Malware Analysis Report

2024-11-16 13:09

Sample ID 220604-w77spsfahj
Target 0e8a868ba07027224a2d4960a9179be0912ae3ff03bac089283e886414adecb9
SHA256 0e8a868ba07027224a2d4960a9179be0912ae3ff03bac089283e886414adecb9
Tags
cybergate limerat njrat cactus dynu evasion rat stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0e8a868ba07027224a2d4960a9179be0912ae3ff03bac089283e886414adecb9 was found to be: Known bad.

Malicious Activity Summary

njRAT/Bladabindi

CyberGate, Rebhip

LimeRAT

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Enumerates physical storage devices

Modifies registry class

Enumerates system info in registry

Creates scheduled task(s)

NTFS ADS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-04 18:34

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-04 18:34

Reported

2022-06-05 01:56

Platform

win7-20220414-en

Max time kernel

6s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\cac.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cac.exe
PID 1680 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Im.exe
PID 1680 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Lm.exe
PID 1680 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Nj.exe
PID 1680 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cpuz.exe
PID 1680 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
PID 1836 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\svchost.exe
PID 1836 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1088 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

C:\Users\Admin\AppData\Local\Temp\cac.exe

"C:\Users\Admin\AppData\Local\Temp\cac.exe"

C:\Users\Admin\AppData\Local\Temp\Lm.exe

"C:\Users\Admin\AppData\Local\Temp\Lm.exe"

C:\Users\Admin\AppData\Local\Temp\Nj.exe

"C:\Users\Admin\AppData\Local\Temp\Nj.exe"

C:\Users\Admin\AppData\Local\Temp\cpuz.exe

"C:\Users\Admin\AppData\Local\Temp\cpuz.exe"

C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

C:\Users\Admin\AppData\Local\Temp\Im.exe

"C:\Users\Admin\AppData\Local\Temp\Im.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\redlocal.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\move1.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\move.bat" "

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

msvc64 -l zec.pool.minergate.com:3357 -u [email protected]

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Start.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69686C70776A6978766B786E /tr "C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69647A6E75686A706D697A77 /tr "C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 696678666E77717562746F7A /tr "C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\system32\taskeng.exe

taskeng.exe {997EC816-77A7-4C07-AA29-EB0876FCE06F} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zec.pool.minergate.com udp
DE 144.76.44.197:3357 zec.pool.minergate.com tcp
DE 46.4.119.209:3357 zec.pool.minergate.com tcp
DE 176.9.16.231:3357 zec.pool.minergate.com tcp
DE 138.201.19.37:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 guarderia1.mywire.org udp
DE 46.4.120.18:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 prueba2.hopto.org udp
DE 78.46.87.181:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 todoaqui.duckdns.org udp
US 192.169.69.26:1978 todoaqui.duckdns.org tcp
US 8.8.8.8:53 prueba1.hopto.org udp
DE 136.243.150.172:3357 zec.pool.minergate.com tcp
DE 85.10.206.201:3357 zec.pool.minergate.com tcp
DE 78.46.49.222:3357 zec.pool.minergate.com tcp
DE 94.130.102.210:3357 zec.pool.minergate.com tcp

Files

memory/1680-54-0x0000000076451000-0x0000000076453000-memory.dmp

\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/1328-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

memory/1908-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

\Users\Admin\AppData\Local\Temp\Lm.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

C:\Users\Admin\AppData\Local\Temp\Lm.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

memory/836-82-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Nj.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

\Users\Admin\AppData\Local\Temp\Nj.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

memory/1836-89-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\cpuz.exe

MD5 15188f93e44f25e6f4584172ffc0aa66
SHA1 761173934dbcdc71f9882b8b4a66a0b615457b5f
SHA256 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db
SHA512 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b

memory/1592-92-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cpuz.exe

MD5 15188f93e44f25e6f4584172ffc0aa66
SHA1 761173934dbcdc71f9882b8b4a66a0b615457b5f
SHA256 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db
SHA512 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b

memory/1892-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/1072-96-0x0000000000000000-mapping.dmp

memory/1256-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\redlocal.vbs

MD5 230a9bb12875f2a15fa9695e752af036
SHA1 16108e1037abe7c323f433ebdfec69b62f4e059a
SHA256 39deae526328c7d32cf98744ab8b7c696d598897fa84d7d7128798ce8c7da028
SHA512 dae2d8ced788ba205b2894e156744be72edbdd8a8f2265d0e590ec66e8cb2d21e93cd90fcfb9fc6e77dfc60ecf427e7601976bfd84449d921ad6f12b32750515

memory/1516-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Configurar.lnk

MD5 cb7e4263eefcb8b4da497f839d07e943
SHA1 e3dbdae19822b20832ee83a19accf0548c573639
SHA256 ee0add7e97b5d8043d87c1625691c031cd3de4f875123753bb89b07e8dfd9c55
SHA512 d34a12740e8ea4396b1d24ef51c7dbd83e26c1182df3c59020ac2062da76db984a2bd40eab82c0d9d3728dccee12cd78cfb46bee9c56e1b4a1ca98498caa63e9

