Overview

overview

10

Static

static

5

fa218cab68...18.exe

windows7-x64

10

fa218cab68...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2024 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe

  • Size

    5.0MB

  • MD5

    fa218cab688dd5f74244773a38ea6310

  • SHA1

    d5243f15bb6cd9a7d3444da5aeaf5c307a77c785

  • SHA256

    d8a1cfc8d4667abafd7af53ea54e53310c7067e9f6ed9bd7234a17cc524a1e7a

  • SHA512

    bd504e1337805bd80321d4e8ad7429dcbf2f759795c25418f51034dca0489dbf4aef5ec9dc32b722f13f2bd535c678fb688a36906c786c0836c428da4760ce2a

  • SSDEEP

    98304:vTqgox/pe8fs+CMm8KGm8cIQHb2uM3OtIdjEnRgoAvuGYtJK:bqggxCMmRXIQHDIdjEnRgTv/GJK

Score
10/10
dcratqulabdiscoveryevasioninfostealerpersistenceransomwareratspywarestealerupx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Information.txt

Family

qulab

Ransom Note
# /===============================\ # |=== QULAB CLIPPER + STEALER ===| # |===============================| # |==== BUY CLIPPER + STEALER ====| # |=== http://teleg.run/QulabZ ===| # \===============================/ Date: 27.09.2024, 09:16:06 Main Information: - OS: Windows 10 X64 / Build: 19041 - UserName: Admin - ComputerName: PVMNUDVD - Processor: 12th Gen Intel(R) Core(TM) i5-12400 - VideoCard: Microsoft Basic Display Adapter - Memory: 8.00 Gb - KeyBoard Layout ID: 00000409 - Resolution: 1280x720x32, 64 GHz Other Information: <error> Soft / Windows Components / Windows Updates: - Google Chrome - Microsoft Edge - Microsoft Edge Update - Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 - Java Auto Updater - Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.30.30704 - Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 - Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.40660 - Microsoft Windows Desktop Runtime - 8.0.2 (x64) - Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40660 - Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 - Adobe Acrobat Reader DC - Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 - Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 - Microsoft Visual C++ 2022 X86 Additional Runtime - 14.30.30704 - Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 - Microsoft Windows Desktop Runtime - 6.0.27 (x64) - Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.40660 - Microsoft Windows Desktop Runtime - 7.0.16 (x64) - Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40660 - Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 - Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.30.30704 Process List: - [System Process] / PID: 0 - System / PID: 4 - Registry / PID: 92 - smss.exe / PID: 356 - csrss.exe / PID: 444 - wininit.exe / PID: 520 - csrss.exe / PID: 528 - winlogon.exe / PID: 604 - services.exe / PID: 656 - lsass.exe / PID: 680 - fontdrvhost.exe / PID: 788 - fontdrvhost.exe / PID: 796 - svchost.exe / PID: 804 - svchost.exe / PID: 908 - svchost.exe / PID: 964 - dwm.exe / PID: 384 - svchost.exe / PID: 408 - svchost.exe / PID: 1032 - svchost.exe / PID: 1040 - svchost.exe / PID: 1116 - svchost.exe / PID: 1128 - svchost.exe / PID: 1176 - svchost.exe / PID: 1204 - svchost.exe / PID: 1268 - svchost.exe / PID: 1348 - svchost.exe / PID: 1360 - svchost.exe / PID: 1372 - svchost.exe / PID: 1440 - svchost.exe / PID: 1560 - svchost.exe / PID: 1568 - svchost.exe / PID: 1668 - svchost.exe / PID: 1704 - svchost.exe / PID: 1784 - svchost.exe / PID: 1804 - svchost.exe / PID: 1868 - svchost.exe / PID: 1996 - svchost.exe / PID: 2004 - svchost.exe / PID: 2016 - svchost.exe / PID: 1728 - svchost.exe / PID: 2060 - spoolsv.exe / PID: 2104 - svchost.exe / PID: 2192 - svchost.exe / PID: 2252 - svchost.exe / PID: 2380 - svchost.exe / PID: 2408 - svchost.exe / PID: 2420 - svchost.exe / PID: 2588 - sysmon.exe / PID: 2644 - svchost.exe / PID: 2696 - svchost.exe / PID: 2704 - svchost.exe / PID: 2752 - unsecapp.exe / PID: 2964 - sihost.exe / PID: 3032 - svchost.exe / PID: 2148 - taskhostw.exe / PID: 736 - svchost.exe / PID: 2660 - svchost.exe / PID: 3172 - explorer.exe / PID: 3484 - svchost.exe / PID: 3500 - svchost.exe / PID: 3648 - dllhost.exe / PID: 3836 - StartMenuExperienceHost.exe / PID: 3928 - RuntimeBroker.exe / PID: 3992 - SearchApp.exe / PID: 432 - RuntimeBroker.exe / PID: 4184 - RuntimeBroker.exe / PID: 4520 - sppsvc.exe / PID: 3868 - svchost.exe / PID: 4612 - svchost.exe / PID: 4104 - svchost.exe / PID: 4644 - svchost.exe / PID: 1160 - OfficeClickToRun.exe / PID: 1876 - svchost.exe / PID: 3700 - SppExtComObj.Exe / PID: 4712 - svchost.exe / PID: 4852 - dllhost.exe / PID: 1956 - svchost.exe / PID: 4808 - TextInputHost.exe / PID: 4168 - upfc.exe / PID: 1596 - svchost.exe / PID: 1700 - wscript.exe / PID: 2668 - svchost.exe / PID: 752 - CHxReadingStringIME.exe / PID: 1368
URLs

