Analysis Overview
SHA256
2c074fffbd47b3ed8129a7e9a4e350e7b9f6ce923f75b0166a8cb3e425e39e95
Threat Level: Known bad
The file 1725148829.119856_File.exe was found to be: Known bad.
Malicious Activity Summary
Vidar
Stealc
RedLine
Lumma Stealer, LummaC
Detect Vidar Stealer
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Creates new service(s)
Stops running service(s)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Unexpected DNS network traffic destination
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Power Settings
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-01 00:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 00:02
Reported
2024-09-01 00:07
Platform
win10v2004-20240802-en
Max time kernel
95s
Max time network
289s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer, LummaC
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8V7HB.tmp\py_q9F9XhXBwexdoquFQoW9L.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\EGIIJDHCGC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\py_q9F9XhXBwexdoquFQoW9L.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8V7HB.tmp\py_q9F9XhXBwexdoquFQoW9L.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\1uGU_PaYOd93mwdvO0pRZJq6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\HR8iA61XqPfBph12_UX1aPyX.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminAKFHCAKJDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\AY3U4Euxcxv9ydttoPDJ4yyd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\DBKKFCBAKK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Liliafer\msptjhkfda.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminECBGHCGCBK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob value omitted] | C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [blob value omitted] | C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe
"C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\bTk6z17ukjRsYPjToqllP1Iz.exe
C:\Users\Admin\Documents\iofolko5\bTk6z17ukjRsYPjToqllP1Iz.exe
C:\Users\Admin\Documents\iofolko5\1uGU_PaYOd93mwdvO0pRZJq6.exe
C:\Users\Admin\Documents\iofolko5\1uGU_PaYOd93mwdvO0pRZJq6.exe
C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe
C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe
C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe
C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe
C:\Users\Admin\Documents\iofolko5\py_q9F9XhXBwexdoquFQoW9L.exe
C:\Users\Admin\Documents\iofolko5\py_q9F9XhXBwexdoquFQoW9L.exe
C:\Users\Admin\Documents\iofolko5\AY3U4Euxcxv9ydttoPDJ4yyd.exe
C:\Users\Admin\Documents\iofolko5\AY3U4Euxcxv9ydttoPDJ4yyd.exe
C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe
C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe
C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe
C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe
C:\Users\Admin\Documents\iofolko5\HR8iA61XqPfBph12_UX1aPyX.exe
C:\Users\Admin\Documents\iofolko5\HR8iA61XqPfBph12_UX1aPyX.exe
C:\Users\Admin\AppData\Local\Temp\is-8V7HB.tmp\py_q9F9XhXBwexdoquFQoW9L.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8V7HB.tmp\py_q9F9XhXBwexdoquFQoW9L.tmp" /SL5="$C01D8,3429829,54272,C:\Users\Admin\Documents\iofolko5\py_q9F9XhXBwexdoquFQoW9L.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe
"C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe
"C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe
"C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe" -i
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Liliafer'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Liliafer\msptjhkfda.exe
C:\Liliafer\msptjhkfda.exe
C:\ProgramData\EGIIJDHCGC.exe
"C:\ProgramData\EGIIJDHCGC.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminAKFHCAKJDB.exe"
C:\Users\AdminAKFHCAKJDB.exe
"C:\Users\AdminAKFHCAKJDB.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3136 -ip 3136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3136 -ip 3136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1372
C:\ProgramData\DBKKFCBAKK.exe
"C:\ProgramData\DBKKFCBAKK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminECBGHCGCBK.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\AdminECBGHCGCBK.exe
"C:\Users\AdminECBGHCGCBK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4660 -ip 4660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1364
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKKFHCFIECA" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 185.143.223.148:80 | 185.143.223.148 | tcp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.223.143.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.62.237.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240812161425945.tyr.zont16.com | udp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| CH | 179.43.188.227:80 | 240812161425945.tyr.zont16.com | tcp |
