Analysis Overview
SHA256
e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
Threat Level: Known bad
The file E&V - PO.61370025177.exe was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Sets DLL path for service in the registry
Modifies Windows Firewall
UPX packed file
Checks computer location settings
Loads dropped DLL
Drops startup file
Executes dropped EXE
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 14:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 14:44
Reported
2023-02-25 14:46
Platform
win7-20230220-en
Max time kernel
148s
Max time network
77s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1228 set thread context of 432 | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 17
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 17
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
Network
Files
memory/1712-54-0x0000000000210000-0x00000000002F8000-memory.dmp
memory/1712-55-0x00000000003C0000-0x0000000000400000-memory.dmp
memory/1712-56-0x0000000005010000-0x000000000505A000-memory.dmp
memory/1712-57-0x0000000000410000-0x0000000000428000-memory.dmp
memory/1712-58-0x00000000003C0000-0x0000000000400000-memory.dmp
memory/1712-59-0x00000000003C0000-0x0000000000400000-memory.dmp
\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
memory/1228-68-0x0000000000920000-0x0000000000A08000-memory.dmp
memory/1228-69-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/1228-70-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/1228-71-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/1228-72-0x0000000004600000-0x000000000461A000-memory.dmp
memory/1228-73-0x0000000000560000-0x0000000000566000-memory.dmp
memory/432-74-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-75-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-76-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-77-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-78-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-79-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-80-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1228-82-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/1228-83-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/1228-84-0x0000000004F30000-0x0000000004F70000-memory.dmp
memory/432-85-0x0000000000400000-0x000000000055C000-memory.dmp
memory/432-88-0x0000000000400000-0x000000000055C000-memory.dmp
\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
memory/1044-95-0x0000000000300000-0x000000000031A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 7d075c70b0166f4e2b600fadcbf5913f |
| SHA1 | 2f6df8024ff20201252a0719d34b5c846c82ed4a |
| SHA256 | b7e9a859acbc41dc53c4aca48bcd4daf9e444dae230558675a310cba06f7e4c2 |
| SHA512 | a2f6430db7aa2aece8119be80e52b831f0f0a8dd133539f85729fded2e02196fdec40ede18e0f0e6464357ba99fa5aac33596f90df5c37980d2b016166cedbce |
\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 9e319cbe777ecae1ee1887e2de877c4d |
| SHA1 | d29eac8a59db410f78e411ebb50b6f0a88278956 |
| SHA256 | 356fdbad92662ebc2d37cf17b5c9d43a8603c85d87ede57ec60c865f7c0d4b51 |
| SHA512 | 6041d8191e95dd71ae5c50f4fb7d98f012ed2d6f4f7ea291e4a9f129a8eb556f5f58aad0e3088ae37d3ca8b8907edabb52ea869b0b5153b17f3585b1cf2e7419 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 9e319cbe777ecae1ee1887e2de877c4d |
| SHA1 | d29eac8a59db410f78e411ebb50b6f0a88278956 |
| SHA256 | 356fdbad92662ebc2d37cf17b5c9d43a8603c85d87ede57ec60c865f7c0d4b51 |
| SHA512 | 6041d8191e95dd71ae5c50f4fb7d98f012ed2d6f4f7ea291e4a9f129a8eb556f5f58aad0e3088ae37d3ca8b8907edabb52ea869b0b5153b17f3585b1cf2e7419 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-25 14:44
Reported
2023-02-25 14:46
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
WarzoneRat, AveMaria
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3864 set thread context of 1452 | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\46.exe |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 16 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 16 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 16
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 16
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x50c
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\46.exe
"C:\Users\Admin\AppData\Local\Temp\46.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 396
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 20.189.173.12:443 | tcp | |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| NL | 45.12.253.202:3219 | tcp | |
| US | 8.8.8.8:53 | 202.253.12.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.52.29:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | 29.52.112.20.in-addr.arpa | udp |
Files
memory/3964-133-0x0000000000A70000-0x0000000000B58000-memory.dmp
memory/3964-134-0x0000000005A50000-0x0000000005FF4000-memory.dmp
memory/3964-135-0x00000000054A0000-0x0000000005532000-memory.dmp
memory/3964-136-0x00000000055E0000-0x000000000567C000-memory.dmp
memory/3964-137-0x0000000005850000-0x0000000005860000-memory.dmp
memory/3964-138-0x0000000005850000-0x0000000005860000-memory.dmp
memory/3964-139-0x0000000004F80000-0x0000000004F8A000-memory.dmp
memory/3964-140-0x0000000005850000-0x0000000005860000-memory.dmp
memory/3964-142-0x0000000005850000-0x0000000005860000-memory.dmp
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
memory/3864-149-0x00000000000D0000-0x00000000001B8000-memory.dmp
memory/3864-150-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-151-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-152-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-153-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-154-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-155-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-156-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3864-157-0x0000000005350000-0x0000000005360000-memory.dmp
memory/1452-158-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1452-161-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1452-162-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1452-163-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
memory/3804-174-0x0000000000820000-0x000000000083A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | ecebb68c8d1b7e3cf247467986c5dee3 |
| SHA1 | 0df744f22c4b1419d7091e56ba0f15c52f9bef2a |
| SHA256 | 1182143aa4bebf09cf0bf9f59e0655e8ed9a7a21dc8d9b4bb2da29ed1a449cdd |
| SHA512 | da8a98e48606315a47d2e7665b10e8fbcd395ce496baa3d889881738e66ea955838e0872ecdbf6e6ae89732be568ad0670d6a0ea5ebf401c9a0ec277ef5bb42c |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xapfnzes.exe.log
| MD5 | 7dca233df92b3884663fa5a40db8d49c |
| SHA1 | 208b8f27b708c4e06ac37f974471cc7b29c29b60 |
| SHA256 | 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c |
| SHA512 | d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 05c12b71beae96cff30f4e0538b8aa1c |
| SHA1 | 74da49eff2caaea14fa6781309a074bdfdd2863a |
| SHA256 | 8205d3e3a1534480a1c0650ebf8aa8a7ed98ad40863fe6576d23136a92055798 |
| SHA512 | cf7414266f9220f471c62d2a6cb5903e63b41190b1198644bb0b9c1af0afffd2c6ddbd6d1d7e46a2284ab96ef1a26374bf75890dea24288f2c30e20ac161334c |
memory/4824-182-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/1452-184-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 05c12b71beae96cff30f4e0538b8aa1c |
| SHA1 | 74da49eff2caaea14fa6781309a074bdfdd2863a |
| SHA256 | 8205d3e3a1534480a1c0650ebf8aa8a7ed98ad40863fe6576d23136a92055798 |
| SHA512 | cf7414266f9220f471c62d2a6cb5903e63b41190b1198644bb0b9c1af0afffd2c6ddbd6d1d7e46a2284ab96ef1a26374bf75890dea24288f2c30e20ac161334c |
memory/1452-187-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\46.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\46.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\46.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
memory/3584-200-0x0000000000510000-0x000000000053D000-memory.dmp
C:\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
\??\c:\program files\microsoft dn1\rdpwrap.ini
| MD5 | fca6ba93c780afa00a5703df9ac65754 |
| SHA1 | 3ed423763fdd9722ff8bed3667ffa93f77390138 |
| SHA256 | 1c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5 |
| SHA512 | 538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595 |
\??\c:\program files\microsoft dn1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/1452-204-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1452-207-0x0000000000400000-0x000000000055C000-memory.dmp