Analysis Overview
SHA256
16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
Threat Level: Known bad
The file Downloaders.zip was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Xworm family
Detect Xworm Payload
Detects Monster Stealer.
Monster family
Monster
Quasar payload
Quasar RAT
Quasar family
AsyncRat
Xworm
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Identifies Wine through registry keys
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Writes to the Master Boot Record (MBR)
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Suspicious use of NtSetInformationThreadHideFromDebugger
Browser Information Discovery
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Wi-Fi Discovery
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Uses Task Scheduler COM API
outlook_office_path
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-12 23:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-12 23:44
Reported
2025-02-12 23:53
Platform
win7-20240903-en
Max time kernel
222s
Max time network
248s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Monster Stealer.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Monster
Monster family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Files\build9.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\Sync.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\AsyncClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\build11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2016_133838776836118000\stub.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\Discord.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\mcgen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\mcgen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\petya.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Sync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\AsyncClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Desktop\Files\v7wa24td.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
C:\Users\Admin\Desktop\Files\build9.exe
"C:\Users\Admin\Desktop\Files\build9.exe"
C:\Users\Admin\Desktop\Files\Sync.exe
"C:\Users\Admin\Desktop\Files\Sync.exe"
C:\Users\Admin\Desktop\Files\AsyncClient.exe
"C:\Users\Admin\Desktop\Files\AsyncClient.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6558.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
C:\Users\Admin\Desktop\Files\build11.exe
"C:\Users\Admin\Desktop\Files\build11.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2016_133838776836118000\stub.exe
C:\Users\Admin\Desktop\Files\build11.exe
C:\Users\Admin\Desktop\Files\Discord.exe
"C:\Users\Admin\Desktop\Files\Discord.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
C:\Users\Admin\Desktop\Files\mcgen.exe
"C:\Users\Admin\Desktop\Files\mcgen.exe"
C:\Users\Admin\Desktop\Files\mcgen.exe
"C:\Users\Admin\Desktop\Files\mcgen.exe"
C:\Users\Admin\Desktop\Files\v7wa24td.exe
"C:\Users\Admin\Desktop\Files\v7wa24td.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe
"C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe"
C:\Users\Admin\Desktop\Files\XClient.exe
"C:\Users\Admin\Desktop\Files\XClient.exe"
C:\Users\Admin\Desktop\Files\petya.exe
