Malware Analysis Report

2024-09-23 02:40

Sample ID 240706-njt8pszgqd
Target 1082572a44d4c41214a3c38dcd8289f9.exe
SHA256 9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc
Tags
asyncrat redline stormkitty 1 default venom clients infostealer persistence rat stealer collection discovery execution spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9085e6327177bb47cf43a8d8ed0c24fcfd50cde4199c5130f2b97b2508e9aabc

Threat Level: Known bad

The file 1082572a44d4c41214a3c38dcd8289f9.exe was found to be: Known bad.

Malicious Activity Summary

AsyncRat

RedLine

StormKitty

StormKitty payload

RedLine payload

Async RAT payload

Drops file in Drivers directory

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops startup file

Drops desktop.ini file(s)

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-06 11:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 11:26

Reported

2024-07-06 11:29

Platform

win7-20240705-en

Max time kernel

17s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\relog.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Identities.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Macromedia.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Media Center Programs.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1082572a44d4c41214a3c38dcd8289f9.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Identities = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Service_Identities.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Macromedia = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Service_Macromedia.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Media Center Programs = "C:\\Users\\Admin\\AppData\\Roaming\\Media Center Programs\\Service_Media Center Programs.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2508 set thread context of 2840 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A
N/A N/A C:\Windows\system32\relog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe
PID 2508 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe
PID 2840 wrote to memory of 1280 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE
PID 2840 wrote to memory of 1280 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE
PID 1280 wrote to memory of 2420 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe
PID 1280 wrote to memory of 2420 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe
PID 1280 wrote to memory of 2420 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe
PID 1280 wrote to memory of 2396 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
PID 1280 wrote to memory of 2396 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
PID 1280 wrote to memory of 2396 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
PID 1280 wrote to memory of 2396 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe
PID 1280 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe
PID 1280 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe
PID 1280 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe
PID 1280 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe

"C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe"

C:\Windows\system32\relog.exe

C:\Windows\system32\relog.exe

C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe"

C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe"

C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\D693.tmp.Server.exe"

C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe

"C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe"

C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe

"C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe"

C:\Users\Admin\AppData\Local\Temp\E0E2.tmp.update.exe

"C:\Users\Admin\AppData\Local\Temp\E0E2.tmp.update.exe"

C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe

"C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe"

C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe

"C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:32 /du 23:59 /sc daily /ri 1 /f

C:\ProgramData\KMSAuto\accc.exe

"C:\ProgramData\KMSAuto\accc.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp619.tmp.bat""

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 7

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:443 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 88.221.134.179:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 95.100.245.168:80 x2.c.lencr.org tcp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 www.igenius.org udp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 hrdc.pk udp
US 64.31.40.18:80 hrdc.pk tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 www.westnilebirdingandsafari.com udp
US 75.119.203.100:80 www.westnilebirdingandsafari.com tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
NL 94.232.249.204:1912 tcp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
US 104.21.13.213:80 auth.xn--conbase-sfb.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab9D3B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9E38.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac60aaf51777e508cbe70579f8492eea
SHA1 423b7bacdbe31d517fc8452428a217e1e02a5aa3
SHA256 521c5dc5f731f20f69b16ef6bab05ff001a4bc01f96aa94e20b337901f0bb424
SHA512 1946ccafafbed9a828198dfa6cc8f8675115d055224ebb76d013ac1ff0a5b29f35d5a1c939474b1d8673cfc8cb7b9db67febdb101ccdbb920cdcd3326e91d597

C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

MD5 839b3efd5782b6fc122855665f3aa202
SHA1 067c1b809106a1b9ad1641a9c745d4b83ece1196
SHA256 91ebcd79cfcbfedda3c557c5bb1ee5da9f4d13d518491d22a0e92f2caab7bec0
SHA512 1abfa3908386a7e579837548978ce0bac26cc2d9f3194ef652d2ce9810bbed84130d9cddabdc100256a118e362a33d0933df3511745f75de06c8dfa2bb88ffe4

\Users\Admin\AppData\Local\Temp\THA833.tmp

MD5 52d46be6bb8dc6d8fd09925e84a76994
SHA1 2639980aa48b17ee9fdc169872703453c8e73deb
SHA256 03b152b94fc40a782d7e12d58ad1d6b00b1029757811f841f64fdbd4831e694b
SHA512 3ea9efd5cbd44185ee2709a2ca787e8981fd5de1c757890f1636c9c79624203abdb341b9e0075a51733286aec963043ec2a2ac6651ec9bba043cdf81b32fd0c4

memory/2840-139-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 ee9d791fd900430e4d594e5bde5c096a
SHA1 25dd0ac5926d1d02bf4c9fe60d5aff6b602c9b7d
SHA256 74c6900b084deaf2ac76ee2113cfe73509e751c588707395fa2731e9bc154ccd
SHA512 cd1c18139594002e96c7094ff731812d9afb45fb34735731fb65eaecbd7918c2379fa52b8eea551ac9c51589827619f898a9a0ac95ee1ad8c0e94b589403efeb

memory/1280-186-0x0000000002E90000-0x0000000002EA6000-memory.dmp

memory/1280-184-0x0000000002E90000-0x0000000002EA6000-memory.dmp

memory/1280-182-0x00000000029D0000-0x0000000002A13000-memory.dmp

memory/1280-181-0x00000000029D0000-0x0000000002A13000-memory.dmp

memory/1280-188-0x0000000003C80000-0x0000000003CD1000-memory.dmp

memory/1280-191-0x0000000003C80000-0x0000000003CD1000-memory.dmp

memory/1280-190-0x0000000002EB0000-0x0000000002ECA000-memory.dmp

memory/1280-194-0x0000000077690000-0x0000000077691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC83.tmp.Installer.exe

