Analysis Overview
SHA256
e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784
Threat Level: Known bad
The file E&V - PO.61370025177.exe was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Modifies Windows Firewall
Sets DLL path for service in the registry
UPX packed file
Executes dropped EXE
Checks computer location settings
Drops startup file
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-25 14:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-25 14:45
Reported
2023-02-25 14:47
Platform
win7-20230220-en
Max time kernel
150s
Max time network
73s
Command Line
Signatures
WarzoneRat, AveMaria
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1660 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
Network
Files
memory/2032-54-0x0000000001140000-0x0000000001228000-memory.dmp
memory/2032-55-0x0000000004990000-0x00000000049D0000-memory.dmp
memory/2032-56-0x0000000000DF0000-0x0000000000E3A000-memory.dmp
memory/2032-57-0x0000000000270000-0x0000000000288000-memory.dmp
memory/2032-58-0x0000000004990000-0x00000000049D0000-memory.dmp
memory/2032-59-0x0000000004990000-0x00000000049D0000-memory.dmp
memory/2032-60-0x0000000004990000-0x00000000049D0000-memory.dmp
\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
memory/1660-69-0x0000000000810000-0x00000000008F8000-memory.dmp
memory/1660-70-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1660-72-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1660-71-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1660-73-0x0000000000AD0000-0x0000000000AEA000-memory.dmp
memory/1660-74-0x0000000000540000-0x0000000000546000-memory.dmp
memory/1876-75-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-77-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-76-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-79-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-78-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-81-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1876-80-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1660-83-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1660-84-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1660-85-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/1876-86-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-89-0x0000000000400000-0x000000000055C000-memory.dmp
\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
memory/1832-96-0x0000000000310000-0x000000000032A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 2b42a560cb1ca0563d3652157e9df2f1 |
| SHA1 | d1960957bf81f92bc3c445a6da1ccde1b632b210 |
| SHA256 | 40363ee6928161c22e54166dd216d4ee821617dc3a6a0169d8011af17f07928d |
| SHA512 | d56ac16c93c37957d47a6c9596f57c0edb83dae49b89b398ebc6a6821b6d2d08d361f776a4b274f15d1b7ef20cabc41bb5972b214ddbc11765544dfd81b803ee |
\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | f9ce4e8ef08f1ed70603adf725dc554f |
| SHA1 | b8d52be81203a1f2c710154516fcbe8c90dc3b02 |
| SHA256 | a69bd2c2c9a261b951a23b0ef4729b22aab7c87acf27c6bc26680874eb10fb7d |
| SHA512 | 3fe8b1c25b6a558334850a73284df9cc0cd4947ea68df2a84de3144ec3cf963e95a0670b6e40b1266a307d892c27140a700532ba8ee5cbde3085b915a54396ea |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | f9ce4e8ef08f1ed70603adf725dc554f |
| SHA1 | b8d52be81203a1f2c710154516fcbe8c90dc3b02 |
| SHA256 | a69bd2c2c9a261b951a23b0ef4729b22aab7c87acf27c6bc26680874eb10fb7d |
| SHA512 | 3fe8b1c25b6a558334850a73284df9cc0cd4947ea68df2a84de3144ec3cf963e95a0670b6e40b1266a307d892c27140a700532ba8ee5cbde3085b915a54396ea |
memory/1876-104-0x0000000000400000-0x000000000055C000-memory.dmp
memory/1876-105-0x0000000000400000-0x000000000055C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-25 14:45
Reported
2023-02-25 14:47
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
WarzoneRat, AveMaria
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdiurdjk.lnk | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1080 set thread context of 2324 | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\kdiurdjk.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe
"C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\E&V - PO.61370025177.exe" "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 14
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 14
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
"C:\Users\Admin\AppData\Roaming\kdiurdjk.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x458
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
"C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe"
C:\Users\Admin\AppData\Local\Temp\47.exe
"C:\Users\Admin\AppData\Local\Temp\47.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 104.208.16.88:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 45.12.253.202:3219 | tcp | |
