Analysis Overview
SHA256
aa8c1cae00d0bfdced58e5b0386caa3a76aa602e6d4ec4c98c84e97fc7429d0d
Threat Level: Known bad
The file AnaRAT.7z was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Modifies WinLogon for persistence
Gh0st RAT payload
njRAT/Bladabindi
Detect PurpleFox Rootkit
Gh0strat
PurpleFox
Remcos
StormKitty
AsyncRat
StormKitty payload
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
NirSoft MailPassView
NirSoft WebBrowserPassView
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: AppInit DLLs
Modifies Windows Firewall
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
UPX packed file
Looks up external IP address via web service
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Modifies registry class
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_win_path
outlook_office_path
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-09-07 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 03:29
Reported
2024-09-07 03:31
Platform
win7-20240708-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
PurpleFox
Remcos
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
njRAT/Bladabindi
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Event Triggered Execution: AppInit DLLs
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\DriverrHub\\$77Microsoft To Do.exe\"" | C:\Users\Admin\AppData\Local\1231234.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\62264.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe" | C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\zzzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzzz.exe" | C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe" | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cisco = "C:\\Users\\Admin\\Pictures\\Cisco\\VPNManager.exe" | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\ProgramData\NNYJZAHP\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\ProgramData\NNYJZAHP\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\it-IT\682643c589ab99 | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\All Users\Desktop\OSPPSVC.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe"
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
"C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
"C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
C:\Users\Admin\AppData\Local\62264.exe
"C:\Users\Admin\AppData\Local\62264.exe"
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
"C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
C:\Users\Admin\AppData\Local\1231234.exe
"C:\Users\Admin\AppData\Local\1231234.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
"C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
"C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
"C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
"C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zzzzz" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zzzz" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zzzzz" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12312341" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1231234" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "12312341" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\zzzz.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\1231234.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\OSPPSVC.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\egjtKZhlKS.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
"C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
C:\Users\All Users\Desktop\OSPPSVC.exe
"C:\Users\All Users\Desktop\OSPPSVC.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
"C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\brdeokmuxprbhwgcasdrbllojj"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\ltqxgdwnlxjgjkugjdptmpgxkxryuj"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\onvhhvhpzfbluqqkagkupcaoteazwulkp"
C:\Windows\system32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
"C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | odogwuvisual123.duckdns.org | udp |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| CN | 110.42.66.56:4321 | tcp | |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | agosto14.con-ip.com | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CH | 185.196.11.122:80 | 185.196.11.122 | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | sites-sing.gl.at.ply.gg | udp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | hostcobraserver.ddns.net | udp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| CN | 110.42.66.56:4321 | tcp | |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | twart.myfirewall.org | udp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | hostcobraserver.ddns.net | udp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 110.42.66.56:4321 | tcp | |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
Files
memory/2316-0-0x0000000074681000-0x0000000074682000-memory.dmp
memory/2316-1-0x0000000074680000-0x0000000074C2B000-memory.dmp
memory/2316-2-0x0000000074680000-0x0000000074C2B000-memory.dmp
\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
| MD5 | 385585748cd6feff767a913bd76c2457 |
| SHA1 | 1bedac2bc0da78c4dbaaf3914816d84f5c08f005 |
| SHA256 | 0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5 |
| SHA512 | 80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880 |
\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
| MD5 | 690c1b65a6267d6d0b201ba46089aabc |
| SHA1 | 9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39 |
| SHA256 | 244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f |
| SHA512 | cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a |
\Users\Admin\AppData\Local\62264.exe
| MD5 | f30e9ff8706f3ec72c82a74ee6328db9 |
| SHA1 | b526d52d22600b28892f898a717eb25779ef3044 |
| SHA256 | d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489 |
| SHA512 | a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6 |
