Analysis

  • max time kernel
    1443s
  • max time network
    1449s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    03-08-2024 07:47

General

  • Target

    R D X E 6 5/Roblox Executor.exe

  • Size

    150.0MB

  • MD5

    2deeebca12a7ad34853fdcd49c37dce6

  • SHA1

    31b89e4dba3453b6d5586c31a38dea21ffbb8980

  • SHA256

    6f5d9fc697149670937135f56c7201bc59fcc535b6af45924b7b387fa0ce2a9d

  • SHA512

    6826aa344d3a3c6776d43912518ef350c97ac6cd4a5817562e436daebf399f2e7ea25ce36ade106915864b375a8c87377753c87f344717405902f50ad7685e6a

  • SSDEEP

    196608:5kfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfkfT:4

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1252
      • C:\Users\Admin\AppData\Local\Temp\R D X E 6 5\Roblox Executor.exe
        "C:\Users\Admin\AppData\Local\Temp\R D X E 6 5\Roblox Executor.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:560
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Cnn Cnn.cmd & Cnn.cmd & exit
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3020
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2672
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2732
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 88180
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2636
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "PIZZAHAVENINTERIMVOIP" Ion
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2648
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b Coated + Theoretical + Sharing + Varied + Freebsd + Pads + Partition 88180\H
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2240
          • C:\Users\Admin\AppData\Local\Temp\88180\Masturbation.pif
            Masturbation.pif H
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2156
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2144
      • C:\Users\Admin\AppData\Local\Temp\88180\RegAsm.exe
        C:\Users\Admin\AppData\Local\Temp\88180\RegAsm.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\88180\H

      Filesize

      672KB

      MD5

      4bb431d8a6ae76e8cec5aa6b2344315a

      SHA1

      3072109768466e5030e97164f764fe40b657b5fe

      SHA256

      4f9a0fab22d76f2667eda9508a556449bc20632e2d112addcfad52766034e702

      SHA512

      bf38580c57244a82a0d030a31aaefa3b572e3a66db0d25f2191d0ff9445c118fc7d8e10b36c13c974e5dc7a62891df0bb8b141b07d04a6a0dd1e5f5004b7907c

    • C:\Users\Admin\AppData\Local\Temp\Appliance

      Filesize

      39KB

      MD5

      8f1ef900961713fd15a5485ac82e6db0

      SHA1

      b608d5dae7a8f49f67a7e42d1fc48a0efede23a3

      SHA256

      59540026fd83b82053725f704f45800e74d35e0603de22f518331158d4b7910a

      SHA512

      4e3ae48b1de264b96bba06e24f59d661dfd10bc91f7cd3fbef3cce7752db2b08dddec3ec2003144f63f2bd480b6b72d044e1664f8db5a25ed362688ff5b86093

    • C:\Users\Admin\AppData\Local\Temp\Buys

      Filesize

      22KB

      MD5

      c44b9feb010d324bce7f609c26d55ec5

      SHA1

      408d3c000bc47e74654a81b62c8c7ac33ab10ec1

      SHA256

      122f8ec39cb5c3a51b1a8d6516121a1af533d61168de009cbb0481553834352e

      SHA512

      03a64e2deafe1e12131c187ce18cd3243e5a3b036f4544ddae5d96994449827ef68897f2866ec787f657ba9f690e890ee01b58b609520d7d0018e9ffc61f24a9

    • C:\Users\Admin\AppData\Local\Temp\CabA1DD.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Civil

      Filesize

      14KB

      MD5

      9c3ebc0b1ac3228eda33bc9a2c3140e1

      SHA1

      6c1f71ea964e20ac7d3e8ecc68a8ea88282fbb73

      SHA256

      c5b68fff5ec716c0d8e4a7a1cd6b0cbbce70282269a746df42f63f8e038bb944

      SHA512

      0458f9280eab0bd276c8c0c94d852b4bf1dfd36b8ef81f65daea16c3fde24456fcc403f88f9613b52447a500966ef7940ef74e7c40f1c819004dafedd61e60ea