http://teleg.run/QulabZ

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Qulab Stealer & Clipper

    Infostealer and clipper created with AutoIt.

    stealerqulab
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • NTFS ADS 2 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa218cab688dd5f74244773a38ea6310_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\System\System.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\System\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat" "
        3⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3320
        • C:\Users\Admin\AppData\Roaming\System\systemscr.exe
          C:\Users\Admin\AppData\Roaming/System/systemscr.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4372
      • C:\Users\Admin\AppData\Roaming\System\WatchBull.exe
        "C:\Users\Admin\AppData\Roaming\System\WatchBull.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /CC:/Users/Public/Videos/regedit.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Users\Public\Videos\regedit.exe
            C:/Users/Public/Videos/regedit.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Runs regedit.exe
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /CC:/Recovery/dasHost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:876
              • C:\Recovery\dasHost.exe
                C:/Recovery/dasHost.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1592
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1404
                  8⤵
                  • Program crash
                  PID:1980
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /CC:/Program Files/Mozilla Firefox/defaults/RuntimeBroker.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2804
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /CC:/Users/Public/Videos/WebHelper.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4328
              • C:\Users\Public\Videos\WebHelper.exe
                C:/Users/Public/Videos/WebHelper.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4128
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1396
                  8⤵
                  • Program crash
                  PID:3404
      • C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe
        "C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
      • C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe
        "C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe"
        3⤵
        • Executes dropped EXE
        PID:2952
    • C:\Users\Admin\AppData\Roaming\System\Build.exe
      "C:\Users\Admin\AppData\Roaming\System\Build.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:3252
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe
          C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\ENU_801FE974645ED60E9D41.7z" "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\*"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1456
    • C:\Users\Admin\AppData\Roaming\System\Windows defender.exe
      "C:\Users\Admin\AppData\Roaming\System\Windows defender.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2804
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1592 -ip 1592
    1⤵
      PID:740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4128 -ip 4128
      1⤵
        PID:4476
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:4016
      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:2864

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\aut9AE8.tmp
        Filesize

        360KB

        MD5

        bddc6cb9f60a8f68a108e6c02272e83c

        SHA1

        e829eb69d2366bd4e23d45f01fb324a292993302

        SHA256

        f96a8447ffe71cbd9ae13dca0c562db0b9e056bf2885a5763e0245e387015c8b

        SHA512

        0ee9469f9ceacf4bdc63eac9c2d48115f1b4f838302386bc3741849b3fe17c33345ef1302328a02ff243af9e6a2fcd2ab8c01d83de74ce5d38793eab171a0a82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\Build.exe
        Filesize

        1.8MB

        MD5

        e214a631536d3b7681316734308b8f4c

        SHA1

        a7b69b5d14fb7cb327cbecd90dfa21df59910e54

        SHA256

        4833cb9284e322e49aac5fcc90bd786cc1661e1179c936b9129c4848cccebfbd

        SHA512

        3e87bd06dc71e412493f782c1d4f08f2051a6abdf8a8c2045d8307d88e664d63b353d4d5de5bd3264b824dca74f50c39490a9678a9069f3bdf1ec59c5cb173fe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\KrXzzhIXVKdi17YT7Z2CN0JlLQNM6x.bat
        Filesize