| US | 8.8.8.8:53 | 202.253.12.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | tcp | |
| N/A | 10.127.0.1:5351 | udp | |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.52.29:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | 29.52.112.20.in-addr.arpa | udp |
Files
memory/2068-133-0x0000000000960000-0x0000000000A48000-memory.dmp
memory/2068-134-0x0000000005D30000-0x00000000062D4000-memory.dmp
memory/2068-135-0x0000000005610000-0x00000000056A2000-memory.dmp
memory/2068-136-0x00000000056B0000-0x000000000574C000-memory.dmp
memory/2068-137-0x00000000058C0000-0x00000000058D0000-memory.dmp
memory/2068-138-0x0000000002F40000-0x0000000002F4A000-memory.dmp
memory/2068-139-0x00000000058C0000-0x00000000058D0000-memory.dmp
memory/2068-140-0x00000000058C0000-0x00000000058D0000-memory.dmp
memory/2068-142-0x00000000058C0000-0x00000000058D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
C:\Users\Admin\AppData\Roaming\kdiurdjk.exe
| MD5 | cc2e6a027d9a95e1b2df73f1b0350107 |
| SHA1 | 0d0899b4940db158978fa66d92e40e0c013d3e1d |
| SHA256 | e9575a5decf464c96451e7e6f2f4a12e2c0f96729bc25885507913ede49cb784 |
| SHA512 | 33721debe49429d2b561add911f7e03d916e9a5990fdda7e0ea4ede1f911b0d723d41a9cb0721066b64ce784604671b0ec63bcc118c1632da6601f3d9347747a |
memory/1080-149-0x00000000004E0000-0x00000000005C8000-memory.dmp
memory/1080-150-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-151-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-152-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-153-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-154-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-155-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-156-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/1080-157-0x0000000004C10000-0x0000000004C20000-memory.dmp
memory/2324-158-0x0000000000400000-0x000000000055C000-memory.dmp
memory/2324-161-0x0000000000400000-0x000000000055C000-memory.dmp
memory/2324-162-0x0000000000400000-0x000000000055C000-memory.dmp
memory/2324-163-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
memory/1616-174-0x0000000000740000-0x000000000075A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 650efd7432b59f2e927dd54cc5a930e8 |
| SHA1 | 0e856cf8f56def81d2b589de0fbbdf801e8416b7 |
| SHA256 | 70aa8ccc92cffe750a10010d7c7014246ffc61e581472a179a420d8223ae0e51 |
| SHA512 | 5a8b99a16bbf9ca3da698a37581e3af49a7e7f713f2c9c5b94831873f97f8da7677156384e0ac215bdb2d6d505cca1cdfc14f211738c1511eb674d635e6b7725 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.exe
| MD5 | 0e362e7005823d0bec3719b902ed6d62 |
| SHA1 | 590d860b909804349e0cdc2f1662b37bd62f7463 |
| SHA256 | 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad |
| SHA512 | 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xapfnzes.exe.log
| MD5 | 7dca233df92b3884663fa5a40db8d49c |
| SHA1 | 208b8f27b708c4e06ac37f974471cc7b29c29b60 |
| SHA256 | 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c |
| SHA512 | d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07 |
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 9c0f3f56bf8ac8c93a1f71554eb39916 |
| SHA1 | 523237b53c1246af1be877290013c79eb6f57f0d |
| SHA256 | c541b41ee2e53cc17a05dd5e78a949f69cd10215be8e675ef08be07fd6c0cd86 |
| SHA512 | d040577b76484cfde408c83d0e9626c6622f472073db5aa1df810c107f2aa38a8114dc82bb8aa525be792a4a7a82d26e9b1a6e66da56513974468561312795f8 |
memory/2164-182-0x0000000000C10000-0x0000000000C11000-memory.dmp
memory/2324-184-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xapfnzes.txt
| MD5 | 9c0f3f56bf8ac8c93a1f71554eb39916 |
| SHA1 | 523237b53c1246af1be877290013c79eb6f57f0d |
| SHA256 | c541b41ee2e53cc17a05dd5e78a949f69cd10215be8e675ef08be07fd6c0cd86 |
| SHA512 | d040577b76484cfde408c83d0e9626c6622f472073db5aa1df810c107f2aa38a8114dc82bb8aa525be792a4a7a82d26e9b1a6e66da56513974468561312795f8 |
memory/2324-187-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\47.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\47.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\47.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
memory/3112-200-0x0000000000250000-0x000000000027D000-memory.dmp
\??\c:\program files\microsoft dn1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
C:\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
\??\c:\program files\microsoft dn1\rdpwrap.ini
| MD5 | fca6ba93c780afa00a5703df9ac65754 |
| SHA1 | 3ed423763fdd9722ff8bed3667ffa93f77390138 |
| SHA256 | 1c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5 |
| SHA512 | 538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595 |
memory/2324-204-0x0000000000400000-0x000000000055C000-memory.dmp
memory/3112-206-0x0000000000250000-0x000000000027D000-memory.dmp
memory/2324-208-0x0000000000400000-0x000000000055C000-memory.dmp