    • C:\Users\Admin\AppData\Local\Temp\Cnn

      Filesize

      8KB

      MD5

      a293c45f389fd2a8575beb85290a1831

      SHA1

      f682db625b90ce16292bfc2a56d98101fbf0d4bb

      SHA256

      c6058e6866b4dbd24e3b92ed63e3251ea7c913e6565fd759a0e3725cc5b4c6d6

      SHA512

      5b36a5c109dadd0b9b70c4af7126e646b77931cce8d078ee4381696ff172107b3f878fd044d4ad3957f850601b490fdc811d23f281c1131555cbeadc1c543861

    • C:\Users\Admin\AppData\Local\Temp\Coated

      Filesize

      67KB

      MD5

      de6b5151716c518ca828acbeaf268392

      SHA1

      ba5303d8b7629bdafde4fd2b115c00acf09e9086

      SHA256

      9e8cf4d3202a7b2360c082c3a0d2424d6282b356a79f9ee4f9e8e12d83315c50

      SHA512

      06507bd4dcf2111bc15e346ad7369faed9511d65eb7c27e539503286482f5555395bf80e8a8d05d1e6cfbc58ac1df5790d6760602676fff18c501a78d924bf4b

    • C:\Users\Admin\AppData\Local\Temp\Compatibility

      Filesize

      44KB

      MD5

      2b76a50502608718038cd1b6746f8735

      SHA1

      9298ce71cfe475e439d93374f2f0483e143b9a0c

      SHA256

      bd8070c986a8ac35520572712dbc54e4d0a5993593d485061cad46b69b6e54d8

      SHA512

      5c71dc4540b0649ef8b19c6ed91fc591297cec08738d2fd14211cb3fa01b826fd2476e46f596fed85a8286d34648076ed4e27d56224031cfea232f1ef4a733fe

    • C:\Users\Admin\AppData\Local\Temp\Destroy

      Filesize

      46KB

      MD5

      b1afddcb17d350eb4d2eb88f0a9d440a

      SHA1

      307ef5511271ada84188bff3d8e6bc5a3ec757ae

      SHA256

      a34b1fb0cf5d079fd4b445b5546f91bc3a2790ffb752e9e56ddc23faefd784dc

      SHA512

      551b8d7be955ffad936440dd018cc548eafe8e522de070a6cdf6239913a5c4ed363a39a335fecc6a561896007fb24c973df2bbcadeeb8ebc62d6b11d815947dc

    • C:\Users\Admin\AppData\Local\Temp\Dildos

      Filesize

      69KB

      MD5

      dc0f54f1316329c07c70531637b15eab

      SHA1

      2e1a206f6a838d8e36dacb14551888551986574f

      SHA256

      f842aa68b07dc34beaaeff3ea33a94bbfb175ea5af9c5d5c547505ac6e6dedd8

      SHA512

      dc9d8da33fd0ef7a52369f1dc6a9676376557eec178910f20b4b276799de3836f3cbbee28a1af5f3a6440797ef8eec55fc8859fa162e3811b8c38b6fa7490ff3

    • C:\Users\Admin\AppData\Local\Temp\Earrings

      Filesize

      30KB

      MD5

      00ae46ab3aa5a92e9d238b7e6e8fb205

      SHA1

      684eb258478e472c103c7802bc9df849e65e8285

      SHA256

      b9c3d3cf56bdbd7a7e9e256f06dea2b359637224b885549f4f4bc3c08fc6523c

      SHA512

      27c32b060f9f2a00e7da0f397a7ca79afbd38dd02345b095e0b44f3f0ceb678a73e6b912d812e6621dcab36c681d6110d432bb3fc1fcb2fe8f410a15f8eb0850

    • C:\Users\Admin\AppData\Local\Temp\Establish

      Filesize

      43KB

      MD5

      f6904230a7d48c4c2edde69374b21dfc

      SHA1

      04b03cc7343c3605c232725b0d38f976993f0394

      SHA256

      7aaca382da383b7f4d8aef505ad4a9703890ba4f506af89a29e9627ffeb94493

      SHA512

      38e108343408e6774b1b1b149531726f5ed317b882490dea4b6a7566b91284fae42476f3f58a31ff5c3ccaa6463c0e65d3e7cc050278bb6dbd9299ebdcb40ec8