C:\Users\Admin\AppData\Local\Temp\redlocal.lnk

MD5 bfaa9cbf73498c3f8dcb7179ce9612eb
SHA1 f709f66f9f48a126977a323e990ee418e5aa7a02
SHA256 ece7d88dabee0d5bde848f7586703d53ef0711e042ecb53d06c726ddc012e7eb
SHA512 3d7572ca01a456a212207c946f4315e6e70481cac5044a9a687a3a52b7e9bcea2038a922e3b6a451c04252012412a7ae5c1c6b89ecedcb6747b5b3ca23648248

C:\Users\Admin\AppData\Local\Temp\move1.bat

MD5 f7c176d0da3ca73b43da3305ff66cae8
SHA1 7fba3298d9ec28884c8f32ae8806530521ee9154
SHA256 ea1742e3973d96efa28192f1f499327ef1ce70059ee6e339b654b8a884036562
SHA512 4523f60fcce3ea5abb59211db92ccb21eb96d2aba568eb37627f0abf964d2c25cdddf19a4bbfcf8516ad438767e073d10b04014d30bce5afcd6b7dca3d8ab6fc

C:\Users\Admin\AppData\Local\Temp\move.bat

MD5 d0eddeb25950f2bf5d436988af980254
SHA1 f0ed4f6fa6eea289da78b94832056cdb5d288f0f
SHA256 914c922cb0c4c4efb37f3661faa9f509ef2bf009f1d070e446358be478dc284e
SHA512 ef340613a176b618c4a4e947f18e8334d8d2fec5eee3003aa26cacab56864332b58314d096da1912fad4cb5c4f3855232588d08a1efa2b0750843763b71892ae

memory/1088-106-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll

MD5 cb3cb16d409efc7d1a119a5cf5cb3363
SHA1 f835f5c182c6d56d5e24f8936981ccf766e67274
SHA256 f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e
SHA512 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4

C:\Users\Admin\AppData\Local\Temp\MSVCR120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll

MD5 6fc8b16bf725d94370d9babd1782fe33
SHA1 5fc337e7d089764a4a74d721853607fb0d7b3977
SHA256 b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d
SHA512 ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac

C:\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll

MD5 6fc8b16bf725d94370d9babd1782fe33
SHA1 5fc337e7d089764a4a74d721853607fb0d7b3977
SHA256 b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d
SHA512 ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac

\Users\Admin\AppData\Local\Temp\msvcr120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

\Users\Admin\AppData\Local\Temp\msvcp120.dll

MD5 46060c35f697281bc5e7337aee3722b1
SHA1 d0164c041707f297a73abb9ea854111953e99cf1
SHA256 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848
SHA512 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

\Users\Admin\AppData\Local\Temp\OpenCL.dll

MD5 d143c8d82d8b0ccc0b9cda536596d808
SHA1 7ab739bff07cbdac611e898025c12dce9be0b929
SHA256 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f
SHA512 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a

C:\Users\Admin\AppData\Local\Temp\OpenCL.dll

MD5 d143c8d82d8b0ccc0b9cda536596d808
SHA1 7ab739bff07cbdac611e898025c12dce9be0b929
SHA256 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f
SHA512 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a

C:\Users\Admin\AppData\Local\Temp\MSVCP120.dll

MD5 46060c35f697281bc5e7337aee3722b1
SHA1 d0164c041707f297a73abb9ea854111953e99cf1
SHA256 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848
SHA512 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

\Users\Admin\AppData\Local\Temp\cudart64_80.dll

MD5 cf198b329fb988983749f891c060245e
SHA1 8cc81b4e6223069d15f11582191f4d75a44ddbe4
SHA256 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1
SHA512 be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478

memory/1724-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cudart64_80.dll

MD5 cf198b329fb988983749f891c060245e
SHA1 8cc81b4e6223069d15f11582191f4d75a44ddbe4
SHA256 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1
SHA512 be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478

\Users\Admin\AppData\Local\Temp\cuda_tromp.dll

MD5 cb3cb16d409efc7d1a119a5cf5cb3363
SHA1 f835f5c182c6d56d5e24f8936981ccf766e67274
SHA256 f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e
SHA512 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

