Analysis Overview
SHA256
220d7eb3a1f0ef44cc9e4927d9169f44da933eef5931449666cf68d8193b16f8
Threat Level: Known bad
The file 220d7eb3a1f0ef44cc9e4927d9169f44da933eef5931449666cf68d8193b16f8 was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-26 10:51
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-26 10:51
Reported
2024-09-26 10:54
Platform
win10v2004-20240802-en
Max time kernel
129s
Max time network
136s
Command Line
Signatures
VIPKeylogger
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4112 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tovfeTCmVIfVuf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF59B.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.afcargo.com.my | udp |
| MY | 210.1.224.79:587 | mail.afcargo.com.my | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.224.1.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4112-0-0x000000007471E000-0x000000007471F000-memory.dmp
memory/4112-1-0x0000000000CF0000-0x0000000000DA2000-memory.dmp
memory/4112-2-0x0000000005DE0000-0x0000000006384000-memory.dmp
memory/4112-3-0x0000000005780000-0x0000000005812000-memory.dmp
memory/4112-4-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4112-5-0x0000000005920000-0x000000000592A000-memory.dmp
memory/4112-6-0x0000000005DD0000-0x0000000005DE0000-memory.dmp
memory/4112-7-0x000000007471E000-0x000000007471F000-memory.dmp
memory/4112-8-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4112-9-0x0000000007170000-0x00000000071FC000-memory.dmp
memory/4112-10-0x00000000097F0000-0x000000000988C000-memory.dmp
memory/2060-15-0x0000000002740000-0x0000000002776000-memory.dmp
memory/2060-16-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-18-0x0000000005170000-0x0000000005798000-memory.dmp
memory/2060-19-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-17-0x0000000074710000-0x0000000074EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF59B.tmp
| MD5 | 9529a9ccbc7c5658f21f64d591c1160f |
| SHA1 | b83ef58161fc5f38a071af9668627cbc50dcf370 |
| SHA256 | 828132f5c17ff12a7dd3356377bc130d26e347138821a1d0c70aef0d08d86f9c |
| SHA512 | 39e476838668258f3b6c1aa908fa5e52201e5f1e9f9ed38ad871cfe5e6ade30b160676d56a79348bf80028ecaf93c0621ca452a6dbbc5f291bef2e91fb6af8ce |
memory/4048-20-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4048-22-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-24-0x00000000057A0000-0x0000000005806000-memory.dmp
memory/2060-23-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/2060-25-0x0000000005810000-0x0000000005876000-memory.dmp
memory/4556-26-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2060-29-0x0000000005A00000-0x0000000005D54000-memory.dmp
memory/4048-27-0x0000000074710000-0x0000000074EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwg3rs3h.pag.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4112-30-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/2060-49-0x0000000006020000-0x000000000603E000-memory.dmp
memory/2060-50-0x00000000060E0000-0x000000000612C000-memory.dmp
memory/4048-53-0x0000000070E60000-0x0000000070EAC000-memory.dmp
memory/2060-51-0x0000000006FF0000-0x0000000007022000-memory.dmp
memory/2060-52-0x0000000070E60000-0x0000000070EAC000-memory.dmp
memory/4048-72-0x0000000007730000-0x000000000774E000-memory.dmp
memory/4048-73-0x0000000007960000-0x0000000007A03000-memory.dmp
memory/4048-75-0x00000000080E0000-0x000000000875A000-memory.dmp
memory/2060-74-0x0000000007360000-0x000000000737A000-memory.dmp
memory/4048-76-0x0000000007B10000-0x0000000007B1A000-memory.dmp
memory/4048-77-0x0000000007D10000-0x0000000007DA6000-memory.dmp
memory/4048-78-0x0000000007C90000-0x0000000007CA1000-memory.dmp
memory/2060-79-0x0000000007590000-0x000000000759E000-memory.dmp
memory/4048-80-0x0000000007CD0000-0x0000000007CE4000-memory.dmp
memory/4048-82-0x0000000007DB0000-0x0000000007DB8000-memory.dmp
memory/4048-81-0x0000000007DD0000-0x0000000007DEA000-memory.dmp
memory/2060-85-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4048-86-0x0000000074710000-0x0000000074EC0000-memory.dmp
memory/4556-87-0x0000000006240000-0x0000000006402000-memory.dmp
memory/4556-88-0x00000000060E0000-0x0000000006130000-memory.dmp
memory/4556-89-0x0000000006940000-0x0000000006E6C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-26 10:51
Reported
2024-09-26 10:54
Platform
win7-20240903-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
VIPKeylogger
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2960 set thread context of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment Slip.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment Slip.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tovfeTCmVIfVuf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tovfeTCmVIfVuf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1536.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | mail.afcargo.com.my | udp |
| MY | 210.1.224.79:587 | mail.afcargo.com.my | tcp |
Files
memory/2960-0-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2960-1-0x0000000000A90000-0x0000000000B42000-memory.dmp
memory/2960-2-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2960-3-0x00000000005D0000-0x00000000005E0000-memory.dmp
memory/2960-4-0x000000007408E000-0x000000007408F000-memory.dmp
memory/2960-5-0x0000000074080000-0x000000007476E000-memory.dmp
memory/2960-6-0x0000000005110000-0x000000000519C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1536.tmp
| MD5 | a36cd43ed17a94b10fcfa5a9e6a94bbb |
| SHA1 | 65f7c940977fa9c4a27371dda63cd17a9377758f |
| SHA256 | 7366316ae4fe7c6ed03e643d2c8b152e3a2c1f6f50777a3164e8f7f8a6d400f7 |
| SHA512 | 0c4355261b972f8f4cf84e50566f3789e55887de4e656731dc7dab51655239fff098eca01ba1129864def47585f2ee07216ba943d7371cab78ac3240bf6bb362 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e6794d88400510aacd2a2b9886a9ee9b |
| SHA1 | 7163ca40f1c69bd08a464198839c53739e8be345 |
| SHA256 | 00fadc14e21d8c2e497d8c4bab4f0bfe78f6ae703e17069f7af585f7dd19aaa0 |
| SHA512 | 5039914aa98e9ede57d42ac1192f0d394b95fe5ad94d1d4f44e5410e2e725428fc38b2cb9c91895b9acdc35525eb3457036325ba63c6e619098235610f726803 |
memory/2792-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-25-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-30-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-29-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-28-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2792-23-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2792-21-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2960-31-0x0000000074080000-0x000000007476E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD31A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD34B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |