4b246be91cb37f662827dbfb616b3a0cea66c9ee8db0eeff3808bf057b2b4738

Resubmissions

21-05-2024 15:59

240521-tfcgdabb36 7

21-05-2024 15:51

240521-takwkaba8w 7

Analysis

max time kernel
413s
max time network
411s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

echo.7z
Size

17.3MB
MD5

e0499900323a2a13e715c79df240c8cc
SHA1

aab068f2af116efa533c46e42424f16f3eef90b6
SHA256

4b246be91cb37f662827dbfb616b3a0cea66c9ee8db0eeff3808bf057b2b4738
SHA512

f3b2d599431082f4a0591888ba12ccbf9dd518da64004092ee8dbe8fbff75fadee119694b766dff8cfcebb722600b46b950134304ead0d05069ad588a82d0cfb
SSDEEP

393216:URxIrNnI6f7uzW4RyQZecNoTyBNoQKwKhGM4/kOh3Kv:qI6qqzW4RyncN2wNRKoM4de

Score

7^/10

agilenet upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\ollydbg\Plugins\idaficator.dll	acprotect

Executes dropped EXE 9 IoCs

Processes:

OllyDbg.exe1058352281.exe1058352281.exe1058352281.exe1058352281.exe1058352281.exe1058352281.exe1058352281.exe1058352281.exe

pid	process
3448	OllyDbg.exe
1556	1058352281.exe
2008	1058352281.exe
3976	1058352281.exe
3240	1058352281.exe
5268	1058352281.exe
6008	1058352281.exe
5104	1058352281.exe
5416	1058352281.exe

Loads dropped DLL 51 IoCs

Processes:

OllyDbg.exe

pid	process
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/5416-3240-0x0000000000400000-0x0000000000FA7000-memory.dmp	agile_net

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\ollydbg\Plugins\idaficator.dll	upx
behavioral1/memory/3448-506-0x000000006CC80000-0x000000006CD1D000-memory.dmp	upx
behavioral1/memory/3448-925-0x000000006CC80000-0x000000006CD1D000-memory.dmp	upx
behavioral1/memory/3448-980-0x000000006CC80000-0x000000006CD1D000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

1058352281.exe

pid process

5416 1058352281.exe
5416 1058352281.exe

pid	process
5416	1058352281.exe
5416	1058352281.exe

Suspicious use of SetThreadContext 54 IoCs

Processes:

OllyDbg.exe

description	pid	process	target process
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5268	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5268	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5268	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5268	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5268	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 6008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 6008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 6008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 6008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 6008	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe
PID 3448 set thread context of 5104	3448	OllyDbg.exe	1058352281.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5288 5104 WerFault.exe 1058352281.exe
384 5104 WerFault.exe 1058352281.exe

pid	pid_target	process	target process
5288	5104	WerFault.exe	1058352281.exe
384	5104	WerFault.exe	1058352281.exe

Modifies registry class 64 IoCs

Processes:

OllyDbg.exeOpenWith.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\MRUListEx = ffffffff	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 560031000000000071427c5310006f6c6c7964626700400009000400efbeb5587b7eb5587b7e2e0000003fda0100000007000000000000000000000000000000c9c621016f006c006c007900640062006700000016000000	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1 = 5a00310000000000b558667c10006f6c6c797061636b0000420009000400efbeb5587b7eb5587b7e2e0000004ada0100000006000000000000000000000000000000288716016f006c006c0079007000610063006b00000018000000	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OllyDbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\NodeSlot = "5"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OllyDbg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OllyDbg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OllyDbg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OllyDbg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OllyDbg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OllyDbg.exe

pid	process
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeOllyDbg.exe

pid process

1836 7zFM.exe
3448 OllyDbg.exe

pid	process
1836	7zFM.exe
3448	OllyDbg.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exeOllyDbg.exe1058352281.exe

description	pid	process
Token: SeRestorePrivilege	1836	7zFM.exe
Token: 35	1836	7zFM.exe
Token: SeSecurityPrivilege	1836	7zFM.exe
Token: SeDebugPrivilege	3448	OllyDbg.exe
Token: SeDebugPrivilege	3448	OllyDbg.exe
Token: SeDebugPrivilege	5416	1058352281.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exeOllyDbg.exe

pid process

1836 7zFM.exe
1836 7zFM.exe
3448 OllyDbg.exe
3448 OllyDbg.exe

pid	process
1836	7zFM.exe
1836	7zFM.exe
3448	OllyDbg.exe
3448	OllyDbg.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

