Analysis Overview
SHA256
2840a81e534aa9badebe491f4e4a860a137f8eeb6f70e51c6262d832c5f576eb
Threat Level: Known bad
The file 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Xmrig family
xmrig
Suspicious use of NtCreateUserProcessOtherParentProcess
Wannacry family
Phorphiex, Phorpiex
RedLine
Phorphiex family
Redline family
Phorphiex payload
Wannacry
XMRig Miner payload
Stops running service(s)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Themida packer
Modifies file permissions
Executes dropped EXE
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-18 14:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-18 14:01
Reported
2024-11-18 14:03
Platform
win11-20241007-it
Max time kernel
56s
Max time network
104s
Command Line
Signatures
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5080 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe | C:\Windows\Explorer.EXE |
| PID 5080 created 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe | C:\Windows\Explorer.EXE |
| PID 1164 created 3280 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1164 created 3280 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1164 created 3280 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Wannacry
Wannacry family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\new1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\WannaCry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Files\taskdl.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1164 set thread context of 1320 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 1164 set thread context of 4968 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\AnchorAnnotated | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| File opened for modification | C:\Windows\CheckingReliable | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| File opened for modification | C:\Windows\ConferencesInto | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\ViewpictureKingdom | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
| File opened for modification | C:\Windows\BrandonBlind | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
| File opened for modification | C:\Windows\GamblingCedar | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\HardlyAircraft | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
| File opened for modification | C:\Windows\IpaqArthur | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\WannaCry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\new1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Files\taskdl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\Files\new1.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [binary blob data elided] | C:\Users\Admin\AppData\Local\Temp\Files\new1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
"C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe"
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NorthSperm.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Surrey Surrey.cmd && Surrey.cmd && exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
cmd /c md 719580
C:\Windows\SysWOW64\findstr.exe
findstr /V "copehebrewinquireinnocent" Corpus
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Utilize + ..\Verzeichnis + ..\Built + ..\Vessels + ..\Cradle + ..\Jaguar + ..\Comics + ..\Flux + ..\Liberal f
C:\Users\Admin\AppData\Local\Temp\719580\Optimum.pif
Optimum.pif f
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe
"C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
C:\Users\Admin\AppData\Local\Temp\Files\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WannaCry.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\AppData\Local\Temp\Files\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 223901731938569.bat
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Users\Admin\AppData\Local\Temp\Files\o.exe
"C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
C:\Windows\sysklnorbcv.exe
C:\Windows\sysklnorbcv.exe
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe"
C:\Users\Admin\AppData\Local\Temp\Files\r.exe
"C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
C:\Windows\sysvplervcs.exe
C:\Windows\sysvplervcs.exe
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build555.exe"
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\Files\t.exe
"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Users\Admin\AppData\Local\Temp\Files\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\Files\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Files\tasksche.exe\"" /f