"C:\Users\Admin\Desktop\Files\petya.exe"
C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe
"C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe" "Microsoft_Hardware_Launch.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.130.49:443 | urlhaus.abuse.ch | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| CN | 60.188.59.126:8099 | N/A | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| NZ | 172.204.136.22:1604 | N/A | tcp |
| US | 96.248.52.125:8031 | N/A | tcp |
| NZ | 172.204.136.22:1604 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 96.248.52.125:8031 | N/A | tcp |
| N/A | 192.168.56.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:5821 | N/A | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| NZ | 172.204.136.22:1604 | N/A | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| N/A | 127.0.0.1:8080 | N/A | tcp |
| DE | 41.216.183.9:8080 | N/A | tcp |
| US | 96.248.52.125:8031 | N/A | tcp |
| N/A | 192.168.56.1:4782 | N/A | tcp |
| N/A | 127.0.0.1:8080 | N/A | tcp |
Files
C:\Users\Public\Desktop\Adobe Reader 9.lnk
| MD5 | 93f0af3cdb10427c0ceb4ea2db2fda3e |
| SHA1 | 898b3b01763859bbbab268fa580a5eadc5cb464d |
| SHA256 | f9b7fda7b756118383843e62a9092246a5d7b23f18cae6f49e3a5d0195d9c5af |
| SHA512 | 39fbec39a5fdb0ad2fcb26c47483c776eb714c8263ff752ede077deb36fcd3dfd09acc92f6cd2bb8ea31f8bcd44376bbb9fa85f62a957d7bafeb81bdc622785a |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 6b282bc9065f108da28fe9ff016f5dc4 |
| SHA1 | 89cd7babafc1a6ed4ac99b22e559b127033134b8 |
| SHA256 | 0d09e42dcc55c17495d41a109e3d20d993a67aa59e76395fb5600af7b6a454bb |
| SHA512 | 84ab98da7b7fa52a7f55512455aa3643c0860a80944a3aeae11764f85f59f3d1cf0769e1d669bdac710be7a663538a1a0aef9e39db65845e2d898ab2e862e3c8 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | 17533a04a1e28341bd037aaf2b80aa72 |
| SHA1 | cab41a28a95dea1bbcc07b68238603784ac542a4 |
| SHA256 | e82c6c30d3e9624f535b806a34e08b0ee212d94d965a35d51658bd96a9cfa611 |
| SHA512 | 0ad1529cb0003e9a54c0bef14fbdee9d78079bfe77b1abc441a16148a322142053e331442aaf0d24add57803ca6b09cf222ee5d4d4dec89491085fb5c365118f |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | 9ec5e565834f441cc4a9e61743abad42 |
| SHA1 | c4090dfb08b8093ecbb3df62c50850b2c38bf2ed |
| SHA256 | 6bd8ddabc50c5f0d3ad7ce6f09eec33accafeefa6c43f55fcae3f41135bb40ae |
| SHA512 | 27e9c84243bf853d07554565322b2504765c0f67b8ed0fd6498953c4af6a4668b0f80e7a9c5289cdcdafd7d44e28a5306b31e91f87993165597b941fbb9f798a |
C:\Users\Admin\Desktop\BlockUse.xps
| MD5 | e9132f43dcab2d0993a889590ee1e2e6 |
| SHA1 | fd46cb0d6783b4046a28231160be482b82fe1b0c |
| SHA256 | 65ea0bc209b7582da7a5839958575390294742547ad121a428eb20ee04a0e0ad |
| SHA512 | e5870d97036de9f677d272a389071454a3e304e352867e8bf12a593d1afa3c7a76103ee45e11b0c49de9f73780f983bef8833e7b59d3dfe6567e52ffa9a56805 |
C:\Users\Admin\Desktop\ConvertOut.vb
| MD5 | accb7a432b43573d1e4e1a4fea541838 |
| SHA1 | a2724fa36a4f71aa1c4c25279d5afc4c118f7659 |
| SHA256 | a8b4cdb3e99b5c7530d5fa3a701c9b8d32dbee84020639a26b287be62cfbe11e |
| SHA512 | 61179827ac1b674c691c3e7d9bff81e9a6a3507696fc3010c71b78f7d0b8adb995334603f85f827f846dc404e94419c36fd1a445c8c050d8ae60490ebcb5e3be |
