Malware Analysis Report

2024-12-08 03:07

Sample ID 240510-p1fx3sae59
Target DiskGenius.exe
SHA256 72a3cef4d5f806cc81a9585c58590bdebc9c08a8faecf0238756b15aa2d69e1f
Tags upx vmprotect privateloader loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

72a3cef4d5f806cc81a9585c58590bdebc9c08a8faecf0238756b15aa2d69e1f

Threat Level: Known bad

The file DiskGenius.exe was found to be: Known bad.

Malicious Activity Summary

upx vmprotect privateloader loader

PrivateLoader

VMProtect packed file

UPX packed file

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:47

Reported

2024-05-10 12:50

Platform

win7-20240508-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 1484 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp
PID 1484 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp
PID 1484 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp
PID 1484 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp
PID 1484 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe
PID 1484 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe
PID 1484 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe
PID 1484 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe
PID 2936 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe
PID 2936 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe
PID 2936 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe
PID 2936 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe
PID 2936 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe
PID 1484 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 1484 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 1484 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 1484 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 2024 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe
PID 2024 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~2090722159602104039"

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe

"C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe" diskgenius.exe C

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe

"diskgenius.exe"

C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe

PECMD**pecmd-cmd* EXEC -wd:C: -IDLE --hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~1833828596621600744.cmd"

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\~1833828596621600744.cmd"

Network

N/A

Files

memory/1484-0-0x0000000000400000-0x000000000056E000-memory.dmp

\Users\Admin\AppData\Local\Temp\~4988141023342866583~\sg.tmp

\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleas.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\diskgenius.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\avcodec-57.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\avutil-55.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\avformat-57.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\DGBCDX64.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\command.com

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\CTMOUSE.EXE

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\fdconfig.sys

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\fdauto.bat

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\fdapm.com

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\diskgen.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\himem.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\kernel.sys

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\license.txt

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\shsucdx.com

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dos\xcdrom.sys

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\Hdrwvdi.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\dsoframer.ocx

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\Hdrwvhd.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\Hdrwvhdx.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\Hdrwvm.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\LangRes.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\libwim.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\OfflineReg.exe

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\ntleai.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\msimg32.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\license_DG_Jp.txt

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\Options.ini

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\releasenote.txt

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\VPreview.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\swscale-4.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\swresample-2.dll

C:\Users\Admin\AppData\Local\Temp\~2090722159602104039\SDL2.dll

C:\Users\Admin\AppData\Local\Temp\~1833828596621600744.cmd

memory/1484-132-0x0000000003770000-0x00000000038DE000-memory.dmp

memory/2024-134-0x0000000000400000-0x000000000056E000-memory.dmp

memory/1484-133-0x0000000000400000-0x000000000056E000-memory.dmp

memory/2024-136-0x0000000000400000-0x000000000056E000-memory.dmp

memory/1484-138-0x0000000000400000-0x000000000056E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:47

Reported

2024-05-10 12:50

Platform

win10v2004-20240508-en

Max time kernel

95s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe"

Signatures

PrivateLoader

loader privateloader

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe N/A
(identical entry repeated 64 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\SYSTEM32\cmd.exe
PID 2700 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp
PID 2700 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp
PID 2700 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp
PID 2700 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe
PID 2700 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe
PID 2700 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2328 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe
PID 2700 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 2700 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 2700 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe
PID 1460 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\SYSTEM32\cmd.exe
PID 1460 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe C:\Windows\SYSTEM32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c set

C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp

7zG_exe x "C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~5302922757353172526"

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe

"C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe" diskgenius.exe C

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe

"diskgenius.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3136 -ip 3136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1016

C:\Users\Admin\AppData\Local\Temp\DiskGenius.exe

PECMD**pecmd-cmd* EXEC -wd:C: -IDLE --hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~6319743501780032208.cmd"