MD5 91a4d769487a8337c2d639c381b87647
SHA1 666447000a0f9fd94ef350cf01aa97aad069e4e5
SHA256 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f
SHA512 e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378

memory/2024-108-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\msvc64.exe

MD5 91a4d769487a8337c2d639c381b87647
SHA1 666447000a0f9fd94ef350cf01aa97aad069e4e5
SHA256 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f
SHA512 e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378

C:\Users\Admin\AppData\Local\Temp\Start.bat

MD5 c87f9977d024f42daf8e7036f3092366
SHA1 d7d855d388ced3fd60203ae84e8c2ce91a30a11a
SHA256 819008779e1dc0b3dd32e73bbfae43ba9c53b7fa6259279188bb57749ee00ddd
SHA512 5d90dcb6408c404fcc7f2cb2498d9f2541afa3fc1c41c08291369276dd11437b55ba3e37097acd4035d434fe6ffa48bbd9c9daa3f39ea54cc15e6e0047ac5542

memory/1532-124-0x0000000000400000-0x000000000040C000-memory.dmp

memory/612-123-0x0000000000400000-0x000000000044C000-memory.dmp

memory/612-131-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1580-132-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1532-130-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1532-147-0x000000000040805E-mapping.dmp

memory/1580-152-0x000000000040747E-mapping.dmp

memory/780-155-0x000000000040747E-mapping.dmp

memory/612-158-0x000000000040BBCC-mapping.dmp

memory/1532-159-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1532-161-0x0000000000400000-0x000000000040C000-memory.dmp

memory/612-160-0x0000000000400000-0x000000000044C000-memory.dmp

memory/780-162-0x0000000000400000-0x000000000040C000-memory.dmp

memory/780-164-0x0000000000400000-0x000000000040C000-memory.dmp

memory/688-169-0x0000000000000000-mapping.dmp

memory/612-171-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1748-170-0x0000000000000000-mapping.dmp

memory/1720-168-0x0000000000000000-mapping.dmp

memory/1624-167-0x0000000000000000-mapping.dmp

memory/1072-176-0x0000000000000000-mapping.dmp

memory/612-178-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1072-181-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1072-183-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1812-184-0x0000000000090000-0x00000000000E6000-memory.dmp

memory/1812-186-0x0000000000090000-0x00000000000E6000-memory.dmp

memory/1812-191-0x00000000000E1B8E-mapping.dmp

memory/1620-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 fe63b5e61e538e2a328049cbb5a55550
SHA1 b7062cb3b7eaf07dd265d5063c3a3571710b195a
SHA256 f25c6d3bcc77fddc410703fae90c280f8c196789154471f7c6e630ce557778df
SHA512 cfecde1d6e5e4ff0a5c715fffc3465407f5c433a80e787722c20ffb0ef9509a7df362a2245bc6bd46c0629d29ab9771deaea478999fbf4ae914e9a19ff507a57

memory/1072-196-0x0000000010410000-0x0000000010471000-memory.dmp

memory/1984-197-0x0000000000000000-mapping.dmp

memory/1812-198-0x0000000000090000-0x00000000000E6000-memory.dmp

memory/1580-199-0x00000000735B0000-0x0000000073B5B000-memory.dmp

memory/1532-200-0x00000000735B0000-0x0000000073B5B000-memory.dmp

memory/780-201-0x00000000735B0000-0x0000000073B5B000-memory.dmp

memory/1812-202-0x0000000000260000-0x0000000000270000-memory.dmp

memory/1812-203-0x0000000004910000-0x00000000049BE000-memory.dmp

memory/1812-204-0x0000000000280000-0x00000000002A8000-memory.dmp

memory/988-205-0x0000000000000000-mapping.dmp

memory/1580-207-0x00000000723C0000-0x0000000072EB8000-memory.dmp

memory/780-206-0x00000000723C0000-0x0000000072EB8000-memory.dmp

memory/1812-208-0x000000006D5C0000-0x000000006D6E3000-memory.dmp

memory/780-211-0x0000000071C20000-0x00000000723BC000-memory.dmp

memory/1580-212-0x0000000071C20000-0x00000000723BC000-memory.dmp

memory/1532-213-0x0000000071C20000-0x00000000723BC000-memory.dmp

memory/1532-216-0x0000000071A80000-0x0000000071C1B000-memory.dmp

memory/780-215-0x0000000071A80000-0x0000000071C1B000-memory.dmp

memory/1580-214-0x0000000071A80000-0x0000000071C1B000-memory.dmp

memory/780-217-0x0000000070560000-0x00000000706E8000-memory.dmp

memory/1580-218-0x0000000070560000-0x00000000706E8000-memory.dmp

memory/2348-220-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

memory/2376-222-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

memory/2404-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/2424-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