OpenWith.exeOllyDbg.exe1058352281.exe

pid	process
4796	OpenWith.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
3448	OllyDbg.exe
5416	1058352281.exe
5416	1058352281.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OllyDbg.exe

description	pid	process	target process
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 1556	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 2008	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3976	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe
PID 3448 wrote to memory of 3240	3448	OllyDbg.exe	1058352281.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\echo.7z
1⤵
PID:4888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2688

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\echo.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1836

C:\Users\Admin\Desktop\ollydbg\OllyDbg.exe
"C:\Users\Admin\Desktop\ollydbg\OllyDbg.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:2008

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:3240

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:5268

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:6008

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 188
3⤵
- Program crash
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 328
3⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 5104
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5104 -ip 5104
1⤵
PID:2520

C:\Users\Admin\Desktop\1058352281.exe
"C:\Users\Admin\Desktop\1058352281.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\ollydbg\ICO\BUT_IMG_COSTUM1.BMP
Filesize
1KB

MD5
a9b4e130c97914265a93e38f6dd8d09d

SHA1
1d05a8af0905a5e9d909a203c5da59b0bb4b6455

SHA256
a01728f46bd2ea6f773c45c71ec31a75858023c8d8738b2c238842c0c7cc0dc0

SHA512
84b39d242ab98091cf1ef746eabcf070f91ffedd70a0837543ade9549029a428e1dd52307c4e379bb30fa8ba0d7531917d543ffe89cb5031f451b28f9fd87d5d

Download Submit
C:\Users\Admin\Desktop\ollydbg\ICO\BUT_IMG_COSTUM2.BMP
Filesize
938B

MD5
68086d9072a95ca53d858e8986968ea4

SHA1
a02d43d1f1f0c5d4751ed7937ca6e490536b0d15

SHA256
7fb64e30b734721ac965f8ccc32192438e0ca112c44f424ce8c7a65fe7b7b23a

SHA512
c54f7093f501d6aca9274b416be4fcdfb5a2c58a79653b4fa862293ee847b7e7b0e55969d7cfaf4708c077f8130a1da5f7e47d7d4ad41ef7b15274f4fc0f105e

Download Submit
C:\Users\Admin\Desktop\ollydbg\ICO\BUT_IMG_COSTUM3.BMP
Filesize
1KB

MD5
4760d737698d910452c95981c66519cd

SHA1
557313dbb0b8a29d682ed6c415f5dcd9413ae940

SHA256
8bb3410f6165487206bef5121f0ecaa03ed1d123ab1f7d11323007b884c3f0fe

SHA512
03257217b2922e9018ef2266997009a5e90256113e21cb4083fae7b6f5502019cc531f55416879d73ac46b1634cc23041e4a0936b67232ecbc4e81bae1de56ad

Download Submit
C:\Users\Admin\Desktop\ollydbg\ICO\BUT_IMG_COSTUM4.BMP
Filesize
938B

MD5
2b4d229b10bef193f852a6b3635f0555

SHA1
39afe0fe36b3dc27e9d16df79ed965dc99838778

SHA256
cc9c68bcd497fea1e606ab99370bd0265b5f2d647b9d2018227993784e362ff3

SHA512
54620c7d0c7ee314db2da85c51b9d8a701c8e655f1ea8b936c448e60f9001b25a171b754fe1592383c31dc9b8e5f1cd0fb7f677ab245d397b32ce349ccfc85c8

Download Submit
C:\Users\Admin\Desktop\ollydbg\ICO\BUT_IMG_COSTUM5.BMP
Filesize
938B

MD5
4e7a0a016df0b31722ab3c8a10aeacf5

SHA1
d27f2548720de4a00089017214bb2fa01fab1318

SHA256
eb60111128a417689a2f5d6b4a82ec57f2264ca3855dad209b33dad20853afd8

SHA512
17e618b96b4ea8917af26e5a4f1c9630b40847fa9c12949747968ae2c9de76547218d42bc23c435f4f288cca758b7a4e50885f505a26b2e9ac51393497a3f859