C:\Windows\SYSTEM32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\~6319743501780032208.cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 248.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
BE 88.221.83.248:443 www.bing.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2700-0-0x0000000000400000-0x000000000056E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~2974638325276524434~\sg.tmp

MD5 7c4718943bd3f66ebdb47ccca72c7b1e
SHA1 f9edfaa7adb8fa528b2e61b2b251f18da10a6969
SHA256 4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc
SHA512 e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleas.exe

MD5 9a8f681b7d71ea0171bd1ff404a91916
SHA1 5d610b7f135f21c63f686d460df890ad6a0fb02a
SHA256 8056c16b5fb104ea51359801a10083e425696e26014610af8a15b60fbbfac4a8
SHA512 7ffc5ac803ab3b11cc508b4e9d7d087b6af864735462a23e6e21cca0693aa271c16d26773d4fddfe0b752503758221f701568b398cc937e2235a71797d5c1b3e

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\diskgenius.exe

MD5 2910ac89085a9457e9128bd81676dc96
SHA1 cee5e68568a3cdf5d84ccbba70f2160038459996
SHA256 4a408834e693b658b96ecd1b7e96b3a9d5555c997f0642cd9f806fd03589801e
SHA512 c4d4cbdad1a3f1d97486a875ab7d7aa5351fccafac646d965afb4cb186802981cf90f70ea942d998a35631b59d57e19a4248ec6cd86e3f9518ceea27c5e8d9a5

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\msimg32.dll

MD5 7408d34293f617b6a4c35bca100d03dc
SHA1 f2d959173e271487c50ece0ea56d03d7476a2052
SHA256 494acdb350a1a8e95efe431d00643df442b7127108108005f88dac24d7afb114
SHA512 c6536dcb7648854d424aa0a0d59d4eb04520b8519211948ef509f45ff1e5ca6c18a000be6c6312f5ba371a9d7d7a313434cb91f6ccd4e7a8abe0cee9c927edbd

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\ntleai.dll

MD5 afdc8d5b38bc5d297429970776fa27ea
SHA1 8654fb2247651a34887815c4813b8aa98267443a
SHA256 cc68f8c3311bca56150f8c1bfe2b9621d8b7f47341969b62263803f05f135984
SHA512 02b3a36c4d29044526381ce2c22c5d92ee063e9c6f5e1d8bc7b522829f70cc89edd1b7f9a3461abb4551336c473e4601531bed8beaf55268a99a0ed9f7063766

memory/3136-88-0x00000000035B0000-0x00000000035B1000-memory.dmp

memory/3136-89-0x00000000035D0000-0x00000000035D1000-memory.dmp

memory/3136-90-0x00000000035E0000-0x00000000035E1000-memory.dmp

memory/3136-91-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3136-92-0x0000000003610000-0x0000000003611000-memory.dmp

