Analysis Overview
SHA256
baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6
Threat Level: Shows suspicious behavior
The file baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 18:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 18:56
Reported
2024-11-14 18:58
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
140s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\{99A13984-1AA1-49AC-B349-F99456DA6E65}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 660 set thread context of 3656 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{99A13984-1AA1-49AC-B349-F99456DA6E65}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
"C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe"
C:\Windows\Temp\{99A13984-1AA1-49AC-B349-F99456DA6E65}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
"C:\Windows\Temp\{99A13984-1AA1-49AC-B349-F99456DA6E65}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe" -burn.filehandle.attached=656 -burn.filehandle.self=532
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\ActiveISO.exe
"C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sirnisirlo.online | udp |
| US | 172.67.214.86:443 | sirnisirlo.online | tcp |
| US | 8.8.8.8:53 | 86.214.67.172.in-addr.arpa | udp |
Files
C:\Windows\Temp\{99A13984-1AA1-49AC-B349-F99456DA6E65}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
memory/2820-42-0x00007FFF74FC0000-0x00007FFF7550E000-memory.dmp
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{9B806209-ECA1-47E8-B9FF-6F82D3B561B6}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
memory/2820-46-0x00007FFF74030000-0x00007FFF741A2000-memory.dmp
memory/660-81-0x00007FFF738F0000-0x00007FFF73E3E000-memory.dmp
memory/660-84-0x00007FFF74760000-0x00007FFF748D2000-memory.dmp
memory/660-85-0x00007FFF74760000-0x00007FFF748D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9cdc239
| MD5 | 9b243bacdbb182589fa1cb78b4156df1 |
| SHA1 | f97151d1b61ebe89c44945e71de55621a5df79a5 |
| SHA256 | af3a89dc6749a165428e779903ec9c4293571052500c5a06d0a2dece3fe1e3ef |
| SHA512 | e6eef51f74b65e0edf486290079521804236b40cbbe395c600d90a2030431d993cf2d9a09e9e2d4d2df248bdd17642d18213e465356c52ed8c832970ad08ddf1 |
memory/3656-88-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/3656-91-0x0000000074E80000-0x0000000074FFB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
memory/3156-98-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
memory/3156-99-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
memory/3156-101-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
memory/3156-106-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
memory/3156-107-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
memory/3156-112-0x00007FF77F8B0000-0x00007FF77FB96000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 18:56
Reported
2024-11-14 18:58
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\{5BC06D92-50AB-4267-9FC7-BF67C9644FD0}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2460 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{5BC06D92-50AB-4267-9FC7-BF67C9644FD0}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
"C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe"
C:\Windows\Temp\{5BC06D92-50AB-4267-9FC7-BF67C9644FD0}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
"C:\Windows\Temp\{5BC06D92-50AB-4267-9FC7-BF67C9644FD0}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\ActiveISO.exe
"C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\ActiveISO.exe"
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Users\Admin\AppData\Roaming\MonitorBrowser2\ActiveISO.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
C:\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
Network
Files
\Windows\Temp\{5BC06D92-50AB-4267-9FC7-BF67C9644FD0}\.cr\baa56e574d8deed445d0e58487add9d429d60bbb1b39943c581bcf50e9bd91d6.exe
| MD5 | eb26dfa5e4e3170d90b5629df0715aa9 |
| SHA1 | bbc10367aa29aa36a6e53c63b60a6936bc6f1720 |
| SHA256 | 70721a20760818839c7ef0ce2d684666bd07bbb79b87415944c6efbce58f7906 |
| SHA512 | 11e2683c8f47c62548050f863386e62908c5dd7e456ca13c22644ecb984533d3abdd72d1fd5a3ac53c1b2734e5999554d383f3f5c615d4c94c4c169664787bf9 |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Helicoid.dll
| MD5 | a9c5977784daf8cebe8408a8b6db3fbe |
| SHA1 | 8ae8d67007cdca9acf96681ffa6200e5847972de |
| SHA256 | 63f5a34563b62de3dffa57401d7225f4687933cef250b78b995eee813c862fad |
| SHA512 | 886fbea2c959ce4245185d1dcec3efcfbb50a71840c964d4fd8e0a46f7fbf8afbf7445bc2d892789f25124b862912fb0c3556c5004a7e6ddb4ee13b87cf58a65 |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\ActiveISO.exe