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
| MD5 | 0dcc21bdebe05957ca2922be486abe22 |
| SHA1 | 8bcbd8a839a58e0050c17221e6a1cc775f07586b |
| SHA256 | 73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3 |
| SHA512 | 0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
| MD5 | 4ca15a71a92f90c56b53d9d03da17657 |
| SHA1 | 3d610aee0423eea84ad9dc0df7865e1bed982327 |
| SHA256 | ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1 |
| SHA512 | e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f |
C:\Users\Admin\AppData\Local\1231234.exe
| MD5 | 8f00376c7ee9fb1653dc2ae09afa5589 |
| SHA1 | 0005d278c062b496628e9c2a27043e87fc05689e |
| SHA256 | 6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18 |
| SHA512 | 2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9 |
\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
| MD5 | 1a83a244d9e90a4865aac14bc0e27052 |
| SHA1 | d2b65e7aed7657c9915f90f03d46902087479753 |
| SHA256 | 150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712 |
| SHA512 | f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f |
memory/2700-63-0x000000013F0A0000-0x000000013F0AE000-memory.dmp
\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
| MD5 | 4ef3177a2e94ce3d15ae9490a73a2212 |
| SHA1 | a34f47568ce7fcea97a002eebeae385efa98790c |
| SHA256 | 87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0 |
| SHA512 | 635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502 |
memory/2316-71-0x0000000004670000-0x00000000046FA000-memory.dmp
memory/2656-66-0x00000000010D0000-0x0000000001110000-memory.dmp
memory/2904-75-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2104-73-0x0000000000C10000-0x0000000000CAA000-memory.dmp
memory/2316-72-0x0000000004670000-0x00000000046FA000-memory.dmp
\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
| MD5 | e2100d88aca7c0a44ba9bb988ccd3916 |
| SHA1 | ddaf17adbc769556037bb4fbf4bce7065bf57ef3 |
| SHA256 | 75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688 |
| SHA512 | 5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5 |
\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
| MD5 | a6a1abaf12a28ea8f6553356c3bdcf57 |
| SHA1 | b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53 |
| SHA256 | f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76 |
| SHA512 | e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65 |
memory/2672-91-0x0000000000BF0000-0x0000000000CCC000-memory.dmp
memory/2316-92-0x0000000074680000-0x0000000074C2B000-memory.dmp
memory/2672-93-0x0000000000540000-0x0000000000546000-memory.dmp
memory/1972-94-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/1972-97-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/1972-99-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/2104-98-0x0000000000910000-0x000000000092E000-memory.dmp
memory/1972-96-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/2672-106-0x000000001B020000-0x000000001B1A4000-memory.dmp
memory/2672-107-0x0000000000550000-0x0000000000556000-memory.dmp
memory/1756-112-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/1756-113-0x0000000001E70000-0x0000000001E78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 21560cb75b809cf46626556cd5fbe3ab |
| SHA1 | f2eec01d42a301c3caacd41cddb0ef2284dbb5a6 |
| SHA256 | d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa |
| SHA512 | 21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db |
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
| MD5 | 4c8f3a1e15f370ca8afe2992902a6e98 |
| SHA1 | dc6324d924ac31bea4ad7e4dd6720ecdad3877dd |
| SHA256 | dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92 |
| SHA512 | b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0 |
memory/1092-123-0x0000000000190000-0x00000000001B0000-memory.dmp
memory/2448-131-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NW4BK931H45592EKXK7Z.temp
| MD5 | c630c1d4fbbc495530f7795b2b41c82f |
| SHA1 | e1c3f9dd207e5ecbaf9592faad39bc41cb86f9e2 |
| SHA256 | e299853c7fc2d70851897197914f80de5a02ed216da245f2f7ac3c6427468511 |
| SHA512 | 845d705b60254c035c536dbad59042e1f89926a06cc534690979c8aa2d1642f6f55a0341ef3d167550956c1a9454712bba1a9e12f01272c7cbefbaf3e552430c |
memory/2448-132-0x00000000022C0000-0x00000000022C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
| MD5 | de4824c195cf1b2bb498511ef461e49b |
| SHA1 | f15ca6d0e02c785cce091dbd716cd43e3f5a80bd |
| SHA256 | 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209 |
| SHA512 | b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a |
memory/2196-142-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
memory/2376-140-0x0000000001040000-0x0000000001096000-memory.dmp
memory/2672-144-0x0000000000BA0000-0x0000000000BAE000-memory.dmp
memory/2672-146-0x0000000000BD0000-0x0000000000BEC000-memory.dmp
memory/2672-150-0x0000000000BB0000-0x0000000000BBE000-memory.dmp
memory/2672-148-0x00000000020D0000-0x00000000020E8000-memory.dmp
memory/2672-152-0x0000000000BC0000-0x0000000000BCE000-memory.dmp
memory/2672-157-0x0000000002100000-0x000000000210E000-memory.dmp
memory/2672-155-0x00000000020F0000-0x00000000020FC000-memory.dmp
memory/2672-159-0x0000000002210000-0x000000000221C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B28K0R9OCQ6AUL1SG1IO.temp
| MD5 | 1d1255135b8ec863ac6543d4ee4fbce4 |
| SHA1 | b9da052f66b3b07b06435153f6b66528dda72474 |
| SHA256 | 6b9259938ecad529f7ca1c4559dbf3b4a0e33b35665fde9d2df929bd25b7e412 |
| SHA512 | a25a242adf9063018a8c5a7b791861310818031657e7932020b76ac7454bb876da4edadf0ad7b2bc844f9b080e5aaa9246eb7e07ecb340c0d483ef90cecd761b |
C:\Users\Admin\AppData\Local\Temp\egjtKZhlKS.bat
| MD5 | 14fc3f11b153ca5e6ef0d7617851a111 |
| SHA1 | 922bad6c77677529e65e87f76ccd5f42676ebd34 |
| SHA256 | 03aaa5f87980d3cead074e086782ec868bbce5765640c9fae99270fae6b61ffe |
| SHA512 | 63a8fb1deac361af866343b0c59f025b9fd5643685ab31726eea37bf57e517c46c8af8e03c76d3b7372f8ea8904966e6c5ce7fa6683cbda46e3fcbd582dcbed9 |