    • C:\Users\Admin\AppData\Local\Temp\Extensive

      Filesize

      15KB

      MD5

      ac42d5441de0adef871954986410ba00

      SHA1

      eb6db0d64ecead6e915f3bc0e35c83ee3601c1f4

      SHA256

      e15447ad274539d2ca86aafdf8842bcb051a725591daac6566eccc9448a1a533

      SHA512

      4ee4622a52e269fd8ea554b7dd47c72e34d5a609d5ba15d502c065857878149ca8bff0a2cd243ebfe2f928c57302e0e367d9e5e1c3bd3a1675d5775446044828

    • C:\Users\Admin\AppData\Local\Temp\Form

      Filesize

      14KB

      MD5

      a3799c30c49f427fd428e7f6a0fff003

      SHA1

      a058a6b8273fb473f845b7c6b04d5c6a59b2a948

      SHA256

      9d71433072845a8c14858307cef5e2ffcf8698763e5aab2af9b114c602e0b296

      SHA512

      9ecc01c28edfc2d471da558d53ac986db0786b9bbbb6731104e60d054709349c13b9d650ae8680da3c4d1b30b5df4c5e91f44a2f3467e21c3dce4cd8b15ceca6

    • C:\Users\Admin\AppData\Local\Temp\Franklin

      Filesize

      19KB

      MD5

      440abf8c6117a7c63d1a89907d101c82

      SHA1

      6c8d04e413d266d9036dd0295ac81b18a807823b

      SHA256

      87951b9b3aebda9baf38712457ff167f29a7bea7f3fda8dc504915906c0a1391

      SHA512

      89e00cea40591d94453e637d6fa41273f95f9a1313964f8c659cb8cc522351e7896eb478dc659baa5f290dd0115fbf7b31f532087c31b4814ff9bd1c8a52602c

    • C:\Users\Admin\AppData\Local\Temp\Freebsd

      Filesize

      113KB

      MD5

      31deed9172c897b8875b43a8944a9fb3

      SHA1

      a4fe387247e0de4a06e31e2d624ca362dce93816

      SHA256

      bd337dae0d2e57a03082881145f29e283cbba37cc19457775b42b098016be0e9

      SHA512

      7d8f3d8984c163eafbf44287696f3165e5dce1e551e85bc4dc3705dd8b126c5f9a0a8a47644efd00d140e8bfcb11916baa91807747a3e0e6409a6935ba3196aa

    • C:\Users\Admin\AppData\Local\Temp\Fully

      Filesize

      24KB

      MD5

      f9582c6b9c97bb8d55ae88fcbd7feecc

      SHA1

      8e323c259482d46a1f1fb9152e42be003a55fb64

      SHA256

      302a4d9b3b0b7ba686ee579981ff98eee3ccc4d851d0e0535db9344d43ce58b1

      SHA512

      00a2ba1f4dcfdbb273ffb3ac3eed97de8c5d1d546dbc70422c215b59e830919b86046519f815b0e8e0a704b5d6ea85b31c160eb1c16b63458bc9d0740258f4f9

    • C:\Users\Admin\AppData\Local\Temp\Gmt

      Filesize

      25KB

      MD5

      186d64fdfc3ea4224f8e06c0edace3a1

      SHA1

      9a49fa93c3244c4f95b9ce00e41a5f4ed1ecc9c6

      SHA256

      828c26d76315593f0a048556f416a7800a344a9b7d28fcf4ef3af26653b31058

      SHA512

      9b32e48d54a584fee7c9ee8315a3a25e32754954b0fc14ca36a85f578a928c1506f2a2b6beb8bcbb818ca1c1bea0c57704281faf49292f400aef472dbb81460f

    • C:\Users\Admin\AppData\Local\Temp\Guard

      Filesize

      6KB

      MD5

      5690590aeeeea1aac5755afd16033e2d

      SHA1

      2d148b1ce8e3d0b91d330e1bec4a37a1db1c9609

      SHA256

      c6c575141fb0581b6f6d633358f39bac4cddc587e68e32e48f0261081e5a8556

      SHA512

      b181cbea6e35477a3fa66bb980751cc4a6431641557a184bc8d7adbc9875dc4bbca11d381c97566aa75f78eb118768e28f50cbe56ca7c0efbe068e0932035380