        733B

        MD5

        c222c105a5357b75cbc8e69409800bab

        SHA1

        3b8db954893030fd4216b7dd19489fd63d7bc42e

        SHA256

        6910147b79d4cf9d6a55075a6778fe19de3ebb72860cfd36802a7ba7800dd6c8

        SHA512

        8a8cadb04dbb6a3f2ac3329564d037f8016a4ceeb7efaa9e02196c213fdae4de5cb3ac7d6a0ca16b695c38bd831450b6dcee5c2e2241669a9dbdc2b63b1608aa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\RegeditFrameHost.exe
        Filesize

        3.8MB

        MD5

        94d83c5e933bdcdec6eb211ba6318634

        SHA1

        529117a416b6bfff33359676e3feb2c465174350

        SHA256

        31a7d581720e2dc1a18a8abc8dbd4ad5cc06c6480719327aeb0e37f9f16fda0b

        SHA512

        061d8c1edca43cdc4d5e999c69cf59b5eccfdece868c7b93af453130bc57b13fd0a966622d88cf7a8c0503c76d99f667428376c3e7f5fc4afb341e80b035caba

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\System.lnk
        Filesize

        1KB

        MD5

        e19596cc8867d945800cf6c4ac04ddd0

        SHA1

        8ae3953caad4febd32f1b887a03b143a112d603d

        SHA256

        2bfdaaaf892ff036354f0e385181e84ca6f3ad1dccce685677d97db75f497dae

        SHA512

        243ed40786c839add4a1b7d648be28c74cb5271c700f0ebce156ffa7d1115288cec4989b98eb83c5911c6824e44662b96f05001d2aae6d9ad7be5219a831f61f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\System.vbe
        Filesize

        632B

        MD5

        aae9c70ec1d7723555344949c86f3aab

        SHA1

        cbd5e469ba6114b20b223d62c019f15e166bc85c

        SHA256

        519858705803ff2ecff263b371d6f7cc21a5f541948600dc8335b7837a4fb2e0

        SHA512

        abddf1a9cb1a5e3c524d1a0182fffb7f1a4d2902314b357703b59d28474a429208837f8bd8bb4fefb6f7b3e54625ad55d5ba9c30dc55f0650c876d89318d3e28

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\WatchBull.exe
        Filesize

        10KB

        MD5

        2c3f35edde01ede4867bcfb16d47779b

        SHA1

        30591c98341c2874a23cd1f3d705e0c2ad2022c4

        SHA256

        c2cf8cba38db6296f975f21dabd51bda88263390d9545eb4dd45f839d5623397

        SHA512

        ace8675eeaded14256309358b04a43cfd98cb57be163035855e4fdbff6ccb444e7dc9c45af2ac57e4ce2d17e1697a4251fc4d545c2f6920b5b0280354d9be365

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\Windows defender.exe
        Filesize

        10KB

        MD5

        c90b7f9c9526b4b75b72964e9dafe686

        SHA1

        5ea103a3ecf44c57c22cb6b1ac31db1f15418754

        SHA256

        8c58edd9b95eb12dd82c8eb54dd879f9c712239c2795daddf747b3ac59869953

        SHA512

        2f6d3f9b83ae0a6bc346779e5e52ba78ce35615fee7728db42c968e6ea8d631cbd534a49e48f803991862155a95af00fcb27f03d7701e03cac7b85ae13252061

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\dogs\RuntimeBroker.exe
        Filesize

        9KB

        MD5

        ec7aa2ad43812b17c57d95c7f91417a5

        SHA1

        f08a742d59c6b3f596afbc1c4f0e90a03721817a

        SHA256

        566556a0a75a7a3b480639ad7d46f1f54a2f2fd312adbe4fd45c9972a62841cc

        SHA512

        27e5fbfc12f6bb355f01f367f7bd9a26751d28bb950acca29610f7e9f5fb78ef186f9670ed9aa8b9d92bc71fb2be447b32fccbdc8b9ecb61417401b20a303924

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\dogs\WebHelper.exe
        Filesize

        9KB

        MD5

        f631b959bc5ba60c60cbab64d1b76d62

        SHA1

        f2d2064aa43204313f5a3bc5d6454055a62d7a2b

        SHA256

        f6889c0f7a31ca655df699ecb4c67295ce5e792a5b64fabb9154f73a1c641b7f

        SHA512

        8589e603f3512c07246c3edfb3f331236eac2ce12f80bad5fc828c872232fb67e2413e9bb594e7986fc7ce26605dc6dcf9264fb8ed21bbbc312eedf864d60221