memory/2288-215-0x00000000028D0000-0x00000000028D8000-memory.dmp
C:\ProgramData\NNYJZAHP\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | 622612f0d0c64efaee69441b875aded0 |
| SHA1 | 6959b24d41566cb7f468503feca38c312e0b6a18 |
| SHA256 | 4bd34e42d5175064c1e7cffc2c552291bf0cd3f157616f2abc83e8b862ecbbb0 |
| SHA512 | 369b3cc119c15c10041b1f00ed0691ad43dece0031d219da8c430c2fba3991452adf851afdc0183afcccbe4dc5e84451dc899e1f2319d1f8428d0608560d72e9 |
memory/2904-309-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2904-308-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2104-310-0x0000000000250000-0x0000000000266000-memory.dmp
memory/2104-311-0x0000000005B90000-0x0000000005BE4000-memory.dmp
memory/2688-312-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-325-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-323-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-321-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-320-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2688-318-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-316-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2688-314-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2756-329-0x0000000000AC0000-0x0000000000B9C000-memory.dmp
memory/1632-339-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1632-338-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1632-330-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2564-348-0x0000000000400000-0x000000000058F000-memory.dmp
memory/2808-361-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-358-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-357-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2564-354-0x0000000000400000-0x000000000058F000-memory.dmp
memory/2808-353-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-352-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2808-350-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-362-0x00000000001C0000-0x0000000000242000-memory.dmp
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\BlockSelect.xlsx
| MD5 | e9faa70844e819a8a34f17ba51f29347 |
| SHA1 | ea7ad09cf4da18866dc9cef3e827e9c324a8db6c |
| SHA256 | 6a4225dc68dbf5d28868cdd31f3f06657659e239ebe917bc5af334c323b0a667 |
| SHA512 | 76b4f8b505fdd91c34ffda2f58d242a42ea9ed48d4a72ea8dd7f5360df3b093e414223bd23b6ca36e8afb7a7a63b3530cdcac7e036465fc2280217d821f98a8b |
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\ExportRead.bmp
| MD5 | 80458c50ddcdab61b4f0beeba470daa0 |
| SHA1 | aed0fbc7a831410fc203c9bc982104089f721e0c |
| SHA256 | 0a0b7729203eac13438933fca6d93c9f3f75938347efe9aa1dcf1383518a8c6d |
| SHA512 | 5cd0ac32bf07bd4825d42e3d6b8f457bea94d11dbc804393db91944c1c978da4fe29e151fe260f5b8f17d88dfff34776d0d5a0f08826e2c1371b17007eadd650 |
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\PingCompare.js
| MD5 | 06e53a3c4f811e3f2ec6b9537eb7abf5 |
| SHA1 | 319110069e006b3a8b19d48986ccbc04e143ee55 |
| SHA256 | bb340cf5cc4bbe6df54453fb1c870aa3b39c02b7b65c2447a0470ed5d8fc0778 |
| SHA512 | 80a227b983fdcfa38bfe215850eebe23944a41ca153d2a7570f2e28e74fc4d1b355c27ae361ae709fc9175515bb9ff5e8b36cebb8a375004205dc4dc4eb48468 |
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\RedoUnblock.css
| MD5 | afdc741a1304a65da0ce003a6eaa6c3a |
| SHA1 | f5e1fbeaad5067209e24970792a6619b73abc381 |
| SHA256 | 4bb40b716a05baddda8040bc1971ceb23d13d372059b1a3a14f9fa5bf9199af3 |
| SHA512 | f0f6e4c4b7ecbcc9b415fed960018ed78602408b9945342c11601ab01a27fdef1d68164700cade4699f0631fa6eeb17465ac78ab8bf93fad9c2e1dc2c64606e4 |
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\SaveMeasure.ppt
| MD5 | a2866baba3d49f8abea371b592de6a73 |
| SHA1 | 89ee627f7df114e7ad13b4ad6e7a0ba5be8a7791 |
| SHA256 | 3313bcdc4fef6a53d6de3c9dcdc9ec33bf2642f1ab2027bbce976d35943134ec |
| SHA512 | 5d947c44f0fda48d6bf856cd4c9be947428fe6711651c61646a38d8f3b1210d43e215aaf4340dd07ff3f7448e42f5d4a64fc47734ad2f54eaa6ad34b9bf33db3 |
C:\ProgramData\NNYJZAHP\FileGrabber\Desktop\SkipResume.rtf
| MD5 | 8f21bf6fd322f6b121286293a987c06d |
| SHA1 | 7fe4648d433637ab69285a325e2c1c5e9220cb09 |
| SHA256 | 6abb64f1823988c4efd32008a49ad15dee625b9d45bdd524b0af3556d2557619 |
| SHA512 | 516fafa6c3d158eb74a08442e6b7b6e6fe3caa8529574f0348ad9f8250dc937bc24ab0cb6a9dcecb7c2a1886384e1d9464f529342173e67dea8b6c6f2291a078 |
C:\ProgramData\NNYJZAHP\FileGrabber\Documents\CompressExpand.pdf
| MD5 | e8d10cf653f35a50c099cc50432f7fce |
| SHA1 | 3439cbee6680df96d83c9d51581b5b26c141a2d2 |
| SHA256 | 09e90e69ac27a607b249b868aaf889db165449faef137f375d225f4bea451d0a |
| SHA512 | a87f4747a835df9314e313d21145b098c6273aee37f664d398f88e4b5610069046e2c8d26d5e4bfc341cba42bff7f37daf6741f6fd24b1f462b47daabb9e039c |
C:\ProgramData\NNYJZAHP\FileGrabber\Documents\PingInstall.docx
| MD5 | 4851060ec0cadc22d5bc6f1cbf810d85 |
| SHA1 | 90d192d16dac939017d41b7d2c72251c4c66e6a3 |
| SHA256 | dc8da8bd2d99e6a0e41df2223c63a848cd2c89404a23be90f6f1a3b0502e97b6 |
| SHA512 | 51703941b598a46bffaa7feee97e8b136a17ca21521ac378a4e8cb4731ec98ab79d85c469473d2b1ae13eedaac29c259bcb29c1363877b42fd61d8989257aa0f |
C:\ProgramData\NNYJZAHP\FileGrabber\Documents\SuspendPublish.pdf
| MD5 | 83c5d15e0f9ddaae4c60b43aae987e7e |
| SHA1 | 1490e207440f82c2c6f03299cec32ec030cf6cab |
| SHA256 | 6f2f05110066ca866e9a390fc94c51e08daec362967b39b7a533e0d4839b5ef7 |
| SHA512 | 9399dcb41257bb8e95461d4612b8932261336de814268e3498c1791ddde7dac7d5bfdcd865c8c8a330ed8d6ce92596e7d7d09bc7ec496339b9ce534e76796c38 |
C:\ProgramData\NNYJZAHP\FileGrabber\Downloads\CompareRestore.txt
| MD5 | f5af125bcb1d1027bff05c91600c3724 |
| SHA1 | 7dfc756c72b447af0d45a0d4c7b02e8154951f3c |
| SHA256 | 23641d1dcab7f42354da9aa59c39b90805d415a7bcbf331646961ee2fc7bca90 |
| SHA512 | 4af3cc2baa415115b329e64b0ae4b1fb63c803ec94cdb481a74baa30848aa63aff77cbd4d0da84f8406461002b06ecd750f72ca0ef6a869295ec93cfaee18446 |
C:\ProgramData\NNYJZAHP\FileGrabber\Downloads\ConvertToPop.xlsx
| MD5 | f069d4049635838ac2823d361edb0392 |