Download Submit
C:\Users\Admin\Desktop\ollydbg\OllyDbg.exe
Filesize
1.1MB

MD5
ce17be28fab044e0ecc76cd721170803

SHA1
ecd04ffe9d64303d9d0a3f53814a09dce70bb843

SHA256
14a0424c2940bda2d86169f5936345276b6f71409e6d656c0e721f43216fc563

SHA512
e78961acc4055294b0f9a82485d0ebe5e4d67858e5d95103f4a418c5d38388c4050d792fd58faa4d9859d273877edf7e6db90cb7de680a581c077ff8610e097d

Download Submit
C:\Users\Admin\Desktop\ollydbg\OllyPath.dll
Filesize
7KB

MD5
0babc537f3a189141ca724e84703d35d

SHA1
a2159420f5222f4cecc2b86cdda0cf500cc56ae9

SHA256
5d1e1bd2f1278d3527f1bf23c7a915767d72be69284709cd373134fb0ef88f2f

SHA512
a4e90624aa897e9b07bf05bbc043530cb5c4dc07345cdc83e871b381a499b6b18152543a9a4bef8733261b36e200052e3ab3381e604c8a8c05348861eaa41c45

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\Asm2Clipboard.dll
Filesize
44KB

MD5
5a9bcce60dce9ce4754a4d76ea37e3ac

SHA1
2f547e31c2dff4d8eaa79d07b2855724eec026a2

SHA256
9628e88144a89d4bb9093946fcf708224c151a2a2624ebc2ea69af0d4bb547d0

SHA512
d37e12b563813ccb31c7709fa18adce63347046279b1fef7994421f2306093d3e5feda90acc5d5fa8d1eb7dba5957b8477a3852bccd501baa61021ddfa6c3053

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ClearUDD.dll
Filesize
44KB

MD5
db63cd1b36753508d491291bf3ad193d

SHA1
5f0f837e28621c655a24ec47436ef10b83bcc002

SHA256
c3dc500b689d82a1d4b379b4a8dddf18e915d282ddf9c5296a3982e0432b812d

SHA512
a747e953e69e7ae00519e2ba2f7669b297c80e7c779daa906842d0e6765593dc11475882385e996245f6f7866c71a77b631fc2df77ec584367a7689e6f6f0a18

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\CmdBar.dll
Filesize
69KB

MD5
59ba282190a4d81f3fe31b6886decb83

SHA1
8edbfd1055996ce2b0198ae782483c14f587ffc4

SHA256
f8bdf6449c1ac4041717cd0e77d809fff3b2b6a735205b7988a174b7e0434b4f

SHA512
a88e78b3de2bd1cc19b4f6c98e2696d2febbb03903012d411938bf6eacce40c0b5c09958b073d4e1b80edb2b5dac2dd867d6f7aad7bdfdef9fa2b801641e1813

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\CmdBar.ini
Filesize
83B

MD5
ca0c5935aace83061fffc05998ae7519

SHA1
7761b0408d1f993f707e87cbbd3395335e80ee96

SHA256
6a268d70349168a4c88c0aef27fcf9986d8b9745973308476432b9a36bbf7403

SHA512
7d9cfff4e35b8d3d3b413f685d7f1ce0eb0e68eee62df6096b788d114233f0f34c1a06613e05ff198d660109bb39edfe5fe6117c551a8af7f61a7612122500c3

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\DataRipper.dll
Filesize
118KB

MD5
566f1d0f3293cb97f77490f3523f0442

SHA1
21921140f31bdf8eb9c0825386f670bcbd2c5e1f

SHA256
1914a0136fc8c1fa1cca45496ebd59cc82789c64057f5df0fcc72da96f66c475

SHA512
b6f04a5e3ef9755f9264cb38ee7e07465dc00a066ab3273f6757d8f9327a15c811dc7d8596536a0b7c646788653c2028c51de8079d3b77591bdf5b833e5c64ec

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\HiddenThreads.dll
Filesize
20KB

MD5
d32b352c9fab2feea13193503acd5d25

SHA1
1b1e03a3c2330126f755b836357e3fa059b40c70

SHA256
b62f890797226199ed0812767d170b34aef1977b16bd0c887e2cc551705719ad

SHA512
aacad90eaa4cec3cff533283cecb2c8eef5fc7bf6d10eb84a29b2b9ea12b85acd75bf581f9b68fa3144d2c020ed5287af317c8d35496c0e6e371427e55c29e61