C:\Users\Admin\Desktop\DisableRestore.css
| MD5 | 99a0d843f9f214e95abca634510d3e9d |
| SHA1 | e9c8ef6a2263637639745c5dca7efbc40fbb8e26 |
| SHA256 | c0467d1aec081d4c38165176c7d5e36e7392cf0de0893311993e73f9c3f60d00 |
| SHA512 | f70774dabcb6aea58005d235ca43a80913fb74c83de7dea0ee46b6cc94361e65f3d0758fbf7bc37d8c4847968d2999aa6d7ff20efc870f4a013ff1ed95f5c9cd |
C:\Users\Admin\Desktop\DisableShow.dotm
| MD5 | 5e5a128807c9de0abfd7c134b0e046cb |
| SHA1 | 7f3eab8ea825742d093ca9e3cec0eabe5cfc6df7 |
| SHA256 | 8964ef4d85f98e643ecef8c099a205f555a96059952efa269facda603eaa516d |
| SHA512 | 451138bd0bd1d724c3dc854bda9781ea82f467e96b378f41d495064b42b7b2cfde7a3b8127b9aed70c34e92cb6754eb76e2a04e64fe47a3b00845eeadc866684 |
C:\Users\Admin\Desktop\ResetConvertTo.wmx
| MD5 | 1fe4158dd69331253ee36749a1a86000 |
| SHA1 | 6f0cc820326f4fadbb4946f351763cdac8fe17f9 |
| SHA256 | d2abab31ea57eddae1e1bbad7d0229a3cf10412e3487a7d950bbb325959367f9 |
| SHA512 | a2b2b5d89cdf44133c58bf423fc9d9e2b8ca6095fd4ab57171064a62c2440a485cf3bae6e140326f0c3713553d224b9d67e10634d4d26cd54a2cb4aae932c6e6 |
C:\Users\Admin\Desktop\RevokeFind.xlt
| MD5 | cbe29ce96c95b219c71e11731b2cf51c |
| SHA1 | b7fcbefd85f58626893d3ab6a2b005b435c203ac |
| SHA256 | 7768c4a8606e34ab3a12c81fde562810f19236665cd0ff4f9b3ecdcec841c56b |
| SHA512 | 8dbac23674397e16f3b0ab520fdee17a004ca5bd41fa605f3d07d7d98f1c8fbab5a6bcd5ed44dcc39ef98f70561560270be8f4e674709bd6633396c52255c171 |
C:\Users\Admin\Desktop\ReceiveTrace.mhtml
| MD5 | d6191e07aa3be2ad9434cd3ecb4c02fa |
| SHA1 | 3fff16a5b76e2900f31a41acca74da507a7c70be |
| SHA256 | 8846cf027174e82d9ee8d7951bd382b89a70e7b41509dc634669e1df02e91dd0 |
| SHA512 | 5d7b103a4a52ec7d8625b99af4b802ffe7fc7da326b853c6b92eec5027687d61afa3d7de8bf51b58d102fdfdb6585c794f8c681dac6a04d5acc7c211dc1817bc |
C:\Users\Admin\Desktop\PushUpdate.xla
| MD5 | 9fb5cc3f523b474c9647df1a1a69c522 |
| SHA1 | de600d952476404134be8b9ba8b9a2f3d7bcb09c |
| SHA256 | ea7851f681ab498c4e80130c61d73a00cd2a342ba0730aedf20483409a8aa9d1 |
| SHA512 | 0b6addef963b0646fbd648047bdc5e72480b749aaa99b6bab4cccd91b46ff6a3716f1e68203265775f00a012aab5b59e8d5902b9226cdd3259a1092bf5fc9f08 |
C:\Users\Admin\Desktop\EnableInvoke.docx
| MD5 | faa4380cb045e115750af1da1ab4b49e |
| SHA1 | 81943b4e2ddf2869bb87a7fbe724452be45a72af |
| SHA256 | e9490c13dacd3c2cfc4d845efbcfae6bd78b9bdde2dfebe7fb1ea1c44aeb71d6 |
| SHA512 | 9fa4db5a6b4a450d7b8e5aeca1864b70c47f1f638a04c5698c086da678db3ce11a8d0a84d8dbe44ab846aa1d1f95f978f3ddd56f2a04c8cfc618d6930f750b3a |
C:\Users\Admin\Desktop\GrantLock.xlsx
| MD5 | e2926036cc18ab9b1f74fa7c6f095218 |
| SHA1 | 9fa80a1133166f8670b757bcdfef3aa2199bd55e |
| SHA256 | d6372090c67169e522f71e82ca18a57b5a71ae8e0ac198218c26f9ffe5893ca0 |
| SHA512 | 8a9ad4a734aa177fdebabfb52fdbd8df15bf9fe97cac83e0304a05633b7f715f6ab1e38f606a772c14e56714bf51ae1a20a537ee4c100988ac8361679be1eede |
C:\Users\Admin\Desktop\UnprotectRead.ttf
| MD5 | f2b0118c9bce7ca59692c746fe54b7be |
| SHA1 | 11beb1442a5a0b5bbe80e0228af188a616ec1f78 |
| SHA256 | c73737dfb4c73aa73950215bb62b4c04214660ff0f0c8de1955981b606ef02f1 |
| SHA512 | 208f85542dbf8c2b6428eb9821f1790e923e30ecd15acaaa7f31d5870da6fe808a0e471c95c811c93c80bb95b61cc89bc28333097ddd58ef7ec0c0e94edc64bc |