| SHA1 | 27a60423d85517baef990ea3d84f9ecd5157c8c3 |
| SHA256 | 5df0822856fe80043f6025d67e7a8d00ed1b0c0bf674c369b8edc1a7a0db51c6 |
| SHA512 | 78d5248b87810aedbea1e8906f1ff082811add6f9ddc5239bcafb1a57ac9364fda3e0359c0df3446fd51bc516518c52380f6da6228be6555fd878a21db9636da |
C:\ProgramData\NNYJZAHP\FileGrabber\Pictures\InitializeUndo.bmp
| MD5 | 21d57bc2f9d8c30d15c7120f76dae308 |
| SHA1 | e8e7cd9e55ee9ebc64cc7843158b1c30c3f0bd2f |
| SHA256 | 61b23e885fbe30c54542d47506ed8b0c910614affc3a16c1ba610263873c1a73 |
| SHA512 | 71015ddd850aee0c53a7e1610a666df27acf79762135ac333a0b3298289da0c7acdbc4e4868988dd7ba0699ed97bb7b5141a1c1ab562fafa4870684a00d860b8 |
C:\ProgramData\NNYJZAHP\FileGrabber\Pictures\ResolveTest.bmp
| MD5 | 835a4d5ff00e119b32f573c9987e9c3d |
| SHA1 | 522031b3c21cb332c7197deb607b31cdea8c170c |
| SHA256 | 0388029d8ec40231f22b288fb52165973fa02b357115324cd981ff5bbf71e09e |
| SHA512 | 1fa43c10f3862e1fdebd64f37bb3587a9ade94e60e10ebeb449a263a70e61133f833b17ce4bc137c6b826e0b0592f589cae9fed16c0b69ff8b317c97ecb6ce0a |
memory/2808-456-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-458-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-459-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/1768-461-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2144-462-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2144-463-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2184-466-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2144-467-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2184-471-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2184-470-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2144-469-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1768-468-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1768-465-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2184-473-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2808-474-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/1768-480-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2808-482-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2904-483-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2808-484-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-544-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2808-545-0x00000000001C0000-0x0000000000242000-memory.dmp
memory/2144-546-0x0000000000470000-0x00000000005F1000-memory.dmp
memory/2144-548-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2904-549-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1A54.tmp.bat
| MD5 | fad26880a406054dce9a17006547dc61 |
| SHA1 | d206b5220986a63dc8948c32c25e88ed3b51696c |
| SHA256 | 65cff2b2083666f7b2e9059d0f963bad325566714334d0f3e53a93aee1740e5b |
| SHA512 | e58cdca2adab920bdb2eb95dbe259b384b4482a8c9b98a831c584d5f4f67e84e076e320dd614164ec71640e45919d29a7800d3402e5c4fc26f9565d903324399 |
memory/1700-593-0x000000013F9C0000-0x000000013F9CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3249.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar326B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1644-717-0x0000000000E20000-0x0000000000E4C000-memory.dmp
memory/1644-718-0x0000000000530000-0x000000000053C000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | a65f85e1a9b0821be88bd6110e5b6da6 |
| SHA1 | fba58fbf6258c56e059766413f65790b7b582d10 |
| SHA256 | fdae46e0ec6b2604c042dfe4caec04f3ca345c5dc3e6543e569d2cbc4d367437 |
| SHA512 | 6309cc9519e450aecb9efdf8c65f60b0a3592f7a256b6b08e02e83c4a223286a9aa4a7a1ea27fc118c87342744245ebd283d3f68403edb9aa46d5cc1545341ea |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 4b6d4727ca3c277e5af47092ec9e3ef1 |
| SHA1 | 8faea131181960c1f43ccee6a2b7bcdaa23fcd81 |
| SHA256 | 5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4 |
| SHA512 | 8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc |
memory/680-782-0x0000000000EE0000-0x0000000000F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.bat
| MD5 | 5caa639aea42a35722614a24553e6734 |
| SHA1 | 9a8c41f3524fb428187beda054954b1fa8947b93 |
| SHA256 | c2498c688896c00a47f8908b96c33a5d3e094f4486a42275df9d1749492be6a4 |
| SHA512 | 79e9d283543bcf4cbfe9f2865b45bf91c99f492b7839fa47c4f256ab984a11cb0e588023f0d2b5dead6481cd2eccfc42f32725bb8e07c6842af3749514e21e12 |
C:\Users\Admin\AppData\Local\Temp\zEFl46k9Yg
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\R1N1465zW7
| MD5 | a58d87b023e155c10b4e15fdfc6fcb06 |
| SHA1 | 0ee449b782aeac54c0406adde543f19ecd9dfd38 |
| SHA256 | 331b040f0bd7731b64e72a837ad86943379ff02e239c305d200108fe7e3c8c61 |
| SHA512 | 1965574101a71a640efb135a49c4a968fd5feb328779c33936047afb2209424b44fba3a1ccdacee959ce5a016f22b49c8b42dc543476b11f83df0feb1b080eae |
memory/1396-868-0x0000000000C60000-0x0000000000CFA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 03:29
Reported
2024-09-07 03:32
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
AsyncRat
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\Client.exe" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
PurpleFox
Remcos
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
njRAT/Bladabindi
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Event Triggered Execution: AppInit DLLs
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64805e9b9efcd75e104b05fad0cb2a4c.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe" | C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzzz.exe" | C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cisco = "C:\\Users\\Admin\\Pictures\\Cisco\\VPNManager.exe" | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\62264.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe" | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
Checks installed software on the system
