b66fe08192b1292d906bab41c54baa1f4e7afe39e6590784388adb1220ce9ba5

Analysis

max time kernel
97s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 18:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Executor2024.rar
Size

1.2MB
MD5

88654acdcf41b13ee788f410172a697a
SHA1

14737bf72d32cc7a6815bc73da7df54d152ead05
SHA256

b66fe08192b1292d906bab41c54baa1f4e7afe39e6590784388adb1220ce9ba5
SHA512

6f2fe35e9345415d5aaded3d18106062554ccb9e4a4252e31dc2d0c5d8553026b33c2bb15a9a3a5516278fbab8230ee85e1a31492210c0d93c058e4f3666c93d
SSDEEP

24576:9S7Z2wFD+Qxw6kNTD1WXEVnlPkZrB0ENBn1UYwYgHE1hLKQ3:8Z2wx+p6cT5WclsP0YnCvSLKQ3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Executor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Executor.exe

Executes dropped EXE 8 IoCs

pid	Process
2564	Executor.exe
3264	Executor.exe
1748	Both.pif
3260	Both.pif
1984	Executor.exe
412	Executor.exe
5052	Both.pif
4244	Both.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery

T1057

pid	Process
1532	tasklist.exe
4692	tasklist.exe
4428	tasklist.exe
3468	tasklist.exe
3852	tasklist.exe
4824	tasklist.exe
4044	tasklist.exe
3168	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2128	PING.EXE
1516	PING.EXE
3884	PING.EXE
3084	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1748	Both.pif
1748	Both.pif
1748	Both.pif
1748	Both.pif
1748	Both.pif
1748	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3276	7zFM.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	3276	7zFM.exe
Token: 35	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeSecurityPrivilege	3276	7zFM.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	4044	tasklist.exe
Token: SeDebugPrivilege	3168	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	4428	tasklist.exe
Token: SeDebugPrivilege	3468	tasklist.exe
Token: SeDebugPrivilege	3852	tasklist.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe
3276	7zFM.exe
1748	Both.pif
1748	Both.pif
1748	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1748	Both.pif
1748	Both.pif
1748	Both.pif
3260	Both.pif
3260	Both.pif
3260	Both.pif
5052	Both.pif
5052	Both.pif
5052	Both.pif
4244	Both.pif
4244	Both.pif
4244	Both.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3276	5052	cmd.exe	96
PID 5052 wrote to memory of 3276	5052	cmd.exe	96
PID 2564 wrote to memory of 3360	2564	Executor.exe	118
PID 2564 wrote to memory of 3360	2564	Executor.exe	118
PID 2564 wrote to memory of 3360	2564	Executor.exe	118
PID 3360 wrote to memory of 4824	3360	cmd.exe	120
PID 3360 wrote to memory of 4824	3360	cmd.exe	120
PID 3360 wrote to memory of 4824	3360	cmd.exe	120
PID 3360 wrote to memory of 2448	3360	cmd.exe	121
PID 3360 wrote to memory of 2448	3360	cmd.exe	121
PID 3360 wrote to memory of 2448	3360	cmd.exe	121
PID 3360 wrote to memory of 4044	3360	cmd.exe	122
PID 3360 wrote to memory of 4044	3360	cmd.exe	122
PID 3360 wrote to memory of 4044	3360	cmd.exe	122
PID 3360 wrote to memory of 3320	3360	cmd.exe	123
PID 3360 wrote to memory of 3320	3360	cmd.exe	123
PID 3360 wrote to memory of 3320	3360	cmd.exe	123
PID 3264 wrote to memory of 2436	3264	Executor.exe	125
PID 3264 wrote to memory of 2436	3264	Executor.exe	125
PID 3264 wrote to memory of 2436	3264	Executor.exe	125
PID 3360 wrote to memory of 4048	3360	cmd.exe	127
PID 3360 wrote to memory of 4048	3360	cmd.exe	127
PID 3360 wrote to memory of 4048	3360	cmd.exe	127
PID 3360 wrote to memory of 2988	3360	cmd.exe	128
PID 3360 wrote to memory of 2988	3360	cmd.exe	128
PID 3360 wrote to memory of 2988	3360	cmd.exe	128
PID 3360 wrote to memory of 2796	3360	cmd.exe	129
PID 3360 wrote to memory of 2796	3360	cmd.exe	129
PID 3360 wrote to memory of 2796	3360	cmd.exe	129
PID 3360 wrote to memory of 1748	3360	cmd.exe	130
PID 3360 wrote to memory of 1748	3360	cmd.exe	130
PID 3360 wrote to memory of 1748	3360	cmd.exe	130
PID 3360 wrote to memory of 2128	3360	cmd.exe	131
PID 3360 wrote to memory of 2128	3360	cmd.exe	131
PID 3360 wrote to memory of 2128	3360	cmd.exe	131
PID 2436 wrote to memory of 3168	2436	cmd.exe	132
PID 2436 wrote to memory of 3168	2436	cmd.exe	132
PID 2436 wrote to memory of 3168	2436	cmd.exe	132
PID 2436 wrote to memory of 1520	2436	cmd.exe	133
PID 2436 wrote to memory of 1520	2436	cmd.exe	133
PID 2436 wrote to memory of 1520	2436	cmd.exe	133
PID 2436 wrote to memory of 1532	2436	cmd.exe	134
PID 2436 wrote to memory of 1532	2436	cmd.exe	134
PID 2436 wrote to memory of 1532	2436	cmd.exe	134
PID 2436 wrote to memory of 4236	2436	cmd.exe	135
PID 2436 wrote to memory of 4236	2436	cmd.exe	135
PID 2436 wrote to memory of 4236	2436	cmd.exe	135
PID 2436 wrote to memory of 4048	2436	cmd.exe	136
PID 2436 wrote to memory of 4048	2436	cmd.exe	136
PID 2436 wrote to memory of 4048	2436	cmd.exe	136
PID 2436 wrote to memory of 224	2436	cmd.exe	137
PID 2436 wrote to memory of 224	2436	cmd.exe	137
PID 2436 wrote to memory of 224	2436	cmd.exe	137
PID 2436 wrote to memory of 3636	2436	cmd.exe	138
PID 2436 wrote to memory of 3636	2436	cmd.exe	138
PID 2436 wrote to memory of 3636	2436	cmd.exe	138
PID 2436 wrote to memory of 3260	2436	cmd.exe	139
PID 2436 wrote to memory of 3260	2436	cmd.exe	139
PID 2436 wrote to memory of 3260	2436	cmd.exe	139
PID 2436 wrote to memory of 1516	2436	cmd.exe	140
PID 2436 wrote to memory of 1516	2436	cmd.exe	140
PID 2436 wrote to memory of 1516	2436	cmd.exe	140
PID 1984 wrote to memory of 2636	1984	Executor.exe	144
PID 1984 wrote to memory of 2636	1984	Executor.exe	144