| US | 8.8.8.8:53 | 33.115.113.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.44.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.188.43.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| DE | 77.105.164.24:50505 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| US | 8.8.8.8:53 | 24.164.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.113.215.185.in-addr.arpa | udp |
| DE | 147.45.47.36:30035 | | tcp |
| US | 8.8.8.8:53 | 36.47.45.147.in-addr.arpa | udp |
| FI | 95.216.107.53:12311 | | tcp |
| US | 8.8.8.8:53 | 53.107.216.95.in-addr.arpa | udp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| US | 8.8.8.8:53 | 138.68.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.231.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | locatedblsoqp.shop | udp |
| US | 172.67.207.182:443 | locatedblsoqp.shop | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.207.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | traineiwnqo.shop | udp |
| US | 172.67.177.240:443 | traineiwnqo.shop | tcp |
| US | 8.8.8.8:53 | 240.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | httpbin.org | udp |
| US | 3.230.74.9:443 | httpbin.org | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 8.8.8.8:53 | condedqpwqm.shop | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | 9.74.230.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.10.21.104.in-addr.arpa | udp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| US | 8.8.8.8:53 | stadiatechnologies.com | udp |
| GB | 95.164.119.162:80 | stadiatechnologies.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| LT | 91.211.247.248:53 | boibohv.com | udp |
| US | 8.8.8.8:53 | 248.247.211.91.in-addr.arpa | udp |
| CH | 185.196.8.214:80 | boibohv.com | tcp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
| CH | 185.196.8.214:80 | boibohv.com | tcp |
Files
memory/3500-0-0x000000007507E000-0x000000007507F000-memory.dmp
memory/3500-1-0x00000000004F0000-0x0000000000C6A000-memory.dmp
memory/3500-2-0x0000000005640000-0x00000000056DC000-memory.dmp
memory/3500-3-0x000000007507E000-0x000000007507F000-memory.dmp
memory/3500-4-0x0000000075070000-0x0000000075820000-memory.dmp
memory/3500-5-0x0000000005920000-0x0000000005D06000-memory.dmp
memory/3500-6-0x0000000006F40000-0x00000000071F4000-memory.dmp
memory/3500-7-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/3560-8-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-13-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-11-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3500-14-0x0000000075070000-0x0000000075820000-memory.dmp
memory/3560-10-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-16-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-23-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-22-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-21-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-20-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-24-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-19-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-18-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-17-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-15-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-28-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\Documents\iofolko5\HR8iA61XqPfBph12_UX1aPyX.exe
| MD5 | 1b4e6b62027f8ee24d3401c9ec96f672 |
| SHA1 | 6bb4152446cd1ed5752f81f7ba4053b8e12d0852 |
| SHA256 | d30d079e3e347e11a8d8ebd5ec025367968147b52d47d15c61a7bc48e0fbeee2 |
| SHA512 | bf8a779100c87206018926bc077ffd23bdce02fe5f47518e528e747b0ed83f60972d98abdf618ac514f8ac87250488fe0cab7756bc11ba18686e0d45c1c0dffc |
C:\Users\Admin\Documents\iofolko5\tBmzHMAfN793ylri5IeghaV3.exe
| MD5 | 4847d6885adc7ea78fdf9918c384cecb |
| SHA1 | 9eb0ce983f5a81300f18331b4899e03692fea6ef |
| SHA256 | 2954dec8276af3d7c60154c2afb2ae360d696c6a90eb779fd9e380848c6fd8cc |
| SHA512 | e9b4d83425344b7137477105ee474c114f098d6c6e41d7bdfb47fb5902e32ba5c91ae9b9a3629dbad0ce4151bbf9d880c80dbfd5002d77da9ad88e8aa67f41fe |
C:\Users\Admin\Documents\iofolko5\AY3U4Euxcxv9ydttoPDJ4yyd.exe
| MD5 | 19206462deb8093a24b063f75c0f88a0 |
| SHA1 | 294b76a6e7dceadde162e682c69115151edd8d73 |
| SHA256 | a672db5e7e34e662bbf17075a2076dc0b3479f75a49982c77e575077813ace94 |
| SHA512 | 426db34d5128e3071f766bf937b04959b90016448311789b97fb8b39d214f4129818e2b24e4c068eb3d1d1ef45be82bd16139f2db0eecb7c6d7b2c57001f06e8 |
C:\Users\Admin\Documents\iofolko5\py_q9F9XhXBwexdoquFQoW9L.exe
| MD5 | fdcc68a75a0e43485921c995d7b30aa5 |
| SHA1 | 904c066f7a5aa391a105de475fe0621ea9434a67 |
| SHA256 | 350cdb47086ec6370f72779d1851953c3d12a91f0e6b59571be703a4538bbc48 |
| SHA512 | 11df46188805f1b943c4e4885eabcd66aa146c222f6863e1110a964d7d313587dd7ad3558380152ddf62980160b4580c2ec9f497ab41b7ed48a5d46de0b8fdbd |
C:\Users\Admin\Documents\iofolko5\bTk6z17ukjRsYPjToqllP1Iz.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
C:\Users\Admin\Documents\iofolko5\OXjlPcHMWw9IOxuKS5jSh7o5.exe
| MD5 | 01a3155b62c88c17d864f9fd78745902 |