    • C:\Users\Admin\AppData\Local\Temp\Invoice

      Filesize

      39KB

      MD5

      cb07d58f891a8882a6859dbe316121b3

      SHA1

      ad2a31afa12eafb21e330ab9a03a7414f9ed4550

      SHA256

      14af985138f2a953f9ac7edf7a762bafe77fa6c94f96e06c3422885599edd7d0

      SHA512

      f6ac8a1552c39312c4678ce0fa5e61e87827ec513238836729942849c12ee6fe4acd91e6ce10d18e12622c18ba02803acff3ee6fb81c89d246b72d55d9b717dc

    • C:\Users\Admin\AppData\Local\Temp\Ion

      Filesize

      176B

      MD5

      35f036723a701a0c511cf097c162a71d

      SHA1

      11785374e3b9a0e80774b78dc6002c43dc643f04

      SHA256

      d4e1f385367f991e9b34867e4ef6b49e3b3febd705a83b5a9c4dd88399533a85

      SHA512

      2f4dd527e5f60beda81a164717e740113d170ecb21573927c1b9b8adb1a1666eb2bb4e13910078b31c0b50f60563c0c989f15e8d0a2256b210cf4dd7bbb3a4d1

    • C:\Users\Admin\AppData\Local\Temp\Keeping

      Filesize

      38KB

      MD5

      951d87e751c988347ff79d4be518326f

      SHA1

      bb4309dd329a5fe34132c338cd1934c4e7d64bcd

      SHA256

      57e571bccad8908c05a06d297a201717b71d3d480e5773dade358b022e1fd330

      SHA512

      714d45ec18f63c2de681cfcedb4c8ff788b2a81f93fb756a8187dfb6386d391a65ce3e0f0752fa06ff4e519ef3a4abd297437832549c8baf646c4ed91f873474

    • C:\Users\Admin\AppData\Local\Temp\Metres

      Filesize

      48KB

      MD5

      34bfb2aa79e113d931013c7717ef46ee

      SHA1

      cc453454655a5b9ac29c740e9315b5b6d7b208ee

      SHA256

      45d4793ef419a1febae271f689ae45c545e6e730a4a32475a366f1fa5de4973a

      SHA512

      21e596a60fcf4577b22009d24832bae912a0cad8edbd0108f7401056c7f484072aa90f64e3c347d692a15044a600734e0996aed2a1e6577c372d172c444f0925

    • C:\Users\Admin\AppData\Local\Temp\Mia

      Filesize

      33KB

      MD5

      fae370a9d45dc127c8fbd8766b99a9fd

      SHA1

      81dc77eee07a0aedf10a5a2b6525f85411ed3bd5

      SHA256

      d60fe1c9a6067b93f3960921ec8a5925dbb7f229d71cf8a6b5e55e455eda3544

      SHA512

      7927f79925525c93026b604bf796bd67f20f2e3390c9becd0caddb1fa1e9d805a33b305f5e5157de32e0a4b767272145d354b8b357cbe1ca28b375b22562f298

    • C:\Users\Admin\AppData\Local\Temp\Min

      Filesize

      49KB

      MD5

      0588fd3c0eab57324dd0fa9c555375ec

      SHA1

      6ede4fe8ba3e326c0e402adbf2d53b9ec1cf3bff

      SHA256

      144de2255e156910e1f1eb5030627d7c3102522a3401ef750afe70797897f300

      SHA512

      6b96d8ce363165c8accc831a8c5137e32490faacfa3b0e18a3aa4841949829c9b48b0040a752523ff06309514d175cdc092459e5ef3ad9cb643bafa90e016ce5

    • C:\Users\Admin\AppData\Local\Temp\Negotiations

      Filesize

      20KB

      MD5

      c4def423e93ce3cfb1fc4290c1970a50

      SHA1

      711a88306461e6135fdd4eef98cd0fce41b9642d

      SHA256

      c09b88e1d762ba99c4a917ef5cf5e11f6daee96c8f680d6b1dad5cdff2535b77

      SHA512

      9fbbb7629b067422d076b584ca153f3cd7fb8a75dd5691aa273c80e32dd2520d395f212c40613d21a31ddae7c484f981a358d0503c49f419141423e0912f26f2