C:\Users\Admin\Desktop\UnblockUnpublish.tiff
| MD5 | 6c83c3ab1cbf8aacf41a222a5ffda19b |
| SHA1 | 43358c2a20eb143c4bffd5dbc3a08c2215c01c75 |
| SHA256 | cacd1dffd99181cb3d3c442071ef242effaebe4c502619f6648950b62c87b09f |
| SHA512 | 59a7fbdb25b668a6f9f1ac876987f9e4bf313b7b3ad828b9dc7744329980bed089ffc9eb1e7c601e8ed33c8e2b43d4226be0614c46d853d279a7cdb31f604317 |
C:\Users\Admin\Desktop\StopClose.m1v
| MD5 | 9611ae743a259da35a56aac2cecf5782 |
| SHA1 | c5d7710ada9e68655f24c49f9c70c277c62054ba |
| SHA256 | f8951732a7600e5a1c33e45d25b0e932cafce7fe2b4f17b38755ea3a37cf6cbb |
| SHA512 | 21527f324415eabee9ea6ec0626291303b6e660292cdc319233f422f6bb3c6fbc3b3aa1adc8c85221fe823f028eef30a8bc5fe882d6565c8f86e5afb53e83db8 |
C:\Users\Admin\Desktop\SplitLock.asx
| MD5 | 1c00e7c4b515f60a715b8a5d6cb01873 |
| SHA1 | e8c2e58dd8320f6f59ef2d90a56d2c5533fa7c70 |
| SHA256 | 46ed8f12594da58085c452e313b68ab2a6b772907ad6214f35ba75773f734470 |
| SHA512 | cb3b4cbf8e77649689ab57d93d20b53019df5efd9f7c25489b7617fa698f91fa91d08cd7ce25a18765356ca0aabdfba37cb6b5e002aa367155c7ea8c45662f08 |
C:\Users\Admin\Desktop\SkipUse.ADT
| MD5 | 35ca75008c8e63efd1e13f6c32464db9 |
| SHA1 | a58bf0f9a0e8661a6bf02dc0019acb94410b6c1b |
| SHA256 | 226a8c59c7ce102febfe08ef47f1cc66340fb5d460c6fac78fab958d21516ab0 |
| SHA512 | 32fa73a995030f51c6c7da23515eb9ab9986a6c21d469389ee04d81dc4897fe1221df39259aa867ff2653656c320dc1558f329d009a748c229c3661520827dfe |
C:\Users\Admin\Desktop\ShowLock.dot
| MD5 | 69697620f8ed4d1e26013411d9499d18 |
| SHA1 | 1f40b502d386dd0fb886ee81d02c39db7f693ed8 |
| SHA256 | c5959d6d7e2986e573c9f3a1fd2f26954d03db980a7bd71cd710729b29202c63 |
| SHA512 | 0b99283aaf2160628b96273dab97dcd935f534904b7b7d6349c7b27c55abb70623413b16d06db0d08fc1dc4effe6a992c2ac2596d8b8c35818ab14b8f15bc71b |
C:\Users\Admin\Desktop\SetReceive.pot
| MD5 | 9d031052ebcf3530ce3d1ed01229e658 |
| SHA1 | f0952481ac3cf55e1abf19eea9aafa52cb8ec220 |
| SHA256 | 95f84dd279f105bdf33b2399c1776fe50ac1eb879ef1792c433a7cbfe1f43b49 |
| SHA512 | f218cd873b5206b889201d02b020eb3cbe0a71999193a0926d4a3663786be631abc0f7f4185b400ca0af20af2a5946e92100e85982ba39c32edeea7d5f86746b |
C:\Users\Admin\Desktop\SearchWait.M2T
| MD5 | e168af3ebe2221800af07fb1c60ea1e4 |
| SHA1 | 5fbc4d6003677df45307eab5ab3926bcc0cf89e7 |
| SHA256 | 020d626d55b73debc7fe85ecbdfb01405e6035f307468b229a6033b416722d04 |
| SHA512 | 53cbf157f860c54dc405e05109c463a519acd03f939c3705e4e0dd84f7c3bd5d1087dd414c04155773a131af39d0569895ca462e7b111514e98e2c520414164f |
C:\Users\Admin\Desktop\SaveUpdate.xltm
| MD5 | 2a5c34035d90d809f0812efffd9c50cb |
| SHA1 | 47916756085d97626138b73a8461621a7259c84b |
| SHA256 | 421ca3cc2ba658664795410faf5f6560faf3db9fe5d6293730999f895694f42c |
| SHA512 | ff1083c1d45e4486fe8ca935734b40d91e38e8acdfcd88ee6b78eeb5274aab7a9df99d0a08035789786a8721bd329dfb59057752fdeabf8fea3653578aac4856 |
C:\Users\Admin\Desktop\MountOut.xlt
| MD5 | 55c7d8a111f04ef01bca8aa91c4f2f9c |
| SHA1 | 6ab37c27b9d3d14d0b89c1535bcb3943ce9fb033 |
| SHA256 | 8920197c6a74d4ec90dcfaa711f9cc781aa597cda2cbf33b1cfe2b0d718fe21e |
| SHA512 | c590716a9d1098ef2e82fd099d3dee40cb528939e4522752193cbcf2e8f4663cd9108b573e0f6c5632f3f3b332c37ddb52778cdbcb0ab0ffff969c8a7c6364d3 |