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Executor2024.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Executor2024.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:2192

C:\Users\Admin\Desktop\New folder\Executor.exe
"C:\Users\Admin\Desktop\New folder\Executor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Mhz Mhz.bat & Mhz.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 13102
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 13102\Both.pif + Performer + Cooked + Penalty + Leads + Regarded 13102\Both.pif
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Business + Shape + Serum + Combination 13102\p
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\13102\Both.pif
    13102\Both.pif 13102\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1748
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2128

C:\Users\Admin\Desktop\New folder\Executor.exe
"C:\Users\Admin\Desktop\New folder\Executor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Mhz Mhz.bat & Mhz.bat & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 13116
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 13116\Both.pif + Performer + Cooked + Penalty + Leads + Regarded 13116\Both.pif
    3⤵
    PID:224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Business + Shape + Serum + Combination 13116\p
    3⤵
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\13116\Both.pif
    13116\Both.pif 13116\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3260
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1516

C:\Users\Admin\Desktop\Executor.exe
"C:\Users\Admin\Desktop\Executor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Mhz Mhz.bat & Mhz.bat & exit
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 13184
    3⤵
    PID:380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 13184\Both.pif + Performer + Cooked + Penalty + Leads + Regarded 13184\Both.pif
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Business + Shape + Serum + Combination 13184\p
    3⤵
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\13184\Both.pif
    13184\Both.pif 13184\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5052
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3884

C:\Users\Admin\Desktop\Executor.exe
"C:\Users\Admin\Desktop\Executor.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k move Mhz Mhz.bat & Mhz.bat & exit
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3852
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 13197
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 13197\Both.pif + Performer + Cooked + Penalty + Leads + Regarded 13197\Both.pif
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Business + Shape + Serum + Combination 13197\p
    3⤵
    PID:5112
- - C:\Users\Admin\AppData\Local\Temp\13197\Both.pif
    13197\Both.pif 13197\p
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4244
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13102\Both.pif

Filesize
170KB

MD5
34ecdba03ffec4903b1db2ec3891115b

SHA1
1447823ff046d15295676ea75d3dc293c261ed10

SHA256
233dcdbe0d36e74d18a02e1a34af3ef9f99b7be4b71b0e063a7144eef4fae7a9

SHA512
2a31ca8fdc3b5348cec1da3b57029955b95bd030ffb540748e30f8a696884366786afe437b2ab9b3c378d95113d7a12f4aaa6ec32e04d086a15e1f1a66e65c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\13102\Both.pif