    • C:\Users\Admin\AppData\Local\Temp\Pads

      Filesize

      113KB

      MD5

      52b2e6f8b4011e965ec6f7dbfe8e1b50

      SHA1

      2129060c67c7ad95e574d0b8c7269f09c7db7330

      SHA256

      303fe0456bc85d89424eabce9e35e34b69051a8b801f668bd6ef8e21ad5ce880

      SHA512

      ecce3b8e27dcd5506f33a7d43fb6d633fcc85e71f4a5209c484dafb070bccba1fdf7c487655b454e1bb3fb301e07cd09eee5d6c1a95e6c3a345453ec40f4e9ea

    • C:\Users\Admin\AppData\Local\Temp\Partition

      Filesize

      86KB

      MD5

      8f84706c182e01d62deb20f6b423c735

      SHA1

      3d8619ea24c496669b9c8bfee2be1310b09653b1

      SHA256

      de23f07a8625a56aea5606deed7b8315f3eadb73d3bbf01d72055c4532c255cc

      SHA512

      3aa75c4b0df72af7120933887a07b215e43f127ee4ad9c41b36a438122a4e011c88997c057c8d14157b2cbc28595ecb512c0aa317cd92bd4045e438552908711

    • C:\Users\Admin\AppData\Local\Temp\Perception

      Filesize

      7KB

      MD5

      0e9da9dd06e780c7d146ad6911ba03e7

      SHA1

      6c3a6b058306c207d9b03b1f281ce7b329c579b7

      SHA256

      4f67016250c9e8f4a94e25d3f4ee0e99e8e68dfd7583d2178c5647d2d92f9b8d

      SHA512

      f230d8ea76b9b9da4b78fbc6a5917f8cf446dec9db4d11dc77b2f549cb6ad8f247c5970453b6c8f896eb7cacd585961a24c6011644bfc786a2570b6575b02f97

    • C:\Users\Admin\AppData\Local\Temp\Phantom

      Filesize

      58KB

      MD5

      fe324ddd0dbba610f2f516fbd2d17edb

      SHA1

      cd249f198b26392641f4e0ba5d21a731df308b4a

      SHA256

      c1230664f8c6ea953763682f254f78507120fc29d7e8c42be1d8a6648b0e3ed6

      SHA512

      71ff85e4fcca5d7bdd0d4aad3c7db27284a3efee71007a416c353bcf54e243fd8e18d8daddef7f80b03c574ab123f246f7a7cea08b7cb610af9b99923c411e26

    • C:\Users\Admin\AppData\Local\Temp\Racial

      Filesize

      24KB

      MD5

      7436bdf8dfb8273f5f6e1cbd7e62f99d

      SHA1

      d3cd76a2b4a7ff3685f6771a6fef9f2db4294b4a

      SHA256

      4b4f50e8572f19a31fa5a2843f3659142a0c3f465c643ab294d65970f763f5d0

      SHA512

      acc4e0dd7e0b4e65738a6aa964221751c51fdb8c5bedf61463af7da2fce50af75210e03412e16313010277d0f4098359346448177e40bc721deb9a79e9c29dc8

    • C:\Users\Admin\AppData\Local\Temp\Realized

      Filesize

      63KB

      MD5

      0eea7bffb1a9c205f9b4180ed85b31e9

      SHA1

      bf69361221caad1d1904ed71988a2192f97c1109

      SHA256

      baacb210f51fb70083b106a45ce303f33acc789be19c9185aa6490e1dc6ae5e0

      SHA512

      dc2679f4dd5b1c805e8b9b7527b94d6607d96779340477e5c18af2a44b0fcdee32a47997f98e53562cbf689e3bee3362a6b9664ff6505559b127b260a481d44e

    • C:\Users\Admin\AppData\Local\Temp\Serving

      Filesize

      69KB

      MD5

      8dbb85b35a2b4055cb548b7f9bdb88fd

      SHA1

      c90d47da0fc760e9648983a206a285cfd38b9f04

      SHA256

      c78223a5a2d3d6841f549fc49108f5253712338f8d3d6256528a4afb88d3a0c9

      SHA512

      114b8de10fbed7a8481d62430610f1be05efaa8ef55a445a6783d563e0b06cde267bfc06fbbc9ec3890fec783782ca61336a10e49b28a89c03c182fde4fa9b4b