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Users\Admin\AppData\Local\Temp\Files\newbundle.exe
"C:\Users\Admin\AppData\Local\Temp\Files\newbundle.exe"
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
C:\Users\Admin\AppData\Local\Temp\Files\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Files\tasksche.exe\"" /f
Network
Files
memory/4324-156-0x0000000005D40000-0x0000000005DB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\splwow64_1.exe
| MD5 | 2b01c9b0c69f13da5ee7889a4b17c45e |
| SHA1 | 27f0c1ae0ddeddc9efac38bc473476b103fef043 |
| SHA256 | d5526528363ceeb718d30bc669038759c4cd80a1d3e9c8c661b12b261dcc9e29 |
| SHA512 | 23d4a0fc82b70cd2454a1be3d9b84b8ce7dd00ad7c3e8ad2b771b1b7cbca752c53feec5a3ac5a81d8384a9fc6583f63cc39f1ebe7de04d3d9b08be53641ec455 |
memory/4324-170-0x0000000006610000-0x000000000662E000-memory.dmp
memory/4324-176-0x0000000006D90000-0x00000000073A8000-memory.dmp
memory/4324-183-0x0000000006820000-0x0000000006832000-memory.dmp
memory/4324-182-0x00000000068E0000-0x00000000069EA000-memory.dmp
memory/4324-188-0x0000000006880000-0x00000000068BC000-memory.dmp
memory/4324-191-0x00000000069F0000-0x0000000006A3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Emotions
| MD5 | b98d78c3abe777a5474a60e970a674ad |
| SHA1 | 079e438485e46aff758e2dff4356fdd2c7575d78 |
| SHA256 | 2bc28afb291ece550a7cd2d0c5c060730eb1981d1cf122558d6971526c637eb4 |
| SHA512 | 6218413866237bc1f6eada6554658a00c9fc55402e104576b33a2e8d4adf0fd952d8cc8d1ae3a02ebcfa030115fc388fc1a6f23b9d372f808e11e1b551064e5d |
C:\Users\Admin\AppData\Local\Temp\Files\WannaCry.exe
| MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
| SHA1 | 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 |
| SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| SHA512 | 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
memory/2044-242-0x0000000010000000-0x0000000010010000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\t.wnry
| MD5 | 5dcaac857e695a65f5c3ef1441a73a8f |
| SHA1 | 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd |
| SHA256 | 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 |
| SHA512 | 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2 |
C:\Users\Admin\AppData\Local\Temp\Files\s.wnry
| MD5 | ad4c9de7c8c40813f200ba1c2fa33083 |
| SHA1 | d1af27518d455d432b62d73c6a1497d032f6120e |
| SHA256 | e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b |
| SHA512 | 115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617 |
C:\Users\Admin\AppData\Local\Temp\Files\r.wnry
| MD5 | 3e0020fc529b1c2a061016dd2469ba96 |
| SHA1 | c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade |
| SHA256 | 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c |
| SHA512 | 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_vietnamese.wnry
| MD5 | 8419be28a0dcec3f55823620922b00fa |
| SHA1 | 2e4791f9cdfca8abf345d606f313d22b36c46b92 |
| SHA256 | 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8 |
| SHA512 | 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_turkish.wnry
| MD5 | 531ba6b1a5460fc9446946f91cc8c94b |
| SHA1 | cc56978681bd546fd82d87926b5d9905c92a5803 |
| SHA256 | 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415 |
| SHA512 | ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_swedish.wnry
| MD5 | c7a19984eb9f37198652eaf2fd1ee25c |
| SHA1 | 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae |
| SHA256 | 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4 |
| SHA512 | 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_spanish.wnry
| MD5 | 8d61648d34cba8ae9d1e2a219019add1 |
| SHA1 | 2091e42fc17a0cc2f235650f7aad87abf8ba22c2 |
| SHA256 | 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1 |
| SHA512 | 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_slovak.wnry
| MD5 | c911aba4ab1da6c28cf86338ab2ab6cc |
| SHA1 | fee0fd58b8efe76077620d8abc7500dbfef7c5b0 |
| SHA256 | e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729 |
| SHA512 | 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_russian.wnry
| MD5 | 452615db2336d60af7e2057481e4cab5 |
| SHA1 | 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6 |
| SHA256 | 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078 |
| SHA512 | 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_romanian.wnry
| MD5 | 313e0ececd24f4fa1504118a11bc7986 |