C:\Users\Admin\Desktop\LimitUnlock.ppt
| MD5 | 6b417941fe81748413e1e4c4c278768c |
| SHA1 | 829cf47b81755315d6ae49a6b29b6e06479b37ea |
| SHA256 | 670178a4dfb922832f119f02bb40812a0859b246f6cf25bca289eb42e11bed34 |
| SHA512 | 6f7bf12fb18ed553ee301a8aef92a32d3077cb83b7137cddd835b5d11c186419cf3932189c8e4cf4bbcc44d20b6de9d403b5cb3d6c47c55c2e24998b4f2c6d10 |
C:\Users\Admin\Desktop\FormatHide.jpg
| MD5 | 4cd7232e135c2f1f47f2144a3e08add7 |
| SHA1 | 97058084562418806d7af95b5d489be209e857ec |
| SHA256 | 4aa71dc547809b163940753165ef33834105cfa548c9941e7847a5857300728e |
| SHA512 | 612b95a0e674b7e1f93812e384e98e8997c6fe9c864914e28dba1861f49c373e4dac381ce04067930d7ab81884b7bc2e3176ae322c552997d653411b92e81f8d |
C:\Users\Admin\Desktop\EnableUndo.pot
| MD5 | da01b6c00d7b001945d030241eb3909d |
| SHA1 | 7f125f0cdd6834b8da2efcc870acd675dd23ab1f |
| SHA256 | 453a2a022217cd1f3ba9ce677071530bb19825aaaa0bcfef5e165224c967f493 |
| SHA512 | 66be163836242938abb9918d87c4e10b6e0ff94098cd405144059bac845faee93bf29c61c38abf49e856c2d94e7eec4cf0667d2f736bcaf52b1fb9a4bfe22005 |
C:\Users\Admin\Desktop\ConfirmSet.txt
| MD5 | 081ad20f6d03123475980562a31244a5 |
| SHA1 | 561f750f48b0fdaed5368ea0fa557852027eee90 |
| SHA256 | 5b6e418094dd968f40be536ab7227632f7f57b64d440d9b9f781b5d9d331daa4 |
| SHA512 | 4c0ed5ebd97beb444cf157b43a02fdec1b94cea3f31214a8911338d887355269bc28db3aea263109169c56daccfff1beb7b17005c57c57a80c3782d9f35988cd |
C:\Users\Admin\Desktop\InvokeSave.odt
| MD5 | fc95fad8ab4c1a1de22df013cebee038 |
| SHA1 | 8277690f24b3fe92462f671023ed07635e98fe2f |
| SHA256 | ae64188be9f7a3c6154d40b65dbbf20322088aa6f81bf15817eedcbee6db0149 |
| SHA512 | 3536c77413ac39730de23bb14423396175869f40373fcaeb62426ea462e225d0137903afda071586f37b8406aad5269980179bd68cb1727d98e14ad6da124b57 |
C:\Users\Admin\Desktop\ResumeConfirm.gif
| MD5 | 8018cc2961056ae92ba8cc13f065c5bd |
| SHA1 | d0eb5e1978d6703dc53fe3fd8682fcb168a05941 |
| SHA256 | 5234e09e48b1fbd80218438ae3def3ce474c12ff41c42a2e0735c1e80f401951 |
| SHA512 | 7d1b7917f4ca539bc5fb737802ab00c02fd2b67de3a094f4e32adbf06cff88edf996c25faea9b68b4b770d408e3133fcadf567dc4c3755d3fd37da3fce7837b4 |
C:\Users\Admin\Desktop\SkipStop.mov
| MD5 | 886c6bceb4c2866e6eb3342b111712d5 |
| SHA1 | 58004fc122a8d200a3ad1282a4414d29c7d2615d |
| SHA256 | 61fd8839f5a4f57196af831d8388f13d4e6d13b8789d400062b07095f4b0fe95 |
| SHA512 | 253eb43c1ab1d7ce39b9727b6a22485f4df1e99395d70bb0212b3789e294d5183f0528ccc0cd4e5d14f74612e677caa88ae1ec57bfec36a5fb6aa9258f831138 |
C:\Users\Admin\Desktop\UpdateMeasure.ods
| MD5 | 5fa720cd5cdb578bc24f62b275b9f62d |
| SHA1 | f9822cae101aab4000d2caf355f1dedf14f7db0d |
| SHA256 | c547f702916552cc26e76910ea3240dd83a12538eb86c21c8efea0ba25bf4328 |
| SHA512 | d0d5454540b83abba2d19f0329d05ef7660d809230f698d4726908298472bfdbf379e557dd315240b80e30fdd4dee02fe29e122d5d0f30fe4b38fd4ba44e8553 |
memory/2020-32-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2020-33-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2020-34-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\Desktop\4363463463464363463463463.zip
| MD5 | 202786d1d9b71c375e6f940e6dd4828a |
| SHA1 | 7cad95faa33e92aceee3bcc809cd687bda650d74 |
