Analysis Overview
SHA256
9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
Threat Level: Known bad
The file 1082572a44d4c41214a3c38dcd8289f9.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
RedLine
StormKitty
StormKitty payload
RedLine payload
Async RAT payload
Drops file in Drivers directory
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops startup file
Drops desktop.ini file(s)
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: AddClipboardFormatListener
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-06 11:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-06 11:26
Reported
2024-07-06 11:29
Platform
win7-20240705-en
Max time kernel
17s
Max time network
158s
Command Line
Signatures
AsyncRat
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1082572a44d4c41214a3c38dcd8289f9.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2508 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | C:\Windows\system32\relog.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob data omitted] | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe
"C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe"
C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
"C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe"
C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe
"C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe"
C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe
"C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe"
C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe
"C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe"
C:\Users\Admin\AppData\Local\Temp\E0E2.tmp.update.exe
"C:\Users\Admin\AppData\Local\Temp\E0E2.tmp.update.exe"
C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe
"C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe"
C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe
"C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:32 /du 23:59 /sc daily /ri 1 /f
C:\ProgramData\KMSAuto\accc.exe
"C:\ProgramData\KMSAuto\accc.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp619.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 7
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 172.67.133.32:443 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 88.221.134.179:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 95.100.245.168:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | auth.xn--conbase-sfb.xyz | udp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| US | 8.8.8.8:53 | www.igenius.org | udp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | hrdc.pk | udp |
| US | 64.31.40.18:80 | hrdc.pk | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | www.westnilebirdingandsafari.com | udp |
| US | 75.119.203.100:80 | www.westnilebirdingandsafari.com | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 192.3.140.185:80 | www.igenius.org | tcp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| NL | 94.232.249.204:1912 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| NL | 94.232.249.204:6660 | N/A | tcp |
| US | 104.21.13.213:80 | auth.xn--conbase-sfb.xyz | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab9D3B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9E38.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac60aaf51777e508cbe70579f8492eea |
| SHA1 | 423b7bacdbe31d517fc8452428a217e1e02a5aa3 |
| SHA256 | 521c5dc5f731f20f69b16ef6bab05ff001a4bc01f96aa94e20b337901f0bb424 |
| SHA512 | 1946ccafafbed9a828198dfa6cc8f8675115d055224ebb76d013ac1ff0a5b29f35d5a1c939474b1d8673cfc8cb7b9db67febdb101ccdbb920cdcd3326e91d597 |
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe
| MD5 | 839b3efd5782b6fc122855665f3aa202 |
| SHA1 | 067c1b809106a1b9ad1641a9c745d4b83ece1196 |
| SHA256 | 91ebcd79cfcbfedda3c557c5bb1ee5da9f4d13d518491d22a0e92f2caab7bec0 |
| SHA512 | 1abfa3908386a7e579837548978ce0bac26cc2d9f3194ef652d2ce9810bbed84130d9cddabdc100256a118e362a33d0933df3511745f75de06c8dfa2bb88ffe4 |
\Users\Admin\AppData\Local\Temp\THA833.tmp
| MD5 | 52d46be6bb8dc6d8fd09925e84a76994 |
| SHA1 | 2639980aa48b17ee9fdc169872703453c8e73deb |
| SHA256 | 03b152b94fc40a782d7e12d58ad1d6b00b1029757811f841f64fdbd4831e694b |
| SHA512 | 3ea9efd5cbd44185ee2709a2ca787e8981fd5de1c757890f1636c9c79624203abdb341b9e0075a51733286aec963043ec2a2ac6651ec9bba043cdf81b32fd0c4 |
memory/2840-139-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | ee9d791fd900430e4d594e5bde5c096a |
| SHA1 | 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d |
| SHA256 | 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd |
| SHA512 | cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb |
memory/1280-186-0x0000000002E90000-0x0000000002EA6000-memory.dmp
memory/1280-184-0x0000000002E90000-0x0000000002EA6000-memory.dmp
memory/1280-182-0x00000000029D0000-0x0000000002A13000-memory.dmp
memory/1280-181-0x00000000029D0000-0x0000000002A13000-memory.dmp
memory/1280-188-0x0000000003C80000-0x0000000003CD1000-memory.dmp
memory/1280-191-0x0000000003C80000-0x0000000003CD1000-memory.dmp
memory/1280-190-0x0000000002EB0000-0x0000000002ECA000-memory.dmp
memory/1280-194-0x0000000077690000-0x0000000077691000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe
| MD5 | bed8cdced2d57be2bd750f0f59991ecd |
| SHA1 | 4e2a885b9387fcf040b7eb79892de2f9fe55bca4 |
| SHA256 | 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd |
| SHA512 | b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f |
memory/2420-198-0x000007FEF5763000-0x000007FEF5764000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
| MD5 | 68fad5f5f8de1c290df5d3754b4af358 |
| SHA1 | 0028395243f38a03b13726915144b9848e8da39a |
| SHA256 | dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e |
| SHA512 | ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01 |
memory/2420-205-0x0000000000E60000-0x0000000000F00000-memory.dmp
memory/2396-213-0x0000000001160000-0x0000000001192000-memory.dmp
memory/564-212-0x00000000000B0000-0x00000000000E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe
| MD5 | 43f955115dfba87ca3593a18efd58cef |
| SHA1 | a1ca1fd8976e6a50ca3fe59994daeb0f8a7f9de5 |
| SHA256 | 1d16c42501f0040b2cfcd9e6138db1311d7ed64c8f7c8f415176065b64f4b674 |
| SHA512 | 360b070901d19b67fcb70260d54c8a8fe65c5720fe0e0c170f6c71d29999eb95b995efb1bc3db6cc2a33989b2cbf44f879e00535f27591184625a62ab2641dcd |
memory/1876-220-0x0000000000140000-0x0000000000196000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe
| MD5 | c709136e78750feb6cb85f99eda16629 |
| SHA1 | fc92be55dce55098824e381edec2002287bb8042 |
| SHA256 | d77ee327a52a472bc309a79db27b82f133c2f7b4ddae689cc130ebe407752fd3 |
| SHA512 | 7e92ee4b23e9ecfc97c259f7572dcb818cc6a77dbf02b693f58249926a8ed6c324b5ca641ba0c68db0b063bf966c8651eb82de9aa2b46446fea238fa255f27d6 |
memory/1984-227-0x0000000000950000-0x0000000000962000-memory.dmp
memory/660-234-0x0000000000A60000-0x0000000000A72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe
| MD5 | e52ba92d25281e90aa7f27bd3719951f |
| SHA1 | f67b856dbac5bdd315dce1df2738a1b4f88f4f39 |
| SHA256 | 8215ed905544d217f656b5b226f71798970698eefa4f24cb48532778d8409baa |
| SHA512 | 96a3e30a0fbe049f69b07155cfe3e1a431ff63e8dabc4baa13eada61668ebc4d4171fdaf70fb7fac4d92fc7e8383fa400dcf11eeaee98e47511857e30a23f53d |
memory/1712-267-0x0000000000EB0000-0x0000000000EC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe
| MD5 | 7081e613321921500b70899fddb56a4d |
| SHA1 | fbb9ef6899fb0ea1999404ccff08ee61ca8de11f |
| SHA256 | 7c03173d3bd7a27e446d8fe70829b963942f746d933a9eab4d198d524b45cb68 |
| SHA512 | 679431a866a9806e967515eb97905d458798d8d9832a6fd57e519b12f5a8a5e8331297331a84c95a43bfca5953987ae9248638bc084fda92471540919a76a72c |
memory/2528-275-0x0000000000AF0000-0x0000000000B42000-memory.dmp
C:\Users\Admin\AppData\Roaming\EXCFTDUU\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/2880-316-0x0000000000F20000-0x0000000000FC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp619.tmp.bat
| MD5 | 57310749df8d556d8017cb72b8b57f73 |
| SHA1 | ffc1b1f19323a019133c5364fcd7b1c074180323 |
| SHA256 | 414e30fd48a7d3699dda87d9a922df417202a319488149c7a8ba2fc07a49744a |
| SHA512 | da2c776bb93eefe5bfd8a25111c16d0b2e15125b8189deae7fc03d19394619d8fb0d19cbb970eb033a58d67f6484dda1af5a1f2fc550cb6f8be3f55798a32f56 |
C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat
| MD5 | a65cb1e43695c456c192f16b8c602dd1 |
| SHA1 | d3eb46db9e5db623845ac2adfe34db2098ca89d9 |
| SHA256 | 08c86391bbc3e96f986579e041455c33567cf48401fea90d47823040a6bf6ad4 |
| SHA512 | 55aacbf2b5bb232771f5e60256b1d5e039f06291c7afe644f1f8619020fff47076faeb4334f54c01cee1b23ab38381f537f48637ddc56cc1d157640dccac3e1c |
memory/900-337-0x0000000000B20000-0x0000000000B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\places.raw
| MD5 | 28712ba36c04b8ab7ee992096dc1fa9f |
| SHA1 | b15b38fdbe26c6d9fc24cd45b34e8a0f6663cc69 |
| SHA256 | ab83d935e734460374c3d66315d096d24a16717b45b6e7fb71cf8aaccb6b3ef1 |
| SHA512 | 8262c82e6f45d07839b1e4bb5735ea917004a99e76a94f551d8fc8b97b8b549e6350f82734f80ba16e640c9fbc6b1dedce2c56454c7baab4b70212c8ddab86df |
C:\Users\Admin\AppData\Local\Temp\tmp601C.tmp.dat
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\Users\Admin\AppData\Local\Temp\tmp5E37.tmp.dat
| MD5 | f2e3c82219257b13b8cd21a887ac0a23 |
| SHA1 | 9fc2d5695d5eddad36899a6a69927ce6b2ef76f2 |
| SHA256 | bbe72f97a51d05275f862dd16ebdebbf1b5ac34c7085e2dbbf57982ef1a7626b |
| SHA512 | f4b63d51ebdf6f10e5ae80414831598206e8b8be7cc6b2dc4c69c8fada1cfb61ee5284c09120cb868ff0e6d6cd84e3f0aa3eef607878b80f924eeb77c418f226 |
C:\Users\Admin\AppData\Local\Temp\tmp6549.tmp.dat
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp6E52.tmp.dat
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/1280-405-0x0000000003C80000-0x0000000003CD1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-06 11:26
Reported
2024-07-06 11:29
Platform
win10v2004-20240704-en
Max time kernel
37s
Max time network
160s
Command Line
Signatures
AsyncRat
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\system32\relog.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\relog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe | N/A |
| N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1082572a44d4c41214a3c38dcd8289f9.exe" | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" | C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| File created | C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| File created | C:\ProgramData\NQZRGKDO\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