MD5 bed8cdced2d57be2bd750f0f59991ecd
SHA1 4e2a885b9387fcf040b7eb79892de2f9fe55bca4
SHA256 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd
SHA512 b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f

memory/2420-198-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D27D.tmp.Server.exe

MD5 68fad5f5f8de1c290df5d3754b4af358
SHA1 0028395243f38a03b13726915144b9848e8da39a
SHA256 dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e
SHA512 ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01

memory/2420-205-0x0000000000E60000-0x0000000000F00000-memory.dmp

memory/2396-213-0x0000000001160000-0x0000000001192000-memory.dmp

memory/564-212-0x00000000000B0000-0x00000000000E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DAD8.tmp.Client.exe

MD5 43f955115dfba87ca3593a18efd58cef
SHA1 a1ca1fd8976e6a50ca3fe59994daeb0f8a7f9de5
SHA256 1d16c42501f0040b2cfcd9e6138db1311d7ed64c8f7c8f415176065b64f4b674
SHA512 360b070901d19b67fcb70260d54c8a8fe65c5720fe0e0c170f6c71d29999eb95b995efb1bc3db6cc2a33989b2cbf44f879e00535f27591184625a62ab2641dcd

memory/1876-220-0x0000000000140000-0x0000000000196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE04.tmp.update.exe

MD5 c709136e78750feb6cb85f99eda16629
SHA1 fc92be55dce55098824e381edec2002287bb8042
SHA256 d77ee327a52a472bc309a79db27b82f133c2f7b4ddae689cc130ebe407752fd3
SHA512 7e92ee4b23e9ecfc97c259f7572dcb818cc6a77dbf02b693f58249926a8ed6c324b5ca641ba0c68db0b063bf966c8651eb82de9aa2b46446fea238fa255f27d6

memory/1984-227-0x0000000000950000-0x0000000000962000-memory.dmp

memory/660-234-0x0000000000A60000-0x0000000000A72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E640.tmp.aaa.exe

MD5 e52ba92d25281e90aa7f27bd3719951f
SHA1 f67b856dbac5bdd315dce1df2738a1b4f88f4f39
SHA256 8215ed905544d217f656b5b226f71798970698eefa4f24cb48532778d8409baa
SHA512 96a3e30a0fbe049f69b07155cfe3e1a431ff63e8dabc4baa13eada61668ebc4d4171fdaf70fb7fac4d92fc7e8383fa400dcf11eeaee98e47511857e30a23f53d

memory/1712-267-0x0000000000EB0000-0x0000000000EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9D9.tmp.build.exe

MD5 7081e613321921500b70899fddb56a4d
SHA1 fbb9ef6899fb0ea1999404ccff08ee61ca8de11f
SHA256 7c03173d3bd7a27e446d8fe70829b963942f746d933a9eab4d198d524b45cb68
SHA512 679431a866a9806e967515eb97905d458798d8d9832a6fd57e519b12f5a8a5e8331297331a84c95a43bfca5953987ae9248638bc084fda92471540919a76a72c

memory/2528-275-0x0000000000AF0000-0x0000000000B42000-memory.dmp

C:\Users\Admin\AppData\Roaming\EXCFTDUU\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2880-316-0x0000000000F20000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp619.tmp.bat

MD5 57310749df8d556d8017cb72b8b57f73
SHA1 ffc1b1f19323a019133c5364fcd7b1c074180323
SHA256 414e30fd48a7d3699dda87d9a922df417202a319488149c7a8ba2fc07a49744a
SHA512 da2c776bb93eefe5bfd8a25111c16d0b2e15125b8189deae7fc03d19394619d8fb0d19cbb970eb033a58d67f6484dda1af5a1f2fc550cb6f8be3f55798a32f56

C:\Users\Admin\AppData\Local\Temp\tmp879.tmp.bat

MD5 a65cb1e43695c456c192f16b8c602dd1
SHA1 d3eb46db9e5db623845ac2adfe34db2098ca89d9
SHA256 08c86391bbc3e96f986579e041455c33567cf48401fea90d47823040a6bf6ad4
SHA512 55aacbf2b5bb232771f5e60256b1d5e039f06291c7afe644f1f8619020fff47076faeb4334f54c01cee1b23ab38381f537f48637ddc56cc1d157640dccac3e1c

memory/900-337-0x0000000000B20000-0x0000000000B32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 28712ba36c04b8ab7ee992096dc1fa9f
SHA1 b15b38fdbe26c6d9fc24cd45b34e8a0f6663cc69
SHA256 ab83d935e734460374c3d66315d096d24a16717b45b6e7fb71cf8aaccb6b3ef1
SHA512 8262c82e6f45d07839b1e4bb5735ea917004a99e76a94f551d8fc8b97b8b549e6350f82734f80ba16e640c9fbc6b1dedce2c56454c7baab4b70212c8ddab86df

