Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 20:19
Static task: static1
Behavioral tasks (task, sample, resource):
behavioral1, magic.poisontoolz.com/Avjteuhlk.dat, win10v2004-20231215-en
behavioral2, magic.poisontoolz.com/Binded.exe, win10v2004-20231215-en
behavioral3, magic.poisontoolz.com/Buildcrypt.exe, win10v2004-20231215-en
behavioral4, magic.poisontoolz.com/Docs.hta, win10v2004-20231215-en
behavioral5, magic.poisontoolz.com/Document.pdf, win10v2004-20231215-en
behavioral6, magic.poisontoolz.com/Evllmzg.wav, win10v2004-20231215-en
behavioral7, magic.poisontoolz.com/File1crypt.exe, win10v2004-20231215-en
behavioral8, magic.poisontoolz.com/File2crypt.exe, win10v2004-20231215-en
behavioral9, magic.poisontoolz.com/Files.hta, win10v2004-20231215-en
behavioral10, magic.poisontoolz.com/Jafxaspdhim.vdf, win10v2004-20231215-en
behavioral11, magic.poisontoolz.com/Otcck.wav, win10v2004-20231222-en
behavioral12, magic.poisontoolz.com/Pphucxdmff.dat, win10v2004-20231222-en
behavioral13, magic.poisontoolz.com/RIB.pdf, win10v2004-20231215-en
behavioral14, magic.poisontoolz.com/RagCrypt.exe, win10v2004-20231222-en
behavioral15, magic.poisontoolz.com/Spaufgty.wav, win10v2004-20231222-en
behavioral16, magic.poisontoolz.com/Utsxokye.wav, win10v2004-20231215-en
behavioral17, magic.poisontoolz.com/Walter.exe, win10v2004-20231215-en
behavioral18, magic.poisontoolz.com/Wjwxkhbvw.mp4, win10v2004-20231215-en
behavioral19, magic.poisontoolz.com/Wlkubkwdmop.mp4, win10v2004-20231215-en
behavioral20, magic.poisontoolz.com/binded.hta, win10v2004-20231215-en
behavioral21, magic.poisontoolz.com/building.exe, win10v2004-20231215-en
behavioral22, magic.poisontoolz.com/down.png, win10v2004-20231215-en
behavioral23, magic.poisontoolz.com/fox.hta, win10v2004-20231215-en
behavioral24, magic.poisontoolz.com/xw.exe, win10v2004-20231215-en
behavioral25, magic.poisontoolz.com/xw.hta, win10v2004-20231215-en
General
Target: magic.poisontoolz.com/xw.exe
Size: 28KB
MD5: 07863605fe5206c0f5eaf8f119ba71fc
SHA1: 8747e0363ab081bdcdb212f64cf32db3b25e61fc
SHA256: 098b1c1b7ccb2be3f1f1d98e430d3c2f81ae56075a03b58ac6c24c77fc62d920
SHA512: 1b7fa923c1c7fb883cb3d5e2dc53a728c67df74abf5f9d9c8c2391f779faa94efeaa40e66062968d602eef813a1f639d19d0b7e6bf8028bafd11dd08a0d956f5
SSDEEP: 768:2AqFNDcBN3SBldDiHjQW/081aBV/Rqcbdqb:2AacBN3YW8y08grqcb4b
Malware Config
Extracted
stealerium
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures
-
Detect ZGRat V1 34 IoCs
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (process: xw.exe)
-
Drops startup file 2 IoCs
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (process: loaderX.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe (process: loaderX.exe)
-
Executes dropped EXE 2 IoCs
Processes:
PID 5112: loaderX.exe
PID 4924: build.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: build.exe)
Key opened: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: build.exe)
Key opened: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: build.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 2600 set thread context of 3764 (pid: 2600, process: xw.exe, target process: xw.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (process: build.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: build.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 4924: build.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Token: SeDebugPrivilege (pid: 2600, process: xw.exe)
Token: SeDebugPrivilege (pid: 5112, process: loaderX.exe)
Token: SeDebugPrivilege (pid: 4924, process: build.exe)
Token: SeSecurityPrivilege (pid: 1876, process: msiexec.exe)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PID 4924: build.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
PID 2600 wrote to memory of 3764 (pid: 2600, process: xw.exe, target process: xw.exe)
PID 3764 wrote to memory of 5112 (pid: 3764, process: xw.exe, target process: loaderX.exe)
PID 3764 wrote to memory of 4924 (pid: 3764, process: xw.exe, target process: build.exe)
PID 4924 wrote to memory of 5020 (pid: 4924, process: build.exe, target process: cmd.exe)
PID 5020 wrote to memory of 2408 (pid: 5020, process: cmd.exe, target process: chcp.com)
PID 5020 wrote to memory of 2328 (pid: 5020, process: cmd.exe, target process: netsh.exe)
PID 5020 wrote to memory of 816 (pid: 5020, process: cmd.exe, target process: findstr.exe)
PID 4924 wrote to memory of 1144 (pid: 4924, process: build.exe, target process: cmd.exe)
PID 1144 wrote to memory of 2068 (pid: 1144, process: cmd.exe, target process: chcp.com)
PID 1144 wrote to memory of 932 (pid: 1144, process: cmd.exe, target process: netsh.exe)
-
outlook_office_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: build.exe)
-
outlook_win_path 1 IoCs
Processes:
Key opened: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: build.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe"
Tree depth: 1, PID: 2600
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
Command line: C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\xw.exe
Tree depth: 2, PID: 3764
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loaderX.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\loaderX.exe"
Tree depth: 3, PID: 5112
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\build.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
Tree depth: 3, PID: 4924
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe
Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Tree depth: 4, PID: 5020
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exe
Command line: findstr All
Tree depth: 5, PID: 816
-
C:\Windows\SysWOW64\netsh.exe
Command line: netsh wlan show profile
Tree depth: 5, PID: 2328
-
C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
Tree depth: 5, PID: 2408
-
C:\Windows\SysWOW64\cmd.exe
Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Tree depth: 4, PID: 1144
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Tree depth: 1, PID: 1876
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe
Command line: netsh wlan show networks mode=bssid
Tree depth: 1, PID: 932
-
C:\Windows\SysWOW64\chcp.com
Command line: chcp 65001
Tree depth: 1, PID: 2068
Downloads
-
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\OneDrive.txt
Filesize: 25B
MD5: 966247eb3ee749e21597d73c4176bd52
SHA1: 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256: 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512: bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\Directories\Videos.txt
Filesize: 23B
MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
C:\Users\Admin\AppData\Local\a3c3eac75a665cb7955b2c5159e1dfed\Admin@AAKWQUEG_en-US\System\ProductKey.txt
Filesize: 29B
MD5: 71eb5479298c7afc6d126fa04d2a9bde
SHA1: a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256: f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512: 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd