Analysis Overview
SHA256
12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
Threat Level: Known bad
The file 4363463463464363463463463.zip.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Xworm
Lumma Stealer, LummaC
Quasar RAT
Xred family
RedLine payload
Lumma family
Quasar family
RedLine
Xworm family
Redline family
Xred
Quasar payload
Detect Xworm Payload
Stealc
Stealc family
Async RAT payload
Modifies Windows Firewall
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
System Network Configuration Discovery: Internet Connection Discovery
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-14 14:47
Signatures
Xred family
Unsigned PE
1 match recorded; no description, indicator, process or target details.
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-14 14:47
Reported
2025-04-14 14:48
Platform
win10v2004-20250410-en
Max time kernel
1s
Max time network
39s
Command Line
Signatures
AsyncRat
Asyncrat family
Detect Xworm Payload
2 matches recorded; no description, indicator, process or target details.
Lumma Stealer, LummaC
Lumma family
Quasar RAT
Quasar family
Quasar payload
11 matches recorded; no description, indicator, process or target details.
RedLine
RedLine payload
2 matches recorded; no description, indicator, process or target details.
Redline family
Stealc
Stealc family
Xred
Xred family
Xworm
Xworm family
Async RAT payload
1 match recorded; no description, indicator, process or target details.
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Files\5hvzv2sl.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
C:\ProgramData\Synaptics\Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\SysWOW64\._cache_Synaptics.exe
"C:\Windows\system32\._cache_Synaptics.exe"
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe"
C:\Windows\SysWOW64\Files\5hvzv2sl.exe
"C:\Windows\System32\Files\5hvzv2sl.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\Files\neon.exe
"C:\Users\Admin\AppData\Local\Temp\Files\neon.exe"
C:\Windows\SysWOW64\Files\built.exe
"C:\Windows\System32\Files\built.exe"
C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RuntimeBroker.exe"
C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe"
C:\Users\Admin\AppData\Roaming\svhost\svhost.exe
"C:\Users\Admin\AppData\Roaming\svhost\svhost.exe"
C:\Windows\SysWOW64\Files\svhost.exe
"C:\Windows\System32\Files\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe"
C:\Windows\SysWOW64\Files\5hvzv2sl.exe
"C:\Windows\SysWOW64\Files\5hvzv2sl.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4344 -ip 4344
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 268
C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1580 -ip 1580
C:\Windows\SysWOW64\Files\zzzz1.exe
"C:\Windows\System32\Files\zzzz1.exe"
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"
C:\Windows\SysWOW64\Files\XClient.exe
"C:\Windows\System32\Files\XClient.exe"
C:\Users\Admin\AppData\Local\Temp\Files\built.exe
"C:\Users\Admin\AppData\Local\Temp\Files\built.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 864
C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe"
C:\Windows\SysWOW64\Files\Java.exe
"C:\Windows\System32\Files\Java.exe"
C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe
"C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe"
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe
"C:\Windows\System32\Files\ScreenConnect.ClientSetup_2.exe"
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\built.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\Files\new1.exe
"C:\Windows\System32\Files\new1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miEYAXhrXYbH.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" ..
C:\Windows\SysWOW64\Files\SemiconductorNot.exe
"C:\Windows\System32\Files\SemiconductorNot.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 464 -ip 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1412
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe ..
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" "C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
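The command lines above are the most actionable part of this report, and a few of them deserve a note before they are turned into detections. The same task name "svhost" is created three times with `/sc ONLOGON /rl HIGHEST /f`, each time pointing at a different dropped binary; because `/f` overwrites an existing task, only the last `/tr` survives. The `schtasks /Change ... /Disable` calls switch off Defender and ExploitGuard maintenance tasks rather than the service itself. `ping -n 10 localhost` is the batch-file idiom for a roughly nine-second sleep and comes from the dropped miEYAXhrXYbH.bat. RegAsm.exe and MSBuild.exe are launched with no arguments at all, which legitimate builds never do and which is the usual sign of a hollowed .NET host. The entries that appear as `C:\Windows\System32\Files\...` on the command line but as `C:\Windows\SysWOW64\Files\...` in the image path are one file, not two: the dropper is 32-bit, so WOW64 file-system redirection sends its System32 writes to SysWOW64. Finally, the `._cache_<name>.exe` copy plus `Synaptics.exe InjUpdate` and the "Synaptics Pointing Device Driver" Run key are the Xred file-infector pattern: the original program is saved under the `._cache_` prefix and executed so the victim sees nothing wrong, while Synaptics.exe persists.

The following rule set turns those observations into a small triage pass over the command lines. It is an added example, not the sandbox vendor's signature logic; the command lines are copied from this report, and the rule labels and the MITRE technique IDs attached to them are my own mapping.

```python
"""Classify the command lines recorded in the Processes section above.

Added example, not part of the sandbox report or any vendor's tooling.
The rule labels and MITRE IDs are my own mapping; the command lines are
copied from the report.
"""
import re
from collections import defaultdict

# Command lines copied from the report's Processes section (subset).
REPORT_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"',
    r'C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe',
    r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
    r'"C:\Windows\System32\Files\5hvzv2sl.exe"',
    r'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe" /rl HIGHEST /f',
    r'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\svhost\svhost.exe" /rl HIGHEST /f',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE',
    r'"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable',
    r'"C:\Windows\system32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable',
    r'ping -n 10 localhost',
    r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding',
]

# Locations a dropper running as the logged-on user can write to (assumption).
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public|temp)\\")
# A 32-bit process writing here actually lands in SysWOW64\Files (WOW64 redirection).
SYS32_FILES = "\\windows\\system32\\files\\"

# (label, predicate over the lower-cased command line)
RULES = [
    ("T1053.005 ONLOGON task with /rl HIGHEST pointing into a user-writable path",
     lambda c: "schtasks" in c and "/create" in c and "/rl highest" in c
               and bool(USER_WRITABLE.search(c))),
    ("T1562.001 Defender/ExploitGuard maintenance task disabled",
     lambda c: "schtasks" in c and "/change" in c and "/disable" in c
               and ("windows defender" in c or "exploitguard" in c)),
    ("T1562.004 firewall exception for a dropped binary",
     lambda c: "netsh" in c and "allowedprogram" in c and bool(USER_WRITABLE.search(c))),
    ("T1497.003 ping to loopback used as a sleep",
     lambda c: bool(re.search(r"\bping\b.*-n\s+\d+\s+(localhost|127\.0\.0\.1)", c))),
    ("T1218.009/T1127.001 RegAsm or MSBuild launched with no arguments",
     lambda c: bool(re.search(r'\\(regasm|msbuild)\.exe"?$', c.strip()))),
    ("Xred marker: Synaptics.exe launched with InjUpdate",
     lambda c: "synaptics.exe" in c and "injupdate" in c),
    ("WOW64 redirection: System32\\Files path from a 32-bit process",
     lambda c: SYS32_FILES in c),
]


def triage(cmdlines=REPORT_CMDLINES):
    """Return {rule label: [matching command lines]}; unmatched lines are left out."""
    hits = defaultdict(list)
    for line in cmdlines:
        low = line.lower()
        for label, pred in RULES:
            if pred(low):
                hits[label].append(line)
    return dict(hits)


def unmatched(cmdlines=REPORT_CMDLINES):
    """Lines no rule explains; they need a human look rather than a verdict."""
    return [l for l in cmdlines if not any(p(l.lower()) for _, p in RULES)]


if __name__ == "__main__":
    for label, lines in triage().items():
        print(f"[{label}]")
        for l in lines:
            print("   ", l)
    print("unmatched:", *unmatched(), sep="\n    ")
```

The three lines left unmatched on this input (the top-level sample, the `cmd.exe /c Synaptics.exe` wrapper and the `EXCEL.EXE /automation -Embedding` launch) are the ones an analyst should read by hand; the rules are deliberately narrow so that a hit means something.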
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | www.teknoarge.com | udp |
| TR | 31.145.124.122:80 | www.teknoarge.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | c0al1t1onmatch.cyou | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pub-9c2fd486dcf0474a8a72d3d50b097614.r2.dev | udp |
| US | 172.66.0.235:443 | pub-9c2fd486dcf0474a8a72d3d50b097614.r2.dev | tcp |
| US | 8.8.8.8:53 | fleez-inc.sbs | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | pull-trucker.sbs | udp |
| US | 8.8.8.8:53 | 3xc1aimbl0w.sbs | udp |
| US | 8.8.8.8:53 | bored-light.sbs | udp |
| US | 8.8.8.8:53 | yzs-42879.portmap.host | udp |
| US | 8.8.8.8:53 | 300snails.sbs | udp |
| US | 8.8.8.8:53 | faintbl0w.sbs | udp |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| US | 8.8.8.8:53 | crib-endanger.sbs | udp |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | starcloc.bet | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | metalsyo.digital | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | ironloxp.live | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | cosmosyf.top | udp |
| US | 8.8.8.8:53 | advennture.top | udp |
| US | 8.8.8.8:53 | esccapewz.run | udp |
| US | 8.8.8.8:53 | targett.top | udp |
| US | 8.8.8.8:53 | travewlio.shop | udp |
| US | 8.8.8.8:53 | spacedbv.world | udp |
| US | 8.8.8.8:53 | galxnetb.today | udp |
| US | 8.8.8.8:53 | touvrlane.bet | udp |
| US | 8.8.8.8:53 | sighbtseeing.shop | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 47.90.142.15:80 | 47.90.142.15 | tcp |
| US | 8.8.8.8:53 | holidamyup.today | udp |
| TR | 31.145.124.122:80 | www.teknoarge.com | tcp |
| US | 8.8.8.8:53 | triplooqp.world | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| DK | 46.29.235.45:80 | 46.29.235.45 | tcp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | storage.soowim.co.kr | udp |
| KR | 210.216.165.152:443 | storage.soowim.co.kr | tcp |
| GB | 20.26.156.215:80 | github.com | tcp |
| US | 44.193.202.139:443 | N/A | tcp |
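Reading the network table needs two distinctions the flat layout hides. First, a UDP row to 8.8.8.8:53 is only a lookup; most of the .sbs/.top/.shop/.cyou names above were resolved and never connected to, which is what a stealer cycling through a hard-coded domain list looks like when most of the list is already dead. Second, several of the hosts that did get a TCP connection are legitimate services (github.com, raw/objects.githubusercontent.com, the r2.dev bucket, urlhaus.abuse.ch) that the loader uses as payload sources; blocking those hostnames would break real traffic, so hunt on the full URL or the downloaded file hash instead. What is worth lifting straight into a hunt list: the direct-to-IP HTTP connections (185.215.113.209, 185.215.113.16, 47.90.142.15, 46.29.235.45), the port 820 connection to ftp.ywxww.net, the portmap.host subdomain (a port-forwarding service that hides the operator's real address), and the resolved-only domains. Profile pages on steamcommunity.com and t.me are commonly used as dead-drop resolvers that point to the live C2 (T1102.001); they are suspicious in this context but not blockable hosts.

The script below applies exactly that split to the table. It is an added example, not part of the report or the sandbox's own post-processing; the rows are a subset copied from the table above (with the two malformed rows normalised), and the DEAD_DROP_HOSTS and TUNNEL_SUFFIXES lists are my own assumptions about what deserves a flag.

```python
"""Split the sandbox Network table into resolved-only names and real
connections, then pull out the indicators worth hunting on.

Added example, not part of the report. NETWORK_ROWS is a subset copied
from the report's Network table; the category names, DEAD_DROP_HOSTS
and TUNNEL_SUFFIXES are my own assumptions.
"""
import ipaddress
import re
from collections import defaultdict

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 185.215.113.209:80 | 185.215.113.209 | tcp |
| US | 8.8.8.8:53 | c0al1t1onmatch.cyou | udp |
| US | 8.8.8.8:53 | thicktoys.sbs | udp |
| US | 8.8.8.8:53 | yzs-42879.portmap.host | udp |
| US | 8.8.8.8:53 | ftp.ywxww.net | udp |
| CN | 60.191.208.187:820 | ftp.ywxww.net | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 2.22.96.50:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 44.193.202.139:443 | N/A | tcp |
"""

ROW = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")

RESOLVERS = {"8.8.8.8"}                            # the sandbox's DNS server
DEAD_DROP_HOSTS = {"steamcommunity.com", "t.me"}   # profile pages abused as C2 pointers
TUNNEL_SUFFIXES = (".portmap.host",)               # port-forwarding service in front of the real C2


def parse_rows(text=NETWORK_ROWS):
    """Turn the markdown rows into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cc, dst, domain, proto = m.groups()
        ip, port = dst.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def summarize(rows):
    resolved, connected = set(), defaultdict(set)
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue                                   # mDNS chatter, not the sample
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            resolved.add(r["domain"])                  # a lookup, not a connection
            continue
        key = r["domain"] if r["domain"] != "N/A" else r["ip"]
        connected[key].add((r["ip"], r["port"], r["proto"]))
    seen = resolved | set(connected)
    return {
        "resolved_only": sorted(resolved - set(connected)),
        "direct_ip": sorted(k for k in connected if _is_ip(k)),
        "nonstandard_ports": sorted((k, p) for k, v in connected.items()
                                    for _, p, proto in v if proto == "tcp" and p not in (80, 443)),
        "dead_drop": sorted(k for k in connected if k in DEAD_DROP_HOSTS),
        "tunnel": sorted(d for d in seen if d.endswith(TUNNEL_SUFFIXES)),
    }


def defang(indicator):
    return indicator.replace(".", "[.]")


def hunt_list(summary):
    """Hosts to search for in DNS/proxy logs, defanged for sharing."""
    hosts = set(summary["resolved_only"]) | set(summary["direct_ip"]) | set(summary["tunnel"])
    hosts |= {h for h, _ in summary["nonstandard_ports"]}
    return sorted(defang(h) for h in hosts)


if __name__ == "__main__":
    s = summarize(parse_rows())
    for k, v in s.items():
        print(f"{k}: {v}")
    print("hunt:", hunt_list(s))
```

`hunt_list` deliberately leaves out the dead-drop hosts and the legitimate download sources; those belong in a hunt query that keys on URL path or file hash, not in a hostname blocklist.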
Files
memory/4440-0-0x0000000000790000-0x0000000000791000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe
| MD5 | 2a94f3960c58c6e70826495f76d00b85 |
| SHA1 | e2a1a5641295f5ebf01a37ac1c170ac0814bb71a |
| SHA256 | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce |
| SHA512 | fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 85e3d4ac5a6ef32fb93764c090ef32b7 |
| SHA1 | adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52 |
| SHA256 | 4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1 |
| SHA512 | a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab |
memory/4440-128-0x0000000000400000-0x00000000004C5000-memory.dmp
memory/2052-130-0x0000000000670000-0x0000000000671000-memory.dmp
memory/2828-129-0x000000007301E000-0x000000007301F000-memory.dmp
memory/2828-134-0x0000000000040000-0x0000000000048000-memory.dmp
memory/2828-137-0x0000000004890000-0x000000000492C000-memory.dmp
memory/4244-252-0x0000000000400000-0x00000000004C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
| MD5 | 29a37b6532a7acefa7580b826f23f6dd |
| SHA1 | a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f |
| SHA256 | 7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69 |
| SHA512 | a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818 |
C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe
| MD5 | e3cfe28100238a1001c8cca4af39c574 |
| SHA1 | 9b80ea180a8f4cec6f787b6b57e51dc10e740f75 |
| SHA256 | 78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12 |
| SHA512 | 511e8a150d6539f555470367933e5f35b00d129d3ed3e97954da57f402d18711dfc86c93acc26f5c2b1b18bd554b8ea4af1ad541cd2564b793acc65251757324 |
memory/3540-275-0x00000000009E0000-0x0000000000A64000-memory.dmp
C:\Windows\SysWOW64\Files\5hvzv2sl.exe
| MD5 | cc3381bd320d2a249405b46982abe611 |
| SHA1 | 32a5bc854726c829da2fbaed02ff8d41ea55e432 |
| SHA256 | 781e958b54a63ef673857bfe9c0a5992eb44b06f15d5499f8e35e44b1e1c868c |
| SHA512 | 73c95936748b9edf103c28d558d885bfee070efc18d318581fb1723769a15bb642976bdfb93b36a0b68d869538e0ee3c1936d613240bf29d3ff64dbb3d20e2e4 |
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
| MD5 | ffc2637acde7b6db1823a2b3304a6c6c |
| SHA1 | 8eac6fb5415f9338b1b131c42ed15ea70da22096 |
| SHA256 | 35efc0520b78a1b413afee5dbe5d8b0674eea2acfc7d943de70a99b5b2fd92ef |
| SHA512 | 3f9f0182d69b66ea6168717f8e7239a0726066e011be1983da874f76ee308e67ef55cd08a2d8990cd9e4a663bbbbf56c3445275d72e8330255b3d0dd3b98859a |
memory/4480-294-0x00000000007C0000-0x00000000007E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\neon.exe
| MD5 | b3fd0e1003b1cd38402b6d32829f6135 |
| SHA1 | c9cedd6322fb83457f56b64b4624b07e2786f702 |
| SHA256 | e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31 |
| SHA512 | 04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1 |
C:\Windows\SysWOW64\Files\built.exe
| MD5 | a813f565b05ee9df7e5db8dbbcc0fa43 |
| SHA1 | f508e738705163233b29ba54f4cb5ec4583d8df1 |
| SHA256 | ba59fb813ff718db8a17c4e5d244793d2199383969843ad31d09727b5e5ff156 |
| SHA512 | adb431c372c2e1d0f6019bedefe16a2253fcf76929ba7e2b9f9cc7a253137920615121a1a64f7003a43f39e8b17ace233daca32b2933b6953aa6cf558b834e2e |
memory/3428-316-0x0000000000860000-0x0000000000BDC000-memory.dmp
memory/1848-331-0x0000000000140000-0x0000000000464000-memory.dmp
memory/1764-359-0x00000000005D0000-0x00000000008F4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\Files\CnyvVl.exe
| MD5 | c3555ffa261822a6b1d04314c5370151 |
| SHA1 | b497c402641ee805e0e8aeae3e6d0600dc40a91d |
| SHA256 | a8b4fb8e5e17df94c0caa0118382f193ec0fa63703b14d0efc12317f7b80f4ce |
| SHA512 | d1c9471d10e795390347e26de3440ac85f6d9ce82c2dbe451917d9ae3e6d9bc1273b8a2a465df1d9fe678fa586dc4a8864378d1d2dfd85b6bfdcdab5810f65a5 |
memory/3272-379-0x0000000000400000-0x000000000045F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\RMS1.exe
| MD5 | 03b1ed4c105e5f473357dad1df17cf98 |
| SHA1 | faf5046ff19eafd3a59dcf85be30496f90b5b6b1 |
| SHA256 | 6be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba |
| SHA512 | 3f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765 |
memory/4064-389-0x00000227B2DD0000-0x00000227B2F30000-memory.dmp
memory/4064-391-0x00000227CD500000-0x00000227CD62A000-memory.dmp
memory/1580-399-0x0000000000FD0000-0x0000000000FFE000-memory.dmp
memory/4064-397-0x00000227CD630000-0x00000227CD75C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\alex1dskfmdsf.exe
| MD5 | 3928c62b67fc0d7c1fb6bcce3b6a8d46 |
| SHA1 | e843b7b7524a46a273267a86e320c98bc09e6d44 |
| SHA256 | 630e00afe98ad4c1db391b74a84b7822a3abb3867a34f2ba163a8bf26d8d4397 |
| SHA512 | 1884b125c89e32b6e5924e87ad9af827ae7e950ac80411e00a58c465eed88060af72142f9c512e0323e1ade46061f56a5247351e1c1d5e268f2ba35b5e447857 |
memory/4064-462-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-469-0x00000227CD630000-0x00000227CD755000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
| MD5 | e78239a5b0223499bed12a752b893cad |
| SHA1 | a429b46db791f433180ae4993ebb656d2f9393a4 |
| SHA256 | 80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89 |
| SHA512 | cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc |
C:\Windows\SysWOW64\Files\zzzz1.exe
| MD5 | 36a627b26fae167e6009b4950ff15805 |
| SHA1 | f3cb255ab3a524ee05c8bab7b4c01c202906b801 |
| SHA256 | a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a |
| SHA512 | 2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094 |
memory/2052-927-0x0000000000670000-0x0000000000671000-memory.dmp
memory/5620-929-0x00000000008D0000-0x0000000000B13000-memory.dmp
memory/2828-926-0x000000007301E000-0x000000007301F000-memory.dmp
C:\Windows\SysWOW64\Files\XClient.exe
| MD5 | 5e667ea0d9c2c150967220e306fb148c |
| SHA1 | 772d22ffda2f5ae055cc39f5f3b7f2ce41c9c7c5 |
| SHA256 | ec0cef1c54254ab00469ec1d4884765e886f23ebeae6d7d84929e27a47492a00 |
| SHA512 | f575199a3ba2667b3872d6a96da29fd68c7026deb12a837c24f2e419f041a4fed0ba01f531403f7191eb12dc69329c279029db31dd738b488ed271410254eebb |
memory/5656-1048-0x0000000000E10000-0x0000000000E1E000-memory.dmp
memory/5212-1559-0x0000029AAC780000-0x0000029AAC79A000-memory.dmp
C:\Windows\SysWOW64\Files\Java.exe
| MD5 | f29f701e76e3a435acdd474a41fa60ba |
| SHA1 | 10f06b6fc259131d8b6a5423972a1e55b62ce478 |
| SHA256 | 9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba |
| SHA512 | 0d5088f4f685b6d29edec7cc7e8bfe7c594fa6b3fde2a6b11ee977455d6fe088e04e899203171ff519cf9d2b5a78231f3650774cc17824219f43f947d13a86e9 |
C:\Users\Admin\AppData\Local\Temp\Files\legendarik.exe
| MD5 | 2a3fbf508bbf6c77fb9138e6bdc0c114 |
| SHA1 | 8de41763cb3b5011ef1bb611fc258184b24ca258 |
| SHA256 | b87944aaa06658715496841be98f0f4791165f2d0d2a85267bf5fc80ef59f74f |
| SHA512 | ed5cc3d07923986cc2751d1e5d833fc2a83de70fb68926378b9dbb0d83506ca7af39ce3a9bc46461c96bf5c2a35c04e106d56296b0d010a64a6c128057a9c84a |
memory/5620-1558-0x00000000008D0000-0x0000000000B13000-memory.dmp
memory/5212-1478-0x0000029AAC260000-0x0000029AAC3B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\BruterV3.1.exe
| MD5 | db0cc4d2477eb4d4b059fb95f23241de |
| SHA1 | 71b57e79039c10a01c5aee3b11c6c9305de82b40 |
| SHA256 | 2387adbe7709475fee04203bc8209488de4235b222c9683fcf7143001858648b |
| SHA512 | 0f6924b07e28264f8cc9454f62cf4a88c909e65fa6e3a2ee119cfb7a5e531e6363fd1e2ce0e61bc6b1fb6fd3eef9d79b0aeba832175105d0dc98560d6facdbd8 |
memory/5964-1569-0x0000000000C20000-0x0000000000F6E000-memory.dmp
memory/3788-1596-0x000000001C910000-0x000000001C9C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe
| MD5 | a284b850e82b0fdaeea4159e23763216 |
| SHA1 | bbc1771b39431e8b091a220a07e7767b53e9f49a |
| SHA256 | ff65fa5e209c564630a51be481c4b9950465f675a72ed3d32e66b9d6edac0a33 |
| SHA512 | c2a401a2e93694a2c1b2052de0c48a07e56bca2e649fba69de02f0775af5ddc9b5f7afa167234e9af39d373ee2b1102c8ac48a8f50f60b1f11d03b222a378a0b |
C:\Windows\SysWOW64\Files\ScreenConnect.ClientSetup_2.exe
| MD5 | 657d75be7f740e2dbbd6a6f0d7e9de58 |
| SHA1 | c2f3afc9f9eecd893526e945442895643192edbb |
| SHA256 | e118bad38fc36b21633207e9b13a2e777cd4365c421256de69b03b9adf38c57f |
| SHA512 | 05d1f167c991eb0d616afef080e603e1b2985c75e3f1a1dcde560e3b6b4c3e22fd7ab56df9ba2041e6a21ab62c3c67072f0b7fa180cc2b9fbf82735a3dab6bd5 |
memory/464-1657-0x0000000005920000-0x0000000005EC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
| MD5 | af2379cc4d607a45ac44d62135fb7015 |
| SHA1 | 39b6d40906c7f7f080e6befa93324dddadcbd9fa |
| SHA256 | 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739 |
| SHA512 | 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99 |
memory/5568-1671-0x000000001B2F0000-0x000000001B312000-memory.dmp
C:\Windows\SysWOW64\Files\new1.exe
| MD5 | b5e07492b13633eacab4b4f57853b439 |
| SHA1 | 673f25d3b8ca435846dc04eabf6f5b412d9e7ed5 |
| SHA256 | d86a4ac9ab81a74a638e659821fd1d76d9b240d2a4e9fd1dc25c387d356d9828 |
| SHA512 | cc555116a570db59dfae1beb8587ecda1a25f520bc7aa45423a276a56ab89d21c84cb60df336dc114e388760798399451f1431a9e290b2b4a4d078164bdab999 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3mivo1o.4z5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/464-1656-0x0000000004E80000-0x000000000502A000-memory.dmp
memory/464-1655-0x0000000004D40000-0x0000000004D62000-memory.dmp
memory/464-1652-0x0000000004CB0000-0x0000000004D3C000-memory.dmp
memory/464-1651-0x0000000005080000-0x0000000005370000-memory.dmp
memory/464-1650-0x0000000000DE0000-0x0000000000DE8000-memory.dmp
memory/5568-1639-0x0000000000880000-0x00000000008BA000-memory.dmp
memory/3788-1595-0x000000001C800000-0x000000001C850000-memory.dmp
memory/4064-1567-0x00000227B4C00000-0x00000227B4C4C000-memory.dmp
memory/4064-1566-0x00000227CD760000-0x00000227CD804000-memory.dmp
memory/4064-466-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-464-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-460-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-458-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-457-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-454-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-450-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-449-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-446-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-444-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-440-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-438-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-435-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-452-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-442-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-433-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-431-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-430-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-426-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-424-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-421-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-418-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-416-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-414-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-410-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-408-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-407-0x00000227CD630000-0x00000227CD755000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe
| MD5 | f4da021b8bc9d8ef1ff9ce30b0ab3b79 |
| SHA1 | 998a833c28617bf3e215fe7a8c3552972da36851 |
| SHA256 | b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545 |
| SHA512 | 77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c |
memory/4064-422-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/4064-412-0x00000227CD630000-0x00000227CD755000-memory.dmp
memory/3272-377-0x0000000000400000-0x000000000045F000-memory.dmp
memory/1832-354-0x0000000000980000-0x000000000099E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Files\Krishna33.exe
| MD5 | 1ebef0766160be26918574b1645c1848 |
| SHA1 | c30739eeecb96079bcf6d4f40c94e35abb230e34 |
| SHA256 | 3e664b59ba376749eb9b596b6499bf7edcec5d34382ead80964f9fe92a4c3c83 |
| SHA512 | 01c42bb22a92543a3408c6f420593443357a53915937341b5eaf8563ee775dbdeba7af38e2df9c9cf249a512a5a42c65c4c4d39d100e8a4143e58fd235b85951 |
memory/3428-341-0x00000000236F0000-0x000000002378E000-memory.dmp
memory/3644-1687-0x00000000006C0000-0x0000000000712000-memory.dmp
memory/3644-1689-0x0000000004FE0000-0x0000000005072000-memory.dmp
memory/3644-1690-0x0000000005170000-0x000000000517A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp9D98.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3644-1709-0x0000000005C20000-0x0000000005C96000-memory.dmp
C:\Windows\SysWOW64\Files\SemiconductorNot.exe
| MD5 | 7adfc6a2e7a5daa59d291b6e434a59f3 |
| SHA1 | e21ef8be7b78912bed36121404270e5597a3fe25 |
| SHA256 | fbb957b3e36ba1dda0b65986117fd8555041d747810a100b47da4a90a1dfd693 |
| SHA512 | 30f56bd75fe83e8fb60a816c1a0322bc686863d7ab17a763fff977a88f5582c356b4fcfe7c0c9e3e5925bfee7fc44e4ea8b96f82a011ed5e7cd236253187181b |
C:\Users\Admin\AppData\Local\Temp\miEYAXhrXYbH.bat
| MD5 | f3983c33931dc4c5373087893287e05f |
| SHA1 | 09962696efbe01b6ce16a4d1f57838173fabffe3 |
| SHA256 | d8ada4b9c2f5f84aeb9d2d717aca56591f73b2ccdd9740bf95caf9f5fea52677 |
| SHA512 | 9b8324266a95e3bd5611de99d378562af2e2822c40ed099868e76786b5cb9101e515a8967acfa5f3a8e8b9ef519215fc5d897134297b369a8d107b80aab4bd60 |
memory/3644-1712-0x0000000006410000-0x000000000642E000-memory.dmp
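The file names in this list are chosen to survive a glance at Task Manager: `svhost.exe` and `svchosd.exe` are each one edit away from `svchost.exe`, `RuntimeBroker.exe` sits under Roaming\Temp instead of System32, and `Java.exe` and `5hvzv2sl.exe` are staged in a `Files` subfolder of the system directory that Windows never creates (T1036.005). The names will change in the next build; the SHA256 values and the path patterns are what carry over. The script below runs that masquerading audit over the dropped files and builds the hash set from them. It is an added example, not part of the report; the (path, SHA256) pairs are a subset copied from the Files section, and KNOWN_SYSTEM_NAMES and the reason strings are my own assumptions.

```python
"""Audit dropped-file paths for name masquerading and build a hash set.

Added example, not part of the report. FILES is a subset of the Files
section above; KNOWN_SYSTEM_NAMES and the reason strings are assumptions.
"""
import ntpath   # Windows path semantics regardless of the host OS

FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\._cache_4363463463464363463463463.exe",
     "2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce"),
    (r"C:\ProgramData\Synaptics\Synaptics.exe",
     "4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1"),
    (r"C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe",
     "7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69"),
    (r"C:\Users\Admin\AppData\Local\Temp\Files\svhost.exe",
     "78f9c811e589ff1f25d363080ce8d338fa68f6d2a220b1dd0360e799bbc17a12"),
    (r"C:\Windows\SysWOW64\Files\5hvzv2sl.exe",
     "781e958b54a63ef673857bfe9c0a5992eb44b06f15d5499f8e35e44b1e1c868c"),
    (r"C:\Windows\SysWOW64\Files\Java.exe",
     "9cd175451c10b5f9e2dc3987f986b33a0a35294d47826dfde104171e65b84fba"),
    (r"C:\Users\Admin\AppData\Local\Temp\Files\svchosd.exe",
     "ff65fa5e209c564630a51be481c4b9950465f675a72ed3d32e66b9d6edac0a33"),
    (r"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe",
     "b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545"),
]

# Binaries that only legitimately live in the system directory (assumed list).
KNOWN_SYSTEM_NAMES = {"svchost.exe", "runtimebroker.exe", "explorer.exe", "lsass.exe",
                      "csrss.exe", "winlogon.exe", "conhost.exe", "dllhost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def levenshtein(a, b):
    """Edit distance; one edit from a system binary name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_path(path):
    """Return the list of masquerading reasons for one dropped path."""
    reasons = []
    base = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if base.startswith("._cache_"):
        reasons.append("Xred '._cache_' copy of the original host program")
    if base in KNOWN_SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append(f"system binary name {base} outside the system directory")
    for known in KNOWN_SYSTEM_NAMES:
        if base != known and levenshtein(base, known) == 1:
            reasons.append(f"lookalike of {known}")
    if folder.startswith(SYSTEM_DIRS) and folder not in SYSTEM_DIRS:
        reasons.append("executable staged in a subfolder of the system directory")
    return reasons


def audit(entries=FILES):
    return {path: audit_path(path) for path, _ in entries}


def hash_set(entries=FILES):
    """SHA256 -> path, de-duplicated; the portable IOC set from this report."""
    return {sha.lower(): path for path, sha in entries}


if __name__ == "__main__":
    for path, reasons in audit().items():
        print(path, "->", reasons or "no flag")
    print(len(hash_set()), "unique SHA256 values")
```

Both `NJRat.exe` and `Synaptics.exe` come back unflagged, which is the point: a name audit catches impersonation, not maliciousness, and the hash set is what covers the rest.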