C:\Users\Admin\AppData\Local\Temp\tmp601C.tmp.dat

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\tmp5E37.tmp.dat

MD5 f2e3c82219257b13b8cd21a887ac0a23
SHA1 9fc2d5695d5eddad36899a6a69927ce6b2ef76f2
SHA256 bbe72f97a51d05275f862dd16ebdebbf1b5ac34c7085e2dbbf57982ef1a7626b
SHA512 f4b63d51ebdf6f10e5ae80414831598206e8b8be7cc6b2dc4c69c8fada1cfb61ee5284c09120cb868ff0e6d6cd84e3f0aa3eef607878b80f924eeb77c418f226

C:\Users\Admin\AppData\Local\Temp\tmp6549.tmp.dat

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp6E52.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/1280-405-0x0000000003C80000-0x0000000003CD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 11:26

Reported

2024-07-06 11:29

Platform

win10v2004-20240704-en

Max time kernel

37s

Max time network

160s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

RedLine

infostealer redline

RedLine payload

StormKitty

stealer stormkitty

StormKitty payload

Async RAT payload

rat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\system32\relog.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1082572a44d4c41214a3c38dcd8289f9.exe" C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ACCC Tools = "C:\\ProgramData\\KMSAuto\\accc.exe" C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A
File created C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A
File created C:\ProgramData\NQZRGKDO\FileGrabber\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A
File created C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A freegeoip.app N/A N/A
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5028 set thread context of 1504 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\ProgramData\KMSAuto\accc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\relog.exe N/A (62 identical rows)
N/A N/A C:\Windows\Explorer.EXE N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\relog.exe N/A (43 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5028 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe C:\Windows\system32\relog.exe (3 identical rows)
PID 1504 wrote to memory of 3468 N/A C:\Windows\system32\relog.exe C:\Windows\Explorer.EXE (2 identical rows)
PID 3468 wrote to memory of 2628 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe (2 identical rows)
PID 3468 wrote to memory of 1320 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe (3 identical rows)
PID 3468 wrote to memory of 2672 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe (3 identical rows)
PID 3468 wrote to memory of 3884 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe (3 identical rows)
PID 2628 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe C:\Windows\system32\schtasks.exe (2 identical rows)
PID 3468 wrote to memory of 4072 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe (3 identical rows)
PID 3468 wrote to memory of 5092 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe (3 identical rows)
PID 2628 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe C:\ProgramData\KMSAuto\accc.exe (2 identical rows)
PID 2628 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 3468 wrote to memory of 1540 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe (2 identical rows)
PID 2868 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (2 identical rows)
PID 3468 wrote to memory of 5036 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe (3 identical rows)

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe

"C:\Users\Admin\AppData\Local\Temp\1082572a44d4c41214a3c38dcd8289f9.exe"

C:\Windows\system32\relog.exe

C:\Windows\system32\relog.exe

C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe

"C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe"

C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe"

C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe

"C:\Users\Admin\AppData\Local\Temp\FD4E.tmp.Server.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /create /tn ACCC Tools /tr "C:\ProgramData\KMSAuto\accc.exe" /st 11:32 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe

"C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe"

C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe

"C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe"

C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe

"C:\Users\Admin\AppData\Local\Temp\63A.tmp.update.exe"

C:\ProgramData\KMSAuto\accc.exe

"C:\ProgramData\KMSAuto\accc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.bat""

C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe

"C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe"

C:\Windows\system32\timeout.exe

timeout 7

C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe

"C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CE0.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"' & exit

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"'

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\nkjvni.exe

"C:\Users\Admin\AppData\Local\Temp\nkjvni.exe"

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 104.21.13.213:443 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 95.100.245.168:80 x2.c.lencr.org tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 213.13.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 auth.xn--conbase-sfb.xyz udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 32.133.67.172.in-addr.arpa udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 www.igenius.org udp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 hrdc.pk udp
US 64.31.40.18:80 hrdc.pk tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 185.140.3.192.in-addr.arpa udp
US 8.8.8.8:53 18.40.31.64.in-addr.arpa udp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 www.westnilebirdingandsafari.com udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 75.119.203.100:80 www.westnilebirdingandsafari.com tcp
US 192.3.140.185:80 www.igenius.org tcp
US 8.8.8.8:53 100.203.119.75.in-addr.arpa udp
US 192.3.140.185:80 www.igenius.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 freegeoip.app udp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
NL 94.232.249.204:1912 tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 204.249.232.94.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
NL 94.232.249.204:6660 tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:8808 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:8808 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:8808 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 dl.dropboxusercontent.com udp
US 104.21.73.97:443 freegeoip.app tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
US 172.67.209.71:443 ipbase.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
GB 162.125.64.15:443 dl.dropboxusercontent.com tcp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 104.16.185.241:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 172.67.19.24:443 pastebin.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 94.232.249.204:6660 tcp
US 104.26.12.205:443 api.ipify.org tcp
US 208.95.112.1:80 ip-api.com tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
NL 94.232.249.204:6660 tcp
US 172.67.133.32:80 auth.xn--conbase-sfb.xyz tcp
NL 94.232.249.204:6660 tcp