| SHA1 | ad629d70451330123fcd8c98e6a05406c4aea050 |
| SHA256 | 82475d4397b6d833a0b170945b7fb607eb82e3609dc35dc51f04884be3a91155 |
| SHA512 | e61debb7a875414fa8af8baa28847fd852c719da94107e98a5209b96cd09dab99f3d291ddd7692b1074bf95a8d8e624423264d0ac524e9ff7a2e174acddc0a42 |
C:\Users\Admin\Documents\iofolko5\1uGU_PaYOd93mwdvO0pRZJq6.exe
| MD5 | 68da26c2c1d0d040a86cc3910a40d287 |
| SHA1 | b374f418f3d086868f661ae2108a71e8eb70dcfa |
| SHA256 | 0904ef6ec1a22ab31adf07bb35bb0667603c574032da3e6004fb1592cea15b06 |
| SHA512 | 09b0647bf8e9d01bb36cf90cc82ecd33d545586ffa7ef14bf903f796739bc1c3c0986aa0f71851407434fc215214acb082fd6e95a24ca027a1d51982a1841b08 |
C:\Users\Admin\Documents\iofolko5\CH6wiprYnjjiLcQcurMqpLJ8.exe
| MD5 | bd2891236510c953d469e346d092f0c7 |
| SHA1 | 6409a3259b18ecf91d2ff6a43ff319c2f8158be2 |
| SHA256 | 1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44 |
| SHA512 | 409abb8ce3382297bb669e7b7edfa44b0c2166831a6212223237245cba0595cf35592ec9755c839a69372bd0a4e96c74b98e7bca375a82b3e0707658d4b5802d |
C:\Users\Admin\Documents\iofolko5\Jn6gHmXmfs6tHAhtqBqrADGy.exe
| MD5 | d4ac1a0d0504ab9a127defa511df833e |
| SHA1 | 9254864b6917eba6d4d4616ac2564f192626668b |
| SHA256 | a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848 |
| SHA512 | 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5 |
memory/3560-110-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-106-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8V7HB.tmp\py_q9F9XhXBwexdoquFQoW9L.tmp
| MD5 | 38deb275b04a61c5837ef9597e066fcd |
| SHA1 | c389def26f07be7c4f44e1d3b686ed52de401753 |
| SHA256 | 346d652d50dd304ef8eafa8ffcc3b959363d006bb97a96caba169cde8c3cbc8e |
| SHA512 | 385a604f61e8a2c4dd1610a34361b1248491639961f891db509e45890457ff647c6305390ebfbde5a26ce29c748a87f422840d2935be2988d5aeb9bbfd95cb62 |
memory/2344-141-0x0000000000280000-0x00000000008CC000-memory.dmp
memory/4028-142-0x0000000000840000-0x0000000000B32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3RR06.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/3656-157-0x00000000008D0000-0x0000000000934000-memory.dmp
memory/2344-163-0x00000000050E0000-0x0000000005102000-memory.dmp
memory/412-187-0x0000000000400000-0x0000000000641000-memory.dmp
memory/4424-207-0x0000000000400000-0x0000000000490000-memory.dmp
C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe
| MD5 | 0451ab717fb9d85d548df23d0f3d0596 |
| SHA1 | 4704da48917a13b6acfcc7ad18727b16bdef3274 |
| SHA256 | a6c3d2b564125c7fc51643e9f778e2404da45c2790a0d7f5d9f3bf8bb5acc35d |
| SHA512 | 8dd396656a8e7b09f81066f0c88ff3449c7ba02d34149f97f7021288366988478853266e62bbb93155e1ee660f939229f876eb6ff156aa78f13e80f6f60421b3 |
C:\Users\Admin\AppData\Local\Temp\TmpA7A5.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4600-228-0x0000000000400000-0x0000000000786000-memory.dmp
memory/1288-249-0x0000000005C20000-0x0000000005C96000-memory.dmp
memory/4600-226-0x0000000000400000-0x0000000000786000-memory.dmp
memory/1984-220-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1288-219-0x00000000050B0000-0x00000000050BA000-memory.dmp
memory/1288-250-0x00000000062F0000-0x000000000630E000-memory.dmp
memory/1984-217-0x0000000000400000-0x0000000000643000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CH6wiprYnjjiLcQcurMqpLJ8.exe.log
| MD5 | 99e770c0d4043aa84ef3d3cbc7723c25 |
| SHA1 | 19829c5c413fccba750a3357f938dfa94486acad |
| SHA256 | 33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5 |
| SHA512 | ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39 |
memory/4424-209-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1288-208-0x0000000004EE0000-0x0000000004F72000-memory.dmp
memory/4424-205-0x0000000000400000-0x0000000000490000-memory.dmp
memory/412-191-0x0000000000400000-0x0000000000641000-memory.dmp
memory/412-189-0x0000000000400000-0x0000000000641000-memory.dmp
memory/4028-168-0x0000000005800000-0x000000000599E000-memory.dmp
memory/1288-166-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2392-170-0x0000000000400000-0x0000000000486000-memory.dmp
memory/2344-162-0x0000000005B60000-0x0000000006104000-memory.dmp
memory/4028-161-0x0000000005600000-0x00000000057A0000-memory.dmp
memory/4192-164-0x0000000000C70000-0x0000000000CB4000-memory.dmp
memory/5116-256-0x0000000000C30000-0x00000000012B5000-memory.dmp
memory/1288-260-0x00000000063C0000-0x00000000063D2000-memory.dmp
memory/1288-259-0x0000000006480000-0x000000000658A000-memory.dmp
memory/1288-261-0x0000000006420000-0x000000000645C000-memory.dmp
memory/1288-258-0x0000000006930000-0x0000000006F48000-memory.dmp
memory/1288-264-0x0000000006590000-0x00000000065DC000-memory.dmp
memory/4756-263-0x0000000140000000-0x0000000141999000-memory.dmp
memory/4756-257-0x00007FFDFDD90000-0x00007FFDFDD92000-memory.dmp
memory/1128-154-0x0000000000740000-0x0000000000788000-memory.dmp
memory/2344-152-0x00000000053C0000-0x00000000055B2000-memory.dmp