Filesize
872KB

MD5
6ee7ddebff0a2b78c7ac30f6e00d1d11

SHA1
f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

SHA256
865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

SHA512
57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\13102\p

Filesize
958KB

MD5
36c638de8604deaac7ca4a77ec7701c0

SHA1
32a948bbd441182ea7233966da8a64832438a3f6

SHA256
d9d1e09ac5befff2994384f69220a23748e91ab4e1b025c784e1b3ab8b444989

SHA512
b7d0897d942aa4b46fe1f10726eabca377c093f1f374d19d77ac31a230ea36f6617484cd6e77523cb31059fed0ffd153cc4d058f7c84efd5de98573a8b2f5018

Download Submit
C:\Users\Admin\AppData\Local\Temp\13116\Both.pif

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\13184\Both.pif

Filesize
512KB

MD5
0d1d68f4d9d55edd7571fd468140fcfc

SHA1
4c4607b45637b299032a407682c9d2a844bed807

SHA256
4544412b19ad66f0ff8396d178da58557f4826289ed3c802338e45e51d3d99a7

SHA512
8be744f4c51bb6401f20ef1f87ddb68599a88e601bd07452f0270848fc7aa5e5fe5720dc22954fe782714040a286ccf2e39f220b301ddb7a766faddabfc5bc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\13184\p

Filesize
64KB

MD5
08f2377e4d08af1e02937afd897d95a8

SHA1
c792e6be3e564346ec79e51d3b5c8ca8c5fc448e

SHA256
0e9612b198f37625001ca1ca9bc78a82d53e6997f82ae67216621f2bd27d00ea

SHA512
3e561bed85cae466764a75e2a439866d1ba3ed30e394d1b0103137b448f1fb21a3a283609231faf33ef3a9fdb4fd8a6da34df1ad97b89634f1099bfa9930b564

Download Submit
C:\Users\Admin\AppData\Local\Temp\Business

Filesize
256KB

MD5
6b1249adc30b06f1cede71b8e5c36954

SHA1
a12e7e9f4207b61733f05fd5448649c79c0300a0

SHA256
c1977aae78865919acf7bd071e97819c23debe296856522c77deb45e7f7112bf

SHA512
08472fedbfa00e7a4d5dbc50ded65e3496a64dd436b06b6421440e4607187cd9cd169b931e465470511d39264389d9c38d405b0161ba6373edabf946c907c514

Download Submit
C:\Users\Admin\AppData\Local\Temp\Business

Filesize
290KB

MD5
73592b8e0aeb3e90b5f7b3d770682586

SHA1
b4ca4ca2ad13d0c45abd398ff238f94c6b381846

SHA256
389db53d058814bdac3d6d787ccb0d55d2d3d5f11b2d2beb02c66d3e01c1eeda

SHA512
ed97afffa6185c5eeb9abae01b3cf4db4dbf9328617c1d44528b5b5b901fe8725cb2ec3957501f115c0e4ec42af6a22328565b5795564bb464a7f904acdfdb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Combination

Filesize
222KB

MD5
bf91838186fc042e0e41d7992f5022cc

SHA1
1bc84a20c1fcaa54f95c6cdd3169db1e72eba3d2

SHA256
18623918daeb635e0ed2482e192e4bc172241aaaaae9a338ca8598199f96cf00

SHA512
87f9b04b0346701c6b621db7d749610e2e170e54dba6387cba615a697998cb89b0a455e5792311f64cc8de276f8b2cc14b863b63e26d46a03d00db921dddfae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cooked

Filesize
263KB

MD5
5dc9239f7886a2b247195a34526c936c

SHA1
0b7e091bf61de7b5639c44c36e32a1d8a5150676

SHA256
8b6a72f649ad917e94848c0c371faa7df8bfbd4e7e7bc7c7f52322ccafcf8b0f

SHA512
c20defb3dd5b662670329845dc7751a08def148c4bc00a802ba4c11aeda46f90ebd93691ea0eedfb3606ee71802efd0ab016868b4c11db5b667bdbac5bc194f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Leads

Filesize
230KB

MD5
c7a88567d9bf0eb5baaab629b11fac24

SHA1
d623421a3b10c8f3f5542c33c2deb79876795e75

SHA256
e947baeee75710dc024aa578ed61a8e7dd8962f55184bace518e0d71e4c37c0a

SHA512
ba9ba00b7acaec33d0a3bebff1afa67af783d6921bd59edc70ed4fda9211e09884194afb7bf2e444c4f513cf848d1b25bead0a50c06c266140c0926a127128d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mhz