Files

C:\Users\Admin\AppData\Roaming\Adobe\Service_Adobe.exe

MD5 839b3efd5782b6fc122855665f3aa202
SHA1 067c1b809106a1b9ad1641a9c745d4b83ece1196
SHA256 91ebcd79cfcbfedda3c557c5bb1ee5da9f4d13d518491d22a0e92f2caab7bec0
SHA512 1abfa3908386a7e579837548978ce0bac26cc2d9f3194ef652d2ce9810bbed84130d9cddabdc100256a118e362a33d0933df3511745f75de06c8dfa2bb88ffe4

C:\Users\Admin\AppData\Local\Temp\THAF4B.tmp

MD5 52d46be6bb8dc6d8fd09925e84a76994
SHA1 2639980aa48b17ee9fdc169872703453c8e73deb
SHA256 03b152b94fc40a782d7e12d58ad1d6b00b1029757811f841f64fdbd4831e694b
SHA512 3ea9efd5cbd44185ee2709a2ca787e8981fd5de1c757890f1636c9c79624203abdb341b9e0075a51733286aec963043ec2a2ac6651ec9bba043cdf81b32fd0c4

C:\Windows\System32\drivers\etc\hosts

MD5 1530b50aac226cd50815c69326517e51
SHA1 e97855298b61d8a5b6cf2450a990d5cbc40c6aa4
SHA256 1c1eab02470f70f1067cc91ae1506955f2cd92eac3afac8eb3592cc718c2cab3
SHA512 c66ee426b16c2ab3439617774b914dd279351b4c3dc14e16d6e7cdb11cd0cf0d3346df87a315f5a0de885522e3bfdcc2513e73f2d01cf0e5f13f77f7facdb432

memory/3468-86-0x0000000006CB0000-0x0000000006CF3000-memory.dmp

memory/3468-90-0x00000000007E0000-0x00000000007F6000-memory.dmp

memory/3468-92-0x0000000000800000-0x000000000081A000-memory.dmp

memory/3468-89-0x0000000007570000-0x00000000075C1000-memory.dmp

memory/3468-88-0x0000000007570000-0x00000000075C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4C0.tmp.Installer.exe

MD5 bed8cdced2d57be2bd750f0f59991ecd
SHA1 4e2a885b9387fcf040b7eb79892de2f9fe55bca4
SHA256 5f628663f71e3baa55f10e6021597f7860bef868284eb50b8958169dcbbff4fd
SHA512 b85990a778c2462d57c3b314270bd1f397749450e75508e1012a14f21661358b98021efb791f694d9eb05f49b0776ea3ff4c803f842f858db5669968c477433f

memory/2628-106-0x00007FF84BBF3000-0x00007FF84BBF5000-memory.dmp

memory/3468-105-0x00007FF8687B0000-0x00007FF8687B1000-memory.dmp

memory/2628-107-0x0000000000F70000-0x0000000001010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F993.tmp.Server.exe

MD5 68fad5f5f8de1c290df5d3754b4af358
SHA1 0028395243f38a03b13726915144b9848e8da39a
SHA256 dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e
SHA512 ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01

memory/2628-130-0x00007FF84BBF0000-0x00007FF84C6B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\108.tmp.Client.exe

MD5 43f955115dfba87ca3593a18efd58cef
SHA1 a1ca1fd8976e6a50ca3fe59994daeb0f8a7f9de5
SHA256 1d16c42501f0040b2cfcd9e6138db1311d7ed64c8f7c8f415176065b64f4b674
SHA512 360b070901d19b67fcb70260d54c8a8fe65c5720fe0e0c170f6c71d29999eb95b995efb1bc3db6cc2a33989b2cbf44f879e00535f27591184625a62ab2641dcd

C:\Users\Admin\AppData\Local\Temp\3D7.tmp.update.exe

MD5 c709136e78750feb6cb85f99eda16629
SHA1 fc92be55dce55098824e381edec2002287bb8042
SHA256 d77ee327a52a472bc309a79db27b82f133c2f7b4ddae689cc130ebe407752fd3
SHA512 7e92ee4b23e9ecfc97c259f7572dcb818cc6a77dbf02b693f58249926a8ed6c324b5ca641ba0c68db0b063bf966c8651eb82de9aa2b46446fea238fa255f27d6

memory/2628-178-0x00007FF84BBF0000-0x00007FF84C6B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABF.tmp.aaa.exe

MD5 e52ba92d25281e90aa7f27bd3719951f
SHA1 f67b856dbac5bdd315dce1df2738a1b4f88f4f39
SHA256 8215ed905544d217f656b5b226f71798970698eefa4f24cb48532778d8409baa
SHA512 96a3e30a0fbe049f69b07155cfe3e1a431ff63e8dabc4baa13eada61668ebc4d4171fdaf70fb7fac4d92fc7e8383fa400dcf11eeaee98e47511857e30a23f53d

memory/1540-191-0x0000000000A10000-0x0000000000A26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7CB.tmp.bat