memory/5116-132-0x0000000000C30000-0x00000000012B5000-memory.dmp
memory/2484-127-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3560-125-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-121-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-119-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-112-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-104-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-108-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/3560-102-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/2392-266-0x0000000009900000-0x0000000009966000-memory.dmp
memory/1848-272-0x000001AE73310000-0x000001AE73332000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dzynmyb.hzg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2392-279-0x000000000A4C0000-0x000000000A682000-memory.dmp
memory/2392-280-0x000000000ABC0000-0x000000000B0EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2c8179aaa149c0b9791b73ce44c04d1 |
| SHA1 | 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff |
| SHA256 | c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a |
| SHA512 | 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d79d1bd60b7247fd284d8602d6e69c14 |
| SHA1 | 597f223c49c70fe13d0b4e5440dd3b9a998c89e0 |
| SHA256 | 45903c738ea99da02de9bc04177db4e702574ff7b8b448016f107b769079e553 |
| SHA512 | a3f38b9ac86f8c7a93129502bc4f08aee02eaee70f41fb602c34a1c76562b5cca314c15727e01a73643cf17f5337a7b8f98da379860d139aabbd68e485251b09 |
memory/3556-359-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/2484-358-0x0000000000400000-0x0000000000414000-memory.dmp
memory/412-361-0x0000000000400000-0x0000000000641000-memory.dmp
memory/412-362-0x0000000000400000-0x0000000000641000-memory.dmp
memory/1984-363-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/412-391-0x000000001FA60000-0x000000001FCBF000-memory.dmp
C:\ProgramData\AAKKFHCFIECA\KFCBAE
| MD5 | 3cfabadfcb05a77b204fe1a6b09a5c90 |
| SHA1 | f106b5ed22265e64bc61dc5cf1e2d33ed12ec18d |
| SHA256 | 693617c470d7472e751d872341061cfb663f22ee95bdb42f9db01f02cb90df9c |
| SHA512 | d5502023a17213919e2e991f5ba2d0d2c08223fd489d876a47a37239b637d03ace9cb9b92deb71460ae4030194ca49ce9e9752e0bf2ccbcd297dc5afe62a4e7b |
memory/1288-433-0x0000000007830000-0x0000000007880000-memory.dmp
C:\ProgramData\AAKKFHCFIECA\FBFIJJ
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
memory/4600-441-0x0000000000400000-0x0000000000786000-memory.dmp
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\Liliafer\msptjhkfda.exe
| MD5 | 35b8c1c64fe230be546ef57fc2402c09 |
| SHA1 | 06a4298da56d14b37f051171463603cc43727f3a |
| SHA256 | f5a0022c0b4669fa4a8f89fe75b0f230afc6e4d3c31bded8d6d4328fbb76d5bf |
| SHA512 | 18ce36ae35ec32963ddb92c9dc63a200e952d9b0e21e2dcca9878324c67294997fc394479d74af4b293cefc7a3ce993695bf8bcbfcf5088553c797b66e11b44b |
memory/4888-472-0x00000000007D0000-0x0000000000B8B000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | 0d30b26812fb8c2034fdc0745ea88f45 |
| SHA1 | 9d343115c9dda2ba65586e050039c9c76bd661a2 |
| SHA256 | 8b803d7d3573c69906b3b727b5371ac4b96716ec7da19f665e35d726b459b9eb |
| SHA512 | 766d22004a4875331941a16def585e394299bb55c09b10311b873a088fde727f2779948791947e6c2fa78efee21487f5ded52acae6ea05bceeaae546b2b81aea |
C:\ProgramData\vcruntime140.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4888-483-0x00000000007D0000-0x0000000000B8B000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\ECGDHDHJEBGHJKFIECBG
| MD5 | 1c2c324da992245af106bf761a855edf |
| SHA1 | 37e5796ed02a41a9815ea17bee2e9585d8e6546c |
| SHA256 | d055e09d3e677766d727ac057991ecd25b7eeb417b418b3945ec32fd7bf883f3 |
| SHA512 | 870e468a7ce5fef23df4a4434afd0e3ef84ba6fcc100922c96b6bb38399fce48c54f493d8188ec3f4de30acdfcbc9a1675ac5852aa1f58c1141015a3a2e37863 |
C:\ProgramData\EGIIJDHCGC.exe
| MD5 | 463fa073a06a2d19d0a8395d94d12fb4 |
| SHA1 | 257b18e3d4c1004afafce8c2ff7c604a459abef9 |
| SHA256 | 48c76c428ef4e3e11a2ab4e3e0689465415d0c491179709c70f89067e096cd8f |
| SHA512 | ccac763a4c8744fd6493822d3399fbf8066d5f0465004d20be92dde7ca6b47932b1d6988dde536e9a3d9ae58856ef1f9406909bca6215fe45f02294cc0121f63 |
memory/1936-515-0x00000000007C0000-0x0000000000824000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminAKFHCAKJDB.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8M42AOWL\sql[1].dll
| MD5 | 90e744829865d57082a7f452edc90de5 |
| SHA1 | 833b178775f39675fa4e55eab1032353514e1052 |
| SHA256 | 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550 |
| SHA512 | 0a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323 |
C:\ProgramData\GIJDGCAEBFII\BFBFBF
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\ProgramData\GIJDGCAEBFII\BFBFBF
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\ProgramData\GIJDGCAEBFII\FHCBGD
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 00:02
Reported
2024-09-01 00:07
Platform
win11-20240802-en
Max time kernel
80s
Max time network