memory/3136-93-0x0000000003620000-0x0000000003621000-memory.dmp

memory/3136-94-0x0000000005210000-0x0000000005211000-memory.dmp

memory/3136-95-0x0000000005220000-0x0000000005221000-memory.dmp

memory/3136-96-0x0000000005230000-0x0000000005231000-memory.dmp

memory/3136-97-0x0000000005240000-0x0000000005241000-memory.dmp

memory/3136-98-0x0000000005250000-0x0000000005251000-memory.dmp

memory/3136-99-0x0000000005260000-0x0000000005261000-memory.dmp

memory/3136-100-0x0000000005270000-0x0000000005271000-memory.dmp

memory/3136-101-0x0000000005280000-0x0000000005281000-memory.dmp

memory/3136-102-0x0000000005290000-0x0000000005291000-memory.dmp

memory/3136-103-0x00000000053C0000-0x00000000053C1000-memory.dmp

memory/3136-104-0x00000000053D0000-0x00000000053D1000-memory.dmp

memory/3136-105-0x00000000053E0000-0x00000000053E1000-memory.dmp

memory/3136-106-0x00000000053F0000-0x00000000053F1000-memory.dmp

memory/3136-107-0x0000000005400000-0x0000000005401000-memory.dmp

memory/3136-108-0x0000000005410000-0x0000000005411000-memory.dmp

memory/3136-109-0x0000000005420000-0x0000000005421000-memory.dmp

memory/3136-110-0x0000000005430000-0x0000000005431000-memory.dmp

memory/3136-111-0x0000000005440000-0x0000000005441000-memory.dmp

memory/3136-112-0x0000000005450000-0x0000000005451000-memory.dmp

memory/3136-113-0x0000000005460000-0x0000000005461000-memory.dmp

memory/3136-115-0x0000000005480000-0x0000000005481000-memory.dmp

memory/3136-114-0x0000000005470000-0x0000000005471000-memory.dmp

memory/3136-116-0x0000000005490000-0x0000000005491000-memory.dmp

memory/3136-117-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/3136-118-0x00000000054B0000-0x00000000054B1000-memory.dmp

memory/3136-119-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/3136-120-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/3136-121-0x00000000054E0000-0x00000000054E1000-memory.dmp

memory/3136-122-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/3136-123-0x0000000005500000-0x0000000005501000-memory.dmp

memory/3136-124-0x0000000005510000-0x0000000005511000-memory.dmp

memory/3136-125-0x0000000005520000-0x0000000005521000-memory.dmp

memory/3136-126-0x0000000005530000-0x0000000005531000-memory.dmp

memory/3136-127-0x0000000005540000-0x0000000005541000-memory.dmp

memory/3136-128-0x0000000005550000-0x0000000005551000-memory.dmp

memory/3136-129-0x0000000005560000-0x0000000005561000-memory.dmp

memory/3136-130-0x0000000005570000-0x0000000005571000-memory.dmp

memory/3136-131-0x0000000005580000-0x0000000005581000-memory.dmp

memory/3136-132-0x0000000005590000-0x0000000005591000-memory.dmp

memory/3136-133-0x00000000055A0000-0x00000000055A1000-memory.dmp

memory/3136-134-0x00000000055B0000-0x00000000055B1000-memory.dmp

memory/3136-135-0x00000000055C0000-0x00000000055C1000-memory.dmp

memory/3136-136-0x00000000055D0000-0x00000000055D1000-memory.dmp

memory/3136-137-0x00000000055E0000-0x00000000055E1000-memory.dmp

memory/3136-138-0x00000000055F0000-0x00000000055F1000-memory.dmp

memory/3136-139-0x0000000005600000-0x0000000005601000-memory.dmp

memory/3136-140-0x0000000005610000-0x0000000005611000-memory.dmp

memory/3136-141-0x0000000005620000-0x0000000005621000-memory.dmp

memory/3136-142-0x0000000005630000-0x0000000005631000-memory.dmp

memory/3136-143-0x0000000005640000-0x0000000005641000-memory.dmp

memory/3136-144-0x0000000005650000-0x0000000005651000-memory.dmp

memory/3136-145-0x0000000005660000-0x0000000005661000-memory.dmp

memory/3136-146-0x0000000005670000-0x0000000005671000-memory.dmp

memory/3136-147-0x00000000051D0000-0x00000000051D1000-memory.dmp

memory/3136-148-0x00000000051E0000-0x00000000051E1000-memory.dmp

memory/3136-149-0x0000000000400000-0x00000000033E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\LangRes.dll

MD5 408eac73c5ba6701c40e6555b437ee00
SHA1 d4f8e059befc0d77b5f49d357c28a97115a37c51
SHA256 edd04ed6d6f3f62eaac26f5ed81a0edff69ff35492a3d3e4e3dcd26d04036c0b
SHA512 5578c071ed4c746794f7ce4fc02cf7d097b72ddad75469f375da761f4d8d67c0b82e121c69c7b99016527420e31cfbc8096d9ce141e2f1a0b8fa08eadd68ff52

