Analysis Overview
SHA256
0e8a868ba07027224a2d4960a9179be0912ae3ff03bac089283e886414adecb9
Threat Level: Known bad
The file 0e8a868ba07027224a2d4960a9179be0912ae3ff03bac089283e886414adecb9 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
CyberGate, Rebhip
LimeRAT
Modifies Windows Firewall
UPX packed file
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
Enumerates physical storage devices
Modifies registry class
Enumerates system info in registry
Creates scheduled task(s)
NTFS ADS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-04 18:34
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-04 18:34
Reported
2022-06-05 01:56
Platform
win7-20220414-en
Max time kernel
6s
Max time network
157s
Signatures
CyberGate, Rebhip
LimeRAT
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cpuz.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
All five AutoIt-compiled stubs read SystemBiosVersion, and the same processes read BIOS\SystemManufacturer and BIOS\SystemProductName (listed under Enumerates system info in registry below). Those three values are the usual inputs for virtual-machine checks (matching against strings such as VMware, VirtualBox or QEMU), so treat the queries as possible sandbox evasion rather than as benign hardware inventory.
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
The indicator here is the WMI moniker winmgmts:\root\cimv2 (the string AutoIt's ObjGet and VBScript's GetObject take to connect to WMI), which the sandbox has prefixed with the process's working directory and treated as a file name with an alternate data stream because of the colon. It shows that each of the five AutoIt stubs queries WMI; it does not show that any NTFS alternate data stream was written.
Suspicious use of WriteProcessMemory
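The process list that follows carries three of the behaviours the signatures flag: schtasks /create with a one-minute interval and hex-encoded task names (647A6E75696B626D7378726F is "dznuikbmsxro" in ASCII), a netsh firewall exception for RegAsm.exe, and a miner pointed at a pool on port 3357. The Python below is an added example, not part of the sandbox's output: it parses a handful of command lines copied from that list (the miner's -u value exactly as the page prints it), decodes the /tn hex strings and raises findings. The rule names, the set of .NET utilities treated as hollowing targets and the "user-writable path" pattern are my own choices, not anything the report states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Command lines copied from this report's process list; the checks below are an
# added example and not one of the sandbox's own signatures.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
    r'msvc64 -l zec.pool.minergate.com:3357 -u [email protected]',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\redlocal.vbs"',
    r'"C:\Windows\System32\taskmgr.exe"',
]

# Assumption: .NET utilities that crypters commonly start with no arguments and hollow out.
DOTNET_LOLBINS = {'regasm', 'regsvcs', 'installutil', 'msbuild'}
# Assumption: a scheduled task whose action lives under one of these is user-controlled.
USER_WRITABLE = re.compile(r'\\(AppData|ProgramData|Temp)\\', re.I)


def split_cmd(cmd: str) -> Tuple[str, str]:
    """Split a command line into (image path, everything after it)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', cmd, re.S)
    if not m:
        return '', ''
    return (m.group(1) or m.group(2)), m.group(3)


def image_name(path: str) -> str:
    """Lower-cased file name without a trailing .exe, e.g. 'schtasks'."""
    name = path.rsplit('\\', 1)[-1].lower()
    return name[:-4] if name.endswith('.exe') else name


def decode_hex_name(name: str) -> Optional[str]:
    """Decode a task name that is ASCII text written as hex digits; None if it is not."""
    if not re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', name):
        return None
    raw = bytes.fromhex(name)
    return raw.decode('ascii') if all(0x20 <= b < 0x7F for b in raw) else None


def parse_schtasks(args: str) -> Optional[Dict[str, str]]:
    """Extract /tn, /tr, /sc and /mo from the arguments of schtasks /create."""
    if '/create' not in args.lower():
        return None
    fields: Dict[str, str] = {}
    for key in ('tn', 'sc', 'mo'):
        m = re.search(r'/%s\s+(\S+)' % key, args, re.I)
        if m:
            fields[key] = m.group(1)
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', args, re.I)
    if m:
        fields['tr'] = m.group(1) or m.group(2)
    return fields


def triage(cmdlines: List[str]) -> List[dict]:
    """Run the checks over each command line and collect the findings in order."""
    findings: List[dict] = []
    for cmd in cmdlines:
        path, args = split_cmd(cmd)
        image = image_name(path)

        # Persistence: a task that re-runs a user-writable payload every few minutes.
        if image == 'schtasks':
            t = parse_schtasks(args)
            if t and t.get('sc', '').lower() == 'minute' and int(t.get('mo', '1')) <= 5 \
                    and USER_WRITABLE.search(t.get('tr', '')):
                findings.append({'rule': 'schtasks-minute-persistence', 'task': t['tn'],
                                 'decoded_task': decode_hex_name(t['tn']) or '', 'payload': t['tr']})

        # Legacy netsh firewall syntax whitelisting a program (worse when it is a LOLBin).
        if image == 'netsh' and 'enable' in args.lower():
            prog = re.search(r'allowedprogram\s+"([^"]+)"', args, re.I)
            if prog:
                findings.append({'rule': 'firewall-exception', 'program': prog.group(1),
                                 'lolbin': image_name(prog.group(1)) in DOTNET_LOLBINS})

        # Miner-style arguments: -l/-o host:port plus a -u wallet/login.
        pool = re.search(r'(?:^|\s)-[lo]\s+(?:stratum\+tcp://)?([\w.-]+):(\d+)\b', args, re.I)
        if pool and re.search(r'(?:^|\s)-u\s+\S+', args):
            findings.append({'rule': 'miner-pool-argument', 'pool': pool.group(1), 'port': int(pool.group(2))})

        # A .NET utility started with an empty command line is a typical injection host.
        if image in DOTNET_LOLBINS and not args.strip():
            findings.append({'rule': 'dotnet-lolbin-no-args', 'image': path})

        # Script host running a .vbs dropped into a Temp directory.
        if image in ('wscript', 'cscript') and re.search(r'\\temp\\[^"]*\.vbs', args, re.I):
            findings.append({'rule': 'script-host-from-temp', 'script': args.strip('" ')})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Feeding the full list from the report instead of the eight sample lines yields five persistence findings (one per hex-named task, all with 12-character lowercase names) and the same single firewall exception and miner hit.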
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | "C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe" |
| C:\Users\Admin\AppData\Local\Temp\cac.exe | "C:\Users\Admin\AppData\Local\Temp\cac.exe" |
| C:\Users\Admin\AppData\Local\Temp\Lm.exe | "C:\Users\Admin\AppData\Local\Temp\Lm.exe" |
| C:\Users\Admin\AppData\Local\Temp\Nj.exe | "C:\Users\Admin\AppData\Local\Temp\Nj.exe" |
| C:\Users\Admin\AppData\Local\Temp\cpuz.exe | "C:\Users\Admin\AppData\Local\Temp\cpuz.exe" |
| C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | "C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe" |
| C:\Users\Admin\AppData\Local\Temp\Im.exe | "C:\Users\Admin\AppData\Local\Temp\Im.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\redlocal.vbs" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\move1.bat" " |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\move.bat" " |
| C:\Users\Admin\AppData\Local\Temp\msvc64.exe | msvc64 -l zec.pool.minergate.com:3357 -u [email protected] |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\Start.bat" " |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Windows\System32\svchost.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\SysWOW64\schtasks.exe" /create /tn 69686C70776A6978766B786E /tr "C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe" /sc minute /mo 1 /F |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\SysWOW64\schtasks.exe" /create /tn 69647A6E75686A706D697A77 /tr "C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe" /sc minute /mo 1 /F |
| C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\SysWOW64\schtasks.exe" /create /tn 696678666E77717562746F7A /tr "C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe" /sc minute /mo 1 /F |
| C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe" |
| C:\Windows\SysWOW64\netsh.exe | netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE |
| C:\Windows\system32\taskeng.exe | taskeng.exe {997EC816-77A7-4C07-AA29-EB0876FCE06F} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe | C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe |
| C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe | C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe |
| C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe | C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe |
| C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe | C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe |
| C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe | C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe |
| C:\Windows\SysWOW64\taskmgr.exe | "C:\Windows\System32\taskmgr.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" |
The five schtasks task names are plain ASCII written as hex (647A6E75696B626D7378726F is dznuikbmsxro), each task re-launching a copy of one of the droppers from a random 12-letter directory every minute. Where the Process column says SysWOW64 and the command line says System32, the 32-bit parent was subject to WOW64 file-system redirection; both refer to the same 32-bit binary.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zec.pool.minergate.com | udp |
| DE | 144.76.44.197:3357 | zec.pool.minergate.com | tcp |
| DE | 46.4.119.209:3357 | zec.pool.minergate.com | tcp |
| DE | 176.9.16.231:3357 | zec.pool.minergate.com | tcp |
| DE | 138.201.19.37:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| DE | 46.4.120.18:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | prueba2.hopto.org | udp |
| DE | 78.46.87.181:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | todoaqui.duckdns.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| US | 8.8.8.8:53 | prueba1.hopto.org | udp |
| DE | 136.243.150.172:3357 | zec.pool.minergate.com | tcp |
| DE | 85.10.206.201:3357 | zec.pool.minergate.com | tcp |
| DE | 78.46.49.222:3357 | zec.pool.minergate.com | tcp |
| DE | 94.130.102.210:3357 | zec.pool.minergate.com | tcp |
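Reading the table above takes one convention: rows whose destination is 8.8.8.8:53 over udp are the sandbox's DNS lookups, so a domain that appears only in such rows was queried but never contacted. The Python below is an added example, not part of the report: it parses the rows as printed, separates lookups from connections, labels each domain and produces a block list. The list of dynamic-DNS suffixes is an assumption (the three seen here plus no-ip.org and ddns.net, which do not occur in this report), as is the "pool." heuristic for mining pools.

```python
import re
from typing import Dict, List, Tuple

# Rows copied from this report's Network table; the classification and the
# block-list output are an added example, not the sandbox's own logic.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | zec.pool.minergate.com | udp |
| DE | 144.76.44.197:3357 | zec.pool.minergate.com | tcp |
| DE | 46.4.119.209:3357 | zec.pool.minergate.com | tcp |
| DE | 176.9.16.231:3357 | zec.pool.minergate.com | tcp |
| DE | 138.201.19.37:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| DE | 46.4.120.18:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | prueba2.hopto.org | udp |
| DE | 78.46.87.181:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | todoaqui.duckdns.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| US | 8.8.8.8:53 | prueba1.hopto.org | udp |
| DE | 136.243.150.172:3357 | zec.pool.minergate.com | tcp |
| DE | 85.10.206.201:3357 | zec.pool.minergate.com | tcp |
| DE | 78.46.49.222:3357 | zec.pool.minergate.com | tcp |
| DE | 94.130.102.210:3357 | zec.pool.minergate.com | tcp |
"""

RESOLVERS = {'8.8.8.8'}  # the sandbox's upstream DNS server in this run
# Assumption: free dynamic-DNS providers; only the first three appear in the report.
DYNDNS_SUFFIXES = ('.mywire.org', '.hopto.org', '.duckdns.org', '.no-ip.org', '.ddns.net')
PASTE_SITES = ('pastebin.com',)


def parse_rows(table: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (country, ip, port, domain, proto) for each pipe-delimited row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) != 4 or cells[0] == 'Country':
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(':', 1)
        rows.append((country, ip, int(port), domain, proto.lower()))
    return rows


def classify(domain: str) -> str:
    """Coarse label for a contacted domain."""
    d = domain.lower()
    if any(d.endswith(s) for s in DYNDNS_SUFFIXES):
        return 'dynamic-dns'
    if d in PASTE_SITES:
        return 'paste-site'
    if 'pool.' in d or 'minergate' in d:
        return 'mining-pool'
    return 'other'


def summarize(table: str) -> Dict[str, dict]:
    """Per domain: its label, how often it was looked up, and the endpoints actually contacted."""
    summary: Dict[str, dict] = {}
    for _country, ip, port, domain, proto in parse_rows(table):
        entry = summary.setdefault(domain, {'category': classify(domain), 'endpoints': set(), 'lookups': 0})
        if ip in RESOLVERS and port == 53:
            entry['lookups'] += 1          # a resolver query, not traffic to the domain itself
        else:
            entry['endpoints'].add((ip, port, proto))
    for entry in summary.values():
        entry['dns_only'] = not entry['endpoints']   # queried but never connected to
    return summary


def blocklist(table: str) -> List[str]:
    """One line per contacted endpoint, suitable for a firewall or proxy deny list."""
    lines = []
    for domain, entry in summarize(table).items():
        for ip, port, proto in sorted(entry['endpoints']):
            lines.append(f'{ip}:{port}/{proto} {domain} [{entry["category"]}]')
    return sorted(lines)


if __name__ == '__main__':
    for domain, entry in summarize(NETWORK_TABLE).items():
        state = 'lookup only' if entry['dns_only'] else f"{len(entry['endpoints'])} endpoint(s)"
        print(f"{domain:28} {entry['category']:12} {state}")
    print('\n'.join(blocklist(NETWORK_TABLE)))
```

On this report the output shows ten pool IPs on 3357, one pastebin fetch over 443, one duckdns host reached on 1978, and five dynamic-DNS names that were only ever looked up, which is the usual picture for RAT C2 hosts that were offline at detonation time.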
Files
memory/1680-54-0x0000000076451000-0x0000000076453000-memory.dmp
\Users\Admin\AppData\Local\Temp\cac.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
memory/1328-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Im.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
memory/1908-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Lm.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
memory/836-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Nj.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
memory/1836-89-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\cpuz.exe
| MD5 | 15188f93e44f25e6f4584172ffc0aa66 |
| SHA1 | 761173934dbcdc71f9882b8b4a66a0b615457b5f |
| SHA256 | 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db |
| SHA512 | 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b |
memory/1592-92-0x0000000000000000-mapping.dmp
memory/1892-74-0x0000000000000000-mapping.dmp
memory/1072-96-0x0000000000000000-mapping.dmp
memory/1256-98-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\redlocal.vbs
| MD5 | 230a9bb12875f2a15fa9695e752af036 |
| SHA1 | 16108e1037abe7c323f433ebdfec69b62f4e059a |
| SHA256 | 39deae526328c7d32cf98744ab8b7c696d598897fa84d7d7128798ce8c7da028 |
| SHA512 | dae2d8ced788ba205b2894e156744be72edbdd8a8f2265d0e590ec66e8cb2d21e93cd90fcfb9fc6e77dfc60ecf427e7601976bfd84449d921ad6f12b32750515 |
memory/1516-97-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Configurar.lnk
| MD5 | cb7e4263eefcb8b4da497f839d07e943 |
| SHA1 | e3dbdae19822b20832ee83a19accf0548c573639 |
| SHA256 | ee0add7e97b5d8043d87c1625691c031cd3de4f875123753bb89b07e8dfd9c55 |
| SHA512 | d34a12740e8ea4396b1d24ef51c7dbd83e26c1182df3c59020ac2062da76db984a2bd40eab82c0d9d3728dccee12cd78cfb46bee9c56e1b4a1ca98498caa63e9 |
C:\Users\Admin\AppData\Local\Temp\redlocal.lnk
| MD5 | bfaa9cbf73498c3f8dcb7179ce9612eb |
| SHA1 | f709f66f9f48a126977a323e990ee418e5aa7a02 |
| SHA256 | ece7d88dabee0d5bde848f7586703d53ef0711e042ecb53d06c726ddc012e7eb |
| SHA512 | 3d7572ca01a456a212207c946f4315e6e70481cac5044a9a687a3a52b7e9bcea2038a922e3b6a451c04252012412a7ae5c1c6b89ecedcb6747b5b3ca23648248 |
C:\Users\Admin\AppData\Local\Temp\move1.bat
| MD5 | f7c176d0da3ca73b43da3305ff66cae8 |
| SHA1 | 7fba3298d9ec28884c8f32ae8806530521ee9154 |
| SHA256 | ea1742e3973d96efa28192f1f499327ef1ce70059ee6e339b654b8a884036562 |
| SHA512 | 4523f60fcce3ea5abb59211db92ccb21eb96d2aba568eb37627f0abf964d2c25cdddf19a4bbfcf8516ad438767e073d10b04014d30bce5afcd6b7dca3d8ab6fc |
C:\Users\Admin\AppData\Local\Temp\move.bat
| MD5 | d0eddeb25950f2bf5d436988af980254 |
| SHA1 | f0ed4f6fa6eea289da78b94832056cdb5d288f0f |
| SHA256 | 914c922cb0c4c4efb37f3661faa9f509ef2bf009f1d070e446358be478dc284e |
| SHA512 | ef340613a176b618c4a4e947f18e8334d8d2fec5eee3003aa26cacab56864332b58314d096da1912fad4cb5c4f3855232588d08a1efa2b0750843763b71892ae |
memory/1088-106-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll
| MD5 | cb3cb16d409efc7d1a119a5cf5cb3363 |
| SHA1 | f835f5c182c6d56d5e24f8936981ccf766e67274 |
| SHA256 | f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e |
| SHA512 | 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4 |
C:\Users\Admin\AppData\Local\Temp\MSVCR120.dll
| MD5 | 9c861c079dd81762b6c54e37597b7712 |
| SHA1 | 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0 |
| SHA256 | ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c |
| SHA512 | 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7 |
\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll
| MD5 | 6fc8b16bf725d94370d9babd1782fe33 |
| SHA1 | 5fc337e7d089764a4a74d721853607fb0d7b3977 |
| SHA256 | b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d |
| SHA512 | ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac |
\Users\Admin\AppData\Local\Temp\msvcp120.dll
| MD5 | 46060c35f697281bc5e7337aee3722b1 |
| SHA1 | d0164c041707f297a73abb9ea854111953e99cf1 |
| SHA256 | 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848 |
| SHA512 | 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a |
\Users\Admin\AppData\Local\Temp\OpenCL.dll
| MD5 | d143c8d82d8b0ccc0b9cda536596d808 |
| SHA1 | 7ab739bff07cbdac611e898025c12dce9be0b929 |
| SHA256 | 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f |
| SHA512 | 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a |
\Users\Admin\AppData\Local\Temp\cudart64_80.dll
| MD5 | cf198b329fb988983749f891c060245e |
| SHA1 | 8cc81b4e6223069d15f11582191f4d75a44ddbe4 |
| SHA256 | 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1 |
| SHA512 | be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478 |
memory/1724-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
| MD5 | 91a4d769487a8337c2d639c381b87647 |
| SHA1 | 666447000a0f9fd94ef350cf01aa97aad069e4e5 |
| SHA256 | 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f |
| SHA512 | e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378 |
memory/2024-108-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Start.bat
| MD5 | c87f9977d024f42daf8e7036f3092366 |
| SHA1 | d7d855d388ced3fd60203ae84e8c2ce91a30a11a |
| SHA256 | 819008779e1dc0b3dd32e73bbfae43ba9c53b7fa6259279188bb57749ee00ddd |
| SHA512 | 5d90dcb6408c404fcc7f2cb2498d9f2541afa3fc1c41c08291369276dd11437b55ba3e37097acd4035d434fe6ffa48bbd9c9daa3f39ea54cc15e6e0047ac5542 |
memory/1532-124-0x0000000000400000-0x000000000040C000-memory.dmp
memory/612-123-0x0000000000400000-0x000000000044C000-memory.dmp
memory/612-131-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1580-132-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1532-130-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1532-147-0x000000000040805E-mapping.dmp
memory/1580-152-0x000000000040747E-mapping.dmp
memory/780-155-0x000000000040747E-mapping.dmp
memory/612-158-0x000000000040BBCC-mapping.dmp
memory/1532-159-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1532-161-0x0000000000400000-0x000000000040C000-memory.dmp
memory/612-160-0x0000000000400000-0x000000000044C000-memory.dmp
memory/780-162-0x0000000000400000-0x000000000040C000-memory.dmp
memory/780-164-0x0000000000400000-0x000000000040C000-memory.dmp
memory/688-169-0x0000000000000000-mapping.dmp
memory/612-171-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1748-170-0x0000000000000000-mapping.dmp
memory/1720-168-0x0000000000000000-mapping.dmp
memory/1624-167-0x0000000000000000-mapping.dmp
memory/1072-176-0x0000000000000000-mapping.dmp
memory/612-178-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1072-181-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1072-183-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1812-184-0x0000000000090000-0x00000000000E6000-memory.dmp
memory/1812-186-0x0000000000090000-0x00000000000E6000-memory.dmp
memory/1812-191-0x00000000000E1B8E-mapping.dmp
memory/1620-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | fe63b5e61e538e2a328049cbb5a55550 |
| SHA1 | b7062cb3b7eaf07dd265d5063c3a3571710b195a |
| SHA256 | f25c6d3bcc77fddc410703fae90c280f8c196789154471f7c6e630ce557778df |
| SHA512 | cfecde1d6e5e4ff0a5c715fffc3465407f5c433a80e787722c20ffb0ef9509a7df362a2245bc6bd46c0629d29ab9771deaea478999fbf4ae914e9a19ff507a57 |
memory/1072-196-0x0000000010410000-0x0000000010471000-memory.dmp
memory/1984-197-0x0000000000000000-mapping.dmp
memory/1812-198-0x0000000000090000-0x00000000000E6000-memory.dmp
memory/1580-199-0x00000000735B0000-0x0000000073B5B000-memory.dmp
memory/1532-200-0x00000000735B0000-0x0000000073B5B000-memory.dmp
memory/780-201-0x00000000735B0000-0x0000000073B5B000-memory.dmp
memory/1812-202-0x0000000000260000-0x0000000000270000-memory.dmp
memory/1812-203-0x0000000004910000-0x00000000049BE000-memory.dmp
memory/1812-204-0x0000000000280000-0x00000000002A8000-memory.dmp
memory/988-205-0x0000000000000000-mapping.dmp
memory/1580-207-0x00000000723C0000-0x0000000072EB8000-memory.dmp
memory/780-206-0x00000000723C0000-0x0000000072EB8000-memory.dmp
memory/1812-208-0x000000006D5C0000-0x000000006D6E3000-memory.dmp
memory/780-211-0x0000000071C20000-0x00000000723BC000-memory.dmp
memory/1580-212-0x0000000071C20000-0x00000000723BC000-memory.dmp
memory/1532-213-0x0000000071C20000-0x00000000723BC000-memory.dmp
memory/1532-216-0x0000000071A80000-0x0000000071C1B000-memory.dmp
memory/780-215-0x0000000071A80000-0x0000000071C1B000-memory.dmp
memory/1580-214-0x0000000071A80000-0x0000000071C1B000-memory.dmp
memory/780-217-0x0000000070560000-0x00000000706E8000-memory.dmp
memory/1580-218-0x0000000070560000-0x00000000706E8000-memory.dmp
memory/2348-220-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
memory/2376-222-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
memory/2404-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
memory/2424-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
| MD5 | e0fbfe477ea9736b977e435af868c5af |
| SHA1 | 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df |
| SHA256 | d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953 |
| SHA512 | d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962 |
memory/2444-228-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
memory/1812-229-0x0000000002140000-0x0000000002156000-memory.dmp
memory/2484-230-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Im.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
\Users\Admin\AppData\Local\Temp\cac.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
| MD5 | 91a4d769487a8337c2d639c381b87647 |
| SHA1 | 666447000a0f9fd94ef350cf01aa97aad069e4e5 |
| SHA256 | 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f |
| SHA512 | e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378 |
\Users\Admin\AppData\Local\Temp\Nj.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
\Users\Admin\AppData\Local\Temp\Lm.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
\Users\Admin\AppData\Local\Temp\Im.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
\Users\Admin\AppData\Local\Temp\cac.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
memory/1812-246-0x00000000706F0000-0x0000000071A7F000-memory.dmp
memory/780-247-0x000000006F980000-0x000000007055E000-memory.dmp
memory/1580-248-0x000000006F980000-0x000000007055E000-memory.dmp
memory/1580-249-0x00000000735B0000-0x0000000073B5B000-memory.dmp
memory/1532-250-0x0000000073E80000-0x0000000073F84000-memory.dmp
memory/2888-258-0x000000000040805E-mapping.dmp
memory/2880-268-0x000000000040747E-mapping.dmp
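The Files entries above record each payload twice under different names: the four binaries first written to the Temp root (Im.exe, cac.exe, Nj.exe, Lm.exe) and the copies placed in random-named subdirectories, which are the paths the schtasks entries in the Processes section register to run every minute. Only jjnrmrnndmoy.exe under Roaming carries a SHA256 that appears nowhere else, so it is a fifth, distinct binary rather than another copy. The Python below is an added example, not part of the report, that groups entries by SHA256 to make that mapping explicit. It embeds a subset of the entries above (SHA256 rows only) in the report's own path-then-hash-table layout and relies on nothing else.

```python
import re
from collections import defaultdict

# Dropped-file entries copied from the behavioral1 Files section above
# (SHA256 rows only; MD5/SHA1/SHA512 rows omitted). The parser also accepts
# the full layout with all four hash rows and interleaved memory/ lines.
FILE_ENTRIES = r"""
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
| SHA256 | d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953 |
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
\Users\Admin\AppData\Local\Temp\Im.exe
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
\Users\Admin\AppData\Local\Temp\cac.exe
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
| SHA256 | 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f |
\Users\Admin\AppData\Local\Temp\Nj.exe
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
\Users\Admin\AppData\Local\Temp\Lm.exe
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
\Users\Admin\AppData\Local\Temp\Nj.exe
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
"""

# A SHA256 row as the report prints it: "| SHA256 | <64 hex digits> |".
SHA256_ROW = re.compile(r"^\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|$")


def parse_entries(text):
    """Yield (path, sha256) pairs; a bare path line opens an entry, hash rows follow it."""
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue  # blank lines and memory-dump references carry no file identity
        match = SHA256_ROW.match(line)
        if match:
            if path:
                yield path, match.group(1)
        elif not line.startswith("|"):
            path = line  # any non-table line is the next file path


def group_by_sha256(text):
    """Map each digest to the set of file names it was written under."""
    groups = defaultdict(set)
    for path, digest in parse_entries(text):
        groups[digest].add(path.rsplit("\\", 1)[-1])
    return dict(groups)


def split_copies(groups):
    """Separate digests dropped under several names from those seen once."""
    multi = {h: sorted(names) for h, names in groups.items() if len(names) > 1}
    single = {h: next(iter(names)) for h, names in groups.items() if len(names) == 1}
    return multi, single


if __name__ == "__main__":
    multi, single = split_copies(group_by_sha256(FILE_ENTRIES))
    for digest, names in multi.items():
        print(f"{digest[:12]}  same binary as: {', '.join(names)}")
    for digest, name in single.items():
        print(f"{digest[:12]}  only seen as:   {name}")
```

Grouping by digest rather than by name is the check that matters here: the random directory and file names change per infection, the hashes do not, so the four multi-name digests are the values worth blocking, and the singleton under Roaming needs its own analysis.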
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-04 18:34
Reported
2022-06-05 01:55
Platform
win10v2004-20220414-en
Max time kernel
7s
Max time network
154s
Command Line
Signatures
CyberGate, Rebhip
LimeRAT
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cpuz.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cpuz.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\cpuz.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\cac.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Im.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Lm.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 | C:\Users\Admin\AppData\Local\Temp\Nj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"
C:\Users\Admin\AppData\Local\Temp\cac.exe
"C:\Users\Admin\AppData\Local\Temp\cac.exe"
C:\Users\Admin\AppData\Local\Temp\Im.exe
"C:\Users\Admin\AppData\Local\Temp\Im.exe"
C:\Users\Admin\AppData\Local\Temp\Nj.exe
"C:\Users\Admin\AppData\Local\Temp\Nj.exe"
C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"
C:\Users\Admin\AppData\Local\Temp\cpuz.exe
"C:\Users\Admin\AppData\Local\Temp\cpuz.exe"
C:\Users\Admin\AppData\Local\Temp\Lm.exe
"C:\Users\Admin\AppData\Local\Temp\Lm.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\redlocal.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\move.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\move1.bat" "
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
msvc64 -l zec.pool.minergate.com:3357 -u [email protected]
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Start.bat" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69647A6E75686A706D697A77 /tr "C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn 696678666E77717562746F7A /tr "C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69686C70776A6978766B786E /tr "C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe
C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe
C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe
C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
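The five schtasks lines above share one pattern: a task name that is a hex string (each decodes to twelve lowercase letters), a target under the user's AppData tree, and `/sc minute /mo 1 /F`, which relaunches the dropped copy every minute and silently replaces any existing task of that name. The netsh line then adds a host-firewall exception for RegAsm.exe, the .NET utility the RAT payloads run inside. The Python below is an added example, not part of the report or of the sandbox's own signatures, that turns that pattern into a check over process command lines and decodes the hex names along the way. The command lines are copied from the Processes section; the benign control line, the user-writable directory list and the injection-host list are constructed assumptions.

```python
import re

# Command lines copied from the Processes section of this report (the hex task
# names and drop paths are the sample's own), plus one constructed benign
# schtasks line as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69647A6E75686A706D697A77 /tr "C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 696678666E77717562746F7A /tr "C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69686C70776A6978766B786E /tr "C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe" /sc minute /mo 1 /F',
    r'"C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
    # Constructed benign control: readable name, Program Files target, daily run.
    r'"C:\Windows\System32\schtasks.exe" /create /tn BackupNightly /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00 /F',
]

# Directories an unprivileged user can write to (assumption: tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# .NET framework utilities routinely used as injection hosts (assumption); the
# report shows the payloads running inside RegAsm.exe and RegSvcs.exe.
NET_HOSTS = ("regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_hex_name(name):
    """Return the ASCII text a hex-only task name encodes, or None."""
    if len(name) < 8 or len(name) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", name):
        return None
    try:
        text = bytes.fromhex(name).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def switch_value(tokens, switch):
    """Value following a case-insensitive switch such as /tn, or '' if absent."""
    low = [t.lower() for t in tokens]
    if switch in low and low.index(switch) + 1 < len(tokens):
        return tokens[low.index(switch) + 1]
    return ""


def analyze(cmdline):
    """Return a finding for a suspicious schtasks or netsh line, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    low = [t.lower() for t in tokens]
    image = low[0].rsplit("\\", 1)[-1]
    if image == "schtasks.exe" and "/create" in low:
        name, target = switch_value(tokens, "/tn"), switch_value(tokens, "/tr")
        decoded, reasons = decode_hex_name(name), []
        if decoded:
            reasons.append("hex-encoded task name")
        if any(d in target.lower() for d in USER_WRITABLE):
            reasons.append("target in user-writable path")
        if switch_value(tokens, "/sc").lower() == "minute" and switch_value(tokens, "/mo") == "1":
            reasons.append("re-launched every minute")
        if reasons:
            return {"type": "schtasks", "name": name, "decoded": decoded,
                    "target": target, "reasons": reasons}
    if image in ("netsh", "netsh.exe") and "firewall" in low and "allowedprogram" in low:
        idx = low.index("allowedprogram") + 1
        program = tokens[idx] if idx < len(tokens) else ""
        base = program.lower().rsplit("\\", 1)[-1]
        if base in NET_HOSTS or any(d in program.lower() for d in USER_WRITABLE):
            return {"type": "netsh", "program": program,
                    "reasons": ["firewall exception for " + base]}
    return None


def scan(cmdlines):
    """Findings for every command line that trips a rule, in input order."""
    return [f for f in map(analyze, cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

Run it directly to print the six findings; in a detection pipeline the embedded list would be replaced by Sysmon event 1 or Security 4688 command lines. Each rule on its own produces noise (installers create minute-interval tasks, and some legitimate software adds firewall exceptions), so the finding carries all the reasons that fired and the analyst can require two or more.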
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zec.pool.minergate.com | udp |
| DE | 78.46.49.222:3357 | zec.pool.minergate.com | tcp |
| DE | 46.4.120.18:3357 | zec.pool.minergate.com | tcp |
| US | 13.107.21.200:443 | | tcp |
| DE | 176.9.16.231:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| DE | 78.46.87.181:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | prueba2.hopto.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | prueba1.hopto.org | udp |
| US | 8.8.8.8:53 | todoaqui.duckdns.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| DE | 136.243.150.172:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| DE | 85.10.206.201:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| DE | 94.130.102.210:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| DE | 138.201.19.37:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | todoaqui.duckdns.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| DE | 138.201.20.89:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
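The Network table above mixes three kinds of traffic: mining-pool connections to zec.pool.minergate.com on TCP/3357 matching the msvc64 command line in the Processes section, repeated DNS lookups for dynamic-DNS hostnames under mywire.org, hopto.org and duckdns.org, of which only todoaqui.duckdns.org ever produced a TCP connection (192.169.69.26:1978), and a pastebin.com fetch over 443. The Python below is an added example, not part of the report, that parses rows in the table's layout and separates hostnames that were resolved and connected to from those that were only looked up, which for a RAT usually means a configured C2 that was down or unregistered during detonation. It embeds a representative subset of the rows above; the dynamic-DNS suffix list is an assumption you would maintain yourself.

```python
from collections import defaultdict

# Rows copied from the Network table above (a representative subset, including
# one duplicate lookup and the 13.107.21.200 row that has no domain column).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zec.pool.minergate.com | udp |
| DE | 78.46.49.222:3357 | zec.pool.minergate.com | tcp |
| US | 13.107.21.200:443 | | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
| US | 8.8.8.8:53 | guarderia1.mywire.org | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | empezarll.mywire.org | udp |
| US | 8.8.8.8:53 | prueba2.hopto.org | udp |
| US | 8.8.8.8:53 | prueba1.hopto.org | udp |
| US | 8.8.8.8:53 | todoaqui.duckdns.org | udp |
| US | 192.169.69.26:1978 | todoaqui.duckdns.org | tcp |
| DE | 136.243.150.172:3357 | zec.pool.minergate.com | tcp |
| US | 8.8.8.8:53 | houdinicasa.mywire.org | udp |
"""

# Dynamic-DNS providers seen in this report plus two common ones (assumption:
# a watchlist of your own, not something the report supplies).
DYNDNS_SUFFIXES = ("mywire.org", "hopto.org", "duckdns.org", "no-ip.org", "ddns.net")


def parse_rows(text):
    """Turn pipe-table rows into dicts; the header row and non-table lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(rows):
    """Split observed names into connected, lookup-only and dynamic-DNS sets."""
    looked_up, connections, no_domain = set(), defaultdict(set), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            looked_up.add(r["domain"])            # a DNS query the sandbox saw
        elif r["proto"] == "tcp":
            endpoint = f"{r['ip']}:{r['port']}"
            if r["domain"]:
                connections[r["domain"]].add(endpoint)  # query answered and used
            else:
                no_domain.add(endpoint)           # hard-coded IP or unattributed
    dyn_suffixes = tuple("." + s for s in DYNDNS_SUFFIXES)
    seen = looked_up | set(connections)
    return {
        "connections": {d: sorted(e) for d, e in connections.items()},
        "dns_only": looked_up - set(connections),
        "dyndns": {d for d in seen if d.endswith(dyn_suffixes)},
        "no_domain": no_domain,
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The lookup-only names are still indicators worth blocking: the RAT builds embed several fallback hostnames and will retry them, so a DNS sinkhole on the whole set catches the host the moment any of them comes back online.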
Files
C:\Users\Admin\AppData\Local\Temp\cac.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
memory/4028-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cac.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
C:\Users\Admin\AppData\Local\Temp\Im.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
memory/1944-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Im.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
C:\Users\Admin\AppData\Local\Temp\Lm.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
C:\Users\Admin\AppData\Local\Temp\Nj.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
memory/4940-139-0x0000000000000000-mapping.dmp
memory/2552-142-0x0000000000000000-mapping.dmp
memory/2964-144-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cpuz.exe
| MD5 | 15188f93e44f25e6f4584172ffc0aa66 |
| SHA1 | 761173934dbcdc71f9882b8b4a66a0b615457b5f |
| SHA256 | 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db |
| SHA512 | 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b |
C:\Users\Admin\AppData\Local\Temp\Nj.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
C:\Users\Admin\AppData\Local\Temp\Lm.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
memory/2880-136-0x0000000000000000-mapping.dmp
memory/4260-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Start.bat
| MD5 | c87f9977d024f42daf8e7036f3092366 |
| SHA1 | d7d855d388ced3fd60203ae84e8c2ce91a30a11a |
| SHA256 | 819008779e1dc0b3dd32e73bbfae43ba9c53b7fa6259279188bb57749ee00ddd |
| SHA512 | 5d90dcb6408c404fcc7f2cb2498d9f2541afa3fc1c41c08291369276dd11437b55ba3e37097acd4035d434fe6ffa48bbd9c9daa3f39ea54cc15e6e0047ac5542 |
memory/2272-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Configurar.lnk
| MD5 | cb7e4263eefcb8b4da497f839d07e943 |
| SHA1 | e3dbdae19822b20832ee83a19accf0548c573639 |
| SHA256 | ee0add7e97b5d8043d87c1625691c031cd3de4f875123753bb89b07e8dfd9c55 |
| SHA512 | d34a12740e8ea4396b1d24ef51c7dbd83e26c1182df3c59020ac2062da76db984a2bd40eab82c0d9d3728dccee12cd78cfb46bee9c56e1b4a1ca98498caa63e9 |
C:\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll
| MD5 | 6fc8b16bf725d94370d9babd1782fe33 |
| SHA1 | 5fc337e7d089764a4a74d721853607fb0d7b3977 |
| SHA256 | b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d |
| SHA512 | ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac |
C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll
| MD5 | cb3cb16d409efc7d1a119a5cf5cb3363 |
| SHA1 | f835f5c182c6d56d5e24f8936981ccf766e67274 |
| SHA256 | f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e |
| SHA512 | 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4 |
C:\Users\Admin\AppData\Local\Temp\msvcr120.dll
| MD5 | 9c861c079dd81762b6c54e37597b7712 |
| SHA1 | 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0 |
| SHA256 | ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c |
| SHA512 | 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7 |
C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll
| MD5 | cb3cb16d409efc7d1a119a5cf5cb3363 |
| SHA1 | f835f5c182c6d56d5e24f8936981ccf766e67274 |
| SHA256 | f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e |
| SHA512 | 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4 |
C:\Users\Admin\AppData\Local\Temp\cudart64_80.dll
| MD5 | cf198b329fb988983749f891c060245e |
| SHA1 | 8cc81b4e6223069d15f11582191f4d75a44ddbe4 |
| SHA256 | 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1 |
| SHA512 | be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478 |
memory/3688-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cudart64_80.dll
| MD5 | cf198b329fb988983749f891c060245e |
| SHA1 | 8cc81b4e6223069d15f11582191f4d75a44ddbe4 |
| SHA256 | 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1 |
| SHA512 | be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478 |
C:\Users\Admin\AppData\Local\Temp\msvcr120.dll
| MD5 | 9c861c079dd81762b6c54e37597b7712 |
| SHA1 | 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0 |
| SHA256 | ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c |
| SHA512 | 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7 |
C:\Users\Admin\AppData\Local\Temp\MSVCR120.dll
| MD5 | 9c861c079dd81762b6c54e37597b7712 |
| SHA1 | 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0 |
| SHA256 | ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c |
| SHA512 | 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7 |
C:\Users\Admin\AppData\Local\Temp\msvcp120.dll
| MD5 | 46060c35f697281bc5e7337aee3722b1 |
| SHA1 | d0164c041707f297a73abb9ea854111953e99cf1 |
| SHA256 | 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848 |
| SHA512 | 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a |
C:\Users\Admin\AppData\Local\Temp\MSVCP120.dll
| MD5 | 46060c35f697281bc5e7337aee3722b1 |
| SHA1 | d0164c041707f297a73abb9ea854111953e99cf1 |
| SHA256 | 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848 |
| SHA512 | 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a |
C:\Users\Admin\AppData\Local\Temp\OpenCL.dll
| MD5 | d143c8d82d8b0ccc0b9cda536596d808 |
| SHA1 | 7ab739bff07cbdac611e898025c12dce9be0b929 |
| SHA256 | 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f |
| SHA512 | 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a |
C:\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll
| MD5 | 6fc8b16bf725d94370d9babd1782fe33 |
| SHA1 | 5fc337e7d089764a4a74d721853607fb0d7b3977 |
| SHA256 | b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d |
| SHA512 | ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac |
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
| MD5 | 91a4d769487a8337c2d639c381b87647 |
| SHA1 | 666447000a0f9fd94ef350cf01aa97aad069e4e5 |
| SHA256 | 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f |
| SHA512 | e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378 |
memory/4416-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\msvc64.exe
| MD5 | 91a4d769487a8337c2d639c381b87647 |
| SHA1 | 666447000a0f9fd94ef350cf01aa97aad069e4e5 |
| SHA256 | 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f |
| SHA512 | e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378 |
memory/4500-154-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\move1.bat
| MD5 | f7c176d0da3ca73b43da3305ff66cae8 |
| SHA1 | 7fba3298d9ec28884c8f32ae8806530521ee9154 |
| SHA256 | ea1742e3973d96efa28192f1f499327ef1ce70059ee6e339b654b8a884036562 |
| SHA512 | 4523f60fcce3ea5abb59211db92ccb21eb96d2aba568eb37627f0abf964d2c25cdddf19a4bbfcf8516ad438767e073d10b04014d30bce5afcd6b7dca3d8ab6fc |
C:\Users\Admin\AppData\Local\Temp\redlocal.lnk
| MD5 | bfaa9cbf73498c3f8dcb7179ce9612eb |
| SHA1 | f709f66f9f48a126977a323e990ee418e5aa7a02 |
| SHA256 | ece7d88dabee0d5bde848f7586703d53ef0711e042ecb53d06c726ddc012e7eb |
| SHA512 | 3d7572ca01a456a212207c946f4315e6e70481cac5044a9a687a3a52b7e9bcea2038a922e3b6a451c04252012412a7ae5c1c6b89ecedcb6747b5b3ca23648248 |
C:\Users\Admin\AppData\Local\Temp\move.bat
| MD5 | d0eddeb25950f2bf5d436988af980254 |
| SHA1 | f0ed4f6fa6eea289da78b94832056cdb5d288f0f |
| SHA256 | 914c922cb0c4c4efb37f3661faa9f509ef2bf009f1d070e446358be478dc284e |
| SHA512 | ef340613a176b618c4a4e947f18e8334d8d2fec5eee3003aa26cacab56864332b58314d096da1912fad4cb5c4f3855232588d08a1efa2b0750843763b71892ae |
memory/3492-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\redlocal.vbs
| MD5 | 230a9bb12875f2a15fa9695e752af036 |
| SHA1 | 16108e1037abe7c323f433ebdfec69b62f4e059a |
| SHA256 | 39deae526328c7d32cf98744ab8b7c696d598897fa84d7d7128798ce8c7da028 |
| SHA512 | dae2d8ced788ba205b2894e156744be72edbdd8a8f2265d0e590ec66e8cb2d21e93cd90fcfb9fc6e77dfc60ecf427e7601976bfd84449d921ad6f12b32750515 |
memory/2736-176-0x0000000000000000-mapping.dmp
memory/3708-177-0x0000000000400000-0x000000000040C000-memory.dmp
memory/3532-179-0x0000000000000000-mapping.dmp
memory/2736-181-0x0000000000820000-0x0000000000876000-memory.dmp
memory/3532-183-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2412-178-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3708-175-0x0000000000000000-mapping.dmp
memory/2412-174-0x0000000000000000-mapping.dmp
memory/2412-202-0x0000000000400000-0x000000000044C000-memory.dmp
memory/1420-205-0x0000000000000000-mapping.dmp
memory/4900-206-0x0000000000000000-mapping.dmp
memory/3872-204-0x0000000000000000-mapping.dmp
memory/4868-207-0x0000000000000000-mapping.dmp
memory/2412-203-0x0000000000400000-0x000000000044C000-memory.dmp
memory/3708-208-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2616-211-0x0000000000000000-mapping.dmp
memory/2736-210-0x0000000005160000-0x00000000051FC000-memory.dmp
memory/2736-216-0x00000000058B0000-0x0000000005E54000-memory.dmp
memory/3708-214-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2736-218-0x0000000005440000-0x00000000054D2000-memory.dmp
memory/3360-212-0x0000000000000000-mapping.dmp
memory/3532-220-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/3532-222-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/1752-223-0x0000000000000000-mapping.dmp
memory/3808-224-0x0000000000000000-mapping.dmp
memory/2736-225-0x0000000005E60000-0x0000000005EC6000-memory.dmp
memory/2616-226-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2616-227-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/3708-229-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/2616-228-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3164-231-0x0000000000000000-mapping.dmp
memory/3532-230-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3164-232-0x00000000005B0000-0x00000000005BC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 91046f2e147049d3e53cd9bf9d4d95ed |
| SHA1 | 228e347d062840b2edcbd16904475aacad414c62 |
| SHA256 | ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc |
| SHA512 | 071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0 |
memory/2412-238-0x0000000010410000-0x0000000010471000-memory.dmp
memory/3164-240-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/3360-242-0x0000000010410000-0x0000000010471000-memory.dmp
memory/3164-243-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/3164-245-0x000000006F9A0000-0x0000000070148000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | fe63b5e61e538e2a328049cbb5a55550 |
| SHA1 | b7062cb3b7eaf07dd265d5063c3a3571710b195a |
| SHA256 | f25c6d3bcc77fddc410703fae90c280f8c196789154471f7c6e630ce557778df |
| SHA512 | cfecde1d6e5e4ff0a5c715fffc3465407f5c433a80e787722c20ffb0ef9509a7df362a2245bc6bd46c0629d29ab9771deaea478999fbf4ae914e9a19ff507a57 |
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
memory/3360-248-0x0000000010410000-0x0000000010471000-memory.dmp
memory/4664-249-0x0000000000000000-mapping.dmp
memory/3164-250-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/3164-251-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2120-252-0x0000000000000000-mapping.dmp
memory/2120-258-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2120-259-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2120-260-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3532-261-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2120-262-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2120-263-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/3708-264-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/3708-265-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4936-267-0x0000000000000000-mapping.dmp
memory/2736-266-0x0000000006B60000-0x0000000006B6A000-memory.dmp
memory/3708-270-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3532-268-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/3532-272-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3544-273-0x0000000000000000-mapping.dmp
memory/4936-269-0x0000000000590000-0x000000000059C000-memory.dmp
memory/4936-277-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/4936-278-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4936-279-0x000000006F9A0000-0x0000000070148000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe
| MD5 | 757cdc4b50e6ee9fb9d904be1bb72fae |
| SHA1 | 649d9a872ac5e247374988e8a57390652714d0ca |
| SHA256 | b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523 |
| SHA512 | b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5 |
memory/3360-281-0x0000000010410000-0x0000000010471000-memory.dmp
memory/4936-282-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/4936-283-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/1996-284-0x0000000000000000-mapping.dmp
memory/1996-290-0x00000000729E0000-0x0000000072F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe
| MD5 | e5a9ca5399244644e10c1efe94ecb24a |
| SHA1 | b2ed050f0de3e1f88bb59ed37fdca20947793b2d |
| SHA256 | d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f |
| SHA512 | 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf |
memory/1996-292-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/1996-293-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/3360-295-0x0000000005CA0000-0x0000000005CE6000-memory.dmp
memory/3360-296-0x0000000005DF0000-0x0000000005E36000-memory.dmp
memory/3360-294-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1996-297-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/1996-298-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2064-299-0x0000000000000000-mapping.dmp
memory/2064-305-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2064-306-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2064-307-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/2064-308-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2064-309-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2132-310-0x0000000000000000-mapping.dmp
memory/2132-316-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2132-317-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/2132-318-0x000000006F9A0000-0x0000000070148000-memory.dmp
memory/2132-319-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2132-320-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4988-321-0x0000000000000000-mapping.dmp
memory/4988-327-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/4988-328-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4988-329-0x000000006F9A0000-0x0000000070148000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
\??\c:\users\admin\appdata\local\temp\hgubcqgsmnsw\yhiehxvpudbb.exe
| MD5 | 3316064512569f8a1f2c0e862fce2e66 |
| SHA1 | 5f8996d38afbcad8caa3da6388e1b4d50d902e86 |
| SHA256 | 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6 |
| SHA512 | 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195 |
memory/4988-333-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/4988-334-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4356-335-0x0000000000000000-mapping.dmp
memory/4356-341-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/4356-342-0x0000000071E40000-0x0000000072940000-memory.dmp
memory/4356-343-0x000000006F9A0000-0x0000000070148000-memory.dmp
\??\c:\users\admin\appdata\roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
| MD5 | e0fbfe477ea9736b977e435af868c5af |
| SHA1 | 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df |
| SHA256 | d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953 |
| SHA512 | d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962 |
\??\c:\users\admin\appdata\local\temp\romefmippdsq\poxqwoowwktv.exe
| MD5 | 39279ca212224a32e82770656d711a77 |
| SHA1 | 8f0bc2fd72dffa523c5a41767d7566da71cdfda4 |
| SHA256 | 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed |
| SHA512 | 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300 |
C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe
| MD5 | e0fbfe477ea9736b977e435af868c5af |
| SHA1 | 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df |
| SHA256 | d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953 |
| SHA512 | d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962 |
memory/4356-347-0x00000000729E0000-0x0000000072F91000-memory.dmp
memory/2420-349-0x0000000000000000-mapping.dmp
memory/1592-360-0x0000000000000000-mapping.dmp
memory/3572-371-0x0000000000000000-mapping.dmp
memory/408-382-0x0000000000000000-mapping.dmp
memory/2056-393-0x0000000000000000-mapping.dmp