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Multimedia Platform\dllhost.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File opened for modification | C:\Program Files\Windows Multimedia Platform\dllhost.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\5940a34987c991 | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\uk-UA\36588f4d270d4c | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IME\de-DE\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Windows\IME\de-DE\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Multimedia Platform\dllhost.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AnaRAT.exe"
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
"C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe"
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
"C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
C:\Users\Admin\AppData\Local\62264.exe
"C:\Users\Admin\AppData\Local\62264.exe"
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
"C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe"
C:\Users\Admin\AppData\Local\1231234.exe
"C:\Users\Admin\AppData\Local\1231234.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
"C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
"C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe"
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
"C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
"C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6516547941616161717718525885474758854141525263963699658854714525252586" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "651654794161616171771852588547475885414152526396369965885471452525258" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6516547941616161717718525885474758854141525263963699658854714525252586" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\IME\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\uk-UA\651654794161616171771852588547475885414152526396369965885471452525258.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\de-DE\RuntimeBroker.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7qjYWRE28c.bat"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\zzzz.exe'
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
"C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe"
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
"C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\yemhvifbxohdhu"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\ahrawaqulwzikizpz"
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbxkxtawzfrnuontjjco"
C:\Program Files\Windows Multimedia Platform\dllhost.exe
"C:\Program Files\Windows Multimedia Platform\dllhost.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Sub\Client.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp51E4.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe
"C:\Users\Admin\AppData\Roaming\DriverrHub\$77Microsoft To Do.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7B07.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | odogwuvisual123.duckdns.org | udp |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.138.123.206.in-addr.arpa | udp |
| CN | 110.42.66.56:4321 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| SG | 206.123.138.32:6767 | odogwuvisual123.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | agosto14.con-ip.com | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CH | 185.196.11.122:80 | 185.196.11.122 | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| US | 8.8.8.8:53 | 122.11.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.12.169.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | doddyfire.linkpc.net | udp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | sites-sing.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | hostcobraserver.ddns.net | udp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 110.42.66.56:4321 | tcp | |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | twart.myfirewall.org | udp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 8.8.8.8:53 | hostcobraserver.ddns.net | udp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| CN | 110.42.66.56:4321 | tcp | |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 147.185.221.16:61490 | sites-sing.gl.at.ply.gg | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| MD | 213.159.74.80:14143 | twart.myfirewall.org | tcp |
| RU | 89.169.12.1:80 | 89.169.12.1 | tcp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
| RU | 95.220.181.90:1335 | hostcobraserver.ddns.net | tcp |
| US | 8.8.8.8:53 | tibiaserver.ddns.net | udp |
| US | 154.216.20.171:7772 | agosto14.con-ip.com | tcp |
Files
memory/1060-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp
memory/1060-1-0x0000000074CA0000-0x0000000075251000-memory.dmp
memory/1060-2-0x0000000074CA0000-0x0000000075251000-memory.dmp
C:\Users\Admin\AppData\Local\0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5.exe
| MD5 | 385585748cd6feff767a913bd76c2457 |
| SHA1 | 1bedac2bc0da78c4dbaaf3914816d84f5c08f005 |
| SHA256 | 0430dc1af2f95a33401d17b84b314a48cf619c9cae8e7fb8376466ca96ba8ec5 |
| SHA512 | 80619ee207d6c5a352d811405c40bcb9043fb2b2759ad40575e03e9e7b89f4ad55f6bc01dfe62a64b42dcd9b3b5bfef10503ce72f4efa0d2e39546f92047a880 |
C:\Users\Admin\AppData\Local\690c1b65a6267d6d0b201ba46089aabc.exe
| MD5 | 690c1b65a6267d6d0b201ba46089aabc |
| SHA1 | 9eb6859bae82bcf8b9df7cf4fc061cd9155fdc39 |
| SHA256 | 244f3a2fad1afa232909355901f33cca18ea95444c5d142c7aa308170db5294f |
| SHA512 | cc540851386a3b98227822b2c952a57caf15db4563f9c246b8be5bca0989aaff70e64191d010738db86598d76dd8ad4e59a50965224db9f623edb64f2f8b3e2a |
C:\Users\Admin\AppData\Local\62264.exe
| MD5 | f30e9ff8706f3ec72c82a74ee6328db9 |
| SHA1 | b526d52d22600b28892f898a717eb25779ef3044 |
| SHA256 | d22bf8ad4fc9b769ea2944bbdee78277ab29bac7199407baf7c3b489568a9489 |
| SHA512 | a21220d5f1818c9c5aa55cf8560365888046a090b8892a9d87919b48ac921bd2fdfd6016ace77fa8205fde067c7d45cb01032a47f4325fcac560361d66cc58f6 |
C:\Users\Admin\AppData\Local\73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3.exe
| MD5 | 0dcc21bdebe05957ca2922be486abe22 |
| SHA1 | 8bcbd8a839a58e0050c17221e6a1cc775f07586b |