| SHA256 | 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76 |
| SHA512 | de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae |
C:\Users\Admin\Desktop\New Text Document mod.exse.zip
| MD5 | a7b1b22096cf2b8b9a0156216871768a |
| SHA1 | 48acafe87df586a0434459b068d9323d20f904cb |
| SHA256 | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9 |
| SHA512 | 35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f |
C:\Users\Admin\Desktop\4363463463464363463463463
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2000-38-0x00000000012C0000-0x00000000012C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabEDDA.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarEDED.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
\Users\Admin\Desktop\Files\build9.exe
| MD5 | 4e18e7b1280ebf97a945e68cda93ce33 |
| SHA1 | 602ab8bb769fff3079705bf2d3b545fc08d07ee6 |
| SHA256 | 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d |
| SHA512 | 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37 |
memory/2668-111-0x000000013F9A0000-0x000000013FC02000-memory.dmp
memory/2668-117-0x000000013F9A0000-0x000000013FC02000-memory.dmp
memory/2668-119-0x000000013F9A0000-0x000000013FC02000-memory.dmp
memory/2668-122-0x000000013F9A0000-0x000000013FC02000-memory.dmp
\Users\Admin\Desktop\Files\Sync.exe
| MD5 | 4d5a086a9634eb694ec941e898fdc3ce |
| SHA1 | 3b4ce31fcc765f313c95c6844ae206997dc6702b |
| SHA256 | 149990fa6abd66bd9771383560a23894c70696aaeb3b2304768212be1be8f764 |
| SHA512 | 16546b2d4f361ff0a32ef8314989e28f06bb2ec6b31276031bd7dec4c67ce30e97befb72e962d927cffb57fe283a8de7fa049725f488b3918968c011f9487468 |
memory/600-184-0x0000000000E80000-0x0000000000E92000-memory.dmp
C:\Users\Admin\Desktop\Files\AsyncClient.exe
| MD5 | 7ace559d317742937e8254dc6da92a7e |
| SHA1 | e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9 |
| SHA256 | b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f |
| SHA512 | 2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3 |
memory/1932-192-0x0000000000E90000-0x0000000000EA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6558.tmp.bat
| MD5 | 3b3f943d00ca315a84f0657d31046ba2 |
| SHA1 | 006623333a73554fbcff9a7a235633be7f716272 |
| SHA256 | 6938b0e2e17936f3301b220e209d0c7cb5e8b5bb2135ffa0e16bbf965c339b42 |
| SHA512 | 707e63edef457d90c322182761b291e3f9e920c31bb8a7f9066172f4786c8bef4ae009a99e4cab35f3a8dcac19251aa9baacab8ea4b1606a757d5f6c0a6074f6 |
memory/992-207-0x0000000001280000-0x0000000001292000-memory.dmp
\Users\Admin\Desktop\Files\build11.exe
| MD5 | 2cb47309bb7dde63256835d5c872b2f9 |
| SHA1 | 8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d |
| SHA256 | 18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e |
| SHA512 | 3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104 |
\Users\Admin\AppData\Local\Temp\onefile_2016_133838776836118000\stub.exe
| MD5 | 9cb4cf7e6b271413430c9b3eea8aafa2 |
| SHA1 | 5d789fc3756e2f5e113aeba0f9f3053e88db59b3 |
| SHA256 | 0728e88b0c32282e2750d77d172c2454a0fa53bf6a093c7885c93641cf5e794f |
| SHA512 | f34db1ba8e1083570318c05370cc24af61dd507532c1c867cd90cc6b5c7fbae2dfde9b4dc13edc1e5587efe74ebfdccfa2c0e095f2ae0477c49cdecc5e6d034b |