    • C:\Users\Admin\AppData\Local\Temp\Sharing

      Filesize

      90KB

      MD5

      99d30f06f589c3074716a74e2a64bff6

      SHA1

      494d2d764acd9edceb5ac2d8ffb5d57173116c28

      SHA256

      881eca41fc9d0f05c1062d1ba3c7e4024aa3e6b6f5a2b7789631fcf59a74047c

      SHA512

      ac18a93eb0ea14ded538332deb123a94e42b1970e42b86d33643fcb0901eab2011bae4f20f75fb8442a5e8a07e82c2c030c0b9c41cfa00f950d476decdf8be3b

    • C:\Users\Admin\AppData\Local\Temp\Surrounded

      Filesize

      12KB

      MD5

      a15a41b2b2bb0ac2fc6eb1c717aa1639

      SHA1

      3d3e65c4d414c9f38903dd2320d22af259be3c43

      SHA256

      c076f6bc4c6a1fcebfa7bcc0cc5d743fec0e6869ac15f76737ab76d569fbe6c5

      SHA512

      52d4da4bec46868833311831b418aee4d4f8eaff128e579a4516fb6760ac1407df32c0cdc0e29b289a94f748472b55f0cf5de17ab47bbc4918b6173c63afe651

    • C:\Users\Admin\AppData\Local\Temp\Theoretical

      Filesize

      82KB

      MD5

      388cb7d901d74749c5ced24e23f55a90

      SHA1

      e7e7377fd08841a1dccc006ae516c48028225506

      SHA256

      3941784811b5bbb7b44adf03f4c5232545590c9757d78b6c3e659d1a7ad3251f

      SHA512

      8694eda3d2bcb5ed28de6d9fad4d685e2b4cf67082f4d6efdc34b278a6c6f7aa93d78c1943add0e0859b142a013e61efb419a907fa542375e8d04d2f95f98092

    • C:\Users\Admin\AppData\Local\Temp\Varied

      Filesize

      121KB

      MD5

      713df21dd320f54dbb0f7897068a863f

      SHA1

      136ea33c36112cace0509cb28911c730a7bf8020

      SHA256

      83dec032ba6b2c154c4059896368181aaa4926e0e25351f4f86bc72a8cb72612

      SHA512

      8febe30318ceaf4d704580b4c81268a947400bdfb85395dbd744ef74ebff0edc0614d019f59a904b8bb1f55801090e8e860b90660d218ee68ac60ae373b6305d

    • C:\Users\Admin\AppData\Local\Temp\Wi

      Filesize

      54KB

      MD5

      b849636795f3fbab557d277e4308adc8

      SHA1

      37fea2933b17f835c8f968fe3886f6728814fde0

      SHA256

      6517bd8e6f3d9064f5ccd5befef469fe7606ac5cdbbe7e6cdbacd7752b41111e

      SHA512

      faad7bcff07ef3e4306544a20d4b1916865630fd20ce5667dd158c84fd1c6304dda0007287e90e4316546cc2b9eb41d54dace67e9c6bb72776024893ea1f9e5f

    • \Users\Admin\AppData\Local\Temp\88180\Masturbation.pif

      Filesize

      924KB

      MD5

      848164d084384c49937f99d5b894253e

      SHA1

      3055ef803eeec4f175ebf120f94125717ee12444

      SHA256

      f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

      SHA512

      aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

    • \Users\Admin\AppData\Local\Temp\88180\RegAsm.exe

      Filesize

      63KB

      MD5

      b58b926c3574d28d5b7fdd2ca3ec30d5

      SHA1

      d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

      SHA256

      6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

      SHA512

      b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    • memory/2332-85-0x00000000000D0000-0x0000000000156000-memory.dmp

      Filesize

      536KB

    • memory/2332-88-0x00000000000D0000-0x0000000000156000-memory.dmp

      Filesize

      536KB

    • memory/2332-87-0x00000000000D0000-0x0000000000156000-memory.dmp

      Filesize

      536KB