MD5 e0fbfe477ea9736b977e435af868c5af
SHA1 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df
SHA256 d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953
SHA512 d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

memory/2444-228-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

memory/1812-229-0x0000000002140000-0x0000000002156000-memory.dmp

memory/2484-230-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

MD5 91a4d769487a8337c2d639c381b87647
SHA1 666447000a0f9fd94ef350cf01aa97aad069e4e5
SHA256 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f
SHA512 e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378

\Users\Admin\AppData\Local\Temp\Nj.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

\Users\Admin\AppData\Local\Temp\Lm.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/1812-246-0x00000000706F0000-0x0000000071A7F000-memory.dmp

memory/780-247-0x000000006F980000-0x000000007055E000-memory.dmp

memory/1580-248-0x000000006F980000-0x000000007055E000-memory.dmp

memory/1580-249-0x00000000735B0000-0x0000000073B5B000-memory.dmp

memory/1532-250-0x0000000073E80000-0x0000000073F84000-memory.dmp

memory/2888-258-0x000000000040805E-mapping.dmp

memory/2880-268-0x000000000040747E-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-04 18:34

Reported

2022-06-05 01:55

Platform

win10v2004-20220414-en

Max time kernel

7s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

Signatures

CyberGate, Rebhip

trojan stealer cybergate

LimeRAT

rat limerat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cac.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cpuz.exe N/A

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\cac.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\cpuz.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\cac.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Im.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Lm.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\root\cimv2 C:\Users\Admin\AppData\Local\Temp\Nj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cac.exe
PID 552 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cac.exe
PID 552 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cac.exe
PID 552 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Im.exe
PID 552 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Im.exe
PID 552 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Im.exe
PID 552 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Lm.exe
PID 552 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Lm.exe
PID 552 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Lm.exe
PID 552 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Nj.exe
PID 552 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Nj.exe
PID 552 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Nj.exe
PID 552 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cpuz.exe
PID 552 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cpuz.exe
PID 552 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\cpuz.exe
PID 552 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
PID 552 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
PID 552 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe
PID 2552 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\WScript.exe
PID 2552 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\cpuz.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

C:\Users\Admin\AppData\Local\Temp\cac.exe

"C:\Users\Admin\AppData\Local\Temp\cac.exe"

C:\Users\Admin\AppData\Local\Temp\Im.exe

"C:\Users\Admin\AppData\Local\Temp\Im.exe"

C:\Users\Admin\AppData\Local\Temp\Nj.exe

"C:\Users\Admin\AppData\Local\Temp\Nj.exe"

C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe

"C:\Users\Admin\AppData\Local\Temp\Proxyless Fortnite Cracker By Crank.exe"

C:\Users\Admin\AppData\Local\Temp\cpuz.exe

"C:\Users\Admin\AppData\Local\Temp\cpuz.exe"

C:\Users\Admin\AppData\Local\Temp\Lm.exe

"C:\Users\Admin\AppData\Local\Temp\Lm.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\redlocal.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\move.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\move1.bat" "

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

msvc64 -l zec.pool.minergate.com:3357 -u [email protected]

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Start.bat" "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\System32\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 687365656D6B677564707A68 /tr "C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69647A6E75686A706D697A77 /tr "C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 696678666E77717562746F7A /tr "C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 69686C70776A6978766B786E /tr "C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn 647A6E75696B626D7378726F /tr "C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zec.pool.minergate.com udp
DE 78.46.49.222:3357 zec.pool.minergate.com tcp
DE 46.4.120.18:3357 zec.pool.minergate.com tcp
US 13.107.21.200:443 tcp
DE 176.9.16.231:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
DE 78.46.87.181:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 guarderia1.mywire.org udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 prueba2.hopto.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 prueba1.hopto.org udp
US 8.8.8.8:53 todoaqui.duckdns.org udp
US 192.169.69.26:1978 todoaqui.duckdns.org tcp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
DE 136.243.150.172:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
DE 85.10.206.201:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 guarderia1.mywire.org udp
DE 94.130.102.210:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 192.169.69.26:1978 todoaqui.duckdns.org tcp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
DE 138.201.19.37:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 guarderia1.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 todoaqui.duckdns.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 192.169.69.26:1978 todoaqui.duckdns.org tcp
DE 138.201.20.89:3357 zec.pool.minergate.com tcp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp
US 8.8.8.8:53 guarderia1.mywire.org udp
US 8.8.8.8:53 empezarll.mywire.org udp
US 8.8.8.8:53 houdinicasa.mywire.org udp

