x000000007329E000-memory.dmp

memory/2692-759-0x0000000072BB0000-0x000000007329E000-memory.dmp