MD5 2c510a4b200842f7dc2f1e831f7b4400
SHA1 299ca4b4a4fe59c10e5331f72a44b417b5507053
SHA256 5a00b9a3046bc3173f8dee693f9fffeb8c667376d6c209470476fbebd63c78db
SHA512 4ded7c6cf724abd770f098855cbd54a33cbc629dd3afd34d798c05ed9d58225a476250016242fe10527d41a86e6e156a62712efe283eb33058be4e802e90c103

memory/1320-192-0x00000000004D0000-0x0000000000502000-memory.dmp

memory/4072-194-0x0000000000460000-0x0000000000472000-memory.dmp

memory/3884-193-0x0000000000140000-0x0000000000196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F15.tmp.build.exe

MD5 7081e613321921500b70899fddb56a4d
SHA1 fbb9ef6899fb0ea1999404ccff08ee61ca8de11f
SHA256 7c03173d3bd7a27e446d8fe70829b963942f746d933a9eab4d198d524b45cb68
SHA512 679431a866a9806e967515eb97905d458798d8d9832a6fd57e519b12f5a8a5e8331297331a84c95a43bfca5953987ae9248638bc084fda92471540919a76a72c

memory/5036-206-0x00000000004B0000-0x0000000000502000-memory.dmp

memory/5036-207-0x00000000053C0000-0x0000000005964000-memory.dmp

memory/5036-208-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/5036-209-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

memory/5036-240-0x0000000005F90000-0x00000000065A8000-memory.dmp

memory/5036-242-0x0000000005060000-0x0000000005072000-memory.dmp

memory/5036-241-0x0000000005130000-0x000000000523A000-memory.dmp

memory/5036-243-0x00000000050C0000-0x00000000050FC000-memory.dmp

memory/5036-244-0x0000000005240000-0x000000000528C000-memory.dmp

memory/4072-245-0x0000000004D10000-0x0000000004D76000-memory.dmp

C:\ProgramData\NQZRGKDO\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4072-270-0x0000000005200000-0x000000000529C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5CE0.tmp.bat

MD5 c2b2fc38d22c2d4845f7ab38948fbb95
SHA1 203fc5c9c15a264366c8519a6fc3cff98762b7b4
SHA256 793086abf008f8b101ee61e0afc80d3ea476d6b50deb87477961fd27da650070
SHA512 340d57ae6dccb721551daf13dd04eaad07e6928eea5dc148bd0e886d25ddf513bf2874754e974e18b67f90d92dbfc38d12549c2153da71458512ade5e061eee4

C:\Users\Admin\AppData\Local\Temp\tmp6B09.tmp.dat

MD5 cf7a291fa3c23b1fa0a0c003717ca899
SHA1 a8feadd23a73c1c7783b5e56ce951c84f97e3851
SHA256 fd821a883d1953d95a9e616db71d43071afde16947f331f523ce8ea20c39d139
SHA512 0dfffbc596515ac284f8ab8fac13f1bbb496223ee7d849e9b8976b6f75a5c257619010419c5e441b84a538a7409bf0cefaf5f7b65bc7736842030c10eef4856f

C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.dat

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp6B2B.tmp.dat

MD5 73bd1e15afb04648c24593e8ba13e983
SHA1 4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256 aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA512 6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

C:\Users\Admin\AppData\Local\Temp\places.raw

MD5 f61e84eeb6d764187d4c908556f5b882
SHA1 b846caee1ab53a6db6ca04a4adae48617be89961
SHA256 450dd94a76f83dd013933a97f8593841b7dbe03ac81796e1ee4ddc8a617e4a90
SHA512 aff76615285cb9834c33dfbca44a5c4bd44bb4020f9e3042bafdd36aceb362d6e4061f65cc848cb4fbd53b53cca7a47977e3192139a72e93bd39c13544c5c559

C:\Users\Admin\AppData\Local\Temp\tmp6C99.tmp.dat

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\tmp6C88.tmp.dat

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp6D46.tmp.dat

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp6C87.tmp.dat

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp6C14.tmp.dat

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Local\9a306fc04527f1c5cdde86d98790c0a2\Admin@NQZRGKDO_en-US\System\Process.txt

MD5 654d50b1cde01d4868a3f9e3d7974105
SHA1 fdaa78941c0fe33ce48f738b5d9f9883a1ccd326
SHA256 c0cbfea182835578887bf93de752b455ce2cdfde6bd49a02f713d12448548064
SHA512 adc0d95b272a03cc74ed1338f3851d855523038a32811af5678a36f91adef9690dd8ad2699e5898360d1dbfc6d27068ae08a918ab1aa49e692c31815fc21c617

memory/5036-515-0x0000000007720000-0x0000000007770000-memory.dmp

memory/5036-523-0x0000000006AC0000-0x0000000006C82000-memory.dmp

memory/5036-527-0x0000000007CA0000-0x00000000081CC000-memory.dmp

memory/1640-557-0x0000000006EA0000-0x0000000006F3C000-memory.dmp

memory/1640-556-0x0000000006E20000-0x0000000006E96000-memory.dmp

memory/1640-566-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

memory/1640-574-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

memory/1640-573-0x0000000006F90000-0x0000000006FD0000-memory.dmp

C:\Users\Admin\AppData\Local\cd31ed6ceaddbcd5581da22a0735f289\Admin@NQZRGKDO_en-US\System\Process.txt