| SHA256 | 73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3 |
| SHA512 | 0752ba22340fd3383132243580cb28a147e67b42bb920af8c0fde491d550556fdfa296e70d94f2ce9798faddd0dad4664e2c2edda8f6604b9ba9e63e8f875e0f |
C:\Users\Admin\AppData\Local\1231234.exe
| MD5 | 8f00376c7ee9fb1653dc2ae09afa5589 |
| SHA1 | 0005d278c062b496628e9c2a27043e87fc05689e |
| SHA256 | 6d2223ee967236cbc2c35809fce753553cfdb0aac7ba34e7087e19d61eecaa18 |
| SHA512 | 2512a5b67867c7c1cfbc19f7adc7ad56c3a2bf821f0c74341d0e69ee89dc20bbdc9118714d67ada6a846edced58afc6d01b0fe7560f2166e02c9044f85bc00f9 |
memory/4996-61-0x0000000000CC0000-0x0000000000CCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SCRIPT~1.EXE
| MD5 | 4ca15a71a92f90c56b53d9d03da17657 |
| SHA1 | 3d610aee0423eea84ad9dc0df7865e1bed982327 |
| SHA256 | ab532f166e08886166c0ed6426bb6a8998de8273d37ccac5823528a1ba3d8ca1 |
| SHA512 | e0d9e11b9a0fb84bab21cbe4638ead80319a9b38ed810a59a612ab844331adec32f2499425b0d9269f2eb3714e497ad31c9bdfded1f829533cc77bf2dea6464f |
C:\Users\Admin\AppData\Local\150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712.exe
| MD5 | 1a83a244d9e90a4865aac14bc0e27052 |
| SHA1 | d2b65e7aed7657c9915f90f03d46902087479753 |
| SHA256 | 150704149f7e54c4f7cbdb776f33173979791bc0c625f42477815923d13f8712 |
| SHA512 | f4b9d26d8a0841f9425abf038f85563ddee65e2404bc508fd23c8023bb565fd7f0ceaeaadde49c4951d3bbbb93f6b64b3cf610464855a2bf2d418477dd4fe03f |
memory/2968-82-0x0000000000820000-0x00000000008BA000-memory.dmp
memory/2968-95-0x0000000005150000-0x00000000051E2000-memory.dmp
C:\Users\Admin\AppData\Local\172407564549f9f59ff9210a9f3b93f8551fc2fdf5aeb80c40ec13c403393d131f4191de51907.exe
| MD5 | 4ef3177a2e94ce3d15ae9490a73a2212 |
| SHA1 | a34f47568ce7fcea97a002eebeae385efa98790c |
| SHA256 | 87353d18dfdebf4d0747bbf21d58adaed2b04060d61cba3fa052d522640520f0 |
| SHA512 | 635ce5c0d1b9f7dd5d7b4c00f216af06dc7d818132ba87a57d3d54f6b30ee01f64430d2aa265f60027cc58dc2e738d5b674ee36ffdca34ff540ce44b7da7c502 |
memory/2968-84-0x0000000005640000-0x0000000005BE4000-memory.dmp
memory/8-97-0x0000000000BA0000-0x0000000000BE0000-memory.dmp
memory/2968-96-0x0000000005270000-0x00000000055C4000-memory.dmp
C:\Users\Admin\AppData\Local\a6a1abaf12a28ea8f6553356c3bdcf57.exe
| MD5 | a6a1abaf12a28ea8f6553356c3bdcf57 |
| SHA1 | b7613fb9944bc3d8e11b5eb6f7ff706f04e8ad53 |
| SHA256 | f2507211585dfe351ff53086f30b42572db223b2646e45f91b7f3e202bb0bb76 |
| SHA512 | e525d119128c1ca1c05d379b9ebba9791b7b15390c8999773bff6517fde674178e17ee2c7c126b249c8c54b4dd1c07326ba24d52c8c192f067bc7e8545113a65 |
memory/452-94-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Local\651654794161616171771852588547475885414152526396369965885471452525258.exe
| MD5 | e2100d88aca7c0a44ba9bb988ccd3916 |
| SHA1 | ddaf17adbc769556037bb4fbf4bce7065bf57ef3 |
| SHA256 | 75f846b15fa1b548a0143f35584b25875a03c03a783e9310c8573f3b76957688 |
| SHA512 | 5b7fb077ea9d7d1310db3eb26b6624e3d12fe9f3d55d0a37d57c28197dab7e05449c6611d5b9a02f054d8ad790e12050228c8d7b913bb55e3f2b0da694c67ec5 |
memory/2968-109-0x0000000005DA0000-0x0000000005E3C000-memory.dmp
memory/2968-108-0x00000000055D0000-0x00000000055DA000-memory.dmp
memory/1060-114-0x0000000074CA0000-0x0000000075251000-memory.dmp
memory/1612-115-0x0000000000040000-0x000000000011C000-memory.dmp
memory/1612-116-0x00000000007B0000-0x00000000007B6000-memory.dmp
memory/2968-117-0x0000000006F30000-0x0000000006F4E000-memory.dmp
memory/464-120-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/464-121-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/1612-122-0x000000001B090000-0x000000001B214000-memory.dmp
memory/1612-124-0x00000000007C0000-0x00000000007C6000-memory.dmp
memory/464-123-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/464-118-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/1612-132-0x00000000021A0000-0x00000000021AE000-memory.dmp
memory/1612-135-0x000000001AD10000-0x000000001AD60000-memory.dmp
memory/1612-137-0x00000000023D0000-0x00000000023E8000-memory.dmp
memory/1612-134-0x00000000021D0000-0x00000000021EC000-memory.dmp
memory/1612-139-0x00000000021B0000-0x00000000021BE000-memory.dmp
memory/1612-143-0x00000000023F0000-0x00000000023FC000-memory.dmp
memory/1612-141-0x00000000021C0000-0x00000000021CE000-memory.dmp
memory/1612-145-0x0000000002400000-0x000000000240E000-memory.dmp
memory/1612-147-0x0000000002410000-0x000000000241C000-memory.dmp
memory/2556-157-0x000001EF5CAA0000-0x000001EF5CAC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojiyt3tq.gyb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svchost.exe
| MD5 | 4b6d4727ca3c277e5af47092ec9e3ef1 |
| SHA1 | 8faea131181960c1f43ccee6a2b7bcdaa23fcd81 |
| SHA256 | 5fb62cc6421cf636023381cc6fd5a06e3b326a58ea3d3ce9c879f1cc408519f4 |
| SHA512 | 8a1814ec549a42771cbe83fe7612d7e269af27d092a5c0ae685e92772dc7effd2b14829090f0b12edfbabeb9804f80558f2b316efb4f48a6a3b500b1172c2bbc |
memory/2152-211-0x00000000002F0000-0x000000000031C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7qjYWRE28c.bat
| MD5 | 368e377e5f12ec82959cbea43e28ad3b |
| SHA1 | 493b18dfae336e65419b0bc53a4c5db1e3fffb37 |
| SHA256 | 80719acc858f473c0c4692e4243f2d68e7708b93218c41a10b0a0cfb1f251ab1 |
| SHA512 | e600cd875e4be0186f6f815f53a5d09aa504f108122bcf2abafdea418705671d08f51ed11ad83fd22d4f52e76a5e24af36a80dc7c72b28d12978aec4235ecb1d |
memory/2152-232-0x0000000005750000-0x000000000575C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Client.exe
| MD5 | 21560cb75b809cf46626556cd5fbe3ab |
| SHA1 | f2eec01d42a301c3caacd41cddb0ef2284dbb5a6 |
| SHA256 | d2525bab5cb322933c8978880975e0c189feece68ae3f1951bf46297c7f640fa |
| SHA512 | 21eac0037b16f968ee8743b52dc73efdd34d24c2502d090b399a552dc6cb75f7d3090c10d448c66b868b1c4a7c46a5068b084b88b487e40b1e755356cb7557db |
C:\Users\Admin\AppData\Local\Temp\Launcher.exe
| MD5 | 4c8f3a1e15f370ca8afe2992902a6e98 |
| SHA1 | dc6324d924ac31bea4ad7e4dd6720ecdad3877dd |
| SHA256 | dcdc72549f7ad41cc860738adbeee5e44f02222415fd84ed5c92538ac9049b92 |