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ICanAttach2.dll
Filesize
20KB

MD5
071b3c65cafcdf54c5fc7d24e9a5412a

SHA1
dc59d7adafefc38ecdf7efe5e5cfa6aba699ed3c

SHA256
94c2c7d999273d3b01c22c327b03025e4c5fd83dca11f98fd2c3f224cfacb0c8

SHA512
dfa4f53a024713805b1b2d767fa91a336a020fbb257d0e0958ff1aa3bada1d0391ed6ba31fa2106742363c10117516e192576a3bffcdd58bdade9588a6671e61

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\MnemonicHelp.dll
Filesize
11KB

MD5
cf1bef4978d4bec45372ceb5d1858d18

SHA1
3eb2d730f9327f0c856d38e5db68ed64f9f1e63c

SHA256
884436231fc161349d054ffaead6597381689f1304a99f5875d285d7254b478b

SHA512
987d8dc90faf50bf6b527c5642371b671532344d807c009fdc4cb470296e64f744a25b6e3681d3f9af13f931c698ec32a85636cd20faaecaea287c6541b34a32

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ModuleBCL.dll
Filesize
104KB

MD5
be3daf92eef36093251bfad828a99a87

SHA1
7c977899da429993ec21f1a88b0d28878d268267

SHA256
1c92c966efc690b183cb020eaf46c44d42358b582e8b656e2e115a584f33b3e1

SHA512
6f9f1edb5e79bfe503ec076b6d7caf1d84c81350bf1e6172a881e1fdcfed0841233998d26040c19e09f64fabdcbb3a4f44a1ca463b27eaf5a8b2fcf3c3f138ae

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ODBJscript.dll
Filesize
2.2MB

MD5
e27579e37fc7a902dfe60b788940b4a4

SHA1
4939587fe3a4add1e3a4f0863b8ab6bed33e82af

SHA256
a9862066279f217da1676750e08009653440e91f6c2555523b33385162f3f708

SHA512
47d40e644ab7901b28075c1b6ab5971fbfa4a5a71e7730734af6bd8d846eafa4b039a5cd16464a2049ff2b7c3849020b21211329c1dd91f2a148e8f5a0f62a09

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ODbgScript.dll
Filesize
232KB

MD5
f817294016a04e257edd8602a8a00e35

SHA1
42c227fe132ee2df80929b7f65fc1541b7e4c8c7

SHA256
b6d752aea6b5ea346f35fc0a649aeb54284edc9d39bac1609a543634a9423c9e

SHA512
7c178f4b0536b30aa34a29ae50bae133494d17496f1084591e22131193cd908ef0e6a09e18d05d76bf8fbd06c9d3764e3ff2d4d76e0027ff28206460bb2339fa

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\OllyCopy.dll
Filesize
26KB

MD5
e5ef8ef1b0b3576b9c7388756e465dd1

SHA1
0a5dd30bd50c7651984728530d6e16986c432537

SHA256
eedcf0ceacf6b8c18cce7292845b330d5ff9d34078f9264dec0c43210456f5e4

SHA512
647e7f1acadc6ba7b0f5947fff4d6284000337f3b787d6ce598775603521d5f9421c99ccde948263cf377e05e47e2733cc48eb8e3ef55f1f9cd0af63ace0c242

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\OllyFlow.dll
Filesize
60KB

MD5
beff405fe2ee3f695df2326c316e6106

SHA1
dd1563d35762bd4fddcd49015f5d436d65d0877e

SHA256
e5221887f6c2d6772899409d7b1f31106527c91ba58279b6ada86fcbaa016a6d

SHA512
9daae312e7ee891bb349a8d47f98530bdbfd3dda79d61e4150587931a678924b2a77543d2cfb8890db2c806b5fabc1d338bca8b66750b1856043fd058c540a50

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\OllyFlow.ini
Filesize
72B

MD5
2df913287d281b6257cafb1374792778

SHA1
bfba0b8da2cfd99e3951e7d870824fdf2baceeda

SHA256
4504f28034facd36831e8f8f64477bc5a1cb983907b91bbfc356395ca1e930f9

SHA512
8debb17a041ae312e8e18b689f771c289877d9306da9cb8cd3bc17f011f3e1e5061e39b3d55c7655eb069b665387d5a4feff6bfba364d95f1ad499bcaca4a0b9