291s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Credentials from Password Stores: Credentials from Web Browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk | C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Wine | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 45.155.250.90 | N/A | N/A |
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe" | C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminDHCBAEHJJJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\AdminDBGHDGHCGH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Liliafer\msptjhkfda.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Liliafer\msptjhkfda.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe
"C:\Users\Admin\AppData\Local\Temp\1725148829.119856_File.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exe
C:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exe
C:\Users\Admin\Documents\iofolko5\smwwhSUC4AZ0GbZTP8GgiADp.exe
C:\Users\Admin\Documents\iofolko5\smwwhSUC4AZ0GbZTP8GgiADp.exe
C:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exe
C:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exe
C:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exe
C:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exe
C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe
C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe
C:\Users\Admin\Documents\iofolko5\rAs41tWSCPhv90DNdLRTzmYd.exe
C:\Users\Admin\Documents\iofolko5\rAs41tWSCPhv90DNdLRTzmYd.exe
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe
C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe
C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe
C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp" /SL5="$8027A,3429829,54272,C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe
"C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe"
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe
"C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe
"C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe
"C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe" -i
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Windows'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Recovery'"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHCBAEHJJJ.exe"
C:\Users\AdminDHCBAEHJJJ.exe
"C:\Users\AdminDHCBAEHJJJ.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDBGHDGHCGH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\AdminDBGHDGHCGH.exe
"C:\Users\AdminDBGHDGHCGH.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Liliafer'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%USERPROFILE%\Desktop'"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1276
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
C:\Liliafer\msptjhkfda.exe
C:\Liliafer\msptjhkfda.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "VIFLJRPW"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "VIFLJRPW" binpath= "C:\ProgramData\xprfjygruytr\etzpikspwykg.exe" start= "auto"
C:\ProgramData\EGCGHCBKFC.exe
"C:\ProgramData\EGCGHCBKFC.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "VIFLJRPW"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
C:\ProgramData\KJDGDGDHDG.exe
"C:\ProgramData\KJDGDGDHDG.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2452 -ip 2452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2452 -ip 2452
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1248
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KJEHJKJEBGHJ" & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2452 -ip 2452
Network
| Country | Destination | Domain | Proto |
| US | 150.171.27.10:443 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| US | 20.189.173.7:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 185.143.223.148:80 | 185.143.223.148 | tcp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| RU | 176.113.115.33:80 | 176.113.115.33 | tcp |
| CH | 179.43.188.227:80 | 240812161425945.tyr.zont16.com | tcp |
| US | 8.8.8.8:53 | 227.188.43.179.in-addr.arpa | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| DE | 77.105.164.24:50505 | | tcp |
| CZ | 46.8.231.109:80 | 46.8.231.109 | tcp |
| DE | 147.45.47.36:30035 | | tcp |
| FI | 95.216.107.53:12311 | | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 104.21.58.213:443 | locatedblsoqp.shop | tcp |
| US | 104.21.67.155:443 | traineiwnqo.shop | tcp |
| CH | 147.45.44.104:80 | 147.45.44.104 | tcp |
| US | 3.230.74.9:443 | httpbin.org | tcp |
| US | 104.21.10.172:443 | condedqpwqm.shop | tcp |
| DE | 45.76.89.70:443 | pool.hashvault.pro | tcp |
| GB | 95.164.119.162:80 | stadiatechnologies.com | tcp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| FR | 147.45.68.138:80 | 147.45.68.138 | tcp |
| RU | 185.215.113.100:80 | 185.215.113.100 | tcp |
| GB | 95.101.143.201:443 | r.bing.com | tcp |
| US | 20.189.173.7:443 | browser.pipe.aria.microsoft.com | tcp |
| SE | 45.155.250.90:53 | ayyenbi.ru | udp |