MD5 963031f7a1d5ec034558827980f813d2
SHA1 28b8f4f3db591c3497c5e612efea51c6aa10d639
SHA256 030d3fa33e48ff4e00ca508c7f842c10b347a997f2634ac9dbe1d35997b6b398
SHA512 13d45c2c8e83068e2bcb0511fef251bd03b0dff6ed069dd2b7f36fe6e49180c59533a8209fb02054f136053370245bcca2e8cc894a9dde48890e37a6085a2219

C:\ProgramData\NQZRGKDO\Process.txt

MD5 6cfc55ab1a57700467bc4092130f14de
SHA1 f07446edee994b6fe4ab743d662945b440aa2204
SHA256 5ece54087c0ea84fc9900ef14f372487aa5f67bc231b4682e7b47e27643baeb6
SHA512 a5b6a70425e369e709b7b3d9b864f1debce576b84b64177137b8272230362bb7d466aea2dbad34057fa43a0f1df4545914f81cbf0260cb52811b07956d56a948

memory/1640-665-0x00000000070E0000-0x0000000007142000-memory.dmp

memory/1852-676-0x0000000002950000-0x0000000002986000-memory.dmp

memory/1852-677-0x00000000055B0000-0x0000000005BD8000-memory.dmp

memory/3468-678-0x0000000007570000-0x00000000075C1000-memory.dmp

memory/1852-679-0x0000000005490000-0x00000000054B2000-memory.dmp

memory/1852-681-0x0000000005BE0000-0x0000000005C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0yfr52o.glh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1852-691-0x0000000005C50000-0x0000000005FA4000-memory.dmp

memory/1852-693-0x0000000006250000-0x000000000626E000-memory.dmp

memory/1852-695-0x00000000067B0000-0x00000000067FC000-memory.dmp

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\DisconnectComplete.bmp

MD5 1539537294599fdadc1ca04c72779a8a
SHA1 4006e9d1493803bc51aaee4d4feb5a1d5f044e7a
SHA256 3b32d6b788e65bf50d9b62d9f2303dede24720f0de0f90242f9a39dcf2c234cd
SHA512 9e630c6c7ce4f33caf5849e15469815578242f2d634f83203ab2549149fcd60ed7d1b00a87254685a67875f0661a7bc1a2a03f8503588f9fd5494b68670953d1

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\PublishNew.html

MD5 f37d2b8774a4a097f71170bdde778e2a
SHA1 6507d7c114c31292c0f5e0bdfbe09c93e325bbf9
SHA256 5e989c6feb959986bcd33ef1634e7f9d00a025bb2e0a8b90700c00bd58c4028a
SHA512 38b1cb5b5c36b4f8a3b3e9d0575edfc1173330b0c1ccaff903c4fa6970c42ef0ff42f1835a655abb48a6a450c01100b36c7a8809031e3fd5287eb3d7dde7e1f4

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\PushRemove.docx

MD5 fbab186d92f03a1c2326a5683607e5bd
SHA1 29b5c29d9992ad1114e4f1621fdad100a18498d6
SHA256 784bf488884df40cb5ba1290a5d15f540d27670c1bfa27c9d6577c7dbc00da75
SHA512 76d26fa73e484ce55bcc309ec5842d44907cee99553d07e16f61c8dc35f7e8308b5c117631ac45055a12d66b447e2314dde6e6978f539919267fdc98f419e227

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\RestartBlock.rtf

MD5 59f13d4fa84b0506452934cbfce7aa23
SHA1 0c0784178405b1670be780c2b184f226be020481
SHA256 d5469b8791211c0af5bd402e9ecdd7f67a3824e43a3720e9454a59ba37caf68b
SHA512 fd6ec01cb742dbc1fb8db0ac9687c4e08855f7febb7b6a18e3b8389a40ad09ba53937c4afedad60738e3ba8185629cc7ec80ee3507ce28c6720252674b3bcb7a

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\UpdateReset.png

MD5 a9447b8083d9e0cf492d265a51e306d7
SHA1 c2e143774915a1a27a857d75bdd4b0ba84344663
SHA256 0cbd4fd134a63ef17a7f3ebfa680242ef4db06ae8474334256af0b7ddb9bc5d5
SHA512 d151ba4e6596b04d25baf1b33a56d0d773d7cd4f89b87fb330986a58906da791583c6bfeaaeb5070e4099e9a8b8e55e0ad3de6f512781064f2e2de28fc5f5eca

