Malware Analysis Report

2025-01-18 09:30

Sample ID 240201-q88hqsghbl
Target samples.zip
SHA256 bcb6561a9a8fbaaad702961e156a80c77d3e7f317178bf3f4ab04086bcd526ab
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcb6561a9a8fbaaad702961e156a80c77d3e7f317178bf3f4ab04086bcd526ab

Threat Level: Known bad

The file samples.zip was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Note: the FindShellTrayWindow, Notepad and AdjustPrivilegeToken signatures were raised only in behavioral1, by 7zG.exe unpacking samples.zip and by Notepad.exe opening the dropped .js (see that run's Processes list). They reflect how the sandbox handled the archive, not behaviour of the Strela payload.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 13:57

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 13:57

Reported

2024-02-01 14:19

Platform

win10v2004-20231215-en

Max time kernel

1174s

Max time network

1176s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4832 wrote to memory of 2368 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4832 wrote to memory of 2368 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2368 wrote to memory of 2964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2368 wrote to memory of 2964 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2368 wrote to memory of 4248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2368 wrote to memory of 4248 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2368 wrote to memory of 2308 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 2368 wrote to memory of 2308 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 5076 wrote to memory of 756 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 756 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 756 wrote to memory of 264 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 756 wrote to memory of 264 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 756 wrote to memory of 840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 756 wrote to memory of 840 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 756 wrote to memory of 4072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 756 wrote to memory of 4072 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4472 wrote to memory of 4876 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4472 wrote to memory of 4876 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4876 wrote to memory of 4468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4876 wrote to memory of 4468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4876 wrote to memory of 4320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4876 wrote to memory of 4320 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4876 wrote to memory of 3504 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4876 wrote to memory of 3504 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"

C:\Windows\system32\findstr.exe

findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode licenseanxious alivebooks.dll

C:\Windows\system32\rundll32.exe

rundll32 alivebooks.dll,main

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"

C:\Windows\system32\findstr.exe

findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode licenseanxious alivebooks.dll

C:\Windows\system32\rundll32.exe

rundll32 alivebooks.dll,main

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"

C:\Windows\system32\findstr.exe

findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode licenseanxious alivebooks.dll

C:\Windows\system32\rundll32.exe

rundll32 alivebooks.dll,main
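
The command lines above describe a two-stage unpacking that an analyst can reproduce offline without detonating anything: cmd.exe copies the .js to trainreproduce.bat and runs it, findstr /V drops every line containing the word hammerachiever (the redirection of its output into licenseanxious is done by cmd.exe and so does not appear in findstr's own command line), certutil -decode turns the remaining base64 into alivebooks.dll, and rundll32 calls its main export. The script below is an added example, not code from the report or from the sample: it emulates those two stages in Python so the payload can be carved from a captured script on a Linux box. The polyglot text it parses is constructed for illustration (every non-payload line carries the marker word, which is what the observed chain requires), the payload is a 68-byte MZ/PE skeleton rather than a real DLL, and the certutil emulation assumes only base64 and optional PEM armour lines remain after filtering.

```python
"""Offline emulation of the sample's unpacking chain: findstr /V marker, then certutil -decode.

Added example; not code from the report or the sample. The polyglot text below is
constructed: it is not the real 3b1e6f...js, only a file laid out so that every
non-payload line contains the marker, as the observed command chain requires.
"""
import base64
import re

MARKER = "hammerachiever"  # the string the sample passes to findstr /V

# Constructed stand-in for the decoded DLL: a 68-byte blob with a valid MZ/PE skeleton
# (e_lfanew at offset 0x3C pointing at "PE\0\0" at offset 0x40). Not a real DLL.
PAYLOAD = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"


def _b64_lines(blob: bytes, width: int = 64) -> str:
    """Base64 wrapped at 64 columns, the width certutil -encode produces."""
    enc = base64.b64encode(blob).decode()
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


# Constructed polyglot (assumed layout, modelled on the command lines in this report):
# JS-looking lines and batch lines all contain MARKER; only the base64 block does not.
SAMPLE = "\n".join([
    f"// {MARKER} var shell = new ActiveXObject('WScript.Shell');",
    f"/* {MARKER}",
    f'findstr /V {MARKER} "%~f0" > licenseanxious',
    f"certutil -f -decode licenseanxious alivebooks.dll & rem {MARKER}",
    f"rundll32 alivebooks.dll,main & rem {MARKER}",
    _b64_lines(PAYLOAD),
    f"{MARKER} */",
])


def findstr_v(text: str, needle: str) -> list[str]:
    """Emulate `findstr /V needle`: keep only lines that do not contain needle.
    findstr is case-sensitive by default, and because MARKER has no regex
    metacharacters its default regex mode behaves as a literal search."""
    return [line for line in text.splitlines() if needle not in line]


_PEM_LINE = re.compile(r"^-----(BEGIN|END) [A-Z0-9 ]+-----$")
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def certutil_decode(lines: list[str]) -> bytes:
    """Emulate `certutil -decode in out`: drop optional PEM armour and blank lines,
    then base64-decode the rest. Any other line is treated as corrupt input."""
    body = []
    for line in lines:
        s = line.strip()
        if not s or _PEM_LINE.match(s):
            continue
        if not _B64_LINE.match(s):
            raise ValueError(f"non-base64 line in input: {s[:40]!r}")
        body.append(s)
    return base64.b64decode("".join(body), validate=True)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on the decoded output: MZ header and PE signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_payload(polyglot: str, marker: str) -> bytes:
    """Run the two stages the sample runs (findstr /V, then certutil -decode) on text."""
    return certutil_decode(findstr_v(polyglot, marker))


if __name__ == "__main__":
    dll = extract_payload(SAMPLE, MARKER)
    print(f"decoded {len(dll)} bytes, PE header present: {looks_like_pe(dll)}")
```

To use it on a real capture, read the dropped .js as text, pass it with the marker taken from the findstr command line, and hash the result against the alivebooks.dll entries under Files; a wrong marker leaves non-base64 lines in place and the decoder raises rather than producing garbage.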

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Every entry in this run is a reverse (PTR) lookup sent to 8.8.8.8 and no non-DNS connection was captured. The table records no originating process, so none of these lookups can be attributed to the Strela payload from this report alone.

Files

Several hashes are listed for the same path because this run executed the chain three times (one WScript.exe instance each, see Processes) and the intermediate files were rewritten each time; the report does not say which alivebooks.dll snapshot each rundll32.exe instance loaded. The first C:\Users\Admin\trainreproduce.bat entry carries the same SHA256 as the dropped .js (3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3, listed under behavioral1), confirming that the cmd.exe copy step preserved the script byte for byte.

C:\Users\Admin\trainreproduce.bat

MD5 97ef45c0303878a80b44a236e27fd30b
SHA1 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
SHA256 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
SHA512 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee

C:\Users\Admin\licenseanxious

MD5 cccbee3669234b546da8c922dae5515b
SHA1 6545a901c5b40a29967ed0c30e308a413485bbf9
SHA256 2ddcf13b108c3cda14cff5ff089539281bc95b6072a16aed5e5432d46daaa5ce
SHA512 6107ed80789bade3e624b742f76d5f409c7dc4005ad8d2caf192bd8b2b58adf84d0e1a61ea7559088baad3bfc2b130fe208a2162b49e0f297775db594b7b857c

C:\Users\Admin\alivebooks.dll

MD5 50e82a0939f2e5e07db2883b6d8f0f57
SHA1 f9455b140bd8577d852927905ab3b432b0047b02
SHA256 0cc102da3a0f71e77164ac351b19796dad1affa0a3283753f46708ee921d762c
SHA512 2d96ce17ae184b67695f5cf017eb4af8c8e05d60df9d5a6b98f502b835bae2cfea40d393967fa6d6cd17842b2a100e629433ce79d930408e64aef0bc9d2350b7

memory/2308-1771-0x000001B6CD940000-0x000001B6CD963000-memory.dmp

memory/2308-1770-0x00007FFEBEC20000-0x00007FFEBED79000-memory.dmp

C:\Users\Admin\trainreproduce.bat

MD5 7b9b251c87bd3959eb6daf22ef5a95d4
SHA1 57dddbb33d9769993a4633dcdb9341c6d3611979
SHA256 81b8ea02158c925448668d5c041e8b83856b293ed31886c5921d0ad60a3f4f11
SHA512 c6503cdd38e539669cd7d64c402a450205bbaa6176bbea3bea855ce0ad868de7bf47843be81165ba24ddbdde8cb7d7f3a29a3550b2a869728fc28cdb00f988ac

C:\Users\Admin\licenseanxious

MD5 e0fdf13959e902a8f04ad8ac419bef7a
SHA1 ad18df88debbd0af8d8c623cf1823b983ab80e8f
SHA256 0cd50f9403330cac7c06718af50d83789b805310c2a207abc3507aaab1c24a08
SHA512 7f4221702ceafd91991129ed28d5e12efa7f7261763359f5bda77c724531ba68cbf7f7e2f1d7806682bf1bc5f090ed18fa081b2eab3708f994995fcd6947fb2d

C:\Users\Admin\alivebooks.dll

MD5 ef6035b14fd8885507ced592f336f9f8
SHA1 f636c1aa5c13f1b9d2287dc701102e65880639a7
SHA256 055735d13611e484ff4220c2b45c6d96fa72298dc841b7ed8af409b7e3845e5e
SHA512 ab177ad8c4a700d559235c994d02d41f43f549583dbccd6df8fbc5054a9ba2ddc4bc4edc1a10ea8f3c61aa79ff2f87fd8284f6b1ae4508968eed2ebdb8ba0907

C:\Users\Admin\alivebooks.dll

MD5 122cb5f616cfb20f67e1a31420f531d7
SHA1 78560db9f7801dfee3fc01f72b7154d44e17c5e4
SHA256 6d110058be6456131a573fa494d131518ff5fd76c30a975ab56e95c515a23c24
SHA512 6e3d6130e772167bd17fb95ceda2a0b61aeef8b96a14d9aa6a4125404b8b6aaeb8be03e21d8634f3f4f312cb95f3d78bc7acd072a0f7e6843a1f7497c4bddbd5

memory/4072-3542-0x00007FFEBEC20000-0x00007FFEBED79000-memory.dmp

memory/4072-3543-0x000001CC874C0000-0x000001CC874E3000-memory.dmp

C:\Users\Admin\trainreproduce.bat

MD5 f420c6e2b75278a05ada549649e5fb59
SHA1 ceacf069d47b036480b968d0b3048a88f62d040d
SHA256 d3319da67e41d37b6b9358403577e6440316643d76191abdc3cdb63f73a0f5ff
SHA512 0081b834ff8a33d379d44b6868d78a6e0ed44774d922d975382af6bfbe8994867f2b9b3376f6000e2b4617afcdc44d79c5923bcb97d50521365022ff46db01fe

C:\Users\Admin\licenseanxious

MD5 bab0014deb14f24d20658e95e1e32f65
SHA1 ed17543cf92b081d78c090a972ae4f49435746b3
SHA256 7f3f8cd9dbc11e09a65d9a92e46c5ec5b8fc547617057883a80342e75d6329f9
SHA512 a1bff1f0774bcb671cda9c1c9767ec5727e568f6b723deb5a5ddca7f41a39b91cd1c8d74617a91a6a17e69dc39f615df773f4ebc89506830c7c381ee8bf52b82

C:\Users\Admin\alivebooks.dll

MD5 e827253fbfeaa39f6465bbbe8ef6f9e1
SHA1 8a0a53da7d7d38d1023fb31feaeb5da71e61e428
SHA256 9e565ee1fd4b16c66d06e274a2ed04439b9368af613798ba189db6873c8b350c
SHA512 1521a179c31b7afaab8e93cd8877dbd838a6dc77a8014614f571b72b5f3824f5fb8bb1f751f2870f8c46b3032f03630ec950b604e5fbdc360748fdaeba74c587

C:\Users\Admin\alivebooks.dll

MD5 a614137204d6b90175da5a1b7c5b05f7
SHA1 0eddb9b2c9afb9c61e7ec7413472a8a14253b190
SHA256 8ab76629f969514aa55d61f0439e97b0b5f1ce5af843eeb33d65ca50b1d9848b
SHA512 964aa24f1000635e08015bac80c210638a6e188f5002cb1ad84c94514befea25bc9430fd2bb40514739062405d1da58a24ae191fbf9118f6f2ddec28e37496a3

memory/3504-5315-0x000001C7D13A0000-0x000001C7D13C3000-memory.dmp

memory/3504-5314-0x00007FFEC9950000-0x00007FFEC9AA9000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 13:57

Reported

2024-02-01 14:18

Platform

win10v2004-20231215-en

Max time kernel

1164s

Max time network

1169s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\samples.zip

Signatures

Strela

stealer strela

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

The file opened was the dropped .js itself (see the Notepad.exe command line under Processes), so the "ransom note" heuristic and the ransomware tag are false positives for this sample.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 (privilege LUID 35 is SeCreateSymbolicLinkPrivilege in winnt.h) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A

Both signatures are raised by 7zG.exe, which the sandbox invoked to extract samples.zip (see its command line under Processes); they are side effects of the archive extraction, not behaviour of the sample.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 1740 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2372 wrote to memory of 1740 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1740 wrote to memory of 1400 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1740 wrote to memory of 1400 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1740 wrote to memory of 4948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 1740 wrote to memory of 4948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 1740 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1740 wrote to memory of 1784 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 556 wrote to memory of 4872 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 556 wrote to memory of 4872 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4872 wrote to memory of 396 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4872 wrote to memory of 396 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\findstr.exe
PID 4872 wrote to memory of 468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4872 wrote to memory of 468 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\certutil.exe
PID 4872 wrote to memory of 3660 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 4872 wrote to memory of 3660 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\samples.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\samples\" -spe -an -ai#7zMap4734:94:7zEvent10073

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"

C:\Windows\system32\findstr.exe

findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode licenseanxious alivebooks.dll

C:\Windows\system32\rundll32.exe

rundll32 alivebooks.dll,main

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"

C:\Windows\system32\findstr.exe

findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""

C:\Windows\system32\certutil.exe

certutil -f -decode licenseanxious alivebooks.dll

C:\Windows\system32\rundll32.exe

rundll32 alivebooks.dll,main

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js
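
The process list above, together with the parent-to-child pairs recorded under "Suspicious use of WriteProcessMemory", gives everything a detection needs: a script host spawning cmd.exe whose command line copies a .js to a .bat, and that cmd.exe spawning findstr with /V, certutil with -decode, and rundll32 with a <dll>,<export> argument. The rule below is an added example, not code from the report or from any detection product; it runs over process-creation records with the four fields that Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine) and Security event 4688 with command-line auditing provide. The events it parses are constructed: the first set reuses the images, command lines and PIDs reported for behavioral2 (the WScript.exe parent PID 1000 is assumed), the second is a benign control in which an administrator runs certutil -decode from an Explorer-launched prompt and must not match. It generalises the report in one place, treating cscript.exe as well as WScript.exe as the script host, since the same .js runs under either.

```python
"""Process-tree detection for the WScript -> cmd -> findstr/certutil/rundll32 unpacking chain.

Added example; not code from the report. All events below are constructed. The first set
reuses the PIDs, images and command lines reported for behavioral2 (wscript 4832, cmd 2368,
findstr 2964, certutil 4248, rundll32 2308); the wscript parent PID 1000 is assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(e: ProcEvent) -> str:
    return e.image.rsplit("\\", 1)[-1].lower()


# Stage patterns, matched case-insensitively against the full command line.
COPY_JS_TO_BAT = re.compile(r'copy\s+"?[^"\s]*\.js"?\s+"?[^"\s]*\.bat', re.I)
FINDSTR_INVERT = re.compile(r"\s/v(\s|$)", re.I)
CERTUTIL_DECODE = re.compile(r"\s-decode(\s|$)", re.I)
RUNDLL32_DLL = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # cscript added as a generalisation of the report


def _first(kids, name, pattern):
    """First child whose image name matches and whose command line matches the pattern."""
    return next((k for k in kids if image_name(k) == name and pattern.search(k.cmdline)), None)


def find_js_bat_polyglot_chains(events):
    """Return one dict per matched chain: a script host whose cmd.exe child copies a .js
    to a .bat and itself spawns findstr /V, certutil -decode and rundll32 <dll>,<export>."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for host in events:
        if image_name(host) not in SCRIPT_HOSTS:
            continue
        for cmd in children.get(host.pid, []):
            if image_name(cmd) != "cmd.exe" or not COPY_JS_TO_BAT.search(cmd.cmdline):
                continue
            kids = children.get(cmd.pid, [])
            findstr = _first(kids, "findstr.exe", FINDSTR_INVERT)
            certutil = _first(kids, "certutil.exe", CERTUTIL_DECODE)
            rundll = _first(kids, "rundll32.exe", RUNDLL32_DLL)
            if findstr and certutil and rundll:
                hits.append({
                    "host": host.pid, "cmd": cmd.pid, "findstr": findstr.pid,
                    "certutil": certutil.pid, "rundll32": rundll.pid,
                    "dll": RUNDLL32_DLL.search(rundll.cmdline).group(1),
                })
    return hits


# Constructed events modelled on the behavioral2 process list (parent PID 1000 is assumed).
STRELA_RUN = [
    ProcEvent(4832, 1000, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js"'),
    ProcEvent(2368, 4832, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k copy "C:\Users\Admin\AppData\Local\Temp\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js" "C:\Users\Admin\\trainreproduce.bat" && "C:\Users\Admin\\trainreproduce.bat"'),
    ProcEvent(2964, 2368, r"C:\Windows\system32\findstr.exe",
              r'findstr /V hammerachiever ""C:\Users\Admin\\trainreproduce.bat""'),
    ProcEvent(4248, 2368, r"C:\Windows\system32\certutil.exe", "certutil -f -decode licenseanxious alivebooks.dll"),
    ProcEvent(2308, 2368, r"C:\Windows\system32\rundll32.exe", "rundll32 alivebooks.dll,main"),
]

# Constructed benign control: an administrator decoding a certificate by hand.
BENIGN_RUN = [
    ProcEvent(3000, 900, r"C:\Windows\Explorer.exe", r"C:\Windows\Explorer.exe"),
    ProcEvent(3001, 3000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(3002, 3001, r"C:\Windows\system32\certutil.exe", "certutil -decode cert.b64 cert.cer"),
]

if __name__ == "__main__":
    for label, run in (("strela-like run", STRELA_RUN), ("benign control", BENIGN_RUN)):
        print(label, "->", find_js_bat_polyglot_chains(run))
```

The rule fires only when all three stages hang off the same cmd.exe, so a lone certutil -decode or a findstr /V in a logon script does not match; the trade-off is that an attacker who splits the stages across separate cmd.exe instances evades it, which is why the individual stage patterns are also worth alerting on at a lower severity.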

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp

The single TCP connection (20.231.121.79:80) and the PTR lookups have no originating process recorded, so this report does not establish whether that connection belongs to the payload or to the operating system; it should be confirmed against a capture with process attribution before being used as an indicator.

Files

C:\Users\Admin\AppData\Local\Temp\samples\3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3.js

MD5 97ef45c0303878a80b44a236e27fd30b
SHA1 14cdc83dae55ad1e6d9d5f01c7bd431db1b1654f
SHA256 3b1e6f545d77b1999b877967fd736c7ba01531b26874311b436d014f91803bf3
SHA512 1f8bee9f9922b89eef565465fba7a70d45babed06a59c9e72730672bfe2f3c6e542ecb43336121e00a2bcf5b345547b61615d1c6a7b6f6753b153f914bac96ee

C:\Users\Admin\trainreproduce.bat

MD5 8de56a50f6ad2682277860101b8996c7
SHA1 f53772aaac0baa71fed3c5953a788c7b59aeb9f1
SHA256 4941db609c0650bdffa6fcea7af4844c3e7886b0f03d376715f87b10766a1bb4
SHA512 e3e7487d25faf6d6a0e870928aecdff59617de8f7843f44770d8149abefd5d462ba992e7eeeede6a957f5058aef70770dfe3e394b9a390fc4087f2cc237b74c7

C:\Users\Admin\licenseanxious

MD5 cccbee3669234b546da8c922dae5515b
SHA1 6545a901c5b40a29967ed0c30e308a413485bbf9
SHA256 2ddcf13b108c3cda14cff5ff089539281bc95b6072a16aed5e5432d46daaa5ce
SHA512 6107ed80789bade3e624b742f76d5f409c7dc4005ad8d2caf192bd8b2b58adf84d0e1a61ea7559088baad3bfc2b130fe208a2162b49e0f297775db594b7b857c

C:\Users\Admin\alivebooks.dll

MD5 50e82a0939f2e5e07db2883b6d8f0f57
SHA1 f9455b140bd8577d852927905ab3b432b0047b02
SHA256 0cc102da3a0f71e77164ac351b19796dad1affa0a3283753f46708ee921d762c
SHA512 2d96ce17ae184b67695f5cf017eb4af8c8e05d60df9d5a6b98f502b835bae2cfea40d393967fa6d6cd17842b2a100e629433ce79d930408e64aef0bc9d2350b7

memory/1784-1846-0x00007FFBBAC50000-0x00007FFBBADA9000-memory.dmp

memory/1784-1847-0x0000019C78A20000-0x0000019C78A43000-memory.dmp

memory/3660-1854-0x00007FFBBAC50000-0x00007FFBBADA9000-memory.dmp

memory/3660-1855-0x0000014D2DBD0000-0x0000014D2DBF3000-memory.dmp

memory/3660-1856-0x0000014D2DBD0000-0x0000014D2DBF3000-memory.dmp