| MD5 | b84dfabe933d1160f624693d94779ce5 |
| SHA1 | ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f |
| SHA256 | 588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd |
| SHA512 | eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\StarBurn.dll
| MD5 | 41e19ba2364f2c834b2487e1d02bb99a |
| SHA1 | 6c61d603dddfe384a93ad33775b70681d0a396d9 |
| SHA256 | c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340 |
| SHA512 | 6ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Qt5PrintSupport.dll
| MD5 | d0634933db2745397a603d5976bee8e7 |
| SHA1 | ddec98433bcfec1d9e38557d803bc73e1ff883b6 |
| SHA256 | 7d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1 |
| SHA512 | 9271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1 |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Qt5Widgets.dll
| MD5 | c502bb8a4a7dc3724ab09292cd3c70d6 |
| SHA1 | ff44fddeec2d335ec0eaa861714b561f899675fd |
| SHA256 | 4266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d |
| SHA512 | 73bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617 |
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Qt5Gui.dll
| MD5 | 34893cb3d9a2250f0edecd68aedb72c7 |
| SHA1 | 37161412df2c1313a54749fe6f33e4dbf41d128a |
| SHA256 | ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34 |
| SHA512 | 484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c |
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Qt5Core.dll
| MD5 | 8c735052a2d4e9b01b0e028f0c20f67c |
| SHA1 | b72bde11de3310a495dd16520362f4adbf21717a |
| SHA256 | d751ab0357f71586b1793ce4166295aba085334647d6e3ffcd49287a801273e7 |
| SHA512 | 0bbd920e1b48361c7f3e1540ddb12fa6c9146bfe36e13eba2b2e6ca8bf3ad961d88121c6f70eca6d9ea413900455e696f7233c5bb54415ca7d2c9c1c0d4c1fb3 |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\vcruntime140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\msvcp140.dll
| MD5 | 7db24201efea565d930b7ec3306f4308 |
| SHA1 | 880c8034b1655597d0eebe056719a6f79b60e03c |
| SHA256 | 72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e |
| SHA512 | bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e |
\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\vcruntime140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\Qt5Network.dll
| MD5 | fe5ed4c5da03077f98c3efa91ecefd81 |
| SHA1 | e23e839ec0602662788f761ebe7dd4b39c018a7f |
| SHA256 | d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b |
| SHA512 | 22514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071 |
memory/3012-42-0x000007FEF5D80000-0x000007FEF62CE000-memory.dmp
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\vechpt
| MD5 | dd899ca13e5bef55bcea07e167da891b |
| SHA1 | e883f0240f127520486f063b033fb34fa2dfe5c1 |
| SHA256 | a818d6fa8caddaa608345ea40b75073a7c98637161794918566e2ddeeede47e7 |
| SHA512 | e38437899fcc433ef89a04c6a68684ea5110181af48a4699836939cf167d0c1fe7932432518445e90acbcbc151ee324d77de064147d97fdedf6ecabaac788c06 |
C:\Windows\Temp\{5AA0FD84-B34E-4A90-B2EE-167F54075D02}\.ba\dcfa
| MD5 | 456596683dad1217c76d8c0f47b5cfbc |
| SHA1 | 001ae3f937aa75ad2175289c6e8f09561a1cbb35 |
| SHA256 | a7e578d0f7a5d522e4b4e62864f77cbb1830dc7e7026c9ee0b5f6fa7156c727f |
| SHA512 | 537420007a4985f2deb4b2a48af1ba61cf8cc112359ec1cdbd02dfb8e958ab5ab4ec302cd0698a14d4560afe6c23627d1d4d080eac9daa7cb5edc7259cb73591 |
memory/2460-79-0x000007FEF5D80000-0x000007FEF62CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d4962728
| MD5 | 762dc70e006f66620c3f358218d47315 |
| SHA1 | aa099ec420aca03a20b02b53f71f637ac5bbcc64 |
| SHA256 | ac5bf472f8fe11af3ddb16fa42f81286e2fb8497d0b17496e6164fd6e37a72e9 |
| SHA512 | 9c3143cf6c07693db36ee0fc43c184d4ba771383e8ab11202c3bff71f9669d768e5b95f39dd6ce901b837748a2b2b83d62b0448d0c4ffa12a4810bd4edb6ba1c |
memory/1904-86-0x0000000077570000-0x0000000077719000-memory.dmp
memory/1904-134-0x0000000074CC0000-0x0000000074E34000-memory.dmp
\Users\Admin\AppData\Local\Temp\UploadAlt_Ti.exe
| MD5 | 967f4470627f823f4d7981e511c9824f |
| SHA1 | 416501b096df80ddc49f4144c3832cf2cadb9cb2 |
| SHA256 | b22bf1210b5fd173a210ebfa9092390aa0513c41e1914cbe161eb547f049ef91 |
| SHA512 | 8883ead428c9d4b415046de9f8398aa1f65ae81fe7945a840c822620e18f6f9930cce2e10acff3b5da8b9c817ade3dabc1de576cbd255087267f77341900a41c |
memory/1636-139-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/1636-138-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/1636-141-0x0000000000160000-0x0000000000446000-memory.dmp
memory/1636-142-0x0000000000160000-0x0000000000446000-memory.dmp