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\Options.ini

MD5 e5f1807dddbcda8c89dbeef919aeecb9
SHA1 1177db3d54a71ea91fb9f4e84ec448abc30fbd7f
SHA256 bdae4915bed21a7968824865c4024c371fe46a80795b46be8ffe7bf2e3089235
SHA512 a6e88cbb5cc3a63f58afdfa4dbd6d5f16e7b3afdcb9534ead055180f68a517d91cc9fe9665d097663a0948032bdd1a8f4081092b652861efee6449efe2d740b5

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\avcodec-57.dll

MD5 cbb6c78ba2446b030b06282776d81a0e
SHA1 38739809e1df319cfd7461366d5dbdebc644e89f
SHA256 98121397933acaf25240e2f2a0822f719f4c5b3b47efb5578f97f28dc019c6db
SHA512 2f63ad3f26a2a3cf1d4a94d544e52eaa7aa27afeaf2621fced0b0c693cc6bf9ba9be8b360a9287d19b85adda794daf35121438accff44d23802a88409d4a8293

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\avformat-57.dll

MD5 ad8605903890285ece1ea1f5a72a9985
SHA1 8320253c53ab004b4e82ce90299814a40cc4db79
SHA256 dea54220257a4cc46455b43295599b1c0a963f794e538fe3bf29ea9d246bb0ec
SHA512 42877f3d5e4392d9a41db6d212331c815fca650f574bee96c01fcdb5a50fbe9f2e9bef784d2690be5392ef43453bd585157ed49af40c1a52c08ee396a945d7e5

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\avutil-55.dll

MD5 5e0757f2a34f71620ed11f110e062942
SHA1 4fee170ac188f53ee5c9ddc6762a90aaa0aedb4b
SHA256 cd40baac665cd1315cc9408dd4aeb1b7aa1d88bdca3860d93d305ee2a4fbc065
SHA512 cde625af587e21abc5cb1285faa475203b06fc55e8c0b14c62d87f12d68e1b487c471e1bec95c01cda6c40fc0708af22daaafc13621c535932b53729889ab1fb

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\DGBCDX64.exe

MD5 846b229c55dcecd9b1e3cf11e1585046
SHA1 721621a5266d0c35629382922b62a9af1abad161
SHA256 2a757fe83b2d115d5f2e715c15d917025d7cd7e04dd05cd8889dea90e17f0855
SHA512 a7157727a3d60504028add87699b0d35efb9e049ae4754e71a1aa882dcf0900779e79897a509c503acbdd350ab76f52fb348517d1453d06372ee7a39504d1b27

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\command.com

MD5 f730339b0a5f461b530d93bd57050dff
SHA1 0733db7babadd73a1b98e8983c83b96eacef4e68
SHA256 bb27b9efbe08b4ad85e6d41663c8c6572acdd61c45e2731ec5a288ea21b3ef4c
SHA512 98b50b6012efa66af89b8acd5f84c4eb35bbf9dd14815643fd8ee99e92133ff5339c70ca4ea90c4460b7f2a95f0ed95193822a698fece43dc2d3f8a5ec9a772c

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\CTMOUSE.EXE

MD5 8187bd2c296900d51c103c474776ffb8
SHA1 7334471c7dfb5cd41362281032f5bc608560c051
SHA256 f4cef8579a1699045c37ac0ddf03fe0ca361de5c1003ba375c3e08f01a546d01
SHA512 6b5b64d67d7d8fc08f127d5380633307295de72c19c63513779b9b21d9724014dac2ff7b59062bccf64b2b20bc4a0294db7906d5beff5947aaa284b60e1b2e31

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\diskgen.exe

MD5 a854b0cc4816cdcb88bbff94095bb67a
SHA1 b32f84d4eca665dba48391f261ac28bdae9eb46e
SHA256 d746deb5afb8441275cd1d639a333abfe2abf8cd632a0692223daa30ef4da366
SHA512 c5a600712de17ad99efbe5fca26349cd0e3f8d70b8ef6fe8f73e96c2a91c0e39a307e94b50ccf393cf1459868b60349219615c8871e0dfbe049b2dc2c0fe29f3