C:\ProgramData\NQZRGKDO\FileGrabber\Documents\CompareReceive.xlsx

MD5 eb03dd7fa4261e30a68c7b9f15bd1dc3
SHA1 730e5d1445493c02c8c49c7418ec347bd3d8ac7b
SHA256 d6665e869082319a9ad66dbeb439e093a42fa2dc462389c829f50acd27164540
SHA512 aa576cb441165159d57bb3e04df22d7e6038e12c8b303bb2413a2064ebde6a2109d50c41e6ac45ca40d562380da3279d255d6ce5d86d3251babfa918d7ec6332

C:\ProgramData\NQZRGKDO\FileGrabber\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\ProgramData\NQZRGKDO\FileGrabber\Documents\ProtectEdit.html

MD5 99684f1415dd63e21c5cd855e862a5b7
SHA1 5375ed73fef9ba6801ea260556393c9871d15394
SHA256 f7e697f09ec319b7297609a6fb099f5a241926f771f785ca8099caed2b8f3d93
SHA512 b9af1bbfaa9dbda0e8099571a092c14d208f454a8ac3a4c4adc846d94e3bbc53b5f9e81c50a5250fa373a3a46646b0a520cb6f750ca791ef255337549d185fdd

C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\ClearRedo.pptx

MD5 b7b51ce8e5d31d1035b3f105068d3c8e
SHA1 f81e4e82343320d2db6187bede0336561389ddde
SHA256 cda59bd601b5f2d83bedb5ffdde80cf99734e53ea9a2bc1f26665755ef769a60
SHA512 804a4492f187187fc6243045487c7cdd91bf7f89cc89bd7df12d1d0e727e7faaea9cef1ce505402a77b87398c676e5934173847578af5d5037f50a296679468d

C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\MeasureFind.docx

MD5 46a1e2f6a3066de31d3300fd90eb5a99
SHA1 5b45cd01ef4a21407fb0bbb224e5b340b851cef9
SHA256 d8927a454b56293048ff08f355d7130f19cdd1a0810fac264f785f596ccc9159
SHA512 60f164eec4aa7177e14a34900a39c087ed223679e0164f2dd4b47934f3dd5663c869e922c9032e2c6c5d34c688e7725a0476b8a64b4f2c6af18f97fb61be0cdd

C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\SendOptimize.txt

MD5 4c60ce82ff4e667a340d3d9933b0cc2b
SHA1 7d5b22adf3a0c0f0babcdaafa055583e60362e52
SHA256 5f3ade4125d19332706e0e2e893383e3e4d90dd3459b2594aae7354841cf3b8a
SHA512 504389b360800b09043f095a8e0fd20a69e7c29619804c0de807601f71b6e938ff0a490f347b0de150effc9326bec18059006ac01fb85c885268e58664418603

C:\ProgramData\NQZRGKDO\FileGrabber\Downloads\UseReset.html

MD5 e996fc8b3a4209a3ed50f6302e0d62e0
SHA1 32a3905a16d290e3faaf7681728fb29bd47131c5
SHA256 c3616d939782a947612fb0517e21291f33a107eb49ae59f5ea88ee7c73fe00a8
SHA512 74a7c35434c3c1921644f96d3f57b75872efff48ccaf710f0cf279d1e89c184168ea414f73af0d8987a7fb67f69224c04c893a6cad251112a89d3baf4b9c3b80

C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\ApproveDismount.png

MD5 d8e0fef32cd2890b2814e01854902e3b
SHA1 6fbf89b50d0be84aa9ec09539826409216a015e1
SHA256 b0ef37325ee1eff8f1bc7a0c635d03144d6116b3be2ea0ddee92f26a823c43dd
SHA512 32f6653d6de095467cb4416eafb5389394ba6c0c4cfc6f31867c75a38ce680d8ffb2f16b19dd6178f8497c43dcdd9508933b7a4904dc40156dd0f6dff7e80ea5

C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\FindImport.svg

MD5 17919590aee9e21827c479a535774db2
SHA1 496b04eb0efd84511206c65f8b689bc548e4917f
SHA256 5961f1375340f316e7486e0454818e40d858ce373018fe3f882072dc59e76b3c
SHA512 e079fa33ab357a9b6d74c180d4d08b5d24564d19938f1055465d1a88a372c17dbd03a9e13015babcc84a54a7ac645d9fadbd4b474b7c8106b05e362d2b5dd490

C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\ConfirmPush.svg

MD5 968de80e4359f3a1d6206f22ec10985a
SHA1 b3a44f4b899e5e12799a41403f1b99b5f6d7c82f
SHA256 53977f3825d7370fa259bfc58fa8a16b6709a13618d2faa33f8e14fb2eacb62a
SHA512 9b4fa11b956a347f1795d3427f56c7180e1126b200c3b8c925dbef76f6fdf03d97325f1f474875fde9c58d51b385229d1c90f041ea7e0e2bfd99d64f3e5cf1a2

memory/1852-815-0x00000000066D0000-0x00000000066EA000-memory.dmp

memory/1852-816-0x0000000006720000-0x0000000006742000-memory.dmp

memory/1852-814-0x0000000007200000-0x0000000007296000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nkjvni.exe