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\OllyWow64_0.2.dll
Filesize
20KB

MD5
402bef86d5cab24d5f3124bf91a28bec

SHA1
38eb61735c8d968675242542be129a0bbceb4a66

SHA256
13ac858d99a2a5e75431f3d913603c1d6890a6845487bf05d2cfb876a4d03a50

SHA512
be97374a920839dea05f54fb94e84686989f58495bae3b737f097d7191dee4a307cac0ff3436033324ea98a75daaa78ba0ce30618d0e62b5a1eb2734f9725246

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\RemoveCriticality.dll
Filesize
20KB

MD5
b39116cbbc3fe0278d9ae20ba5ae661c

SHA1
1b54e2c3e52bd416deac712ad02f93121115a4bf

SHA256
c4356739502ba088dc2562c40195db2469437bee6ca20cf468e5c94c9a9a855e

SHA512
f0c64eed3754ec7c7b2a7fb542dce0c5f64cef0762ffd4d64a021474be789de00e370cf19eb5b2228fbbabd176b9dbd86fb2235b410855158d21fb24d9575101

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\analyzeThis.dll
Filesize
9KB

MD5
4c815ff7eddbd5a88773beb11bad097f

SHA1
9498e0851459b0fc103f12c97fb24c256d8b6705

SHA256
fd67ae2ba9394c251c95e04c9bcc0c1fdb8d3c53191299dfb846d1bf1ab7e704

SHA512
572a4a5a2be1a1c80a59a05e8eb4796d9d8c3b4887f0901c6e003e30cb1d6ba8ee3cfd75a0187ae8e94c124db733c58c7ca9fbe1f72713a156de08cff6a6ecad

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\bytes.oep
Filesize
2KB

MD5
ba3dd49a09bc1fb6227b76dd2d70ca7b

SHA1
71f78365af25b1ff17b0f3affbde54db42505b2d

SHA256
3f16d1e840b2286347f213333640e94cc56b710fea175ae9f1629d352fb17d33

SHA512
7a0eacc0aa16b589332a4a76159eddb81f07e7a9ffc05522d37d2220c229fb173055614d7545901ce69879a58efc54aacc07a2dce7c76cb3693c55607edc61ae

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ida_sigs.dll
Filesize
14KB

MD5
7b52f936de7a0cfd615938591687eb06

SHA1
860f8f47bdaa2ade90e997ccff2b3cf235279852

SHA256
1337646819c0c53da21ba441aeb7f44bd426cc22073619f2330037d2bd6c5a81

SHA512
8fb12c574f09bb1df7a6048ff16c7828e00453ffe6faf688d583198843bc11df08cddf3da1b85de6ea7f06883ea6564e1c92fce35cd529da7b7ae8a4632a913f

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\ida_sigs.ini
Filesize
73B

MD5
722cd9e32565880363038fc1a65e8bbd

SHA1
73687ac4ddf295bfa91d36e4c6b9857b17f7b261

SHA256
c8fe429bc12d79a96557973ed413077c4d65821ebc3223fd9d3a08b98d3613f1

SHA512
12d1df3c041a535a0aceec738f29dd014ab3572de318328c1dbb7a1e542460c57ab53010604e0c76706b89be70d5fb0174cb475dbe5130268e9547834e9f6ebd

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\idaficator.dll
Filesize
265KB

MD5
3ff5a0b354b07d26aa9be6c054f5afd3

SHA1
8837c1143202051085693ec20b9d686d7f264ed2

SHA256
e70802ae644ae146764aa850608af8344b5ae2308a3776215b9b8adad91e1fc5

SHA512
613eb9ce53df947ff00052517ef260a5543d53085907bd1da46144c8d2fddb6944666132ea5d7edfdc31903418152f229eaed3f72ac78422a94d2065e28f9a08

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\multiasm_odbg.dll
Filesize
147KB

MD5
9902e40190f0020ced7e3ba8eacb1c62

SHA1
f76b5c6d13d3124e5368e6a2a181179ccb236a38

SHA256
44a22052c681cb8dd088d0820b620084cb3a5d67b98aa5d831c05b2dce070eba

SHA512
b14b55347813c1e5f370297c56ee5c685ba0bee57625d1e67933327434ca2dd2f0c8e3a44477b3941d8e1fc6de9698ebe31204aa9eb86d4747f33598c505519c