| CH | 185.196.8.214:80 | ayyenbi.ru | tcp |
| NL | 89.105.201.183:2023 | | tcp |
| US | 8.8.8.8:53 | 214.8.196.185.in-addr.arpa | udp |
| CH | 185.196.8.214:80 | ayyenbi.ru | tcp |
| NL | 89.105.201.183:2023 | | tcp |
Files
memory/1976-0-0x00000000747BE000-0x00000000747BF000-memory.dmp
memory/1976-1-0x00000000005D0000-0x0000000000D4A000-memory.dmp
memory/1976-2-0x0000000005870000-0x000000000590C000-memory.dmp
memory/1976-3-0x00000000747BE000-0x00000000747BF000-memory.dmp
memory/1976-4-0x00000000747B0000-0x0000000074F61000-memory.dmp
memory/1976-5-0x0000000005B50000-0x0000000005F36000-memory.dmp
memory/1976-6-0x0000000007170000-0x0000000007424000-memory.dmp
memory/1976-7-0x0000000005270000-0x0000000005292000-memory.dmp
memory/1380-8-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-12-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-13-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-10-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1976-14-0x00000000747B0000-0x0000000074F61000-memory.dmp
memory/1380-19-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-23-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-22-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-21-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-20-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-18-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-24-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-17-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-15-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-16-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-28-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\Documents\iofolko5\gMXDcsqBIr2c0Kn7Kw0fInmz.exe
| MD5 | 4847d6885adc7ea78fdf9918c384cecb |
| SHA1 | 9eb0ce983f5a81300f18331b4899e03692fea6ef |
| SHA256 | 2954dec8276af3d7c60154c2afb2ae360d696c6a90eb779fd9e380848c6fd8cc |
| SHA512 | e9b4d83425344b7137477105ee474c114f098d6c6e41d7bdfb47fb5902e32ba5c91ae9b9a3629dbad0ce4151bbf9d880c80dbfd5002d77da9ad88e8aa67f41fe |
C:\Users\Admin\Documents\iofolko5\mexBLkBRJ6MTJ877Z4GVTnkU.exe
| MD5 | fdcc68a75a0e43485921c995d7b30aa5 |
| SHA1 | 904c066f7a5aa391a105de475fe0621ea9434a67 |
| SHA256 | 350cdb47086ec6370f72779d1851953c3d12a91f0e6b59571be703a4538bbc48 |
| SHA512 | 11df46188805f1b943c4e4885eabcd66aa146c222f6863e1110a964d7d313587dd7ad3558380152ddf62980160b4580c2ec9f497ab41b7ed48a5d46de0b8fdbd |
C:\Users\Admin\Documents\iofolko5\smwwhSUC4AZ0GbZTP8GgiADp.exe
| MD5 | 01a3155b62c88c17d864f9fd78745902 |
| SHA1 | ad629d70451330123fcd8c98e6a05406c4aea050 |
| SHA256 | 82475d4397b6d833a0b170945b7fb607eb82e3609dc35dc51f04884be3a91155 |
| SHA512 | e61debb7a875414fa8af8baa28847fd852c719da94107e98a5209b96cd09dab99f3d291ddd7692b1074bf95a8d8e624423264d0ac524e9ff7a2e174acddc0a42 |
C:\Users\Admin\Documents\iofolko5\4mC5Y7nbNcRWOrRVz0zXSAEn.exe
| MD5 | 68da26c2c1d0d040a86cc3910a40d287 |
| SHA1 | b374f418f3d086868f661ae2108a71e8eb70dcfa |
| SHA256 | 0904ef6ec1a22ab31adf07bb35bb0667603c574032da3e6004fb1592cea15b06 |
| SHA512 | 09b0647bf8e9d01bb36cf90cc82ecd33d545586ffa7ef14bf903f796739bc1c3c0986aa0f71851407434fc215214acb082fd6e95a24ca027a1d51982a1841b08 |
C:\Users\Admin\Documents\iofolko5\mKStypmO9XJBkkW_xjsAmIse.exe
| MD5 | 1b4e6b62027f8ee24d3401c9ec96f672 |
| SHA1 | 6bb4152446cd1ed5752f81f7ba4053b8e12d0852 |
| SHA256 | d30d079e3e347e11a8d8ebd5ec025367968147b52d47d15c61a7bc48e0fbeee2 |
| SHA512 | bf8a779100c87206018926bc077ffd23bdce02fe5f47518e528e747b0ed83f60972d98abdf618ac514f8ac87250488fe0cab7756bc11ba18686e0d45c1c0dffc |
C:\Users\Admin\Documents\iofolko5\XsCYtOTiVYve210PxDhWTnr7.exe
| MD5 | bd2891236510c953d469e346d092f0c7 |
| SHA1 | 6409a3259b18ecf91d2ff6a43ff319c2f8158be2 |
| SHA256 | 1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44 |
| SHA512 | 409abb8ce3382297bb669e7b7edfa44b0c2166831a6212223237245cba0595cf35592ec9755c839a69372bd0a4e96c74b98e7bca375a82b3e0707658d4b5802d |
C:\Users\Admin\Documents\iofolko5\Mi84AzKrGhypOtRmSnf01zgl.exe
| MD5 | 19206462deb8093a24b063f75c0f88a0 |
| SHA1 | 294b76a6e7dceadde162e682c69115151edd8d73 |
| SHA256 | a672db5e7e34e662bbf17075a2076dc0b3479f75a49982c77e575077813ace94 |
| SHA512 | 426db34d5128e3071f766bf937b04959b90016448311789b97fb8b39d214f4129818e2b24e4c068eb3d1d1ef45be82bd16139f2db0eecb7c6d7b2c57001f06e8 |
C:\Users\Admin\Documents\iofolko5\Pel8pScpUBUSRZz0eAWFVlyQ.exe
| MD5 | d4ac1a0d0504ab9a127defa511df833e |
| SHA1 | 9254864b6917eba6d4d4616ac2564f192626668b |
| SHA256 | a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848 |
| SHA512 | 59b707d1c4f3c66337ec2f913de4b3506786a31108fc621bdbe7201490e91b0f7b70505763f71d53eee0eaacf477dc6ef9cd50769881654daf1b678eaaf994c5 |
C:\Users\Admin\Documents\iofolko5\rAs41tWSCPhv90DNdLRTzmYd.exe
| MD5 | 025ebe0a476fe1a27749e6da0eea724f |
| SHA1 | fe844380280463b927b9368f9eace55eb97baab7 |
| SHA256 | 2a51d50f42494c6ab6027dbd35f8861bdd6fe1551f5fb30bf10138619f4bc4b2 |