| SHA1 | e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d |
| SHA256 | 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1 |
| SHA512 | c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_portuguese.wnry
| MD5 | fa948f7d8dfb21ceddd6794f2d56b44f |
| SHA1 | ca915fbe020caa88dd776d89632d7866f660fc7a |
| SHA256 | bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66 |
| SHA512 | 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_polish.wnry
| MD5 | e79d7f2833a9c2e2553c7fe04a1b63f4 |
| SHA1 | 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff |
| SHA256 | 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e |
| SHA512 | e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_norwegian.wnry
| MD5 | ff70cc7c00951084175d12128ce02399 |
| SHA1 | 75ad3b1ad4fb14813882d88e952208c648f1fd18 |
| SHA256 | cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a |
| SHA512 | f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_latvian.wnry
| MD5 | c33afb4ecc04ee1bcc6975bea49abe40 |
| SHA1 | fbea4f170507cde02b839527ef50b7ec74b4821f |
| SHA256 | a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536 |
| SHA512 | 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_korean.wnry
| MD5 | 6735cb43fe44832b061eeb3f5956b099 |
| SHA1 | d636daf64d524f81367ea92fdafa3726c909bee1 |
| SHA256 | 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0 |
| SHA512 | 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_japanese.wnry
| MD5 | b77e1221f7ecd0b5d696cb66cda1609e |
| SHA1 | 51eb7a254a33d05edf188ded653005dc82de8a46 |
| SHA256 | 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e |
| SHA512 | f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_italian.wnry
| MD5 | 30a200f78498990095b36f574b6e8690 |
| SHA1 | c4b1b3c087bd12b063e98bca464cd05f3f7b7882 |
| SHA256 | 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07 |
| SHA512 | c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_indonesian.wnry
| MD5 | 3788f91c694dfc48e12417ce93356b0f |
| SHA1 | eb3b87f7f654b604daf3484da9e02ca6c4ea98b7 |
| SHA256 | 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4 |
| SHA512 | b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_greek.wnry
| MD5 | fb4e8718fea95bb7479727fde80cb424 |
| SHA1 | 1088c7653cba385fe994e9ae34a6595898f20aeb |
| SHA256 | e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9 |
| SHA512 | 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_german.wnry
| MD5 | 3d59bbb5553fe03a89f817819540f469 |
| SHA1 | 26781d4b06ff704800b463d0f1fca3afd923a9fe |
| SHA256 | 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61 |
| SHA512 | 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_french.wnry
| MD5 | 4e57113a6bf6b88fdd32782a4a381274 |
| SHA1 | 0fccbc91f0f94453d91670c6794f71348711061d |
| SHA256 | 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc |
| SHA512 | 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_filipino.wnry
| MD5 | 08b9e69b57e4c9b966664f8e1c27ab09 |
| SHA1 | 2da1025bbbfb3cd308070765fc0893a48e5a85fa |
| SHA256 | d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324 |
| SHA512 | 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_english.wnry
| MD5 | fe68c2dc0d2419b38f44d83f2fcf232e |
| SHA1 | 6c6e49949957215aa2f3dfb72207d249adf36283 |
| SHA256 | 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5 |
| SHA512 | 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_dutch.wnry
| MD5 | 7a8d499407c6a647c03c4471a67eaad7 |
| SHA1 | d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b |
| SHA256 | 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c |
| SHA512 | 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_danish.wnry
| MD5 | 2c5a3b81d5c4715b7bea01033367fcb5 |
| SHA1 | b548b45da8463e17199daafd34c23591f94e82cd |
| SHA256 | a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6 |
| SHA512 | 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_czech.wnry
| MD5 | 537efeecdfa94cc421e58fd82a58ba9e |
| SHA1 | 3609456e16bc16ba447979f3aa69221290ec17d0 |
| SHA256 | 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150 |
| SHA512 | e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_croatian.wnry
| MD5 | 17194003fa70ce477326ce2f6deeb270 |
| SHA1 | e325988f68d327743926ea317abb9882f347fa73 |
| SHA256 | 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171 |
| SHA512 | dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_chinese (traditional).wnry
| MD5 | 2efc3690d67cd073a9406a25005f7cea |
