Malware Analysis Report

2024-10-23 17:14

Sample ID 240109-xa85yafher
Target ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe
SHA256 7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
Tags
cryptbot persistence spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8

Threat Level: Known bad

The file ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot persistence spyware stealer discovery

CryptBot

CryptBot payload

Manipulates Digital Signatures

Reads user/profile data of web browsers

Executes dropped EXE

Reads data files stored by FTP clients

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-09 18:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 18:40

Reported

2024-01-09 18:42

Platform

win7-20231215-en

Max time kernel

1s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2500 wrote to memory of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 2344 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe

"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c dOPsYvb

C:\Windows\SysWOW64\certutil.exe

certutil -decode Sorso.xltm Pallore.accde

C:\Windows\SysWOW64\cmd.exe

cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst

C:\Windows\SysWOW64\certutil.exe

certutil -decode Subitanea.xlsx l

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

Illusione.com l

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | oRegnnIvXUERNtJlw.oRegnnIvXUERNtJlw | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde

MD5 ff0a5d410cb9c7ac26fb826444110430
SHA1 999a5a7c1957091e2972974db59f02c7465e1d4a
SHA256 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c
SHA512 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm

MD5 8ed844dfd87dade7cf42085edcbeed5b
SHA1 6a32bd4c765b720988105f155ff0f7ef24d4d635
SHA256 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c
SHA512 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 18:40

Reported

2024-01-09 18:44

Platform

win10v2004-20231215-en

Max time kernel

174s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload


Manipulates Digital Signatures

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 756 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 4024 wrote to memory of 1652 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1320 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1652 wrote to memory of 1792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\certutil.exe
PID 1652 wrote to memory of 4408 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
PID 1652 wrote to memory of 3108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4408 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

Processes

C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe

"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c dOPsYvb

C:\Windows\SysWOW64\cmd.exe

cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde

C:\Windows\SysWOW64\certutil.exe

certutil -decode Sorso.xltm Pallore.accde

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst

C:\Windows\SysWOW64\certutil.exe

certutil -decode Subitanea.xlsx l

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

Illusione.com l

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | oRegnnIvXUERNtJlw.oRegnnIvXUERNtJlw | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | fhjweheef37.top | udp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm

MD5 8ed844dfd87dade7cf42085edcbeed5b
SHA1 6a32bd4c765b720988105f155ff0f7ef24d4d635
SHA256 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c
SHA512 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde

MD5 ff0a5d410cb9c7ac26fb826444110430
SHA1 999a5a7c1957091e2972974db59f02c7465e1d4a
SHA256 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c
SHA512 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sapro.vst

MD5 524c5cb95000d79ff092ac1bbc834051
SHA1 9015a75614448901985a74caf632aca9742fb6f9
SHA256 797d9bb4e5dc777f4204fdb50ce85b3ed956e3e151c06e1d78d97663a81cd042
SHA512 6a9af9fc45e87ca35c447a409d554984820b11de2871b3ccfef9b46685055d979b17352b649dd6344f23566a1c1fe829c58994125c58b59622656dae0344a4e1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Subitanea.xlsx

MD5 6f738d19c97ad52482daaeb7dd740f56
SHA1 65c1a1e843906a8f557f9d83001d61925d9bc9d2
SHA256 85cd887056455ce2d4ac5ba252eec2baa91d1f0b75f30afec153bb02941fbb88
SHA512 01733aaa9a0234bedb3714e37fdf585e5b82ece6dc5a2ddc650c4a074fed94f0190fe538e097a8e69b5eba60764c726a5606f122dcba471e1a213baa56d13869

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l

MD5 05eb879d18fb669c75062eef75a5c50d
SHA1 9aec8a888907ece2a20d184324d9d2f61b01e592
SHA256 911dd3e2748cea7b384f51b6c5d41a5d252533b32b299f4480ce23d3595f683d
SHA512 60c832b8a164a59535ace303bd55ecaca48c63d53c46be4e28e7a539f4fcc8327cae5cbeb529119edf862e521c52c3bc529bdd8c08070785847b333836af543b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aveva.vss

MD5 970b6737c469629d6a289d1c1ff45a62
SHA1 c94b7d73545fcfebf16d74864816de0083448afc
SHA256 6d93374eed3e39ed112d76647c8df9a0a4651970d0dec309a1370483ddd06864
SHA512 eabe5c49d52a31cda5b25e3aa8d02ff8f12eec1f02eb07818fcda6f186f87aa23ded297193ef5dcdb56bff7ea6ea42750753685a66d95e6b40a92ab0d8b63016