memory/1548-293-0x0000000000CD0000-0x0000000000FFA000-memory.dmp
memory/1720-295-0x000000013F900000-0x000000014096B000-memory.dmp
memory/2016-329-0x000000013F680000-0x0000000140155000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
| MD5 | bedd5e5f44b78c79f93e29dc184cfa3d |
| SHA1 | 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd |
| SHA256 | e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c |
| SHA512 | 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de |
memory/2592-332-0x0000000000E00000-0x000000000112A000-memory.dmp
memory/768-357-0x000007FEEA3D0000-0x000007FEEAA35000-memory.dmp
memory/2032-361-0x0000000001270000-0x0000000001338000-memory.dmp
memory/996-439-0x0000000000DD0000-0x0000000000EE0000-memory.dmp
memory/996-440-0x00000000047B0000-0x000000000488C000-memory.dmp
memory/996-448-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-446-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-444-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-442-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-441-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-511-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-509-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/1528-691-0x00000000013D0000-0x00000000013DE000-memory.dmp
memory/996-1518-0x0000000000A90000-0x0000000000ADC000-memory.dmp
memory/996-1517-0x00000000009F0000-0x0000000000A48000-memory.dmp
memory/996-507-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-505-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-503-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-501-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-499-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-497-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-495-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-493-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-491-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-489-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-487-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-485-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-483-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-481-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-479-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-477-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-475-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-473-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/996-469-0x00000000047B0000-0x0000000004886000-memory.dmp
memory/2000-1523-0x00000000069F0000-0x0000000006D4C000-memory.dmp
memory/2612-1524-0x0000000001350000-0x00000000016AC000-memory.dmp
memory/2612-1525-0x0000000001350000-0x00000000016AC000-memory.dmp
memory/2612-1526-0x0000000001350000-0x00000000016AC000-memory.dmp
C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe
| MD5 | 7e9aea4310d362cc62c7eef48b9bea7d |
| SHA1 | 0d0f4ba4460f30731da5f5b7a2df5538fc39509c |
| SHA256 | 7ebeecbc8be6ef0639cdfc58a6e7adb22786de3268efbc71a84e2407abf30c0e |
| SHA512 | 7e4a2f2076adebf213e2d86f5e8924924db0f609cabd4e55a4707a293410cad83dd93c3c82a4e93fa9d580454e9e20549c621dbc3b7733081874b99ff747b415 |