Malware Analysis Report

2025-05-05 21:50

Sample ID 250414-r5wkfaz1hy
Target 4363463463464363463463463.zip.zip
SHA256 12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
Tags
xred asyncrat lumma quasar redline stealc xworm bruterv3 default java nigga office04 svhost backdoor defense_evasion discovery infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview


Threat Level: Known bad

The file 4363463463464363463463463.zip.zip was found to be: Known bad.

Malicious Activity Summary

AsyncRat

Asyncrat family

Xworm

Lumma Stealer, LummaC

Quasar RAT

Xred family

RedLine payload

Lumma family

Quasar family

RedLine

Xworm family

Redline family

Xred

Quasar payload

Detect Xworm Payload

Stealc

Stealc family

Async RAT payload

Modifies Windows Firewall

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

System Network Configuration Discovery: Internet Connection Discovery

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-14 14:47

Signatures

Xred family

xred

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-14 14:47

Reported

2025-04-14 14:48

Platform

win10v2004-20250410-en

Max time kernel

1s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

RedLine

infostealer redline

RedLine payload

Redline family

redline

Stealc

stealer stealc

Stealc family

stealc

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat

Downloads MZ/PE file

Modifies Windows Firewall

defense_evasion
Process: C:\Windows\SysWOW64\netsh.exe

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Process: C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2

Indicator: raw.githubusercontent.com (four separate hits recorded)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
C:\ProgramData\Synaptics\Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
C:\ProgramData\Synaptics\Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery

discovery
Process: C:\Windows\system32\PING.EXE

Modifies registry class

Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process: C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

Runs ping.exe

Process: C:\Windows\system32\PING.EXE

Scheduled Task/Job: Scheduled Task

persistence execution
Process: C:\Windows\SYSTEM32\schtasks.exe (three invocations recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\._cache_Synaptics.exe

"C:\Windows\system32\._cache_Synaptics.exe"

C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

"C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe"

C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"

C:\Windows\SysWOW64\Files\5hvzv2sl.exe

"C:\Windows\System32\Files\5hvzv2sl.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\Files\neon.exe

"C:\Users\Admin\AppData\Local\Temp\Files\neon.exe"

C:\Windows\SysWOW64\Files\built.exe

"C:\Windows\System32\Files\built.exe"

C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe

"C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"

C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe

"C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe"

C:\Users\Admin\AppData\Roaming\svhost\svhost.exe

"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"

C:\Windows\SysWOW64\Files\svhost.exe

"C:\Windows\System32\Files\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe

"C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"

C:\Windows\SysWOW64\Files\5hvzv2sl.exe

"C:\Windows\SysWOW64\Files\5hvzv2sl.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4344 -ip 4344

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe

"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 268

C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe

"C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1580 -ip 1580

C:\Windows\SysWOW64\Files\zzzz1.exe

"C:\Windows\System32\Files\zzzz1.exe"

C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe

"C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"

C:\Windows\SysWOW64\Files\XClient.exe

"C:\Windows\System32\Files\XClient.exe"

C:\Users\Admin\AppData\Local\Temp\Files\built.exe

"C:\Users\Admin\AppData\Local\Temp\Files\built.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 864

C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe

"C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe"

C:\Windows\SysWOW64\Files\Java.exe

"C:\Windows\System32\Files\Java.exe"

C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe

"C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe

"C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe

"C:\Windows\System32\Files\ScreenConnect.ClientSetup_2.exe"

C:\Users\Admin\AppData\Local\Temp\Files\file.exe

"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\built.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\Files\new1.exe

"C:\Windows\System32\Files\new1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miEYAXhrXYbH.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..

C:\Windows\SysWOW64\Files\SemiconductorNot.exe

"C:\Windows\System32\Files\SemiconductorNot.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 464 -ip 464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1412

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

Network


Files