| SHA512 | b63c4e48f3024edcf1e1391b5df6ff65fc5111849eb093b429fa0f21c03339dbaeff835f18e250758498f3432874b85348530e47b2ada93f6f68615a5ccf66c0 |
memory/1332-253-0x0000000000420000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
| MD5 | cb46ba61effbdd59efb0a9a83d65ab64 |
| SHA1 | bcb0d85b0f98fdb473115e0fdfcf9cb757ac5ca5 |
| SHA256 | 9ea12d40d73546ddc087cec87954ab07de5dfe8ff8226242a2c3dabb9355011e |
| SHA512 | 1d2f3ad76c6480f4a193347e37dfc291e66eebb11e973fce219b174e13c0dc0953121dea8f1523fb68f8da90cb677367f6927c99d875f2f40f1005247f72d9dd |
memory/452-278-0x0000000000400000-0x000000000048A000-memory.dmp
memory/452-277-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 54522d22658e4f8f87ecb947b71b8feb |
| SHA1 | 6a6144bdf9c445099f52211b6122a2ecf72b77e9 |
| SHA256 | af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a |
| SHA512 | 55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba |
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
| MD5 | de4824c195cf1b2bb498511ef461e49b |
| SHA1 | f15ca6d0e02c785cce091dbd716cd43e3f5a80bd |
| SHA256 | 51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209 |
| SHA512 | b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a |
memory/5004-302-0x00000000004F0000-0x0000000000546000-memory.dmp
memory/2968-334-0x0000000006740000-0x0000000006756000-memory.dmp
memory/2968-335-0x00000000093C0000-0x0000000009414000-memory.dmp
memory/3948-338-0x0000000000400000-0x0000000000412000-memory.dmp
memory/5004-344-0x00000000065D0000-0x0000000006636000-memory.dmp
C:\Users\Admin\AppData\Roaming\DSEYXUOD\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/3236-379-0x0000000000400000-0x000000000040C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.zip
| MD5 | b3609673caf3522ae50fe7b2f69b46f2 |
| SHA1 | c14f39aa78398030b84ab6b3d36014483b97a520 |
| SHA256 | c2423419d653bf31077eb40ad665590445b5baac4f82948822c8ed55fc009c4d |
| SHA512 | be15ca57e7b80049c35a37f216fb1387b89d68440494c81e7e8b21644dbab8ab161119a37475ad873d144ceae105ec2c61097f0c115f078cde961bc38e6f28b5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\script-error.xml
| MD5 | fdb26e74f4d6ca3a02af55b15fcca7f2 |
| SHA1 | 7d990a1a4062fc3f0ae117dc72f47bcb3ef66425 |
| SHA256 | 49704e6fd30fc98988f40be963296c81b95662d7f3af605c372cd0344ab78e1b |
| SHA512 | 36a82624ee8173bacffdf978e00f9c5ffe96bd6b27ba1230f2891a11bc301908ed6ea790c75669219c7445489806f00ba67eda2ea7346396ca3304e02c6fec7d |
memory/368-433-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1856-436-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-440-0x0000000000590000-0x0000000000612000-memory.dmp
memory/368-438-0x0000000000400000-0x000000000058F000-memory.dmp
memory/1856-445-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-442-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-447-0x0000000000590000-0x0000000000612000-memory.dmp
memory/792-459-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2284-463-0x0000000000400000-0x0000000000462000-memory.dmp
memory/792-462-0x0000000000400000-0x0000000000478000-memory.dmp
memory/792-465-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2284-468-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2284-466-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4976-477-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4976-478-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2284-479-0x0000000000470000-0x0000000000539000-memory.dmp
memory/2284-481-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4976-472-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2284-467-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4976-484-0x0000000000400000-0x0000000000424000-memory.dmp
memory/792-499-0x0000000000400000-0x0000000000478000-memory.dmp
memory/452-505-0x0000000010000000-0x0000000010019000-memory.dmp
memory/452-506-0x0000000010000000-0x0000000010019000-memory.dmp
memory/452-502-0x0000000010000000-0x0000000010019000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yemhvifbxohdhu
| MD5 | 2538ec9e8425a905937573069b77d4c2 |
| SHA1 | ad0c2b7aff4382e23444d26adac96d9697b849f3 |
| SHA256 | 29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e |
| SHA512 | a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c |
memory/1856-520-0x0000000000590000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Roaming\DSEYXUOD\Process.txt
| MD5 | 69cb685b31a66ede9de355744a6e7ee7 |
| SHA1 | ccadcc2a0dce5b5e415b701b5cdd932406d8572f |
| SHA256 | 1264acc71eb1b8a3b10c15c1d2db985e1176b3f13d990a1bbd9be4bc686bc0e8 |
| SHA512 | 0c3aaee7d23c07c23eb70ed64335c82aec6b069f714db5c75a0dde5b3c4cfcf954fa79253cdb9a3a8cf074e22b066c618f5e8ffc289ff5664c47659a219cecb2 |
memory/1856-546-0x0000000000590000-0x0000000000612000-memory.dmp
memory/452-556-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1856-561-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-563-0x0000000000590000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Desktop\SetHide.svg
| MD5 | e057ed31b7e3101373411e490f144ff5 |
| SHA1 | 117a086748ae282fc6295c81b5756f9910fe236f |
| SHA256 | 807d57fca560d1827d50d591c4caf5048cee4f701baec0b37c0d952cb13e2bed |
| SHA512 | db6e5c8e7ceda32a0d6fd23cd2e19f5a79c1e07c75d73296c383c6ce0d9fc7269cba0f6dd288d1390261b6405e9d95c8257f5d6a6d0ffd1263fa9bc9e48fd3bf |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Documents\InitializeExpand.xls
| MD5 | 1412ffd779e3da8d51f54513e9c36c20 |
| SHA1 | 37c4d77375b15efde019da449af84297aaf1a606 |
| SHA256 | 00e0687c49e300b4706f45b9c56062eb78e014bb5e0a3155f81c54f99164d4eb |
| SHA512 | 27a56e491b8e7cdf576aa605502e867c132b8eedc551216732b4d9b955ed770f186efb20356c3f3b3388b38f6698f3197a05ac033f3392e4cba99e30c5ee5d8d |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\ApproveWait.pdf
| MD5 | d9017a2bca1cf31c8dbc0409b390b347 |
| SHA1 | 549ee867d1b3318d72de74323e77947addbb462e |
| SHA256 | 43b8423f1ba9bdb7612c9786e842acf9aacece7770971c1dcb10b3f96615108d |