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\fdapm.com

MD5 d6b105b491cdd328788f568336ef774e
SHA1 202aca693f89d57a00584bb6d7c63d0a74448f36
SHA256 c986e326548d93220b6a6ae47decbf5bd19b6344fc89ca7128e2d477ebd6c0b8
SHA512 17ccf627cbae4a460b543a6c973fa6165eda9055c0140fb83f32f7ff0c779fe7620cefe0a9e2958127aac78d935f824bff49c4a231db531d6df82c4fb0737de7

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\fdauto.bat

MD5 9a4efad26e3907495b51b5ae92a6676c
SHA1 d3d30e817a9d4babc0fb1e9800543fa9863f3a46
SHA256 4bc47043780d40cf1bb09cc57439cdc91689d0725520f2542f47ad3e698fc181
SHA512 84c0dd21cb059bc67f0c2a541baaa42df06aa82b9141c36a94261266cbd290ead45ff14e23b31c6e8301003144b2dd14127c7bf8a66e0846b02774fbe34e3159

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\fdconfig.sys

MD5 2e7aa3a1b81f958c554622284968cb7b
SHA1 48b6b4c632ea947000bd6de71a91202c5d328909
SHA256 b351c58eb75ed7e17c75e45d84534af7a84e2b68eddecc54204e16fa902368a9
SHA512 b99814f34e1defc1a640c896964118534189051a9885b4a806f7531c5865dfc91799a4baba16ddeae77af7f2a9e726683c9a37b239c9aa7e325eca9c239b48a2

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\himem.exe

MD5 738c9970441873717e954baf4a9a97f9
SHA1 1a16e559a85b6409c90239aab4c4dc9240ca8480
SHA256 7b312ef953f1c6ac3ebf6098d18cb3a26d96e936e5e96a6c30b1837bd431ad6b
SHA512 8729037fdc29392ba26a090c7ae4892965827da29f68c9ba4b7889ce45f5b630ada1b54cb8955d3d0f26e542762f2c31c520158d6528184d0176c8af51644491

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\kernel.sys

MD5 18d296f40f06c8a26eda606c0031f677
SHA1 42568b259ad201bbbc20602aff4139171fef0d10
SHA256 f0ee1605aad08dd327502af98374bc237f4aceb953f26ba5432ecf4db34aeebf
SHA512 c00df3ec0b767a9597f8a64bd287e5602d458dbcd963d69c98ac77ee531956cc3afe41ef726d901bd2e1a831c1a27b26b26d92f70ce3b7f4c8678442d377f008

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\license.txt

MD5 613ba680f328db42a5969ca7f247b294
SHA1 ec84f2e0ba7749eacc21a4d734d37e6432058c79
SHA256 705bf00192ba29c754c7c9964bc42219ec51d837a67087eeeb14fc943d04d2ba
SHA512 def1f9df98071a5d61f2dfdcb3b5c7160ed6ae9497b9f4d8ad9272117db02ea620b7a7062216a2b2a6c6baad13af677215f224df2a22c101dff8b4334f3ba7e6

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\shsucdx.com

MD5 9135b1d3f92243170f243a677340444a
SHA1 c5a9e50ca098fee83d3d09f5a716abf42561219f
SHA256 81872ee962d6143f52f97e32e10366dcd0177856b36cec978beb7132be65d6f8
SHA512 04ca2cab3945f2092e7ead7224f4d7348eadb46cdc7581d45e6647fa701d56108562942b3f97f684837ebb1c524bbd5fe6bb067f0c79340da21ea4c314b0d960

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dos\xcdrom.sys

MD5 ec7da94cb533155fc0ffa4e1e595811d
SHA1 f8e7f70b75cac50e62fe8071678ceef245764370
SHA256 f6c3f3c048faf61e37793ddf789765d8cab315636be75073deb047d89e8bea31
SHA512 685e8231692004dc1c3f877b67b3f5287ecc4eb57b9f4ed5e6543a8f39ced8e854c636149c1741014dac1eb3e4badb6619e207dea2b42ba2ce50d32907fcc7d1

