Analysis Overview
SHA256
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
Threat Level: Known bad
The file ED4D2E0F901BC478BE16D3DAD0D02792.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Raccoon Stealer Payload
Raccoon
Azorult
Modifies Windows Defender Real-time Protection settings
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Remcos
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
Oski
AsyncRat
Async RAT payload
Blocklisted process makes network request
Executes dropped EXE
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Reads user/profile data of local email clients
Windows security modification
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Kills process with taskkill
Modifies registry key
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-13 07:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-13 07:57
Reported
2021-08-13 08:03
Platform
win7v20210410
Max time kernel
146s
Max time network
203s
Command Line
Signatures
AsyncRat
Azorult
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Oski
Raccoon
Raccoon Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Remcos
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
This cmd.exe is the instance in the process tree below that runs `timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"`: the ten-second wait gives the dropper time to exit so its image is no longer locked when the delete runs.
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" | C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" | C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe | N/A |
Both Run values point at a `.url` Internet Shortcut in C:\Users\Public\Libraries rather than at an executable, and each value name is the shortcut's file name reversed (Jjdsdpr / rpdsdjJ, Bdojytw / wtyjodB). The shortcut files themselves are not among the files captured below, so the real persisted target is only recoverable by pulling the `.url` from the detonated host.
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
The three creations are visible in the process tree below: "Azure-Update-Task" is created twice, firing every minute (`/sc minute /mo 1`) to run C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe, and "Updates\dCtjCu" is imported from an XML definition written to Temp (tmpFF26.tmp). A fourth schtasks invocation, `schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I`, runs a built-in task rather than creating one; see the registry-modification note below.
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
The only timeout.exe in the process tree below is `timeout /T 10 /NOBREAK`, the delay in the dropper's self-delete command line; it is not a sandbox-evasion sleep.
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
`taskkill /pid 1088` is launched from `cmd.exe /c taskkill /pid 1088 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\865607833000956\\* & exit`: it terminates PID 1088 (the process whose memory regions appear as memory/1088-* under Files), deletes the DSFnbyhgfrtydfg.exe binary and wipes a numeric working directory under ProgramData. That kill-erase-rmdir sequence is consistent with the AZORult client's post-exfiltration cleanup, which fits the AZORult V3.3 check-in signatures above; the taskkill process requesting SeDebugPrivilege is part of the same step.
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
The three reg.exe invocations in the process tree below are `reg delete hkcu\Environment /v windir /f`, `reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "`, and a second `reg delete`. Together with `schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I` they form the SilentCleanup UAC bypass (ATT&CK T1548.002): that built-in task runs with highest privileges and its action begins with %windir%, so the user-writable override in HKCU\Environment makes the elevated task start KDECO.bat instead, and the trailing `&& REM` comments out the remainder of the original action string. The `reg delete` calls remove the override before and after the run so nothing persists in the environment. No exploit is involved; a medium-integrity process is all that is needed.
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
Caveat: this hit is very likely a side effect of the sample's TLS traffic rather than attacker-installed trust. The key name is the SHA-1 thumbprint of the public root "DST Root CA X3" (the blob carries that friendly name, the same thumbprint in its SHA-1 hash property, and a certificate whose validity ends 2021-09-30), and AuthRoot is the store that the Windows root-certificate auto-update populates when a chain needs a root that is not yet cached locally; the CryptnetUrlCache entries listed under Files are the same mechanism at work. Before treating this as a trust-store compromise, check the machine ROOT store and the user's stores for writes; only those would indicate a rogue root.
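The Blob value above is not a bare DER certificate but a CryptoAPI serialized property list: a sequence of records, each a little-endian DWORD property ID, a DWORD marker (observed to be 1), a DWORD length and the property data, with the certificate itself carried as property 32. The added example below, which is not part of this report or of any sandbox tooling, parses that layout and answers the two questions the signature raises: what was written, and whether it matches the key name. The embedded sample is the first eight properties of the blob above copied verbatim; property 32 (the 0x34e-byte DER certificate) is left out of the sample to keep it short, but the parser extracts and re-hashes it when present. Property names are the CERT_*_PROP_ID constants from wincrypt.h; treating the marker field as always 1 is an assumption based on observed blobs, and the DER walker handles only short-form lengths, which is all an EKU property needs.

```python
import hashlib
from typing import Dict, List, Optional

# CERT_*_PROP_ID constants (wincrypt.h) for the properties that appear in the report's blob
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}

# First eight properties of the report's Blob, copied verbatim. Property 32 (the DER
# certificate) is omitted from this constructed sample; the parser handles it if present.
SAMPLE_BLOB = bytes.fromhex(
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"               # 4: MD5 hash
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"       # 15: signature hash
    "0b000000010000001e000000"
    "440053005400200052006f006f0074002000430041002000580033000000"           # 11: friendly name, UTF-16LE
    "090000000100000016000000301406082b0601050507030406082b06010505070301"   # 9: EKU, DER SEQUENCE of OIDs
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"       # 20: subject key identifier
    "1d0000000100000010000000" "4558d512eecb27464920897de7b66053"            # 29: subject-name MD5
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"       # 3: SHA-1 thumbprint
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"               # 25: subject-public-key MD5
)

SAMPLE_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
              r"\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13")


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the record layout: DWORD propid, DWORD marker (assumed 1), DWORD cb, cb bytes."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id = int.from_bytes(blob[off:off + 4], "little")
        marker = int.from_bytes(blob[off + 4:off + 8], "little")
        size = int.from_bytes(blob[off + 8:off + 12], "little")
        if marker != 1:
            raise ValueError(f"unexpected marker {marker} for property {prop_id}")
        data = blob[off + 12:off + 12 + size]
        if len(data) != size:
            raise ValueError(f"property {prop_id} declares {size} bytes, only {len(data)} present")
        props[prop_id] = data
        off += 12 + size
    return props


def friendly_name(props: Dict[int, bytes]) -> str:
    return props.get(11, b"").decode("utf-16-le").rstrip("\x00")


def sha1_thumbprint(props: Dict[int, bytes]) -> str:
    return props[3].hex()


def decode_oid(body: bytes) -> str:
    """Decode DER OID content bytes (first arc 0/1 only, enough for the 1.3.6.1.* EKUs)."""
    first, second = divmod(body[0], 40)
    arcs, value = [first, second], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def enhanced_key_usage(props: Dict[int, bytes]) -> List[str]:
    der = props.get(9)
    if not der:
        return []
    if der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    oids, off, end = [], 2, 2 + der[1]
    while off < end:
        tag, length = der[off], der[off + 1]
        if tag != 0x06 or length >= 0x80:
            raise ValueError("expected a short-form OBJECT IDENTIFIER")
        oids.append(decode_oid(der[off + 2:off + 2 + length]))
        off += 2 + length
    return oids


def der_certificate(props: Dict[int, bytes]) -> Optional[bytes]:
    return props.get(32)


def thumbprint_matches_key(props: Dict[int, bytes], key_path: str) -> bool:
    """Key name must equal the SHA-1 property; if the DER cert is present, it must hash to the same."""
    key_thumb = key_path.rstrip("\\").rsplit("\\", 1)[-1].lower()
    der = der_certificate(props)
    if der is not None and hashlib.sha1(der).hexdigest() != sha1_thumbprint(props):
        return False
    return key_thumb == sha1_thumbprint(props)


def describe(props: Dict[int, bytes]) -> List[str]:
    return [f"{pid:>2} {PROP_NAMES.get(pid, 'unknown'):<42} {len(data):>4} bytes" for pid, data in props.items()]


if __name__ == "__main__":
    p = parse_cert_blob(SAMPLE_BLOB)
    print("\n".join(describe(p)))
    print(friendly_name(p), sha1_thumbprint(p), enhanced_key_usage(p), thumbprint_matches_key(p, SAMPLE_KEY))
```

On the blob above this prints the friendly name DST Root CA X3, the thumbprint dac9024f54d8f6df94935fb1732638ca6ad77c13 and the two EKUs 1.3.6.1.5.5.7.3.4 (email protection) and 1.3.6.1.5.5.7.3.1 (server authentication); the same parser applied to a ROOT-store write from a sample would reveal an attacker's root just as quickly.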
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
"C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe"
C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe
"C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe"
C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
"C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe"
C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe
"C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Trast.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe
"C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\nest.bat" "
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"{path}"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp"
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
"{path}"
\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\eiyxrtf0.inf
C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1088 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\865607833000956\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1088
C:\Windows\system32\taskeng.exe
taskeng.exe {3F00FE28-2921-4FE6-B46F-53914580BBC3} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
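The command lines in the process tree above carry the whole story of the run, and they are the lines a detection engineer would want rules for. `reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat ... && REM "` followed by `schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I` is the SilentCleanup UAC bypass (ATT&CK T1548.002): that built-in task runs elevated and its action begins with %windir%, so the poisoned variable makes it start KDECO.bat while `&& REM` comments out the rest of the original action. `cmstp.exe /au C:\Windows\temp\eiyxrtf0.inf` is the CMSTP INF-installer bypass (T1218.003). Two task creations persist payloads, "Azure-Update-Task" every minute and "Updates\dCtjCu" from an XML in Temp (T1053.005). The `timeout ... & Del` line is the dropper deleting itself, and `taskkill /pid 1088 & erase ... & RD /S /Q ...` removes the stealer and its working directory after exfiltration (T1070.004). The added example below, which is not part of the report or of any sandbox tooling, encodes those observations as regex rules, runs them over the command lines copied from the tree plus a bare `taskkill /pid 1088` as a control that must not fire, and correlates the two halves of the UAC bypass into a single finding. Rule names and the technique tags are my own labelling.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Command lines copied from the process tree in this report; the last one is a benign control.
SAMPLE_CMDLINES = [
    r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"',
    r'reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "',
    r'schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp"',
    r'"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\eiyxrtf0.inf',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 1088 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\865607833000956\\* & exit',
    r'taskkill /pid 1088',
]

# (rule name, ATT&CK technique, pattern). Names and tags are this example's own labelling.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    ("self_delete_after_timeout", "T1070.004 / T1497.003",
     re.compile(r'\btimeout\s+/t\s+\d+\b.*\bdel\s+.*\.exe', re.I)),
    ("windir_env_override", "T1548.002 (staging)",
     re.compile(r'\breg\s+add\s+hkcu\\environment\s+/v\s+windir\b', re.I)),
    ("silentcleanup_task_run", "T1548.002",
     re.compile(r'schtasks\s+/run\s+/tn\s+\\microsoft\\windows\\diskcleanup\\silentcleanup\b', re.I)),
    ("cmstp_inf_install", "T1218.003",
     re.compile(r'cmstp(\.exe)?"?\s+/au\b', re.I)),
    ("schtasks_every_minute", "T1053.005",
     re.compile(r'/create\b.*/sc\s+minute\s+/mo\s+1\b', re.I)),
    ("schtasks_xml_from_temp", "T1053.005",
     re.compile(r'/create\b.*/xml\s+"?[^"]*\\temp\\', re.I)),
    ("kill_erase_rmdir_cleanup", "T1070.004",
     re.compile(r'taskkill\s+/pid\s+\d+\s*&\s*erase\s+.*&\s*rd\s+/s\s+/q\b', re.I)),
]


def rule_hits(cmdline: str) -> List[str]:
    """Names of every rule whose pattern matches the command line, in RULES order."""
    return [name for name, _, pat in RULES if pat.search(cmdline)]


def triage(cmdlines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Per-line findings plus one correlated finding when both halves of the UAC bypass are present."""
    findings: List[Dict[str, Optional[str]]] = []
    seen = set()
    for cmd in cmdlines:
        for name, technique, pat in RULES:
            if pat.search(cmd):
                findings.append({"rule": name, "technique": technique, "cmdline": cmd})
                seen.add(name)
    # The windir override is harmless on its own; it is the SilentCleanup run that turns it into elevation.
    if {"windir_env_override", "silentcleanup_task_run"} <= seen:
        findings.append({"rule": "silentcleanup_uac_bypass_chain", "technique": "T1548.002", "cmdline": None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"{f['rule']:<32} {f['technique']:<24} {f['cmdline'] or '(correlated)'}")
```

Run against a real endpoint feed, the `windir_env_override` rule should be kept as a low-severity staging indicator and the correlated chain finding is what pages someone; the `schtasks_xml_from_temp` rule will also catch legitimate installers that stage task XML in Temp, so pair it with the task's action path in production.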
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | telete.in | udp |
| N/A | 195.201.225.248:443 | telete.in | tcp |
| N/A | 45.67.231.40:80 | 45.67.231.40 | tcp |
| N/A | 8.8.8.8:53 | danielmi.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | sergio.ac.ug | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | danielmax.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | icacxndo.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | icando.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
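The table above lists endpoints once per connection, which hides the shape of the traffic. The added example below, which is not part of the report, parses the table exactly as printed and reduces it to what an analyst wants from it: unique TCP endpoints with hit counts, hostnames that were only ever looked up (five .ac.ug/.ug names plus www.microsoft.com were queried but never connected to, the pattern left by fallback C2 hosts that did not resolve at detonation time), the one direct-to-IP connection made without DNS, endpoints on non-standard ports (6969 and 6970, the kind of ports RAT C2 channels favour), and IPs shared by several names (185.215.113.77 fronts both danielmi.ac.ug and danielmax.ac.ug). The contacts with telete.in and cdn.discordapp.com are consistent with the stealer families flagged above fetching configuration and payloads through Telegram and Discord infrastructure; that reading is an inference from the signature names, not something the table itself proves. Function names are my own.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# The Network table from this report, pasted as printed (the sandbox resolver is 8.8.8.8).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | telete.in | udp |
| N/A | 195.201.225.248:443 | telete.in | tcp |
| N/A | 45.67.231.40:80 | 45.67.231.40 | tcp |
| N/A | 8.8.8.8:53 | danielmi.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 185.215.113.77:80 | danielmi.ac.ug | tcp |
| N/A | 8.8.8.8:53 | cdn.discordapp.com | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | sergio.ac.ug | udp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | parhatcsafxz.ac.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | danielmax.ac.ug | udp |
| N/A | 185.215.113.77:80 | danielmax.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | icacxndo.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 8.8.8.8:53 | aertdfvaz.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 8.8.8.8:53 | icando.ug | udp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| N/A | 8.8.8.8:53 | www.microsoft.com | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 8.8.8.8:53 | heartdoaz.ac.ug | udp |
| N/A | 194.5.98.107:6970 | icacxndo.ac.ug | tcp |
| N/A | 79.134.225.25:6969 | sergio.ac.ug | tcp |
| N/A | 8.8.8.8:53 | ramosasdj.ac.ug | udp |
"""

Row = Tuple[str, str, str]  # (destination, domain, proto)


def parse_rows(table: str) -> List[Row]:
    """Turn the pipe-delimited rows into tuples, skipping the header and blank lines."""
    rows: List[Row] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append((cells[1], cells[2], cells[3]))
    return rows


def summarize(rows: List[Row]) -> Tuple[Counter, List[str], List[str]]:
    """Unique TCP endpoints with counts, names queried but never contacted, and direct-IP contacts."""
    tcp: Counter = Counter()
    queried: Set[str] = set()
    for dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            queried.add(domain)
        elif proto == "tcp":
            tcp[(domain, dest)] += 1
    contacted = {domain for domain, _ in tcp}
    dns_only = sorted(queried - contacted)
    direct_ip = sorted(domain for domain, dest in tcp if dest.rsplit(":", 1)[0] == domain)
    return tcp, dns_only, direct_ip


def odd_ports(tcp: Counter, allowed: Tuple[str, ...] = ("80", "443")) -> List[Tuple[str, str]]:
    return sorted(key for key in tcp if key[1].rsplit(":", 1)[1] not in allowed)


def shared_hosts(tcp: Counter) -> Dict[str, List[str]]:
    """IPs that front more than one hostname, a sign of one operator's infrastructure."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, dest in tcp:
        by_ip[dest.rsplit(":", 1)[0]].add(domain)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    tcp, dns_only, direct_ip = summarize(parse_rows(NETWORK_TABLE))
    for (domain, dest), n in tcp.most_common():
        print(f"{n:>2}x {domain:<22} {dest}")
    print("dns only:", dns_only, "direct ip:", direct_ip)
    print("odd ports:", odd_ports(tcp), "shared:", shared_hosts(tcp))
```

The DNS-only list is the most useful output for blocking: those names will resolve to live infrastructure the next time the operator rotates it, so they belong on the watchlist alongside the endpoints that actually answered.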
Files
memory/1028-62-0x0000000075591000-0x0000000075593000-memory.dmp
\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/1736-65-0x0000000000000000-mapping.dmp
C:\ProgramData\GFDyrtucbvfdg.exe
| MD5 | 701f6f95d5e205b53b3a74403d46981a |
| SHA1 | 3e614af86675b0de761adb5d2fa271bfb3142b95 |
| SHA256 | 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459 |
| SHA512 | a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15 |
memory/1704-75-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1736-76-0x0000000000350000-0x0000000000358000-memory.dmp
memory/1736-74-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1028-72-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1704-71-0x000000000041A684-mapping.dmp
\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/1628-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/1532-82-0x000000000044003F-mapping.dmp
memory/1704-85-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/1532-86-0x0000000000400000-0x0000000000495000-memory.dmp
memory/1532-87-0x0000000000230000-0x0000000000231000-memory.dmp
\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | f964811b68f9f1487c2b41e1aef576ce |
| SHA1 | b423959793f14b1416bc3b7051bed58a1034025f |
| SHA256 | 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7 |
| SHA512 | 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
| MD5 | 02cc7b8ee30056d5912de54f1bdfc219 |
| SHA1 | a6923da95705fb81e368ae48f93d28522ef552fb |
| SHA256 | 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5 |
| SHA512 | 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
| MD5 | eae9273f8cdcf9321c6c37c244773139 |
| SHA1 | 8378e2a2f3635574c106eea8419b5eb00b8489b0 |
| SHA256 | a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc |
| SHA512 | 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
| MD5 | 4e8df049f3459fa94ab6ad387f3561ac |
| SHA1 | 06ed392bc29ad9d5fc05ee254c2625fd65925114 |
| SHA256 | 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871 |
| SHA512 | 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6 |
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
| MD5 | 60acd24430204ad2dc7f148b8cfe9bdc |
| SHA1 | 989f377b9117d7cb21cbe92a4117f88f9c7693d9 |
| SHA256 | 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97 |
| SHA512 | 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01 |
memory/1720-97-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/1720-100-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/1720-102-0x00000000020D0000-0x0000000002136000-memory.dmp
memory/1720-103-0x00000000049B0000-0x00000000049B1000-memory.dmp
memory/1720-104-0x00000000004B0000-0x00000000004B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
memory/1716-107-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe
| MD5 | 457e1bf09958f400b72e470e672dad6b |
| SHA1 | 15e2efa61dc81321614dfb32b45901b938f001d1 |
| SHA256 | d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee |
| SHA512 | 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7 |
memory/1716-109-0x0000000000220000-0x0000000000221000-memory.dmp
\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/1308-111-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
memory/1308-114-0x0000000001280000-0x0000000001281000-memory.dmp
memory/1308-116-0x0000000000B80000-0x0000000000BE0000-memory.dmp
memory/1308-117-0x0000000001210000-0x0000000001211000-memory.dmp
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/1712-120-0x0000000000000000-mapping.dmp
memory/1712-123-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/1712-125-0x00000000006E0000-0x0000000000740000-memory.dmp
memory/1712-126-0x00000000049C0000-0x00000000049C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/760-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/1780-134-0x0000000000000000-mapping.dmp
memory/1728-135-0x0000000000000000-mapping.dmp
memory/760-136-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1232-137-0x0000000000000000-mapping.dmp
memory/1600-138-0x0000000000000000-mapping.dmp
memory/1232-139-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1232-142-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1232-144-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1232-145-0x0000000010580000-0x00000000105F3000-memory.dmp
C:\Users\Public\Trast.bat
| MD5 | 4068c9f69fcd8a171c67f81d4a952a54 |
| SHA1 | 4d2536a8c28cdcc17465e20d6693fb9e8e713b36 |
| SHA256 | 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810 |
| SHA512 | a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d |
memory/1492-147-0x0000000000000000-mapping.dmp
C:\Users\Public\UKO.bat
| MD5 | eaf8d967454c3bbddbf2e05a421411f8 |
| SHA1 | 6170880409b24de75c2dc3d56a506fbff7f6622c |
| SHA256 | f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56 |
| SHA512 | fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9 |
memory/2024-149-0x0000000000000000-mapping.dmp
memory/1344-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3a1ed9c3a15d01d06774e635b80f737b |
| SHA1 | 7860c6f384029586c3a2d8145bf140c6f09f965f |
| SHA256 | 895e6ca799bcb258432e9fb1334a4a2ca5f1d3d4c12b08dda129c87d367fed3f |
| SHA512 | 6bd71f1cd8878769689f262b2f59e9ce867228a90a56651afe974cd78c77dee55d8536c7d9a06b510f9877d8ba57a10a761c996556ec95b33ac5d30218b33a70 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 3eff1d28a83d7c01ebbd6fdbeeb51b9b |
| SHA1 | 4f34a875b74b9b002ab25fb2a95a18ce94fbb783 |
| SHA256 | 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43 |
| SHA512 | 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 3bb37c22086514b2d7e4bd549e818687 |
| SHA1 | f68d17c86e433744bb6361f8aae591a08458e42f |
| SHA256 | c2c0a13b83269da2bdcf59a48db6d5c27ccccd43940b4169f21a40287a415277 |
| SHA512 | eeeade50eac37d0a3f20a831dec15e101c13b19ed24c09937625aca2dcffa6a521bcfb1918423454d870e4f9ebff0645cbabbd23ef5bdf92c1421224d2a22462 |
memory/1384-154-0x0000000000000000-mapping.dmp
memory/1764-156-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1232-157-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1720-158-0x0000000004E30000-0x0000000004EA7000-memory.dmp
memory/1764-159-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1308-160-0x00000000010B0000-0x0000000001122000-memory.dmp
memory/980-161-0x0000000000000000-mapping.dmp
memory/1764-162-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1308-166-0x0000000000A80000-0x0000000000AA0000-memory.dmp
memory/1764-169-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1720-165-0x0000000000750000-0x0000000000776000-memory.dmp
C:\Users\Public\nest.bat
| MD5 | 8ada51400b7915de2124baaf75e3414c |
| SHA1 | 1a7b9db12184ab7fd7fce1c383f9670a00adb081 |
| SHA256 | 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7 |
| SHA512 | 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68 |
memory/1088-178-0x0000000000417A8B-mapping.dmp
\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/1088-189-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1088-188-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1628-184-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1816-183-0x000000000040616E-mapping.dmp
memory/1712-182-0x0000000002160000-0x000000000217F000-memory.dmp
memory/1816-180-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/1768-196-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/1816-193-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
| MD5 | 93fffc6736b1dd95a4f4e88734e9d540 |
| SHA1 | 509a9acffd9b9123fff2a3df9a860b829210f80a |
| SHA256 | 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0 |
| SHA512 | d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed |
memory/636-174-0x0000000000000000-mapping.dmp
memory/1572-172-0x0000000000000000-mapping.dmp
memory/1712-170-0x0000000004A50000-0x0000000004AC2000-memory.dmp
memory/1764-164-0x00000000004019E4-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp
| MD5 | ac9ba09a7d6fa1b7b28bdfccb8891315 |
| SHA1 | 911e075176c36daeee8ea457939b56385de09fc2 |
| SHA256 | e8eaba3b34b3aa0b45fc3258cbfdd20dff2432a2e5c130fc194ac37d619fc5a9 |
| SHA512 | 67c0247df9fbb06a14bd794513fa9354bf9551eaa8b69926988e74452fed5c46b4c8dd2e6e21a4bcff651b70ee99f3c19605044509a4f98cde4ac75fd17e55b2 |
memory/744-203-0x0000000000000000-mapping.dmp
memory/1080-206-0x0000000000400000-0x0000000000412000-memory.dmp
\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
C:\Windows\temp\eiyxrtf0.inf
| MD5 | ff83a2f7aa0a0f76adc23a780e4a77ba |
| SHA1 | 654a2a6496c713b2458bcb754ec78f1fad61a60e |
| SHA256 | 45d6214a004a317c16170ce72c1a12bd8a875e621cbfd6a3d56e8d13198fd186 |
| SHA512 | 1fec7dbe17d1e222e3ff7f43e4a9e6181f61e3a0c269e2e5b2dab598cb1e1dd21af1ee718c14b914263cc1ee1d61907577d392c148b01990bfb33f2fcbd3b551 |
C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/1080-208-0x000000000040C71E-mapping.dmp
memory/1080-210-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1816-212-0x00000000047D0000-0x00000000047D1000-memory.dmp
memory/1816-213-0x00000000047D5000-0x00000000047E6000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
memory/1520-219-0x0000000000000000-mapping.dmp
memory/1696-220-0x0000000000000000-mapping.dmp
memory/1080-222-0x00000000042B0000-0x00000000042B1000-memory.dmp
memory/980-223-0x0000000000000000-mapping.dmp
memory/980-224-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/992-230-0x00000000004019E4-mapping.dmp
memory/1900-233-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-13 07:57
Reported
2021-08-13 08:02
Platform
win10v20210410
Max time kernel
152s
Max time network
159s
Command Line
Signatures
AsyncRat
Azorult
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Oski
Raccoon
Raccoon Stealer Payload
Remcos
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
Async RAT payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" | C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" | C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe | N/A |
| N/A | N/A | C:\ProgramData\GFDyrtucbvfdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\ProgramData\GFDyrtucbvfdg.exe
"C:\ProgramData\GFDyrtucbvfdg.exe"
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 3248 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\731583472955140\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 3248
C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
"C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe"
C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe
"C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe"
C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
"C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe"
C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
"C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe"
C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
"C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"
C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
"C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
"{path}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\asj2ixla.inf
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8907.tmp"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
"{path}"
C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\2hw54vq4.exe
C:\Windows\temp\2hw54vq4.exe
C:\Windows\temp\2hw54vq4.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
Network
Files
memory/3956-170-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/788-171-0x0000000000000000-mapping.dmp
memory/2196-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/736-175-0x0000000004BA0000-0x0000000004C00000-memory.dmp
memory/3208-176-0x0000000004FA0000-0x0000000005006000-memory.dmp
memory/736-177-0x0000000007600000-0x0000000007601000-memory.dmp
memory/1408-178-0x0000000004A80000-0x0000000004AE0000-memory.dmp
memory/1824-181-0x0000000000000000-mapping.dmp
memory/736-182-0x00000000071A0000-0x00000000071A1000-memory.dmp
memory/788-185-0x00000000004C0000-0x000000000060A000-memory.dmp
memory/3208-186-0x0000000005060000-0x0000000005061000-memory.dmp
memory/736-188-0x0000000004C70000-0x0000000004C71000-memory.dmp
memory/1408-187-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/736-189-0x0000000007110000-0x0000000007111000-memory.dmp
memory/3208-192-0x0000000004910000-0x0000000004912000-memory.dmp
memory/3208-193-0x0000000005110000-0x0000000005111000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | 3eff1d28a83d7c01ebbd6fdbeeb51b9b |
| SHA1 | 4f34a875b74b9b002ab25fb2a95a18ce94fbb783 |
| SHA256 | 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43 |
| SHA512 | 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
| MD5 | f2934056a7bec839dd054b65ca52830f |
| SHA1 | 4ea629bbe1d1b903a87e19843216a5189a54bfa3 |
| SHA256 | 334ac1e50cf8d000929ab80b41491e8bbc47a4f1130528f4a97427216a5ab565 |
| SHA512 | 777d0a9fa54e119353d55c7eb8df517ff15101732edb4f01cad2e1b99e2ff0f32195f3d34184bc0eb3c0747dca950da9709e9a200c95a9e2b3e8e17dc098c934 |
memory/3536-200-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3536-201-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3536-202-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3536-204-0x00000000004019E4-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/3536-206-0x0000000000400000-0x0000000000405000-memory.dmp
memory/2768-207-0x0000000000000000-mapping.dmp
memory/3444-208-0x0000000000000000-mapping.dmp
memory/2084-209-0x0000000000000000-mapping.dmp
memory/3444-210-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Public\Trast.bat
| MD5 | 4068c9f69fcd8a171c67f81d4a952a54 |
| SHA1 | 4d2536a8c28cdcc17465e20d6693fb9e8e713b36 |
| SHA256 | 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810 |
| SHA512 | a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d |
memory/636-212-0x0000000000000000-mapping.dmp
C:\Users\Public\UKO.bat
| MD5 | eaf8d967454c3bbddbf2e05a421411f8 |
| SHA1 | 6170880409b24de75c2dc3d56a506fbff7f6622c |
| SHA256 | f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56 |
| SHA512 | fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9 |
memory/3004-214-0x0000000000000000-mapping.dmp
memory/2264-215-0x0000000000000000-mapping.dmp
memory/1804-216-0x0000000000000000-mapping.dmp
memory/3444-217-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/3444-218-0x0000000000590000-0x0000000000591000-memory.dmp
memory/3444-219-0x0000000010580000-0x00000000105F3000-memory.dmp
memory/3444-220-0x0000000002D10000-0x0000000002D80000-memory.dmp
memory/8-221-0x0000000000000000-mapping.dmp
C:\Users\Public\nest.bat
| MD5 | 8ada51400b7915de2124baaf75e3414c |
| SHA1 | 1a7b9db12184ab7fd7fce1c383f9670a00adb081 |
| SHA256 | 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7 |
| SHA512 | 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68 |
memory/3880-223-0x0000000000000000-mapping.dmp
memory/1408-224-0x00000000049F0000-0x0000000004A62000-memory.dmp
memory/736-226-0x0000000004CF0000-0x0000000004D62000-memory.dmp
memory/3208-225-0x0000000004F10000-0x0000000004F87000-memory.dmp
memory/3208-228-0x0000000004EA0000-0x0000000004EC6000-memory.dmp
memory/1408-229-0x0000000004B80000-0x0000000004B9F000-memory.dmp
memory/736-227-0x0000000004C80000-0x0000000004CA0000-memory.dmp
memory/1796-230-0x0000000000400000-0x0000000000408000-memory.dmp
memory/3956-231-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1796-233-0x0000000000403BEE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
| MD5 | df5e3ee9a6098d1e29b31603672d5a8f |
| SHA1 | 0af2378effff0a7451317874efe4e6682365c03e |
| SHA256 | fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2 |
| SHA512 | 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9 |
C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
| MD5 | 6439889cfd410e3b57422781c93e26cf |
| SHA1 | 12280091094281fa60fa8321006abfc7c4bd4e33 |
| SHA256 | c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d |
| SHA512 | 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e |
memory/3956-232-0x000000000040616E-mapping.dmp
memory/2660-240-0x0000000000000000-mapping.dmp
memory/2892-244-0x0000000000000000-mapping.dmp
memory/3532-242-0x0000000000000000-mapping.dmp
C:\Windows\temp\asj2ixla.inf
| MD5 | 2a5c1249e02eb2c010ebff66acf0d053 |
| SHA1 | 3944f3d13725cc1bf71259304814d7daa40c53dd |
| SHA256 | 2b9bcc3b0b0b6219ddffa38c9a01ca7cc77146b9c1b9abb047396dcd0e15c5de |
| SHA512 | e7ea7cdb674a5981304dd20ffafebcffa5bb4b43dddafbf0d3f8bc669288d16f8057109ca686269bfba65cfd470aea894d5e7e930434243d7b0f4662419852ef |
memory/2660-248-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8907.tmp
| MD5 | 50d737a225ebc2c2d077a343c3c11709 |
| SHA1 | 0895a15e9a032de102190091cf69812a07ee4adf |
| SHA256 | 81ef09df8940f52e36e7a9ec58f173fca32589518e7842135537e1b162b1394e |
| SHA512 | 7eb2686149c67f9d8ae83c2832c9323a28f374997cf36007e7ec2c2c2463466a703a0bd1cc593ec500b7055a8f8b2a54ab7362d27b049b1ed856ad27626614a8 |
memory/2660-250-0x0000000006DC0000-0x0000000006DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/1956-252-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1956-253-0x000000000040C71E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\he9LmnMhHX.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
| MD5 | abeb86fdec0060ffb80f364cabd30b1b |
| SHA1 | 3c9c7b3ee66ff071eb32848ad5a62fab9683427c |
| SHA256 | 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b |
| SHA512 | c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4 |
memory/2660-258-0x0000000006B10000-0x0000000006B11000-memory.dmp
memory/2660-259-0x0000000006BB0000-0x0000000006BB1000-memory.dmp
memory/2660-260-0x0000000006D40000-0x0000000006D41000-memory.dmp
memory/2660-263-0x00000000074F0000-0x00000000074F1000-memory.dmp
memory/3956-264-0x0000000005530000-0x0000000005A2E000-memory.dmp
memory/3956-261-0x0000000005530000-0x0000000005A2E000-memory.dmp
memory/2660-265-0x0000000006780000-0x0000000006781000-memory.dmp
memory/2660-266-0x0000000006782000-0x0000000006783000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wdRIxA75Iu.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
memory/2332-268-0x0000000000000000-mapping.dmp
memory/1552-269-0x0000000000000000-mapping.dmp
memory/1552-273-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
C:\Windows\temp\2hw54vq4.exe
| MD5 | f4b5c1ebf4966256f52c4c4ceae87fb1 |
| SHA1 | ca70ec96d1a65cb2a4cbf4db46042275dc75813b |
| SHA256 | 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03 |
| SHA512 | 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e |
memory/2660-271-0x0000000006C80000-0x0000000006C81000-memory.dmp
C:\Windows\Temp\2hw54vq4.exe
| MD5 | f4b5c1ebf4966256f52c4c4ceae87fb1 |
| SHA1 | ca70ec96d1a65cb2a4cbf4db46042275dc75813b |
| SHA256 | 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03 |
| SHA512 | 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e |
memory/2660-275-0x0000000007B50000-0x0000000007B51000-memory.dmp
memory/2768-276-0x0000000000000000-mapping.dmp
memory/196-277-0x0000000000000000-mapping.dmp
memory/2660-281-0x0000000007C80000-0x0000000007C81000-memory.dmp
memory/2768-283-0x0000021ACF020000-0x0000021ACF021000-memory.dmp
memory/2768-286-0x0000021ACF1D0000-0x0000021ACF1D1000-memory.dmp
memory/2768-289-0x0000021ACEF10000-0x0000021ACEF12000-memory.dmp
memory/2768-290-0x0000021ACEF13000-0x0000021ACEF15000-memory.dmp
memory/2768-310-0x0000021ACEF16000-0x0000021ACEF18000-memory.dmp
memory/1956-311-0x0000000005480000-0x0000000005481000-memory.dmp
memory/2660-321-0x0000000008B30000-0x0000000008B63000-memory.dmp
memory/2660-334-0x000000007F4F0000-0x000000007F4F1000-memory.dmp
memory/3948-351-0x0000000000000000-mapping.dmp
memory/804-356-0x0000000000000000-mapping.dmp
memory/3252-360-0x0000000000000000-mapping.dmp
memory/3468-367-0x0000000000000000-mapping.dmp
memory/3948-377-0x0000025273F10000-0x0000025273F12000-memory.dmp
memory/4168-376-0x0000000000000000-mapping.dmp
memory/2660-374-0x0000000006783000-0x0000000006784000-memory.dmp
memory/4280-384-0x0000000000000000-mapping.dmp
memory/3948-380-0x0000025273F13000-0x0000025273F15000-memory.dmp
memory/4376-392-0x0000000000000000-mapping.dmp
memory/4508-402-0x0000000000000000-mapping.dmp
memory/4636-412-0x0000000000000000-mapping.dmp
memory/804-423-0x0000027B04D60000-0x0000027B04D62000-memory.dmp
memory/804-426-0x0000027B04D63000-0x0000027B04D65000-memory.dmp
memory/3252-429-0x000001C771C80000-0x000001C771C82000-memory.dmp
memory/4376-432-0x0000022A56AF0000-0x0000022A56AF2000-memory.dmp
memory/4376-435-0x0000022A56AF3000-0x0000022A56AF5000-memory.dmp
memory/3252-438-0x000001C771C83000-0x000001C771C85000-memory.dmp
memory/3468-441-0x00000277372C0000-0x00000277372C2000-memory.dmp
memory/3468-443-0x00000277372C3000-0x00000277372C5000-memory.dmp
memory/4168-446-0x000002EC1B740000-0x000002EC1B742000-memory.dmp
memory/4508-449-0x0000020491B60000-0x0000020491B62000-memory.dmp
memory/4508-452-0x0000020491B63000-0x0000020491B65000-memory.dmp
memory/4168-456-0x000002EC1B743000-0x000002EC1B745000-memory.dmp
memory/4280-458-0x000001F61DA80000-0x000001F61DA82000-memory.dmp
memory/4636-461-0x0000017097100000-0x0000017097102000-memory.dmp
memory/4636-462-0x0000017097103000-0x0000017097105000-memory.dmp
memory/4280-464-0x000001F61DA83000-0x000001F61DA85000-memory.dmp
memory/4708-490-0x0000000000000000-mapping.dmp
memory/4876-496-0x0000000000000000-mapping.dmp
memory/4928-518-0x0000000000000000-mapping.dmp
memory/4708-522-0x000002B811ED0000-0x000002B811ED2000-memory.dmp
memory/4708-524-0x000002B811ED3000-0x000002B811ED5000-memory.dmp
memory/3948-527-0x0000025273F16000-0x0000025273F18000-memory.dmp
memory/4508-529-0x0000020491B66000-0x0000020491B68000-memory.dmp
memory/4876-532-0x0000020744360000-0x0000020744362000-memory.dmp
memory/4876-537-0x0000020744363000-0x0000020744365000-memory.dmp
memory/4928-581-0x00000222EF610000-0x00000222EF612000-memory.dmp
memory/4928-586-0x00000222EF613000-0x00000222EF615000-memory.dmp
memory/3252-590-0x000001C771C86000-0x000001C771C88000-memory.dmp
memory/804-594-0x0000027B04D66000-0x0000027B04D68000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/3468-631-0x00000277372C6000-0x00000277372C8000-memory.dmp
memory/4168-637-0x000002EC1B746000-0x000002EC1B748000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a17ad8ee753e2f1f63e79d43ad16d608 |
| SHA1 | ebf0c8ee528e6a4e25a9a0d6df97c35e94a4cd53 |
| SHA256 | 4179200e37a810eeba4c042984282f217193338abae23ec672e67facb2edf72b |
| SHA512 | 9e4dc85a34b064ea45cdcb9207591da006e1d005ed5672ae90a395ee46900205ac43703df1498e6327757c9e07a0d99360c78957d6ea51baa847bb4768d08c7a |
memory/4280-682-0x000001F61DA86000-0x000001F61DA88000-memory.dmp
memory/4376-686-0x0000022A56AF6000-0x0000022A56AF8000-memory.dmp
memory/4636-731-0x0000017097106000-0x0000017097108000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/4708-778-0x000002B811ED6000-0x000002B811ED8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa25b2200314dffc21e8c1335a0fffb2 |
| SHA1 | 21520e029fe2d3aea7b865641a4d4f8706cb3560 |
| SHA256 | 614c6ba5368578c445bb951040f384cccb51b6e30c57153144954539857c3cb9 |
| SHA512 | 7c1b4a339ec2df55eda17b0ccf9842747d684b2a5a334bd7fa80a5533dcc76a1a972f2a73190c3541c8bfeefd75a8fa7f43a8d5e119ca839d9010b47f894c2ab |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 034215a0325ba9038112a23bc0999f6f |
| SHA1 | 3fbf21f096321105816603df2f3e6b05e6b15dc7 |
| SHA256 | df68e6b07637bcd01df0df023f2e14632baa7a7bb3519fc24ee6a45915aff5ad |
| SHA512 | 5a5964ce4ced0e038ba66b74d72114a4edd1ee01407decf16dd4253bef658170b906db42d554ec81b66627519b25ba17aeb23f081722a9658e07e1bb16cbf85b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rqJB2Bm7T4.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 14f4f893d2e7cc3ef6af7c7d8df2e5e8 |
| SHA1 | 800e6addf73822ff83eb53aca3f8965e0ec272c4 |
| SHA256 | 5b62b6c22f0cae44495303dfc35e3106d9a3c1b9e1fa75c0bd1e10b159ce2de4 |
| SHA512 | 42b83a75535cc85ff5a8cc262f26cdc42ccbff0ff479aef8c7bf6a3f688fab3c525fcedd536f322b86aef9069cc90efbcfcd2670549dc0e425164df4fa43cb7f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 40f583f516e0510c21745bea18ed7fc7 |
| SHA1 | 1c8eed618dde7e2776d2e935123f027f947c9cec |
| SHA256 | 5711b707eb6ea0bfe0b128febe7e7e7d5861d6ca5cf6e9b945dd25f5b8ee834f |
| SHA512 | afde45aca3c11cb977b5b926afad2baf295112b5f0799c0ac305284ef204424e46b77b88e00235ff719a3cd62f68a266a283bf6b45b56940acae8fdfa30f6b04 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 40f583f516e0510c21745bea18ed7fc7 |
| SHA1 | 1c8eed618dde7e2776d2e935123f027f947c9cec |
| SHA256 | 5711b707eb6ea0bfe0b128febe7e7e7d5861d6ca5cf6e9b945dd25f5b8ee834f |
| SHA512 | afde45aca3c11cb977b5b926afad2baf295112b5f0799c0ac305284ef204424e46b77b88e00235ff719a3cd62f68a266a283bf6b45b56940acae8fdfa30f6b04 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49817e3096f023e743edb9f4bc004b20 |
| SHA1 | 5f767dc6d8cd204a99e430396f58d8037ddee897 |
| SHA256 | ef277accd9d65bb592ba4f7078b8237fe70d9b23cd533befc88f177b94b822ba |
| SHA512 | f392bfefea00a1f69fd78b5fdc300b6661514dc6d35bd270217f5a0fe64f1066dd6456db7f78b5dce1842314f73dcefd3da6dc001138ff2d3f298a9576f4c026 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49817e3096f023e743edb9f4bc004b20 |
| SHA1 | 5f767dc6d8cd204a99e430396f58d8037ddee897 |
| SHA256 | ef277accd9d65bb592ba4f7078b8237fe70d9b23cd533befc88f177b94b822ba |
| SHA512 | f392bfefea00a1f69fd78b5fdc300b6661514dc6d35bd270217f5a0fe64f1066dd6456db7f78b5dce1842314f73dcefd3da6dc001138ff2d3f298a9576f4c026 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7256c512087fca627e4d8ad77d3ef2b |
| SHA1 | 92a6884cda0a3cb90af5d681715ac59b81a4bafb |
| SHA256 | 875fb04a4f6a42e25ff8fd162b240151beed2f8c5b202a03bef55dffe4c4e782 |
| SHA512 | 9a718bbef16385d53fb58e8511c9c8c82881902c5128bbf0e80dcfc54232e86b44b963198ed77ab898df84f7b42185c6b6028f2d578f218334e6ab42ffd418e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f7256c512087fca627e4d8ad77d3ef2b |
| SHA1 | 92a6884cda0a3cb90af5d681715ac59b81a4bafb |
| SHA256 | 875fb04a4f6a42e25ff8fd162b240151beed2f8c5b202a03bef55dffe4c4e782 |
| SHA512 | 9a718bbef16385d53fb58e8511c9c8c82881902c5128bbf0e80dcfc54232e86b44b963198ed77ab898df84f7b42185c6b6028f2d578f218334e6ab42ffd418e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 088d433eaeb40c732b52eb50654bfd25 |
| SHA1 | 021eecfc8a9caf84c8b7cd5dfcd838ebe74d0270 |
| SHA256 | d1cbd00d73a42ca0faaed2208d89c3b4cd3efd5c6766f9d898dfbc12bc305be7 |
| SHA512 | 6cdd45c478ad54f95b11dce53d50973c2e29d3729fba6d78a0b6c1e70d9a6daebbb9f0eac8691dd70d3442e85840418687d7e764a30bb193b3f0258abd9b3717 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 636821a18cc2b4208f45f7d405d400d6 |
| SHA1 | 24adaf7d19a3b76f22edb3258c3edab247835cf7 |
| SHA256 | 5202f94ae49c63822dcfc7ee6d96c259136800f699e036e46450ba84a19df3e3 |
| SHA512 | 80f8d42fc70d0d14a0d4d6f026615c77e0005ac251470126542fe28dafb3945d53bd8f736c1050cfe9611320b96ba335a26fd797ab4506d6928f8f8c20947d4e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4cff3a07654618a2e9ea34bcf344ef37 |
| SHA1 | ee8344ee81d3b8a80c28ce974331cd28d927a3f0 |
| SHA256 | 77d448bb0baaaa9ed1c3577b58f68e76ba86589a9b28125312688177e2118bbd |
| SHA512 | 1e9f785ee831343d13bb36695938d534cf181d39fbfe451e0338db9759203ea9476fe560432e3e75eb40c81e086bba7714f33ebeb6f8f1cd288acc4c829839c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5TQ9Z63L\Bdojytwvbcgagbvmwkdspythmuhhgvq[1]
| MD5 | 0381b7281382fd974fa960f89f893d92 |
| SHA1 | e49a5832692ef9bda4bf8a7e55765b154e37bc12 |
| SHA256 | 0dc7f9eef6ad651077ea0f77b2963d5fecb0f1cdc8f229a207e3b94c42b33d37 |
| SHA512 | 41a35220bd15777177fde4031021341fa140cd6f92fb0a549eabcd7286d7d507d4121d6fdebe5db57faa0eef475d56a998e1c529cc0cc0a6f3c59d2a328039c6 |
memory/5232-1018-0x00000000004019E4-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
| MD5 | 3694ac62d90c1e9f89145f324dc0e204 |
| SHA1 | f2953a9ba829d6fd1e0955dbc95e55abd08234e1 |
| SHA256 | ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 |
| SHA512 | 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d |
memory/5304-1021-0x0000000000000000-mapping.dmp