C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Information.txt

MD5 2bf79bf9edc025cdd506262ff04778c8
SHA1 b104dbbecc498d0e2dafce37547f6df86d04b9c9
SHA256 67223d8c890c33a8a06f3fd86f2b1d15420398a505973eec5658457a304d06a9
SHA512 7791c77d35adb926ca5d2e33bd1284a994ae2b328024dd5150d4f20538f0ee4dfda30d100f7de3e93f0305fd1bcfd6c52618702292427c6c661566aaed79feae

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Information.txt

MD5 5acacc18c14175f65496c9e456d10b3f
SHA1 7be1529525269f71d920ac20f2a9e6cbb20a5e52
SHA256 84efc45170a3b75b5725f42196ddaf9d5e3d9ded7dca7789e7737ab3144af6d5
SHA512 c5a4c9153cdde62b61881a55e19e0f50a01d38c7deb033d5f14f9ce86db08f14aceda383cf0cdcc14fe893941e8a9e6bef39ce47c092609f4ce96fdc6f8ae065

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Screen_Desktop.jpeg

MD5 a2b6fe410de3a3aa8495868c9e59dc7d
SHA1 104d47f6192e0a4986251da56df58837d34eb6e9
SHA256 dfdd4d026c5cdae7526181080ba465294e8f7fb84407af8aab41e0e1ab50da95
SHA512 f0eeade79b9563dc1341b7e49b650ef9555c0ae01fea17c53e9300c48495f3c71767052c3e6c009c9d3cf3ea605e59d4803a30b1f80d3bac82a2acda6b7eb785

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\files_\system_info.txt

MD5 62f646cdc1347714a98cd4994ed274dc
SHA1 fe72676cb86e51295f432cfe2c4d52c9996ad6de
SHA256 40ae7ef5cc6143869dab891da7c13fcc9444fa2617c3d0939af041dccdc4475a
SHA512 4c56fbb8fe08440df764a6366feffb307dec0b72bedb8ce5052961fa9ca6e69a47109b8f1eb2f3ec445e518518924f315a7cbfec0f3f654cf98849c2f07ca629

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\files_\system_info.txt

MD5 cd9b62233ad25912384bbb98c9c1b7d6
SHA1 b365c3c1f99ffdcd45dde38952ad133d28a2f0d0
SHA256 0053d55f566a6701ec596032ba1c7fa0861832968cb26ad4dada4b130dfcfcb0
SHA512 cce4d2948789c6d146b2629cf6234889dec989813fcad38d38232751606056dc0cf8120b1b26fb4e4c009a06d2a98e47f43589f31c6cf2c598a3635fb85da601

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Files\OptimizeUninstall.txt

MD5 7f43502e321a9638eca593044a20ee3d
SHA1 48583ce38eee8c899641bda2e3fefe3f36aac19e
SHA256 ca1fac42968df2ee10f16b153a7133ecfbc611a321d8209981a83a4aa07f1493
SHA512 ab84aaad62f9e9fa0fda032811db5aee2e05e78b9a9c5d067c1016eadd5d65a1c01798cb478366ce4854f3956b40613da4105314b9923f7fb32d4e14e1f2946a

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\_Files\_Files\RenameEnable.txt

MD5 06374e31ac45bdf090518c00cea0acd7
SHA1 76ae839518a7fa0e31ffe781dfa87cb76cc26c02
SHA256 ed0ca6e20c094d7d59caca6781758bcd8ae85ec16ebd3088edd486706e2dcf61
SHA512 ab5e19b12b444c413130c3720857b81fd0aad1935c7758f4f60fbbe482c6cda7a3ddeda501709e0e20314ee63be37cd05568d050b30ae1401042a7ef59c5472a

memory/5000-250-0x0000000003C80000-0x0000000003D63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fFHhCRcSq\fiYRGoGXMOv.zip

MD5 ddbbf6bd61d7ff783622803cd29441db
SHA1 ac3033b0ff4f250ab8fdbf660c173efc8d7ac436
SHA256 7e4bff1e6ef87e5f4d4a0dfc7b659b65d5b536114e3a523d5bb14efa9508f01a
SHA512 61619a6edc5dd8af4d507309b2ca5b41cdb042c506dc0342b9b0094a0b41c6a8fbbafe4283bb9477af6558fd0ce73603b2c01af5a7e1f462ed0ca4cd37cc0ae0