Download Submit
C:\Users\Admin\Desktop\ollydbg\Plugins\oDump.dll
Filesize
20KB

MD5
1aed3d6720b1dcf0506be03319e8e12c

SHA1
e2fd1a7c149546cc92a355fbac5c9f672978ed14

SHA256
ed170b8f58da5c8ff6d33a7d7f488bf97f70b8a5670d5b8670b752f1f44d548d

SHA512
291dd6a680c7e20f06405ca52c6bfc6c3c9950947d16e448e112a7b7e6714c424c5fbf8ce16448e4cf9ffb45f4b613dceaea180856bd33c53746b89b91510a37

Download Submit
C:\Users\Admin\Desktop\ollydbg\UDD\1058352281.udd
Filesize
10KB

MD5
8b0a75e8a3d73b49bf5f500ab6047ecf

SHA1
87f2077245b3e4018a0e7d779348996fbf3479f4

SHA256
f7a7f9b9e49f423e8c30f29eabeca77eb6b1b8e2d9ef2c96aa13ded440b6b043

SHA512
961b0f891fccb9034fbbb8c90f210b908a119f19f209be7df024513414ef4a70adee43a5ed53c9adb6f9b5cb061ef9a6427bdde866a81807d3ef65e67cda6237

Download Submit
C:\Users\Admin\Desktop\ollydbg\UDD\kernel32.udd
Filesize
211B

MD5
3ea3952b61368be6ecdc4cae6a16de40

SHA1
0d5096e56551ea52b430fd9736591b61af217f14

SHA256
5d1352393d9259cdfffe2373f598d2555876e767e6e96a3651ca5c1260f4240a

SHA512
3abb3e3eb27582ebd4306ddd32254caa537eba2df9d500207300a248560be2218cd3d1364c2b9943c99fc3316bc888c878729fe5cbaccfd5eeaadef85e01ce67

Download Submit
C:\Users\Admin\Desktop\ollydbg\UDD\kernel32.udd
Filesize
228B

MD5
3bc49c51c0dd1711a898644f32ab04cc

SHA1
bdbbd22eaea727ffdc648d70d18512fb811b61a0

SHA256
e529a16cfa6cd691c24c7c92cdbbfa16d85f572ad291049c3a4818c0c9a1b7d4

SHA512
0239669a892d21bbb26132850c1cb25499261dbe55e047efbf5c1ee7f0a3841f4d05a07c901420e3921fa49f6a636abb0a445e3720d71a25247e7d3e292fb0a0

Download Submit
C:\Users\Admin\Desktop\ollydbg\dbghelp.dll
Filesize
1.0MB

MD5
379afd26403cca7908f4b39c1ad0a86c

SHA1
3e787ac853c7608b725a2020380ed2364cb00f04

SHA256
cbc2285624088f24550bac9e5c56624ca72f1c3cba3bd51e55f50aafa409581c

SHA512
2e3236277254e351ccb5b189f1dedbea7a9688690c661b6ef602cc4969a435d762693a83b894573e732595b714f36428189bdd330b875991f9cbcc09416a588a

Download Submit
C:\Users\Admin\Desktop\ollydbg\ollydbg.ini
Filesize
12KB

MD5
3c7e9b2e91aba89c288b31c32275f1e4

SHA1
7c756064d4a70e6fd79978d86267d28be5afcead

SHA256
829d23f00ef356fcdbf5c8b47dbf213e6e4478df761ec6aaa042fdc0fc369b5d

SHA512
868538f55c1df9d55051c5c4ed5cce29f2e9cadb8543610334bfdefeaa302c840bd9e6ce4bebb5854313eeffd42b40df1161d84d0635a5a5b109aa35b67e479e

Download Submit
C:\Users\Admin\Desktop\ollydbg\ollydbg.ini
Filesize
12KB

MD5
58561d0fda8c1ea2fcbbc86a4bb13074

SHA1
aaae22616f2c1b17320393f8ef00593b0f444d10

SHA256
1029e80150a077b3351331be7bade81019e49c252651571c0abd97481f686ec3

SHA512
b7d5b096fb4561cf788f783d7a2c5c864d155f4b84f7b3aa9e20bd25f0a50321c9b4ca65e683274c60d03b38b6c56e74cf11ea664c26a6f6713d3be2b8fb53cf