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\dsoframer.ocx

MD5 3f4fa9fd2adc31923165465f893e1680
SHA1 0a86bf87b7b30181690216e53957823426b76afa
SHA256 d5019a52524c63cd1b2c1b84af706c023b98b4eec1c2afdbcfe9c1dcb570542a
SHA512 bca51dd97c9a1c53debbd4e54a4d2900a45a577d493d29ebbf12ee92b539b8cbfd5e9505e9add6b96e7a74c7fc362fc1624c39ab656fb07ac967991c75f4f75b

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\Hdrwvdi.dll

MD5 7a8170537afaf5460b19adffb0a1af30
SHA1 f551a902f74498dd4ce77dba5f7169487a513d90
SHA256 ef7889f59643cf96a01ae1ff33b4074a45567d987a1bd1afceae6542a265cc27
SHA512 19ee1f4b63c95965ffbf9c50d87acea8b86a2732fa7239f60a8028eb151038e92bde238f9caac71e876440abe34e0b4c212321fd9a309d7971fc7183ac18d435

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\Hdrwvhd.dll

MD5 f2353d58b12e594f0a0db5b65b4495f6
SHA1 ffc8c55222749e8dc4bd947495d0ac2e88baf85c
SHA256 d8d493aae45535abeda88f4b335b300310698dd0229b4814db892d76fba988dc
SHA512 4b831f701de794b07366fd4ec4a32bab8b5cf577e3ebd2ed4ee338241120c4971b2ad8c7d94209dc33c30aeff817797861ce9a5d4a6ecd2a3c20e58379605a55

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\Hdrwvhdx.dll

MD5 07d225299fb30042f5aef71a3c8bcdc1
SHA1 38fe70feb2772ddeac989c98d7bc2ae2d480e6f1
SHA256 4c9471bdbeca5f946bec4009062bd369152ba11ff8cac07f83ffdfa2cd4a553c
SHA512 ee7f55ca4bdbb12808f7bf5cad6a1070909cc9b688f359a9adec49b2db64ef03f5a0009c33e1c4bd9db74727b6f4c7908dc1d7d11b8223a64f6e3e802537550f

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\Hdrwvm.dll

MD5 ecae9ad871291b0bb62790d7d9c6a2bb
SHA1 c513b09c57cc8107d72942c8ce8c11f15171dcac
SHA256 2d4312bf3683f6b8c3bd15a7050f6f7264152a3242f11922b2d57a8273a2cff9
SHA512 9f559f615cd29dd7c6c1320d826d8e6c7c7e310e565a9957d6c286855ce75d597fae90c73c2636e9dcb67cab03927cc25cab107e78379b13b0db462b0c564319

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\libwim.dll

MD5 00861a8093810b20ec8f498e3d0d5eb8
SHA1 b2ada1ea262c87e8af62ee9a0ad8247f698ac375
SHA256 43191ab5fdc7407303ac444b1e9629da0517135eae50066ce38ba26eb0204f3e
SHA512 198f556cffd6b9430b333cab915abb610a42099ca1aff353bd0b32e0e34778b10eee745f9830714f2e6686d61e240a187e98d05fc3613fddeeba3b3cdd9a2e37

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\license_DG_Jp.txt

MD5 d84ff72308265da4649346b7a231c863
SHA1 1583b103020ef770a355e5f4e497d9d8310c9575
SHA256 2c8a4227906a7c1ed6ebd61c63429c5a830de3b93b5fb6086e8032e07e7f307e
SHA512 1aaed6421498dfd42488654b495e8f3022277362ea84a37befc6dbdc82290383e6db677e087c0e583c29e08910a03c634e6969b8db46df39581d743dce9f9d17