Filesize
14KB

MD5
f933d4d8fefdd63c1bc3b28881bd10a4

SHA1
3e937eb5a5e6fc6d3e118e87a458ac28a4b62a8b

SHA256
f0db0fd8e25024a4c9d9d9014f6f16e49d5e064ace7ff209fc13b34c0530d6f9

SHA512
5f6a6d8fe067e09d7a93ceed86205ae5ae5185b9471198261693b845da8340a2fbf8cc22e4a4dcbd062dbee99dcc0cd1bee238ab33a78200e7c47072984ff05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penalty

Filesize
31KB

MD5
653897e7358e2edc6304adf049fb0c27

SHA1
6acc0a18e99f6b06237305b55d6a11b1865c9b8e

SHA256
36b45e16505342a67ae81b58d1ba66eabe3d7ebb9ec728df648ce0c0f2a30f84

SHA512
af5bc1a4bde2ac4da222254eaa0751661712ad40e111fee69734a8bbcfa03676c7f25a6b5fa41b63e3f6d6dcc4c3dac5d23493689e040a3ce399ddec72043856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penalty

Filesize
133KB

MD5
960a03856c5ce0d1ee5e0fb29f52f21c

SHA1
5a31d8aa9b9ee099a8e80e669f9c017d12ca10ad

SHA256
6dfefa55d8ef4774ab3c96ddfac615bd3c1f60746fbe13ec684526adfd77c1a6

SHA512
9aff652a1f6f44801c66c4b13ba9592f8d3cbd6bdd57d053547c15ec6a8dedee20596dfa13e782dac1e9ca983c9155ac2a90c06bb29140124245a183204fd859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Penalty

Filesize
61KB

MD5
5374eb258b17b9fe8de66af7c57e1ee1

SHA1
c5c8c37b73b701b0362bcc4b4894af92257f7990

SHA256
3e57bcd169a68349d76c07ac49febdeca37f78ee3e999eabf3a939fabc1e3b11

SHA512
341762bc470eea9c347446b3eb686def43cce9b0f652676f4882e4622430a60b6429fcb9621f1edee17fa5b6819c4617678005e97eb794e28f009880bfe0d611

Download Submit
C:\Users\Admin\AppData\Local\Temp\Performer

Filesize
170KB

MD5
ae714ce88feaa7d3ce22000460f79225

SHA1
b15d8da4f03a866d6c6e826abdf7d9f90a6ca187

SHA256
b17ed09f28e080421b4750ac6f51caf0f8d9ae8135d58ca61b1b56fdc32821e9

SHA512
c3eea9aedaeb721137015941491b12bd5bf28f553e820174e6a6d05271d00b9471f20b1aebb346ff5a588e4214f54820e25e92c6c3e267962800ca2c15e36574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regarded

Filesize
76KB

MD5
aad10933f4160bb118c7f848a6ca5b54

SHA1
46d7ec07f14ae00b6c29c743b86c0b435ff1ef34

SHA256
96becafe4a8679adcbf321614a5941c960a8d43c56dd561c59de952001772393

SHA512
0f637988093880939845be91edfeafd951da14a2017592979b9fca8b471122d840c24e8cddf68ae1076db6d7d3ddfac580c01214510fec2a960e40c8474f0f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serum

Filesize
203KB

MD5
bd50507413b8ada971ea0b4674e36835

SHA1
c99127ba0dc853966dd61309ae59ca2374db0981

SHA256
05c4956a30145f9c3054825b92bb61bd71e8e74e85da17246f6fe91d60deca85

SHA512
d5acb6177193afa8c850c7b0a6ec382be092f15cb393f718d2d02c8649a7fc5ada084e472ea4c724c37e1a19e8cc72d7999f9f33f37cd8739158ba4ac531acd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shape

Filesize
243KB

MD5
8cdbc17d71f999b1852ad89870826a61

SHA1
34cec4b0b95f17b671d1ae086d8e04b4ac408154

SHA256
4af8bdc84552bb91375dc514ab160cbfeddd5d0f6b1bcf8bbb890a06cf29d3a4

SHA512
c21515fd99ffb4eb2561844e5ab04d9cb02f1b9dd2d774bb1736180095341934e91f15ea0ff25335beb2b3cb45704d09014dfc6f58aee20f568c971fe872b003

Download Submit
C:\Users\Admin\Desktop\New folder\Executor.exe

Filesize
835KB

MD5
e73f009f3103a750c35cb5a0096b6e15

SHA1
1dff589e7b3533b3cc42e755b06fa769d9744253

SHA256
30f23f3aa2a1fd69d046c435c8ea9000adbffaea3209e52119768f68f804c8d2

SHA512
3f47b224522df956c5665549554103048acb2bb2bcfe27c3a6bb9b30ba2055cd1d1afaac0361f4a80bf302954e5c8c4ee9df954cb482d560bbc72bd1d5443621

Download Submit
memory/1748-59-0x00000000777C1000-0x00000000778E1000-memory.dmp

Filesize
1.1MB

Download