Download Submit
C:\Users\Admin\Desktop\ollydbg\ollydbg.ini
Filesize
12KB

MD5
9bb4f2316f395c3e9ef747cc0186ea7c

SHA1
550615394fbf38a051d46700702a14f5e159d1da

SHA256
1526773bb58a2c5b539bdfb3cdcf73fccf53b99765fbd1d4a0573fb219690f01

SHA512
3c1a26604dfca323d2670ff685f6ec63e91b598c838bf00f728b165964578cc6abd05a25c16442cb251b0b3498310e4405296433c65e07e1ca094533abcc5d17

Download Submit
memory/1556-919-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/1556-975-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/1556-931-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/1556-965-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/2008-1508-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/3448-932-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-2806-0x000000000CE00000-0x000000000D9A7000-memory.dmp

Filesize
11.7MB

Download
memory/3448-660-0x0000000007190000-0x00000000071A8000-memory.dmp

Filesize
96KB

Download
memory/3448-661-0x00000000071C0000-0x000000000724A000-memory.dmp

Filesize
552KB

Download
memory/3448-663-0x00000000038D0000-0x0000000003982000-memory.dmp

Filesize
712KB

Download
memory/3448-664-0x00000000038D0000-0x0000000003982000-memory.dmp

Filesize
712KB

Download
memory/3448-635-0x00000000071C0000-0x000000000724A000-memory.dmp

Filesize
552KB

Download
memory/3448-637-0x00000000071C0000-0x000000000724A000-memory.dmp

Filesize
552KB

Download
memory/3448-920-0x00000000076D0000-0x0000000008277000-memory.dmp

Filesize
11.7MB

Download
memory/3448-921-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-925-0x000000006CC80000-0x000000006CD1D000-memory.dmp

Filesize
628KB

Download
memory/3448-926-0x00000000038D0000-0x0000000003982000-memory.dmp

Filesize
712KB

Download
memory/3448-924-0x0000000006070000-0x0000000006089000-memory.dmp

Filesize
100KB

Download
memory/3448-923-0x000000006BA40000-0x000000006BA4A000-memory.dmp

Filesize
40KB

Download
memory/3448-922-0x0000000069F40000-0x0000000069F48000-memory.dmp

Filesize
32KB

Download
memory/3448-626-0x0000000006E40000-0x0000000006E51000-memory.dmp

Filesize
68KB

Download
memory/3448-557-0x0000000006990000-0x0000000006BBB000-memory.dmp

Filesize
2.2MB

Download
memory/3448-941-0x00000000071C0000-0x000000000724A000-memory.dmp

Filesize
552KB

Download
memory/3448-937-0x00000000038D0000-0x0000000003982000-memory.dmp

Filesize
712KB

Download
memory/3448-522-0x0000000006730000-0x000000000678F000-memory.dmp

Filesize
380KB

Download
memory/3448-969-0x0000000006070000-0x0000000006089000-memory.dmp

Filesize
100KB

Download
memory/3448-966-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-506-0x000000006CC80000-0x000000006CD1D000-memory.dmp

Filesize
628KB

Download
memory/3448-976-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-980-0x000000006CC80000-0x000000006CD1D000-memory.dmp

Filesize
628KB

Download
memory/3448-986-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-997-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-1006-0x0000000007410000-0x0000000007435000-memory.dmp

Filesize
148KB

Download
memory/3448-1033-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-1267-0x000000000BA50000-0x000000000C5F7000-memory.dmp

Filesize
11.7MB

Download
memory/3448-479-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/3448-473-0x0000000006070000-0x0000000006089000-memory.dmp

Filesize
100KB

Download
memory/3448-469-0x0000000006040000-0x000000000604C000-memory.dmp

Filesize
48KB

Download
memory/3448-1775-0x000000000CE00000-0x000000000D9A7000-memory.dmp

Filesize
11.7MB

Download
memory/3448-161-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-2622-0x00000000076D0000-0x0000000008277000-memory.dmp