MD5 c28490da01887aa59d82c54b576dc107
SHA1 5c4a2f7a85b686f5767a618d69adb20367381bdd
SHA256 bc07b9c79b5cd67dbce8031e5a39e8987494a6185e20f589964020e14ff3e789
SHA512 770835b7ac65b090478b233aa5008557fa447961445558bbbc7cc900b5cb29e1ded2f8e0b318e996e410686b9054f83c1ace710de54e8fd039965c4cb110d2c2

memory/1756-824-0x0000000000720000-0x0000000000776000-memory.dmp

C:\ProgramData\NQZRGKDO\Browsers\Outlook\Outlook.txt

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\ProgramData\NQZRGKDO\InstalledSoftware.txt

MD5 bca4ee4b0d73edf2835ac08ab38d1bd9
SHA1 a833d7663f5edecc050b37b7efd1d563268ea0df
SHA256 0face1d1c4bdf8e8f16c7fe99e2a6150cd6f60dc20396214288a585f870f3e5f
SHA512 48fa5f3b545f470146fee34c87b7268eb09ca7944d8bfea9e9fa2a14f4f934ec3b91ae4d302f7248b797bd5e0562b8a567f5ca3bce241ea8c3493bbe3310bce2

memory/3468-841-0x0000000000800000-0x000000000081A000-memory.dmp

C:\ProgramData\NQZRGKDO\Screen.png

MD5 b511181dcaa3a8e63f4ed1c16f5d07fc
SHA1 d693734e62db76b090a65c2c27fb050ac36baa34
SHA256 423dbea9d47135c2f58ebffef1d3a16af00acb791501ce0ff7ab3ae4ec0fbd68
SHA512 d209b3cd02cfdf137d6f00933d5f430e25a20b3d75fef187f39ed05f37dc248f251817b10da1fb1aa11dca956985b3f409ce792a25cb6c9b59eca61475b6ae69

C:\ProgramData\NQZRGKDO\Browsers\Firefox\Bookmarks.txt

MD5 1267f4be35fbe5510886cf08ddee9fdd
SHA1 04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9
SHA256 ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3
SHA512 6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

C:\ProgramData\NQZRGKDO\Process.txt

MD5 1b8b7078ea39e541cf19b107813b67a8
SHA1 16c084bde29e529870546e2a55fb80e28f91c146
SHA256 ef721171389f9d3e9730443ae950ff796f78c8902ea920d97ee2d6359c47f2d5
SHA512 9c8f3115140f70f848065ec52b5ce8958dec3cdbb7ed55d243c82d6a0d2b8aae55b8ba59247ae77e81d139710d4d3261661b71ac2bb940a311a31ee09ddbf5b0

memory/2672-900-0x0000000001150000-0x000000000115A000-memory.dmp

C:\Users\Admin\AppData\Local\b7e0bdc64f14b25b95280bc2e557a1b0\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2672-934-0x00000000012F0000-0x0000000001302000-memory.dmp

C:\ProgramData\NQZRGKDO\Information.txt

MD5 172c5bd764c1fcd9d88b5abdd7ef4af4
SHA1 058f569d5ebac59af5ccdc12939c438b16a231af
SHA256 844efe16046148674f507341588f5698d7908b6ba4ee8bc405868ea942f4df2b
SHA512 12189ca1346384a18e5bb16316913a353f101f80f572a416319c24b40715457572cd8f0b632ce4ac5b4e0e4c597a862a05195e4fc58421f79767bbfed0206e96

C:\ProgramData\NQZRGKDO\Process.txt

MD5 451bfcf6578cc361c8e3442d2934c8d2
SHA1 843c6485af9b378002ec3422447075466e1bf6ed
SHA256 3b3861734e2132468e41be6627981c36545313a1cfc584c05393d94c31f4173b
SHA512 9b8aec35856e4be273fb9f48ea112a1ad6c29ee66a99af28a0094eab0e162689723c0655aa6ac02ef15dad66c44dd299c5345459562572f6ade8575dffe0ff41

C:\ProgramData\NQZRGKDO\FileGrabber\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\ProgramData\NQZRGKDO\FileGrabber\Documents\ResolveReset.pdf

MD5 5c4b91400ed3bb483f83e79848b84f89
SHA1 be6fee3d4a155eee7cc8e899a7f41b2a4a33e9ad
SHA256 3e13a169a2cfedcec972301148e94a3f9281d1670d1a0627e2f2e5eabd262663
SHA512 c05040ba5e95147775850ba88458da4b9ad6b30322147cf37956a04901f6aa7379a9117dd6e1c48e6c9c912fb088916dd0a137a1c6dcbed88d45d1e3666c4636

C:\ProgramData\NQZRGKDO\FileGrabber\Desktop\UseSync.xlsx

MD5 aeeef1c5636c7a4a52f0590d39bf37d5
SHA1 389007ae467f57489019d531ae76244dcac37c11
SHA256 fb77df3812f46c27efcad855b08bd3ffd1cc9edc8d0dbfa65506126a0f6d8e28
SHA512 de205bac7078efa4f5a7d34fa6dbd77a9ae9ee53a048293e34286409fec1e87102420e3c029a226c22d47a706a91f92b76c4b666df3de42b1a8f4f98901b8034