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\dogs\dasHost.exe
        Filesize

        9KB

        MD5

        325322c5fd3536dd757516d7ca24fb51

        SHA1

        9121ac1f530a2503e54c256981f719030cc8e4c7

        SHA256

        db9903a7c07e347ce0f41e16ca35c51cfbffc57cfae2e99402cb2cc7c9b2bc29

        SHA512

        c84608652c6430c5d4001ad22a8d0b3d24f2dd5e9942a1f3da0dfe32d0638feee4d68e4d6833b70882d432f0f7b96086f443b88ec3b8d8e73b0b423ff6dc81e7

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\dogs\regedit.exe
        Filesize

        8KB

        MD5

        38ca476c512decc14fe9858b960591a0

        SHA1

        3326055d1baae4dbb6af2d9fd73c59844346fd54

        SHA256

        5335ad811f5e9119be764681172268dc2c05e2a57fde995e2d3747b3159ce45b

        SHA512

        844f16bd2704b6644e78e3759d9df33aa3769951b81781a545e6775274c078d2b648b1287e39180de6c2c75be0f7a111844f2033326874bca29d5a7847875214

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\e6ee5674bb9446c78bbc5729af6e2c28.exe
        Filesize

        8KB

        MD5

        c4a3c2cad895e1922b778b91c519f7f0

        SHA1

        9c8267bd68db7ecd98af6420195e2ddbc5faf99b

        SHA256

        50d672e104dfc82540dd8246f6a177e869a8154a1f8750bde373d3c0466cae1e

        SHA512

        8032a1e7fccaaf353308e8d5da1477d94dd89baebdbf736e84f062679dfa1859f51f1b11ef570d96602c78820484921aa68c77874175c2bb8f439135a46ce99c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\rubycon
        Filesize

        172B

        MD5

        2bd295901cf390576ae8455c1a93aacb

        SHA1

        a0d0dd36110d36972159375193f4c20bf1d79d32

        SHA256

        6a46947ed61c5b65ad3c2e6f1cb190bf9e652cf22be6664518d173191c9d8000

        SHA512

        619e6bc8c002193ce43446d900220a2d2c76e94c00915d4badb5b99cc3bdd0b9d68497e93f107070881b1dbae208e8f2b026d38819f60290fe82f0886879ac72

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\systemscr.exe
        Filesize

        2.4MB

        MD5

        912a43a3b83410b5d408a147bb80c269

        SHA1

        9b9750c69517e9e66f4a841b867357ce19b58205

        SHA256

        a50420b2333491def7acba3bfa09017d38f54a03ad996dcc2f74f8c60fa1c919

        SHA512

        5b4fec09d0151d2346111e2f9255a3271298b7ad8a35c2e41286bbef1c8f0eed5f570689f1547e7019c292423a4cba46818966cf466082d2b8cc8631cd91c604

        Download Submit

      • C:\Users\Admin\AppData\Roaming\System\vmcheck32.dll
        Filesize

        384B

        MD5

        82d1aaaf7e910979cdaaa12b569bb64d

        SHA1

        b3c1de1b09bacec11cf7a0aa09005c5fbd8825f7

        SHA256

        ea8ba2f78503c4ef5e07837ba780a18bfcc227500f01df0fd16ff814b61e5c57

        SHA512

        52bb6ca9b443323e88a73497d827cbe724bc0fc2aa3a231d517e60424c600b33b0fe8628d4609e1668af67ea68ebc026dbefc33945b81cddb3c3c2760c0c5c0a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Information.txt
        Filesize

        4KB

        MD5

        10d69f9cd3a053425e59d0a331942cc2

        SHA1

        ff05a2074301448bc13feaeebc279254e9397d54

        SHA256

        5a99f0f6aa3fc3fdcea5496681e6672772575fa4c0b87020f0cfd4ef95dbdae3

        SHA512

        2ea347d721dc5faccb9e60b48873f705f47d1861363ba568c0727af0d0a93340b4e89eb057b4f23d5ef9c9cd3b32390528077f0fe5368731146573f83e873396

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\1\Screen.jpg
        Filesize

        51KB

        MD5

        51ce81538226eed8314862d1c8c7bd32

        SHA1

        95d878583807f0aad35eceb24bcddf1701d65624

        SHA256

        e86fd420218d6a18ab25d9524088eab6d453045aef0f59d108cd606066940805

        SHA512

        4bef9da5c081f2530272b4b4eb541944bd1d738359a010fba0b9ac5a47452ee92effae4d3552fd4a790b8e74f42fbcb5c3bee5b4bd652641a197f02e4898b0ee