| SHA512 | 0623aa6ebe8f025f313ebbdbfe034668933e144d5553a41813e1abd06f1fd1f443347ed64d1ebdd0db7b67d13f92fa830360f27b32da9e0480c97419373b97ef |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\ConvertClose.bmp
| MD5 | 718508db054938242805bb5df366079c |
| SHA1 | 9783aa3fc8e466892aab37417e68a67edbadfbcd |
| SHA256 | 2254bb532d090f9c8a1a97b24a4cba87fe20fe59828e0dd3ce753ac0da0ea428 |
| SHA512 | f10bedaed3a62a57e4d52f111d3a90d06771a221e995ce7c601af67860d88d88806eab4916d6a1c48e6b4109dd40c9ffc19114c11252714997060a0744028661 |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\DenySync.docx
| MD5 | bc532f5dbe143f172fd3b75a7ef4cf9f |
| SHA1 | 7d16dff0aebf1a61f4e9bf40536716937ed692d2 |
| SHA256 | 76ef178c405e705a183fd93a3e4abbe7dccb5c40d08ad6861e0e36092b63d512 |
| SHA512 | 2b419557524f046c28f3de7f427466b0de9a23f45496fdbe40ce1431854a4bb9a1e4af4c5bd2b7499dabecb2792cd452ecdfdaa543ede1d7392b5ef115dab07a |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\SkipFind.sql
| MD5 | c0d2b7235228439bc56fd1a77fec6e83 |
| SHA1 | 1f3ceb3dbc26ced66731a3b947c17f24e038afb0 |
| SHA256 | 2f1ffa1196e82e87d81ebdca8b10b9c0cb5a8f6c8be3f48a8d09136b476f9c98 |
| SHA512 | 266c2710fc57e7a31bddbd43652806049bb009fc06ead46637f0cf28d6e2a1e12a74fc5b6a3ea8f643f5c39c774312037488f2a444df53ba704abb89aa0929f7 |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Downloads\SplitPop.xlsx
| MD5 | 7cf663d96e4f1b4cf90038b05b48afd2 |
| SHA1 | f740e1da5ae2f566db66cea1f24ea066e313b736 |
| SHA256 | 816b5f2b1f79a98040e4263d080af875a1e999490fce985a9fb97f7452e479e1 |
| SHA512 | 2318732304c9ad227edcc9e4f3bdf31ef4a937f1515b50a6b479dd3c3507b1f01ec90956212b5ead66fd727a86d0a76d355a9a269a9237a4d3d2d46a75d21fa4 |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\GetSet.png
| MD5 | b10b25b044631095c621ad0b81923c4c |
| SHA1 | e2b8a591e13c3b67a6231b86667d2c7a88fa3937 |
| SHA256 | 406e200a8f6849de7ce3e643a102074e3a884cdf34ea99572078ae639317f8ff |
| SHA512 | 70086da4ef9117c25fc05c3b577ba2e421c25faf4637ce65a4d87162040a82ff722c45a1dedac19bcf8de5f7fb5891eff24088b5a90f49877fa66607f680eb26 |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\ReceivePop.jpg
| MD5 | 9d7e681eb783c922aea2900e08a968ea |
| SHA1 | 402e7e46fe3ff1af372a4b720529ffdb12d0092d |
| SHA256 | ef4457d1030493f82185f52e3e3223708dc1c79d68857f1e26a0f65f03a934b3 |
| SHA512 | 3ddfb81e0b8165c58e6acbfac26e12ccaf26a088fcc6f1d6b4571f771adcce3b1e88eafdc5c38b6d98d18be13c70c01b1ae3e3ff8944e7fd5d14fb0ccb1138ef |
C:\Users\Admin\AppData\Roaming\DSEYXUOD\FileGrabber\Pictures\UnlockRemove.jpg
| MD5 | c6eda28ab66c3a2c1bd4c96872368e97 |
| SHA1 | 560affbb12872fcd0234e1e3936cd220a01b08a3 |
| SHA256 | 10df9f0f68713506743c03c59c737a3de996c84b33f4ec6f85efa479e91e2d95 |
| SHA512 | 0c912018ba9a10e49ec9483a30691f94e25ef9af4f0511689883bcb36ed9eb3358b7f79b005d58ccd6b40e1b83ca7a0d1d172b32935e789635648a79d4c18cf4 |
memory/1856-671-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-718-0x0000000000590000-0x0000000000612000-memory.dmp
memory/452-759-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Windows\xdwd.dll
| MD5 | 16e5a492c9c6ae34c59683be9c51fa31 |
| SHA1 | 97031b41f5c56f371c28ae0d62a2df7d585adaba |
| SHA256 | 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66 |
| SHA512 | 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6 |
C:\Users\Admin\AppData\Local\Temp\tmp51E4.tmp.bat
| MD5 | 018e9071319ab280a5a8dcc2a3f0bb28 |
| SHA1 | c0fec2daaaf3cca3b0f217f37e097a0e33308bb4 |
| SHA256 | cae2ad934a7a8027cbb568e1aa648a6cf35e614ef66ffc67551bb26426176ab6 |
| SHA512 | 6ed3768d547ffd0dd905a637b8b663ab53952bdbff0101f4452f68edad241393825ac3034c4fd2879195cdc964abbc8171d75dc215345575f371805b81cf8fcc |
memory/1856-826-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-827-0x0000000000590000-0x0000000000612000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | f040c2e1e39e3cf539df1a32c8f1af5a |
| SHA1 | e9da9fb5c7fe1e5d79be0da6d817b76745c732b6 |
| SHA256 | 65e5724c50cc82729eb00f4ceac09875681e42f15971e2f9be4aed48009d10aa |
| SHA512 | 56ca0562177620406ada99dff0d102cd88483c1d2d9238ff0e7e8621661ad3e3e5ba6cfb0deb6d1fba9ba85fda3b7197020ab36c401339d64122695a5cdc58a5 |
memory/1856-855-0x0000000000590000-0x0000000000612000-memory.dmp
memory/452-856-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1856-857-0x0000000000590000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\690c1b65a6267d6d0b201ba46089aabc.exe.log
| MD5 | 7cad59aef5a93f093b6ba494f13f796f |
| SHA1 | 3cef97b77939bfc06dfd3946fc1a8cd159f67100 |
| SHA256 | 1e1b444fe2d8772f6709b22b94bb5b0aa7fa590f6a693705d9bf1f2f71267a55 |
| SHA512 | 8cedd03efec34c6226a01fd6b4831a689be16545ea6b849cd96f775e0722bfefd4b47f3dd8401d2080d341d4319f75995ece60de44352a1f86a2e5dc01e6210b |
C:\Users\Admin\AppData\Local\Temp\tmp7B07.tmp.bat
| MD5 | 9854f2a1b79aa8788276d39c646c8522 |
| SHA1 | 219c5bb8f962c77e9c84b0b8cf8c87d0eb65adbc |
| SHA256 | 52d1d4a9bf16e854c78ed6a1785fae0ae4feab57199c21da9432b7a405cd2cd5 |
| SHA512 | e7303967de54652bb4a7ea562733c196c47f6a24b07580d28a70269aef5121951d82a19516d86837b8c27d1782635ab63afc2d63a63a45c0c3f48a385e9c9b0d |
memory/1856-954-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-955-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-984-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-985-0x0000000000590000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WizFN6Ayux
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\4bDPnfeBYs
| MD5 | db26309558628fa1ef6a1edd23ab2b09 |
| SHA1 | 9bfb0530d0c2dcc6f9b3947bc3ca602943356368 |
| SHA256 | e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070 |
| SHA512 | 4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c |
C:\Users\Admin\AppData\Local\Temp\3HH6KfBvI8
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
memory/1856-1038-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-1040-0x0000000000590000-0x0000000000612000-memory.dmp
memory/1856-1068-0x0000000000590000-0x0000000000612000-memory.dmp