Malware Analysis Report

2024-10-16 06:50

Sample ID 240616-f138yavfkm
Target VELOCITY SPOOFER.rar
SHA256 8d2410c9bfb3a1f474b1788b1ceef5e08e46492d2f1ced167ac15ce9612cc66c
Tags
agenttesla evasion keylogger spyware stealer themida trojan discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

8d2410c9bfb3a1f474b1788b1ceef5e08e46492d2f1ced167ac15ce9612cc66c

Threat Level: Known bad

The file VELOCITY SPOOFER.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla evasion keylogger spyware stealer themida trojan discovery persistence

Agenttesla family

AgentTesla

AgentTesla payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Maps connected drives based on registry

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Checks installed software on the system

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 05:21

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240611-en

Max time kernel

89s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A
N/A N/A C:\681eb157d5c1627b33\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\681eb157d5c1627b33\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\681eb157d5c1627b33\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe"

C:\681eb157d5c1627b33\Setup.exe

C:\681eb157d5c1627b33\\Setup.exe /x86 /x64 /web

Network

Files

C:\681eb157d5c1627b33\Setup.exe

C:\681eb157d5c1627b33\SetupEngine.dll

C:\681eb157d5c1627b33\sqmapi.dll

C:\Users\Admin\AppData\Local\Temp\HFI4B62.tmp.html

C:\681eb157d5c1627b33\DHTMLHeader.html

C:\681eb157d5c1627b33\UiInfo.xml

C:\681eb157d5c1627b33\ParameterInfo.xml

C:\681eb157d5c1627b33\SplashScreen.bmp

C:\681eb157d5c1627b33\1033\LocalizedData.xml

C:\681eb157d5c1627b33\1025\LocalizedData.xml

C:\681eb157d5c1627b33\1032\LocalizedData.xml

C:\681eb157d5c1627b33\1031\LocalizedData.xml

C:\681eb157d5c1627b33\1030\LocalizedData.xml

C:\681eb157d5c1627b33\1029\LocalizedData.xml

C:\681eb157d5c1627b33\1028\LocalizedData.xml

C:\681eb157d5c1627b33\1040\LocalizedData.xml

C:\681eb157d5c1627b33\1038\LocalizedData.xml

C:\681eb157d5c1627b33\1037\LocalizedData.xml

C:\681eb157d5c1627b33\1036\LocalizedData.xml

C:\681eb157d5c1627b33\1035\LocalizedData.xml

C:\681eb157d5c1627b33\1044\LocalizedData.xml

C:\681eb157d5c1627b33\1045\LocalizedData.xml

C:\681eb157d5c1627b33\1043\LocalizedData.xml

C:\681eb157d5c1627b33\1042\LocalizedData.xml

C:\681eb157d5c1627b33\1041\LocalizedData.xml

C:\681eb157d5c1627b33\3082\LocalizedData.xml

C:\681eb157d5c1627b33\2070\LocalizedData.xml

C:\681eb157d5c1627b33\2052\LocalizedData.xml

C:\681eb157d5c1627b33\1055\LocalizedData.xml

C:\681eb157d5c1627b33\1053\LocalizedData.xml

C:\681eb157d5c1627b33\1049\LocalizedData.xml

C:\681eb157d5c1627b33\1046\LocalizedData.xml

C:\681eb157d5c1627b33\SetupUi.dll

C:\681eb157d5c1627b33\SetupUi.xsd

C:\681eb157d5c1627b33\1033\SetupResources.dll

C:\681eb157d5c1627b33\Strings.xml

memory/864-256-0x0000000002E70000-0x0000000002E71000-memory.dmp

C:\681eb157d5c1627b33\graphics\setup.ico

C:\681eb157d5c1627b33\graphics\print.ico

C:\681eb157d5c1627b33\graphics\save.ico

C:\681eb157d5c1627b33\graphics\warn.ico

memory/864-261-0x0000000002E70000-0x0000000002E71000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240611-en

Max time kernel

88s

Max time network

93s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Serial Checker\Checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Serial Checker\Checker.bat"

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get model, serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic bios get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\getmac.exe

getmac

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240508-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\Guna.UI2.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\Guna.UI2.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 5.0.26.104.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3724-0-0x0000000000400000-0x0000000001C1E000-memory.dmp

memory/3724-2-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-1-0x00000000771C6000-0x00000000771C7000-memory.dmp

memory/3724-3-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-4-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-6-0x0000000000400000-0x0000000001C1E000-memory.dmp

memory/3724-7-0x0000000000400000-0x0000000001C1E000-memory.dmp

memory/3724-8-0x0000000006290000-0x0000000006836000-memory.dmp

memory/3724-9-0x0000000006840000-0x00000000068D2000-memory.dmp

memory/3724-10-0x0000000006220000-0x0000000006232000-memory.dmp

memory/3724-11-0x0000000006A80000-0x0000000006C94000-memory.dmp

memory/3724-12-0x0000000007000000-0x000000000700A000-memory.dmp

memory/3724-13-0x000000000A120000-0x000000000A15C000-memory.dmp

memory/3724-14-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-16-0x000000000A230000-0x000000000A296000-memory.dmp

memory/3724-17-0x0000000000400000-0x0000000001C1E000-memory.dmp

memory/3724-18-0x00000000771C6000-0x00000000771C7000-memory.dmp

memory/3724-20-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-21-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-22-0x00000000771B0000-0x00000000772A0000-memory.dmp

memory/3724-23-0x00000000771B0000-0x00000000772A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240611-en

Max time kernel

91s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe"

C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe

"C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=684

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe

C:\Windows\Temp\{9CB81274-3340-401E-B7FC-44A354D28761}\.ba\wixstdba.dll

C:\Windows\Temp\{9CB81274-3340-401E-B7FC-44A354D28761}\.ba\logo.png

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 05:21

Reported

2024-06-16 05:24

Platform

win11-20240508-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup32.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\DirectX\WebSetup C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETA0A5.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETA0A5.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\dsetup.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File opened for modification C:\Windows\SysWOW64\directx\websetup\SETA0B5.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A
File created C:\Windows\SysWOW64\directx\websetup\SETA0B5.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DirectX.log C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe

"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

C:\Windows\SysWOW64\directx\websetup\dsetup32.dll