| SHA512 | 5f2b40713cc4c54098da46f390bbeb0ac2fc0c0872c7fbdfdca26ab087c81ff0144b89347040cc93e35b5e5dd5dc102db28737baea616183bef4caecebfb9799 |
memory/1380-107-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-105-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-115-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-125-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JLIJ6.tmp\mexBLkBRJ6MTJ877Z4GVTnkU.tmp
| MD5 | 38deb275b04a61c5837ef9597e066fcd |
| SHA1 | c389def26f07be7c4f44e1d3b686ed52de401753 |
| SHA256 | 346d652d50dd304ef8eafa8ffcc3b959363d006bb97a96caba169cde8c3cbc8e |
| SHA512 | 385a604f61e8a2c4dd1610a34361b1248491639961f891db509e45890457ff647c6305390ebfbde5a26ce29c748a87f422840d2935be2988d5aeb9bbfd95cb62 |
memory/4268-142-0x0000000000730000-0x0000000000D7C000-memory.dmp
memory/3312-153-0x0000000000760000-0x00000000007A8000-memory.dmp
memory/4212-138-0x00000000009F0000-0x0000000000CE2000-memory.dmp
memory/2600-132-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2264-137-0x00000000001A0000-0x0000000000825000-memory.dmp
memory/1380-123-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-119-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/2820-162-0x00000000004E0000-0x0000000000544000-memory.dmp
memory/1452-164-0x0000000000400000-0x0000000000452000-memory.dmp
memory/4212-168-0x0000000005A80000-0x0000000005C1E000-memory.dmp
memory/4212-170-0x00000000055D0000-0x00000000055F2000-memory.dmp
memory/1508-182-0x0000000000400000-0x0000000000641000-memory.dmp
memory/1904-188-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1452-202-0x0000000004EC0000-0x0000000004F52000-memory.dmp
memory/1452-208-0x0000000004F70000-0x0000000004F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpCE38.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XsCYtOTiVYve210PxDhWTnr7.exe.log
| MD5 | 3ed4d7ca42ade54d0dedaf2f11b46e83 |
| SHA1 | 65a563e185b03f2c3a9764a38c15bbff1e3acc4f |
| SHA256 | a2e15cb4d04d01dcb2156d754dae42c92c7e1824dd260f306a5f834a467ce993 |
| SHA512 | 6e941fcd818b208fd4b17102f39239dcc10e50ca819e5fbbc9130917efd09dae18ba4d8c9a181d2582ccbd8ea52249551eb6265017a82b018b6a6b95087c8933 |
memory/1680-206-0x0000000000400000-0x0000000000486000-memory.dmp
memory/1452-239-0x0000000005B00000-0x0000000005B76000-memory.dmp
memory/1904-185-0x0000000000400000-0x0000000000490000-memory.dmp
memory/1452-246-0x00000000061B0000-0x00000000061CE000-memory.dmp
memory/2612-250-0x0000000000400000-0x0000000000786000-memory.dmp
memory/2612-251-0x0000000000400000-0x0000000000786000-memory.dmp
C:\Users\Admin\AppData\Local\Free Video Converter Max\videoconvertermax32_64.exe
| MD5 | 0451ab717fb9d85d548df23d0f3d0596 |
| SHA1 | 4704da48917a13b6acfcc7ad18727b16bdef3274 |
| SHA256 | a6c3d2b564125c7fc51643e9f778e2404da45c2790a0d7f5d9f3bf8bb5acc35d |
| SHA512 | 8dd396656a8e7b09f81066f0c88ff3449c7ba02d34149f97f7021288366988478853266e62bbb93155e1ee660f939229f876eb6ff156aa78f13e80f6f60421b3 |
memory/1452-255-0x0000000006280000-0x0000000006292000-memory.dmp
memory/1452-254-0x0000000006340000-0x000000000644A000-memory.dmp
memory/1452-256-0x00000000062E0000-0x000000000631C000-memory.dmp
memory/1452-257-0x0000000006450000-0x000000000649C000-memory.dmp
memory/1452-253-0x00000000067F0000-0x0000000006E08000-memory.dmp
memory/4268-179-0x0000000005540000-0x0000000005562000-memory.dmp
memory/1508-177-0x0000000000400000-0x0000000000641000-memory.dmp
memory/1508-184-0x0000000000400000-0x0000000000641000-memory.dmp
memory/1904-180-0x0000000000400000-0x0000000000490000-memory.dmp
memory/4268-173-0x0000000005930000-0x0000000005B22000-memory.dmp
memory/2796-258-0x00007FFC5B6B0000-0x00007FFC5B6B2000-memory.dmp
memory/4212-169-0x00000000061D0000-0x0000000006776000-memory.dmp
memory/2364-157-0x0000000000400000-0x0000000000643000-memory.dmp
memory/1704-161-0x0000000000F30000-0x0000000000F74000-memory.dmp
memory/4212-159-0x00000000058E0000-0x0000000005A80000-memory.dmp
memory/2364-155-0x0000000000400000-0x0000000000643000-memory.dmp
memory/2796-259-0x0000000140000000-0x0000000141999000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DQI9R.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1380-121-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/1380-111-0x0000000000400000-0x00000000005DF000-memory.dmp
memory/2364-263-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1380-102-0x0000000000400000-0x00000000005DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ooc3nmgm.2aw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/32-304-0x000001B8A9060000-0x000001B8A9082000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a9fa92a4f2e2ec9e244d43a6a4f8fb9 |
| SHA1 | 9910190edfaccece1dfcc1d92e357772f5dae8f7 |
| SHA256 | 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888 |
| SHA512 | 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 781da0576417bf414dc558e5a315e2be |
| SHA1 | 215451c1e370be595f1c389f587efeaa93108b4c |