Files

C:\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/4028-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cac.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

C:\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

memory/1944-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Im.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

C:\Users\Admin\AppData\Local\Temp\Lm.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

C:\Users\Admin\AppData\Local\Temp\Nj.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

memory/4940-139-0x0000000000000000-mapping.dmp

memory/2552-142-0x0000000000000000-mapping.dmp

memory/2964-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cpuz.exe

MD5 15188f93e44f25e6f4584172ffc0aa66
SHA1 761173934dbcdc71f9882b8b4a66a0b615457b5f
SHA256 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db
SHA512 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b

C:\Users\Admin\AppData\Local\Temp\cpuz.exe

MD5 15188f93e44f25e6f4584172ffc0aa66
SHA1 761173934dbcdc71f9882b8b4a66a0b615457b5f
SHA256 06b5fd9f4694841dece95cd1e1e2e10bd03db20d1daa0fb791e53e896ae555db
SHA512 8434b8796591e009e5453aecc3612ea20eed1590a2cb8f999e29d8e1278326b203b67e0c4227dc5b8b62ed888909907c198b5a6d8a8882ea040dd14971aca50b

C:\Users\Admin\AppData\Local\Temp\Nj.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

C:\Users\Admin\AppData\Local\Temp\Lm.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

memory/2880-136-0x0000000000000000-mapping.dmp

memory/4260-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Start.bat

MD5 c87f9977d024f42daf8e7036f3092366
SHA1 d7d855d388ced3fd60203ae84e8c2ce91a30a11a
SHA256 819008779e1dc0b3dd32e73bbfae43ba9c53b7fa6259279188bb57749ee00ddd
SHA512 5d90dcb6408c404fcc7f2cb2498d9f2541afa3fc1c41c08291369276dd11437b55ba3e37097acd4035d434fe6ffa48bbd9c9daa3f39ea54cc15e6e0047ac5542

memory/2272-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Configurar.lnk

MD5 cb7e4263eefcb8b4da497f839d07e943
SHA1 e3dbdae19822b20832ee83a19accf0548c573639
SHA256 ee0add7e97b5d8043d87c1625691c031cd3de4f875123753bb89b07e8dfd9c55
SHA512 d34a12740e8ea4396b1d24ef51c7dbd83e26c1182df3c59020ac2062da76db984a2bd40eab82c0d9d3728dccee12cd78cfb46bee9c56e1b4a1ca98498caa63e9

C:\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll

MD5 6fc8b16bf725d94370d9babd1782fe33
SHA1 5fc337e7d089764a4a74d721853607fb0d7b3977
SHA256 b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d
SHA512 ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac

C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll

MD5 cb3cb16d409efc7d1a119a5cf5cb3363
SHA1 f835f5c182c6d56d5e24f8936981ccf766e67274
SHA256 f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e
SHA512 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4

C:\Users\Admin\AppData\Local\Temp\msvcr120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

C:\Users\Admin\AppData\Local\Temp\cuda_tromp.dll

MD5 cb3cb16d409efc7d1a119a5cf5cb3363
SHA1 f835f5c182c6d56d5e24f8936981ccf766e67274
SHA256 f0b02adec0ed66b10ca0b0e3305110d81f1f829a3e07553649806c99c4f0469e
SHA512 5b405026aa37244954536465052314f526484b05783f9954271bec920869186ddc6c828420a28f3af96b274bcc99ee04e118f7ef3747831db23adf8a21db89c4

C:\Users\Admin\AppData\Local\Temp\cudart64_80.dll

MD5 cf198b329fb988983749f891c060245e
SHA1 8cc81b4e6223069d15f11582191f4d75a44ddbe4
SHA256 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1
SHA512 be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478

memory/3688-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cudart64_80.dll

MD5 cf198b329fb988983749f891c060245e
SHA1 8cc81b4e6223069d15f11582191f4d75a44ddbe4
SHA256 55d57e2854311915ae5fdcfd1673f92d5bb0cec42773fcda68f740befb655ed1
SHA512 be331f0335526d2fdfe6fd1d352ffd1515a1d5f3a5fffbd3f2189fd9a61b3aff98c77f32a4f4b5b60fb767b7982f98a8b4bb3c241b44a369a3b4084a710ab478

C:\Users\Admin\AppData\Local\Temp\msvcr120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

C:\Users\Admin\AppData\Local\Temp\msvcr120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