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe
        Filesize

        197KB

        MD5

        946285055913d457fda78a4484266e96

        SHA1

        668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285

        SHA256

        23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb

        SHA512

        30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.module.exe.3
        Filesize

        197KB

        MD5

        2ae3489412947341d1eb5ec40f29dd4d

        SHA1

        b8d328fcfd707bfc19b7d26893eeefaa8e784033

        SHA256

        3af53ad20e6abddf6b1aa85ce5cfbf8b3c376c8b6db15d8d31d075726388d1c0

        SHA512

        dbe8edef2ef89e3738c87d96f36713ecb83d1de833f389bb60a72f3fe514115e11f3c67a9f588f6250cd56ee10652ec7152bdbe6ca8d41b55db5e6c86b4fc634

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-setup-events\CHxReadingStringIME.sqlite3.module.dll
        Filesize

        360KB

        MD5

        8c127ce55bfbb55eb9a843c693c9f240

        SHA1

        75c462c935a7ff2c90030c684440d61d48bb1858

        SHA256

        4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028

        SHA512

        d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

        Download Submit

      • C:\Users\Public\Videos\Adre
        Filesize

        99B

        MD5

        0fd3aa359c4e5277637ac15035988f58

        SHA1

        4033480635e92c4398e88bda1761ac318ca12789

        SHA256

        747dbc28a9aa50f9b9cd066403ad63760e27b8eb7a3f19bc69dc8d774da533ce

        SHA512

        660813672212b50f707378fa2470c2838987d37d4649a3d1cc43930d28630a418c56c63298f432efdb0bf8e5e3e370564ec1eece0a5f9cbcc9a7fe653d65707d

        Download Submit

      • C:\Users\Public\Videos\WatchDog.data
        Filesize

        328B

        MD5

        7dd88711118c979a60056b4c24ebcfc3

        SHA1

        01e15456fde7885241db8141f4e82658dfbbdaf9

        SHA256

        91aa3ca27c1cf2fdbdd3f026d337c74b133f8ca91219e08512d455c52b2cec77

        SHA512

        a09bf2900b0ee7921cb1ad1f41a46b01c1dc6e30b4a506b399d6a6ca20e1043c2dcb0fee2effa7261a1e338299e454091265e7ebe0b82c2e36ed49749ab40395

        Download Submit

      • memory/1368-84-0x0000000061E00000-0x0000000061ED2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1368-81-0x0000000061E00000-0x0000000061ED2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1368-259-0x0000000061E00000-0x0000000061ED2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1368-260-0x0000000061E00000-0x0000000061ED2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1592-257-0x00000000004F0000-0x00000000004F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2508-125-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2736-252-0x0000000000560000-0x0000000000568000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2804-63-0x00000000745AE000-0x00000000745AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2804-64-0x0000000000840000-0x0000000000848000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3252-68-0x0000000000490000-0x0000000000662000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3760-209-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-171-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-197-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-150-0x0000000002580000-0x00000000025A6000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3760-211-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-130-0x0000000000210000-0x00000000005E2000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/3760-208-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-205-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-203-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-201-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-199-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-195-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-193-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-191-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-189-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-187-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-185-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-183-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-181-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-179-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-177-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-175-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-173-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-152-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-169-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-167-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-165-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-163-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-161-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-159-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-157-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-155-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/3760-153-0x0000000002580000-0x000000000259F000-memory.dmp

        Filesize

        124KB

        Download

      • memory/4040-119-0x0000000000400000-0x000000000047D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/4040-114-0x0000000000400000-0x000000000047D000-memory.dmp

        Filesize

        500KB

        Download

      • memory/4128-269-0x00000000003E0000-0x00000000003E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4372-244-0x0000000005850000-0x00000000058E2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4372-151-0x0000000005D60000-0x0000000006304000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4372-149-0x0000000000CB0000-0x0000000000F10000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4372-261-0x0000000006BA0000-0x0000000006BAA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4372-262-0x0000000007CA0000-0x0000000007DCE000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4372-263-0x0000000008040000-0x00000000080A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4372-264-0x00000000093C0000-0x000000000946A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/4576-0-0x00000000007D0000-0x000000000084A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4576-62-0x00000000007D0000-0x000000000084A000-memory.dmp

        Filesize

        488KB

        Download