Filesize
11.7MB

Download
memory/3448-2749-0x000000000BA50000-0x000000000C5F7000-memory.dmp

Filesize
11.7MB

Download
memory/3448-621-0x0000000006E70000-0x0000000007181000-memory.dmp

Filesize
3.1MB

Download
memory/3448-158-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/3448-3232-0x00000000071C0000-0x000000000724A000-memory.dmp

Filesize
552KB

Download
memory/3448-3233-0x00000000076D0000-0x00000000077C8000-memory.dmp

Filesize
992KB

Download
memory/5416-3391-0x000000000FFF0000-0x000000000FFFA000-memory.dmp

Filesize
40KB

Download
memory/5416-3284-0x0000000006620000-0x0000000006686000-memory.dmp

Filesize
408KB

Download
memory/5416-3244-0x000000000B6E0000-0x000000000B9A4000-memory.dmp

Filesize
2.8MB

Download
memory/5416-3240-0x0000000000400000-0x0000000000FA7000-memory.dmp

Filesize
11.7MB

Download
memory/5416-3281-0x00000000065D0000-0x0000000006614000-memory.dmp

Filesize
272KB

Download
memory/5416-3282-0x0000000006530000-0x0000000006552000-memory.dmp

Filesize
136KB

Download
memory/5416-3283-0x000000000F4D0000-0x000000000FA74000-memory.dmp

Filesize
5.6MB

Download
memory/5416-3392-0x0000000010180000-0x0000000010188000-memory.dmp

Filesize
32KB

Download
memory/5416-3297-0x00000000066A0000-0x00000000066AA000-memory.dmp

Filesize
40KB

Download
memory/5416-3298-0x00000000066D0000-0x00000000066EA000-memory.dmp

Filesize
104KB

Download
memory/5416-3299-0x000000000F3F0000-0x000000000F3F8000-memory.dmp

Filesize
32KB

Download
memory/5416-3312-0x000000000F400000-0x000000000F40C000-memory.dmp

Filesize
48KB

Download
memory/5416-3326-0x000000000F470000-0x000000000F48E000-memory.dmp

Filesize
120KB

Download
memory/5416-3430-0x0000000011100000-0x0000000011108000-memory.dmp

Filesize
32KB

Download
memory/5416-3365-0x000000000F490000-0x000000000F4AC000-memory.dmp

Filesize
112KB

Download
memory/5416-3352-0x0000000010010000-0x000000001007E000-memory.dmp

Filesize
440KB

Download
memory/5416-3268-0x000000000F180000-0x000000000F212000-memory.dmp

Filesize
584KB

Download
memory/5416-3243-0x0000000009CF0000-0x000000000A6E2000-memory.dmp

Filesize
9.9MB

Download
memory/5416-3378-0x000000000F460000-0x000000000F46A000-memory.dmp

Filesize
40KB

Download
memory/5416-3444-0x0000000011180000-0x00000000111D4000-memory.dmp

Filesize
336KB

Download
memory/5416-3431-0x0000000011110000-0x000000001111A000-memory.dmp

Filesize
40KB

Download
memory/5416-3496-0x0000000011250000-0x0000000011282000-memory.dmp

Filesize
200KB

Download
memory/5416-3483-0x00000000111E0000-0x0000000011210000-memory.dmp

Filesize
192KB

Download
memory/5416-3470-0x0000000011140000-0x000000001114E000-memory.dmp

Filesize
56KB

Download
memory/5416-3457-0x0000000011130000-0x000000001113E000-memory.dmp

Filesize
56KB

Download
memory/5416-3510-0x0000000013340000-0x0000000013358000-memory.dmp

Filesize
96KB

Download
memory/5416-3557-0x00000000137C0000-0x00000000138D4000-memory.dmp

Filesize
1.1MB

Download
memory/5416-3572-0x0000000013760000-0x0000000013786000-memory.dmp

Filesize
152KB

Download
memory/5416-3560-0x0000000013700000-0x0000000013722000-memory.dmp

Filesize
136KB

Download
memory/5416-3544-0x0000000013690000-0x000000001369A000-memory.dmp

Filesize
40KB

Download
memory/5416-3586-0x00000000136D0000-0x00000000136DA000-memory.dmp

Filesize
40KB

Download
memory/5416-3644-0x0000000006F00000-0x0000000006FB0000-memory.dmp

Filesize
704KB

Download
memory/5416-3665-0x0000000006FB0000-0x0000000007026000-memory.dmp

Filesize
472KB

Download