| SHA256 | 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe |
| SHA512 | 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/1680-352-0x00000000093C0000-0x0000000009426000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 050567a067ffea4eb40fe2eefebdc1ee |
| SHA1 | 6e1fb2c7a7976e0724c532449e97722787a00fec |
| SHA256 | 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e |
| SHA512 | 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259 |
memory/1680-376-0x000000000A340000-0x000000000A502000-memory.dmp
memory/1680-383-0x000000000AA40000-0x000000000AF6C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1189a72e42e2321edf1ed3a8d5568687 |
| SHA1 | a2142fc754d6830de107d9d46f398483156f16a6 |
| SHA256 | 009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea |
| SHA512 | b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29 |
C:\Users\AdminDBGHDGHCGH.exe
| MD5 | 463fa073a06a2d19d0a8395d94d12fb4 |
| SHA1 | 257b18e3d4c1004afafce8c2ff7c604a459abef9 |
| SHA256 | 48c76c428ef4e3e11a2ab4e3e0689465415d0c491179709c70f89067e096cd8f |
| SHA512 | ccac763a4c8744fd6493822d3399fbf8066d5f0465004d20be92dde7ca6b47932b1d6988dde536e9a3d9ae58856ef1f9406909bca6215fe45f02294cc0121f63 |
memory/3980-405-0x0000000000F90000-0x0000000000FF4000-memory.dmp
memory/1044-409-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1044-411-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AdminDBGHDGHCGH.exe.log
| MD5 | bb27934be8860266d478c13f2d65f45e |
| SHA1 | a69a0e171864dcac9ade1b04fc0313e6b4024ccb |
| SHA256 | 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4 |
| SHA512 | 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb |
memory/1044-407-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34e3230cb2131270db1af79fb3d57752 |
| SHA1 | 21434dd7cf3c4624226b89f404fd7982825f8ac6 |
| SHA256 | 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39 |
| SHA512 | 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335 |
memory/2932-423-0x0000000000400000-0x00000000004BA000-memory.dmp
memory/2600-422-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2264-424-0x00000000001A0000-0x0000000000825000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0d1f09639656a53035ea14bb10d6e36c |
| SHA1 | c3e76231c631f26eee988c8d72db53002150ad9d |
| SHA256 | f437a53b1c3986583492450a06337658312f06c10cb302e353947e6a4fef0889 |
| SHA512 | 469aa860e902c156d62ef0ef804371896b5ca81c0b8e77f53922b4048479f876dde39866db394418984f6ff71e1e364a5506db7d4c2f1174f2358183a0dab087 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc349bca6af5d58c4d32aaa973a6120d |
| SHA1 | 00e9a04a3794cc0da7ac7613e812fac1cc3a57aa |
| SHA256 | 5e2069281396a765ad0d1468ca9244a5c816d35b4919f67c47ca5a368267a73c |
| SHA512 | a32cc7b654055614682a0458c709cab0b7396a64768848d7b0ef2e3a5c92e1924e5e5314b2ceb070efd614615f3704f0c86860daee9000d2549d505cf4cd7684 |
memory/2612-449-0x0000000000400000-0x0000000000786000-memory.dmp
C:\ProgramData\KJEHJKJEBGHJ\CGIDAA
| MD5 | 6205160b38ce34c90456d967715ca941 |
| SHA1 | fce483a831467c4f8b8cf9558ff753d1f1d4d340 |
| SHA256 | 5df07863dae25402f552f8cb599367a9e5d0f7e913648c07c163c1a4ff656407 |
| SHA512 | 9249ccfe3272002224f348bbffac93b59d1f207237a12e07e694ab38d3ecd198ea470596cb0114e6b29aedd7d90879c1ebddfe6c370be8eff401948c8345b7fb |
memory/1452-483-0x0000000008200000-0x0000000008250000-memory.dmp
C:\ProgramData\KJEHJKJEBGHJ\EGDGII
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\KJEHJKJEBGHJ\JEHIID
| MD5 | f9711ba270e571c3e7b88d12d2cbac7d |
| SHA1 | e72a7d8db8e674d7d5ae5e61b55075dedba7a9c0 |
| SHA256 | cabb2cab893db44aa94d3fb400eba2893699e3f58c0cf84b3f1aefbb30aa4e0e |
| SHA512 | a58048085d88d2532c61b7a3f7eac60a8fd8a1b9149bc15697746db89d2868e7be94cc2d0374c7322979277ecb29f70c8f14c6579075e8bb6c1e9a3f658cac72 |
memory/2392-526-0x0000000000F40000-0x00000000012FB000-memory.dmp
C:\Liliafer\msptjhkfda.exe
| MD5 | 35b8c1c64fe230be546ef57fc2402c09 |
| SHA1 | 06a4298da56d14b37f051171463603cc43727f3a |
| SHA256 | f5a0022c0b4669fa4a8f89fe75b0f230afc6e4d3c31bded8d6d4328fbb76d5bf |
| SHA512 | 18ce36ae35ec32963ddb92c9dc63a200e952d9b0e21e2dcca9878324c67294997fc394479d74af4b293cefc7a3ce993695bf8bcbfcf5088553c797b66e11b44b |
memory/2392-530-0x0000000000F40000-0x00000000012FB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R7CDL9JE\sql[1].dll
| MD5 | 90e744829865d57082a7f452edc90de5 |
| SHA1 | 833b178775f39675fa4e55eab1032353514e1052 |
| SHA256 | 036a57102385d7f0d7b2deacf932c1c372ae30d924365b7a88f8a26657dd7550 |
| SHA512 | 0a2d112ff7cb806a74f5ec17fe097d28107bb497d6ed5ad28ea47e6795434ba903cdb49aaf97a9a99c08cd0411f1969cad93031246dc107c26606a898e570323 |
C:\ProgramData\BKECBAKFBGDG\DHJECF
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\ProgramData\BKECBAKFBGDG\IEHJJE
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\ProgramData\BKECBAKFBGDG\AAEBAK
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
memory/2264-654-0x00000000001A0000-0x0000000000825000-memory.dmp