| File created | C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5028 set thread context of 1504 | N/A | C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe | C:\Windows\system32\relog.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KMSAuto\accc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe
"C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe"
C:\Windows\system32\relog.exe
C:\Windows\system32\relog.exe
C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe"
C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe
"C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe"
C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe
"C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe"
C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:32 /du 23:59 /sc daily /ri 1 /f
C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe
"C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe"
C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe
"C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe"
C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe
"C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe"
C:\ProgramData\KMSAuto\accc.exe
"C:\ProgramData\KMSAuto\accc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.bat""
C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe
"C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe"
C:\Windows\system32\timeout.exe
timeout 7
C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe
"C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CE0.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"' & exit
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"'
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\nkjvni.exe
"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe
C:\Users\Admin\AppData\Local\Temp\THAF4B.tmp
C:\Windows\System32\drivers\etc\hosts
C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe
C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe
C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe
C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe
C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe
C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.bat
C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe
C:\ProgramData\NQZRGKDO\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Local\Temp\tmp5CE0.tmp.bat
C:\Users\Admin\AppData\Local\Temp\tmp6B09.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6B2B.tmp.dat
C:\Users\Admin\AppData\Local\Temp\places.raw
C:\Users\Admin\AppData\Local\Temp\tmp6C99.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6C88.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6D46.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6C87.tmp.dat
C:\Users\Admin\AppData\Local\Temp\tmp6C14.tmp.dat
C:\Users\Admin\AppData\Local\9a306fc04527f1c5cdde86d98790c0a2\Admin@NQZRGKDO_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\cd31ed6ceaddbcd5581da22a0735f289\Admin@NQZRGKDO_en-US\System\Process.txt
C:\ProgramData\NQZRGKDO\Process.txt
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0yfr52o.glh.ps1
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\desktop.ini
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\DisconnectComplete.bmp
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\PublishNew.html
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\PushRemove.docx
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\RestartBlock.rtf
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\UpdateReset.png
C:\ProgramData\NQZRGKDO\FileGrabber\Documents\CompareReceive.xlsx
C:\ProgramData\NQZRGKDO\FileGrabber\Documents\desktop.ini
C:\ProgramData\NQZRGKDO\FileGrabber\Documents\ProtectEdit.html
C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\desktop.ini
C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\ClearRedo.pptx
C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\MeasureFind.docx
C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\SendOptimize.txt
C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\UseReset.html
C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\ApproveDismount.png
C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\desktop.ini
C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\FindImport.svg
C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\ConfirmPush.svg
C:\Users\Admin\AppData\Local\Temp\nkjvni.exe
C:\ProgramData\NQZRGKDO\Browsers\Outlook\Outlook.txt
C:\ProgramData\NQZRGKDO\InstalledSoftware.txt
C:\ProgramData\NQZRGKDO\Screen.png
C:\ProgramData\NQZRGKDO\Browsers\Firefox\Bookmarks.txt
C:\ProgramData\NQZRGKDO\Process.txt
C:\Users\Admin\AppData\Local\b7e0bdc64f14b25b95280bc2e557a1b0\msgid.dat
C:\ProgramData\NQZRGKDO\Information.txt
C:\ProgramData\NQZRGKDO\Process.txt
C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\My Wallpaper.jpg
C:\ProgramData\NQZRGKDO\FileGrabber\Documents\ResolveReset.pdf
C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\UseSync.xlsx