| SHA1 | 52c07f98870eabace6ec370b7eb562751e8067e9 |
| SHA256 | 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a |
| SHA512 | 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_chinese (simplified).wnry
| MD5 | 0252d45ca21c8e43c9742285c48e91ad |
| SHA1 | 5c14551d2736eef3a1c1970cc492206e531703c1 |
| SHA256 | 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a |
| SHA512 | 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755 |
C:\Users\Admin\AppData\Local\Temp\Files\msg\m_bulgarian.wnry
| MD5 | 95673b0f968c0f55b32204361940d184 |
| SHA1 | 81e427d15a1a826b93e91c3d2fa65221c8ca9cff |
| SHA256 | 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd |
| SHA512 | 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92 |
C:\Users\Admin\AppData\Local\Temp\Files\c.wnry
| MD5 | 8124a611153cd3aceb85a7ac58eaa25d |
| SHA1 | c1d5cd8774261d810dca9b6a8e478d01cd4995d6 |
| SHA256 | 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e |
| SHA512 | b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17 |
C:\Users\Admin\AppData\Local\Temp\Files\b.wnry
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\Files\@[email protected]
| MD5 | 7a2726bb6e6a79fb1d092b7f2b688af0 |
| SHA1 | b3effadce8b76aee8cd6ce2eccbb8701797468a2 |
| SHA256 | 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5 |
| SHA512 | 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54 |
memory/1320-510-0x00007FF7D35A0000-0x00007FF7D35C9000-memory.dmp
memory/4968-511-0x00007FF6EAF20000-0x00007FF6EB70F000-memory.dmp
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
| MD5 | 1b1afbdb3c685f76e2ad2cdc88a875b8 |
| SHA1 | 484d8a0ef6cfbd049ecdaf5cfb1e05c2a168a762 |
| SHA256 | f7513c14af034b8f78ed3929e80f3fa9b3d3325848fabad930767acb860ffdfa |
| SHA512 | da190ba809209ecb63c8f663d576972dcb8d37e3a300454e90d38f6a5b021baf40d1da76bd80d222e2bfdfb95b3edbfdc4a3c604674a40d4d551addeb9add718 |
memory/4968-1780-0x00007FF6EAF20000-0x00007FF6EB70F000-memory.dmp
memory/4324-1783-0x0000000006B10000-0x0000000006B9C000-memory.dmp
memory/4324-1784-0x00000000073B0000-0x00000000074B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\o.exe
| MD5 | a775d164cf76e9a9ff6afd7eb1e3ab2e |
| SHA1 | 0b390cd5a44a64296b592360b6b74ac66fb26026 |
| SHA256 | 794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979 |
| SHA512 | 80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808 |
memory/4968-1798-0x00007FF6EAF20000-0x00007FF6EB70F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
| MD5 | b45668e08c03024f2432ff332c319131 |
| SHA1 | 4bef9109eaeace4107c47858eef2d9d3487e45f0 |
| SHA256 | 4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe |
| SHA512 | 538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc |
memory/4868-1808-0x0000000000A80000-0x00000000012FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\r.exe
| MD5 | 930c41bc0c20865af61a95bcf0c3b289 |
| SHA1 | cecf37c3b6c76d9a79dd2a97cfc518621a6ac924 |
| SHA256 | 1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff |
| SHA512 | fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2 |
C:\Users\Admin\AppData\Local\Temp\Files\Petya.A.exe
| MD5 | af2379cc4d607a45ac44d62135fb7015 |
| SHA1 | 39b6d40906c7f7f080e6befa93324dddadcbd9fa |
| SHA256 | 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 |
| SHA512 | 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99 |
memory/4868-1825-0x0000000000A80000-0x00000000012FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\build555.exe
| MD5 | 4e18e7b1280ebf97a945e68cda93ce33 |
| SHA1 | 602ab8bb769fff3079705bf2d3b545fc08d07ee6 |
| SHA256 | 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d |
| SHA512 | 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37 |
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
memory/4028-1867-0x0000000002490000-0x00000000024C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\newbundle.exe
| MD5 | 58e8b2eb19704c5a59350d4ff92e5ab6 |
| SHA1 | 171fc96dda05e7d275ec42840746258217d9caf0 |
| SHA256 | 07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834 |
| SHA512 | e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f |
memory/4472-1876-0x0000000000A60000-0x0000000000AB2000-memory.dmp
memory/4028-1877-0x00000000050D0000-0x00000000056FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\TaskData\Tor\tor.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
memory/4968-2314-0x00007FF6EAF20000-0x00007FF6EB70F000-memory.dmp
memory/1292-2772-0x00007FF7D95D0000-0x00007FF7D9832000-memory.dmp