C:\Users\Admin\AppData\Local\Temp\MSVCR120.dll

MD5 9c861c079dd81762b6c54e37597b7712
SHA1 62cb65a1d79e2c5ada0c7bfc04c18693567c90d0
SHA256 ad32240bb1de55c3f5fcac8789f583a17057f9d14914c538c2a7a5ad346b341c
SHA512 3aa770d6fba8590fdcf5d263cb2b3d2fae859e29d31ad482fbfbd700bcd602a013ac2568475999ef9fb06ae666d203d97f42181ec7344cba023a8534fb13acb7

C:\Users\Admin\AppData\Local\Temp\msvcp120.dll

MD5 46060c35f697281bc5e7337aee3722b1
SHA1 d0164c041707f297a73abb9ea854111953e99cf1
SHA256 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848
SHA512 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

C:\Users\Admin\AppData\Local\Temp\MSVCP120.dll

MD5 46060c35f697281bc5e7337aee3722b1
SHA1 d0164c041707f297a73abb9ea854111953e99cf1
SHA256 2abf0aab5a3c5ae9424b64e9d19d9d6d4aebc67814d7e92e4927b9798fef2848
SHA512 2cf2ed4d45c79a6e6cebfa3d332710a97f5cf0251dc194eec8c54ea0cb85762fd19822610021ccd6a6904e80afae1590a83af1fa45152f28ca56d862a3473f0a

C:\Users\Admin\AppData\Local\Temp\OpenCL.dll

MD5 d143c8d82d8b0ccc0b9cda536596d808
SHA1 7ab739bff07cbdac611e898025c12dce9be0b929
SHA256 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f
SHA512 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a

C:\Users\Admin\AppData\Local\Temp\OpenCL.dll

MD5 d143c8d82d8b0ccc0b9cda536596d808
SHA1 7ab739bff07cbdac611e898025c12dce9be0b929
SHA256 4497529508af8a8608c5b3ffbfa18e32638cac5c8dbdc0ae38856f794d487a8f
SHA512 86d5996ce441b6a06f4052465a0690a5cb44d175330d24697faa5fa3f63e0e3e4535c3651b11d4c5d076cfc10c0cfb07ff3b3a9c7d907ad37b2c24225076279a

C:\Users\Admin\AppData\Local\Temp\cpu_tromp_SSE2.dll

MD5 6fc8b16bf725d94370d9babd1782fe33
SHA1 5fc337e7d089764a4a74d721853607fb0d7b3977
SHA256 b4dfcce83e71815548f6a8c49884ea2feeffefa831a8e7e847bb69d6b3f0261d
SHA512 ee87b86bbbb32afc1611afb0c13d6f2fe3643bf90aa12d9bd882594f0e97829801cfd1eaa6178c999efe8c497280baada0ea0de7a2c8cdc63b0f7ac0785ea5ac

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

MD5 91a4d769487a8337c2d639c381b87647
SHA1 666447000a0f9fd94ef350cf01aa97aad069e4e5
SHA256 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f
SHA512 e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378

memory/4416-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\msvc64.exe

MD5 91a4d769487a8337c2d639c381b87647
SHA1 666447000a0f9fd94ef350cf01aa97aad069e4e5
SHA256 02585e009d501d83d40c533e374a89077180810aa317742baf0dc5c77e464e6f
SHA512 e4d61f4849383bb6aeb90c7ec1173f053639d7b6e11c8775734ceb2728f666e3b2d6405b1c6579e22646b4d733d1e723e43198de508fa9511f8f272746132378

memory/4500-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\move1.bat

MD5 f7c176d0da3ca73b43da3305ff66cae8
SHA1 7fba3298d9ec28884c8f32ae8806530521ee9154
SHA256 ea1742e3973d96efa28192f1f499327ef1ce70059ee6e339b654b8a884036562
SHA512 4523f60fcce3ea5abb59211db92ccb21eb96d2aba568eb37627f0abf964d2c25cdddf19a4bbfcf8516ad438767e073d10b04014d30bce5afcd6b7dca3d8ab6fc

C:\Users\Admin\AppData\Local\Temp\redlocal.lnk

MD5 bfaa9cbf73498c3f8dcb7179ce9612eb
SHA1 f709f66f9f48a126977a323e990ee418e5aa7a02
SHA256 ece7d88dabee0d5bde848f7586703d53ef0711e042ecb53d06c726ddc012e7eb
SHA512 3d7572ca01a456a212207c946f4315e6e70481cac5044a9a687a3a52b7e9bcea2038a922e3b6a451c04252012412a7ae5c1c6b89ecedcb6747b5b3ca23648248

