Malware Analysis Report

2025-04-13 12:42

Sample ID 250324-mytp2s1pz3
Target Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe
SHA256 2b75bafbdbd5788fc4a180cc2270d7e4a1b91d979e8abeaab3b3a9c91e8c55a5
Tags
azorult pony collection credential_access discovery infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b75bafbdbd5788fc4a180cc2270d7e4a1b91d979e8abeaab3b3a9c91e8c55a5

Threat Level: Known bad

The file Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe was found to be: Known bad.

Malicious Activity Summary

azorult pony collection credential_access discovery infostealer rat spyware stealer trojan

Pony family

Azorult

Azorult family

Pony,Fareit

Reads local data of messenger clients

Loads dropped DLL

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Delays execution with timeout.exe

outlook_win_path

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-24 10:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-24 10:52

Reported

2025-03-24 10:53

Platform

win10v2004-20250314-en

Max time kernel

40s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

Note that the stock cmd.exe is among the readers of this value, so the key is also queried by benign system components during locale initialization; on its own this signature is weak evidence of geofencing, and the Pony/Azorult identification above rests on the other behaviors, not on this one.

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

Delays execution with timeout.exe

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | N/A

The eight-privilege sequence above was recorded six times in succession, every time from key.exe. AdjustTokenPrivileges can only enable privileges that are already present in the calling token; SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not held by an ordinary user token, so these rows document attempts rather than acquired rights. The fixed, repeated list is itself a useful behavioral fingerprint.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Times recorded
PID 3048 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe | C:\Windows\system32\cmd.exe | 2
PID 4672 wrote to memory of 1172 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | 3
PID 4672 wrote to memory of 2488 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | 3
PID 4672 wrote to memory of 4288 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\control.exe | 2
PID 4288 wrote to memory of 2928 | N/A | C:\Windows\System32\control.exe | C:\Windows\system32\rundll32.exe | 2
PID 2928 wrote to memory of 1548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3
PID 1172 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | 3
PID 4212 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2488 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2572 wrote to memory of 4216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 3

Every target in this table is a process that the writer itself launched (compare the Processes list). A parent writing into a freshly created child's address space is part of normal process creation, so read these rows as the detonation's process tree, not as evidence of code injection into an unrelated process.

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe

"C:\Users\Admin\AppData\Local\Temp\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe

keygen-pj.exe -pAevKviq48c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

keygen-step-1.exe

C:\Windows\System32\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240628734.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"

C:\Windows\SysWOW64\timeout.exe

C:\Windows\system32\timeout.exe 3
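The process list above and the PID pairs under Suspicious use of WriteProcessMemory describe a single execution chain: a WinRAR SFX stub runs keygen.bat, which launches a second, password-protected SFX (keygen-pj.exe -p...) that drops key.exe, a separate stealer stage (keygen-step-1.exe) that deletes itself through cmd.exe and timeout.exe, and a .cpl handed to control.exe and two rundll32 hops. The following is an added Python example, not part of the sandbox report, that rebuilds that tree from the deduplicated PID pairs and the command lines listed here and tags each node with the patterns an analyst should notice. The tag names (sfx_drop, sfx_password, cpl_from_temp, self_delete, delay) are this example's own labels, not sandbox signature names, and nothing is inferred about the contents of keygen.bat or 240628734.bat, which the report does not show.

```python
"""Process-tree reconstruction for the behavioral1 detonation above.

Added example, not part of the report. EDGES are the distinct
"PID x wrote to memory of y" pairs; IMAGES and CMDLINES are transcribed
from the Processes list. Tags emitted by classify() are this example's own.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (parent_pid, child_pid), one entry per distinct parent/child pair
EDGES = [
    (3048, 4672), (4672, 1172), (4672, 2488), (4672, 4288), (4288, 2928),
    (2928, 1548), (1172, 4212), (4212, 1440), (2488, 2572), (2572, 4216),
]

IMAGES = {
    3048: TEMP + r"\Adobe_Illustrator_CS2_v12_keygen_by_KeyGenDB.exe",
    4672: r"C:\Windows\system32\cmd.exe",
    1172: TEMP + r"\RarSFX0\keygen-pj.exe",
    2488: TEMP + r"\RarSFX0\keygen-step-1.exe",
    4288: r"C:\Windows\System32\control.exe",
    2928: r"C:\Windows\system32\rundll32.exe",
    1548: r"C:\Windows\SysWOW64\rundll32.exe",
    4212: TEMP + r"\RarSFX1\key.exe",
    1440: r"C:\Windows\SysWOW64\cmd.exe",
    2572: r"C:\Windows\SysWOW64\cmd.exe",
    4216: r"C:\Windows\SysWOW64\timeout.exe",
}

CMDLINES = {
    3048: '"' + IMAGES[3048] + '"',
    4672: r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\RarSFX0\keygen.bat" "',
    1172: "keygen-pj.exe -pAevKviq48c",
    2488: "keygen-step-1.exe",
    4288: r'"C:\Windows\System32\control.exe" "' + TEMP + r'\RarSFX0\keygen-step-2.cpl",',
    2928: r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "' + TEMP + r'\RarSFX0\keygen-step-2.cpl",',
    1548: r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "' + TEMP + r'\RarSFX0\keygen-step-2.cpl",',
    4212: '"' + IMAGES[4212] + '"',
    1440: r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\240628734.bat" "' + TEMP + r'\RarSFX1\key.exe" "',
    2572: r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "keygen-step-1.exe"',
    4216: r"C:\Windows\system32\timeout.exe 3",
}

SELF_DELETE = re.compile(r"timeout(?:\.exe)?\s+\d+\s*&\s*del\b", re.I)


def children_of():
    """Map each parent PID to its child PIDs in the order first observed."""
    kids = defaultdict(list)
    for parent, child in EDGES:
        if child not in kids[parent]:
            kids[parent].append(child)
    return kids


def roots():
    """PIDs that never appear as a child: the detonation's entry points."""
    childset = {c for _, c in EDGES}
    seen = []
    for parent, _ in EDGES:
        if parent not in childset and parent not in seen:
            seen.append(parent)
    return seen


def depth(pid):
    """Number of hops from a root down to pid (0 for a root)."""
    parents = {c: p for p, c in EDGES}
    hops = 0
    while pid in parents:
        pid = parents[pid]
        hops += 1
    return hops


def classify(pid):
    """Heuristic tags for one node; the names are this example's own."""
    img, cmd = IMAGES[pid], CMDLINES[pid]
    tags = []
    if "\\RarSFX" in img:                      # payload unpacked by a WinRAR SFX stub
        tags.append("sfx_drop")
        if re.search(r"\s-p\S+", cmd):          # nested SFX opened with an embedded password
            tags.append("sfx_password")
    if re.search(r"\.cpl\b", cmd, re.I) and "\\Temp\\" in cmd:
        tags.append("cpl_from_temp")            # Control Panel item run from a user-writable dir
    if SELF_DELETE.search(cmd):
        tags.append("self_delete")              # "timeout N & del <self>" cleanup
    if img.lower().endswith("\\timeout.exe"):
        tags.append("delay")
    return tags


def render(root=None):
    """Indented tree lines of the form 'pid image [tags]'."""
    kids = children_of()
    lines = []

    def walk(pid, level):
        tags = classify(pid)
        suffix = " [" + ", ".join(tags) + "]" if tags else ""
        lines.append("  " * level + f"{pid} {IMAGES[pid]}{suffix}")
        for child in kids.get(pid, []):
            walk(child, level + 1)

    for r in ([root] if root else roots()):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render()))
```

Run as a script it prints the eleven-node tree rooted at PID 3048; the same edge list can be fed from any report that records parent and child PIDs, and the regular expressions carry over to Sysmon or EDR command-line fields unchanged.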

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 upqx.ru udp
RU 185.180.231.18:80 upqx.ru tcp
RU 185.180.231.18:80 upqx.ru tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
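Of the destinations above, only upqx.ru (185.180.231.18:80, plaintext HTTP) is attributable to the sample; the bing.com and bing.net endpoints are the kind of Windows background traffic a clean win10 guest generates, and the 8.8.8.8:53 rows are the resolver lookups that preceded the connections. The report records the endpoint only, not the HTTP request, so the C2 path is unknown from this page. The following is an added Python example, not part of the report, that applies exactly that triage to the table and emits a flat indicator list. The BACKGROUND_SUFFIXES list is this example's own assumption about which hosts to treat as OS noise.

```python
"""Network-row triage for the Network table above.

Added example, not part of the report. ROWS transcribes the table;
BACKGROUND_SUFFIXES is this example's assumption about what counts as
Windows/sandbox background traffic rather than the sample's own.
"""
from collections import OrderedDict

ROWS = [  # (country, destination, domain, proto) as printed in the report
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "upqx.ru", "udp"),
    ("RU", "185.180.231.18:80", "upqx.ru", "tcp"),
    ("RU", "185.180.231.18:80", "upqx.ru", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

# Assumed allow-list of hosts a clean Windows guest talks to on its own.
BACKGROUND_SUFFIXES = ("bing.com", "bing.net", "microsoft.com",
                       "windows.com", "msftconnecttest.com")
RESOLVERS = {"8.8.8.8"}


def is_background(domain):
    """True when the domain is, or sits under, an allow-listed background host."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage(rows):
    """Split rows into (candidates, background, lookups).

    candidates/background map (domain, ip, port) -> {country, proto, hits};
    lookups is the ordered set of names resolved through the DNS resolver.
    """
    candidates, background, lookups = OrderedDict(), OrderedDict(), OrderedDict()
    for country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        if ip in RESOLVERS and port == 53:      # name resolution, not a contact
            lookups[domain] = True
            continue
        key = (domain, ip, port)
        bucket = background if is_background(domain) else candidates
        bucket.setdefault(key, {"country": country, "proto": proto, "hits": 0})
        bucket[key]["hits"] += 1
    return candidates, background, lookups


def iocs(candidates):
    """Flat indicator list for blocking or hunting; flags plaintext HTTP."""
    out = []
    for (domain, ip, port), meta in candidates.items():
        out.append(f"domain:{domain}")
        out.append(f"ip:{ip}")
        line = f"{meta['proto']}:{ip}:{port}"
        if port == 80:
            line += " (plaintext-http)"
        out.append(line)
    return list(OrderedDict.fromkeys(out))   # keep order, drop repeats


if __name__ == "__main__":
    cands, bg, lookups = triage(ROWS)
    print("resolved:", ", ".join(lookups))
    print("background:", ", ".join(sorted({d for d, _, _ in bg})))
    print("\n".join(iocs(cands)))
```

A lookup that never turns into a connection (a name that appears only in the lookups set) is worth a second look on other samples: it usually means a C2 that resolved but refused or timed out inside the 41 s network window.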

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

MD5 b7da5b5251bfd8f57cbac943155601a9
SHA1 133751b2b7a68a92ad1e21417dd4d2b1d44cc2da
SHA256 023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee
SHA512 7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe

MD5 c0f34f38475aa244c9c8696aeed709a5
SHA1 0194b56c80c4b5192873400fdc96ce7d8df682a2
SHA256 831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046
SHA512 15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5 43eb47b71c9f1003adc2d0f108d2679c
SHA1 5965eb51d289dc79ab56cb995d47f371472d4846
SHA256 913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1
SHA512 7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl

MD5 302267a8757b88bbe67ed41215aeb525
SHA1 4a43c786460832a438121baf5674b76967f5cd71
SHA256 00fbce5de0c466e3692934cd8f04b3ce7093ec614ff0f1d92a68b2353160c059
SHA512 ba5ef89a9bbe3e741e9a3974f7132410333cfd02fd49932e99b4d324eac14c9d6a4c5a03502a4f0ec8cc709e76963db0b718fcd66130a48cfb3f4e5803d8a38c

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5 2fbf80a7ba32f036bb97a2d0d909283c
SHA1 ed00a832320f3806ef3ecacfb54356e55b8e713f
SHA256 aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee
SHA512 a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

C:\Users\Admin\AppData\Local\Temp\240628734.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\A11992DE\nss3.dll

MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

C:\Users\Admin\AppData\Local\Temp\A11992DE\mozglue.dll

MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

C:\Users\Admin\AppData\Local\Temp\A11992DE\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

C:\Users\Admin\AppData\Local\Temp\A11992DE\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

memory/2488-152-0x0000000000400000-0x0000000000420000-memory.dmp (dump of PID 2488, keygen-step-1.exe, covering 0x400000-0x420000)
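Two things in the file list deserve more weight than the hashes themselves. The four DLLs under Temp\A11992DE (nss3.dll, mozglue.dll, msvcp140.dll, vcruntime140.dll) are the Mozilla NSS runtime; a stealer drops its own copy so it can decrypt Firefox-stored logins without Firefox being installed, and that bundle outside a Firefox install directory is a reliable stealer tell. The RarSFX0 and RarSFX1 directories mark two levels of WinRAR SFX unpacking, and 240628734.bat is the numerically named cleanup batch that key.exe handed to cmd.exe. The following is an added Python example, not part of the report, that applies these grouping rules to the paths above and also matches the listed SHA256 values against files on a host. The tag names are this example's own.

```python
"""Dropped-file triage for the Files section above.

Added example, not part of the report. DROPPED transcribes the paths and
SHA256 values listed above; the grouping rules in triage() are this
example's own heuristics. scan_dir() applies the hash set to a live host.
"""
import hashlib
import os
import re

T = r"C:\Users\Admin\AppData\Local\Temp"
DROPPED = {  # path -> SHA256, from the report
    T + r"\RarSFX0\keygen.bat": "023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee",
    T + r"\RarSFX0\keygen-pj.exe": "831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046",
    T + r"\RarSFX0\keygen-step-1.exe": "913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1",
    T + r"\RarSFX0\keygen-step-2.cpl": "00fbce5de0c466e3692934cd8f04b3ce7093ec614ff0f1d92a68b2353160c059",
    T + r"\RarSFX1\key.exe": "aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee",
    T + r"\240628734.bat": "936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7",
    T + r"\A11992DE\nss3.dll": "f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb",
    T + r"\A11992DE\mozglue.dll": "830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d",
    T + r"\A11992DE\msvcp140.dll": "334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4",
    T + r"\A11992DE\vcruntime140.dll": "c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d",
}

NSS_BUNDLE = {"nss3.dll", "mozglue.dll"}          # Firefox crypto libs a stealer brings along
LEGIT_NSS_DIRS = ("\\mozilla firefox\\", "\\mozilla firefox")  # where they normally live


def by_directory(paths):
    """Group file names (lower-cased) by their directory."""
    groups = {}
    for p in paths:
        d, name = p.rsplit("\\", 1)
        groups.setdefault(d, []).append(name.lower())
    return groups


def triage(paths):
    """Label each directory in a drop list; tag names are this example's own."""
    findings = {}
    for d, names in by_directory(paths).items():
        tags = []
        if re.search(r"\\RarSFX\d+$", d):
            tags.append("sfx_extraction_dir")       # WinRAR SFX unpack location
        if NSS_BUNDLE <= set(names) and not any(s in d.lower() for s in LEGIT_NSS_DIRS):
            tags.append("nss_bundle_outside_firefox")   # stealer carrying its own NSS
        if any(re.fullmatch(r"\d+\.bat", n) for n in names):
            tags.append("numeric_name_bat")         # throw-away cleanup batch file
        findings[d] = tags
    return findings


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def match_blob(data, hashes=None):
    """Return the report path whose SHA256 equals the blob's, else None."""
    table = {h: p for p, h in (hashes or DROPPED).items()}
    return table.get(sha256_bytes(data))


def scan_dir(root, hashes=None):
    """Walk a directory tree; return [(local_path, report_path)] for hash hits."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            try:
                with open(full, "rb") as fh:
                    hit = match_blob(fh.read(), hashes)
            except OSError:
                continue
            if hit:
                hits.append((full, hit))
    return hits


if __name__ == "__main__":
    for d, tags in triage(DROPPED).items():
        print(d, tags)
```

Hash matching finds this exact build only; the directory-shape rules (SFX directories, an NSS bundle outside Firefox, a numeric .bat in Temp) survive the repacking that changes every hash between keygen uploads, which is why they are the more durable hunt.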