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\OfflineReg.exe

MD5 7ec196b27c92f196bd24f5cd472094e4
SHA1 69971396293af487c9a8195cb6e8057ef237d297
SHA256 c48ce0d50ab8989bac1ef0b8dfcdbcaf9be4999448623efa9343d8b38c04108d
SHA512 9f6906b7746b91f9251fd45b27854364ff17e4992517f0593ffc1d4bbc939a6ca43284c5a11ee7595f6d373a893e8bf6755ad086a98cd0d20b459dad88445150

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\releasenote.txt

MD5 81e42cd8ad8979723e1ed4867a441fc5
SHA1 87f2411b2013677b5fa6aade3066e8a1617c0cd0
SHA256 608bc97cb57f685c272e5913eceb1069160e698a53704e0d93c77d131c03d757
SHA512 6a733495b6226c64de8fe5012dfcb72485c7fae50e0b34ea3b207f0eec5e2ce732ae466a164abd30c662fb7b92ebd4624751f7d074728fdd58a95b4c69485f89

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\SDL2.dll

MD5 0c83d629d47895ec130cd791f33e3c90
SHA1 08364418ee9c81cd7f82305aa3dae9e2e37b5c66
SHA256 149781bbcbd38dfe6a0b71200adf7593a4af7bfa3e44975abc7144da494c1fe5
SHA512 05003534f7b363b7db45f0b5d713b500e7b7a44855bb3288769edd190c6bbcce308685d4360af3a60e7323a158b242ab39330925c05275c6cb98c08947629a20

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\swresample-2.dll

MD5 262200460e7fa06d8eda710d44ceee52
SHA1 39b0fd571148eb095d77588eedf59f0470d30dc7
SHA256 10f14d69832f35bd8be64bb1fe5b7f181298c0c037633b9af69664fd836ff4b2
SHA512 48028e2f38e23382506f3db950275dba15d59f9e8fc8db81f3a418eb441eeebc6e140e1c171115999731c04f5f759fc046053395eaa994e40f18bdbe7ee7ad18

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\swscale-4.dll

MD5 47390b142be15d2114f555e1aecdd98f
SHA1 1a05ade05a95774676ca16311a5975013f2bf57e
SHA256 416e4edf961fe5f26ee43894cce28b7dd1e4c86413f79262bfd69e26283d51f5
SHA512 fe5f4101dd7e55889a6a48f9f9d4e022505b54843d23b52bdfa9760194611ef0b367668451b6a114c3dfb7976034eca8cabdc0a3b638aa6f99df9dc32914fcb0

C:\Users\Admin\AppData\Local\Temp\~5302922757353172526\VPreview.dll

MD5 9d8a94ea7e162a7b89d07d5599112662
SHA1 bc145819f6e6d63e8d80393089bf18ca3e51729f
SHA256 e73b4fccc9213d5dec7af154aa22f3abe0cdb23818d217bf143424170fbb350b
SHA512 999db99a234e3ec60010bca72f29c01ec6703c3227fad324a09c471be9dfc5ec7314608986957c25e594b8142130e0fd697ee8a92b83e842da0028ec0a25aeca

C:\Users\Admin\AppData\Local\Temp\~6319743501780032208.cmd

MD5 14ee7d2144d8120e0cb1443510cabd0c
SHA1 9fdabfe5de77cda6e97773d5f7e05535214ac6cf
SHA256 a4b76dd197ca3b68b5b6779a4454a2994b06487b72d86e6628c649cf131af642
SHA512 94aafadb77911b51bd14db63a8128d610321ce05a0161e890a92d0e8e0256acad509c4ddbca2e91fd39a79a2825e241862982a97be1866c87755bb3aac716050

memory/2700-197-0x0000000000400000-0x000000000056E000-memory.dmp

memory/1460-198-0x0000000000400000-0x000000000056E000-memory.dmp

memory/1460-200-0x0000000000400000-0x000000000056E000-memory.dmp