C:\Users\Admin\AppData\Local\Temp\move.bat

MD5 d0eddeb25950f2bf5d436988af980254
SHA1 f0ed4f6fa6eea289da78b94832056cdb5d288f0f
SHA256 914c922cb0c4c4efb37f3661faa9f509ef2bf009f1d070e446358be478dc284e
SHA512 ef340613a176b618c4a4e947f18e8334d8d2fec5eee3003aa26cacab56864332b58314d096da1912fad4cb5c4f3855232588d08a1efa2b0750843763b71892ae

memory/3492-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\redlocal.vbs

MD5 230a9bb12875f2a15fa9695e752af036
SHA1 16108e1037abe7c323f433ebdfec69b62f4e059a
SHA256 39deae526328c7d32cf98744ab8b7c696d598897fa84d7d7128798ce8c7da028
SHA512 dae2d8ced788ba205b2894e156744be72edbdd8a8f2265d0e590ec66e8cb2d21e93cd90fcfb9fc6e77dfc60ecf427e7601976bfd84449d921ad6f12b32750515

memory/2736-176-0x0000000000000000-mapping.dmp

memory/3708-177-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3532-179-0x0000000000000000-mapping.dmp

memory/2736-181-0x0000000000820000-0x0000000000876000-memory.dmp

memory/3532-183-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2412-178-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3708-175-0x0000000000000000-mapping.dmp

memory/2412-174-0x0000000000000000-mapping.dmp

memory/2412-202-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1420-205-0x0000000000000000-mapping.dmp

memory/4900-206-0x0000000000000000-mapping.dmp

memory/3872-204-0x0000000000000000-mapping.dmp

memory/4868-207-0x0000000000000000-mapping.dmp

memory/2412-203-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3708-208-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2616-211-0x0000000000000000-mapping.dmp

memory/2736-210-0x0000000005160000-0x00000000051FC000-memory.dmp

memory/2736-216-0x00000000058B0000-0x0000000005E54000-memory.dmp

memory/3708-214-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2736-218-0x0000000005440000-0x00000000054D2000-memory.dmp

memory/3360-212-0x0000000000000000-mapping.dmp

memory/3532-220-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/3532-222-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/1752-223-0x0000000000000000-mapping.dmp

memory/3808-224-0x0000000000000000-mapping.dmp

memory/2736-225-0x0000000005E60000-0x0000000005EC6000-memory.dmp

memory/2616-226-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2616-227-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/3708-229-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/2616-228-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3164-231-0x0000000000000000-mapping.dmp

memory/3532-230-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3164-232-0x00000000005B0000-0x00000000005BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 91046f2e147049d3e53cd9bf9d4d95ed
SHA1 228e347d062840b2edcbd16904475aacad414c62
SHA256 ea92f8291b86440b98162409b1f9f04470455c22be01a1480ea5ebc37eb168dc
SHA512 071a9c6e17760a726c3a4519cf8006f36f17f50946af0129e0e1f3e480f6b7fcc804a7614b044247f2420a8b2b46bec5b8493e4869bb918bc7c0f6aa1346c3e0

memory/2412-238-0x0000000010410000-0x0000000010471000-memory.dmp

memory/3164-240-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/3360-242-0x0000000010410000-0x0000000010471000-memory.dmp

memory/3164-243-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/3164-245-0x000000006F9A0000-0x0000000070148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

MD5 fe63b5e61e538e2a328049cbb5a55550
SHA1 b7062cb3b7eaf07dd265d5063c3a3571710b195a
SHA256 f25c6d3bcc77fddc410703fae90c280f8c196789154471f7c6e630ce557778df
SHA512 cfecde1d6e5e4ff0a5c715fffc3465407f5c433a80e787722c20ffb0ef9509a7df362a2245bc6bd46c0629d29ab9771deaea478999fbf4ae914e9a19ff507a57

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

memory/3360-248-0x0000000010410000-0x0000000010471000-memory.dmp

memory/4664-249-0x0000000000000000-mapping.dmp

memory/3164-250-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/3164-251-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2120-252-0x0000000000000000-mapping.dmp

memory/2120-258-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2120-259-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2120-260-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3532-261-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2120-262-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2120-263-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/3708-264-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/3708-265-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4936-267-0x0000000000000000-mapping.dmp

memory/2736-266-0x0000000006B60000-0x0000000006B6A000-memory.dmp

memory/3708-270-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3532-268-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/3532-272-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3544-273-0x0000000000000000-mapping.dmp

memory/4936-269-0x0000000000590000-0x000000000059C000-memory.dmp

memory/4936-277-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/4936-278-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4936-279-0x000000006F9A0000-0x0000000070148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gvusiyrxnixv\pxtfywuemiea.exe

MD5 757cdc4b50e6ee9fb9d904be1bb72fae
SHA1 649d9a872ac5e247374988e8a57390652714d0ca
SHA256 b91b47554385204727851b53cf0d44bdf7df78b97ecc1b578ec0badd18835523
SHA512 b574d11cb21c9076be4238b6678e02c0ef597f9586a7642c4947e652c95bab14b283a7f51a0b59d49d60f3a0067054d2d8ef532bf4f8b135e3decd16fb6a83d5

memory/3360-281-0x0000000010410000-0x0000000010471000-memory.dmp

memory/4936-282-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/4936-283-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/1996-284-0x0000000000000000-mapping.dmp

memory/1996-290-0x00000000729E0000-0x0000000072F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gsiwvxqxaeve\dewvuwwmdcmz.exe

MD5 e5a9ca5399244644e10c1efe94ecb24a
SHA1 b2ed050f0de3e1f88bb59ed37fdca20947793b2d
SHA256 d67fdecf34b66191ac062a1a4a1865a0c5a259707d36a929a4ebddb989d4f17f
SHA512 08bcb5b89196f8a2b2e07249cd42481fc1ffd2b086e3b6d285a201bbb254fd7c15ae9e94e1b1deb01a5665bfd25df15c80b655422628512020655194d3bcfbaf

memory/1996-292-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/1996-293-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/3360-295-0x0000000005CA0000-0x0000000005CE6000-memory.dmp

memory/3360-296-0x0000000005DF0000-0x0000000005E36000-memory.dmp

memory/3360-294-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1996-297-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/1996-298-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2064-299-0x0000000000000000-mapping.dmp

memory/2064-305-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2064-306-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2064-307-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/2064-308-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2064-309-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2132-310-0x0000000000000000-mapping.dmp

memory/2132-316-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2132-317-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/2132-318-0x000000006F9A0000-0x0000000070148000-memory.dmp

memory/2132-319-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2132-320-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4988-321-0x0000000000000000-mapping.dmp

memory/4988-327-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/4988-328-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4988-329-0x000000006F9A0000-0x0000000070148000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\romefmippdsq\poxqwoowwktv.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

C:\Users\Admin\AppData\Local\Temp\hgubcqgsmnsw\yhiehxvpudbb.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

\??\c:\users\admin\appdata\local\temp\hgubcqgsmnsw\yhiehxvpudbb.exe

MD5 3316064512569f8a1f2c0e862fce2e66
SHA1 5f8996d38afbcad8caa3da6388e1b4d50d902e86
SHA256 4d169b9556fd98d32598aa8bd5d0a4cadb9d8a85ce8b923a28e3b3128667cca6
SHA512 536e6b078af4747aa7438696a3d561b454190b1ab241c89ae73a74c68867aa255196d8f4583de92a0d3094825bef86a190b6fc5e013021f671ba18af59421195

memory/4988-333-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/4988-334-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4356-335-0x0000000000000000-mapping.dmp

memory/4356-341-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/4356-342-0x0000000071E40000-0x0000000072940000-memory.dmp

memory/4356-343-0x000000006F9A0000-0x0000000070148000-memory.dmp

\??\c:\users\admin\appdata\roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

MD5 e0fbfe477ea9736b977e435af868c5af
SHA1 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df
SHA256 d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953
SHA512 d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

\??\c:\users\admin\appdata\local\temp\romefmippdsq\poxqwoowwktv.exe

MD5 39279ca212224a32e82770656d711a77
SHA1 8f0bc2fd72dffa523c5a41767d7566da71cdfda4
SHA256 2b7119d578c3c74645fafd009f50e531c39cb2c0d655bf32e3d9225d1e1072ed
SHA512 9124abae8829a0ef532609c352910af45aff35ef74c8c06c6a9196aaa6a5f5241d1ce77c1dbbb9d856297a415f7796c06f492260a15b6cc66a8b5669c9fb8300

C:\Users\Admin\AppData\Roaming\qmcoiguiklrx\jjnrmrnndmoy.exe

MD5 e0fbfe477ea9736b977e435af868c5af
SHA1 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df
SHA256 d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953
SHA512 d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

memory/4356-347-0x00000000729E0000-0x0000000072F91000-memory.dmp

memory/2420-349-0x0000000000000000-mapping.dmp

memory/1592-360-0x0000000000000000-mapping.dmp

memory/3572-371-0x0000000000000000-mapping.dmp

memory/408-382-0x0000000000000000-mapping.dmp

memory/2056-393-0x0000000000000000-mapping.dmp