Malware Analysis Report

2025-08-05 13:59

Sample ID 210515-qkr25je8kx
Target ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe
SHA256 ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786
Tags
cryptbot spyware stealer danabot 3 banker discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
    Enterprise Matrix V6

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759fd20c9cf44693abf786

Threat Level: Known bad

The file ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot spyware stealer danabot 3 banker discovery trojan

CryptBot Payload

Danabot

CryptBot

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-05-15 11:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-05-15 11:01

Reported

2021-05-15 11:04

Platform

win7v20210410

Max time kernel

123s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Network

Country | Destination | Domain | Proto
N/A | 74.125.34.46:80 | | tcp

Files

memory/1864-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

memory/1864-61-0x0000000001CF0000-0x0000000001DD1000-memory.dmp

memory/1864-62-0x0000000000400000-0x00000000004E5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-05-15 11:01

Reported

2021-05-15 11:05

Platform

win10v20210410

Max time kernel

122s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Danabot

trojan banker danabot

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A

Downloads MZ/PE file

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | N/A
File created | C:\Program Files (x86)\foler\olader\acledit.dll | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | N/A
File created | C:\Program Files (x86)\foler\olader\acppage.dll | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A

Delays execution with timeout.exe

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | N/A

Modifies system certificate store

evasion spyware trojan

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Windows\SysWOW64\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Windows\SysWOW64\WScript.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3952 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe
PID 2212 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe
PID 2212 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe
PID 2820 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
PID 2820 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
PID 2820 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
PID 2820 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
PID 2820 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
PID 2820 wrote to memory of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
PID 3368 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe | C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe | C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 808 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 1168 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1168 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1168 wrote to memory of 3164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1168 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 1168 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 1168 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 3952 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe | C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 2324 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 2324 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com
PID 1168 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1168 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1168 wrote to memory of 4052 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2784 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2784 wrote to memory of 1812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 3644 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 3644 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 3644 wrote to memory of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 1912 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe
PID 1912 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe
PID 1912 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe
PID 1912 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 1912 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 1912 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 1828 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1828 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2172 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\RUNDLL32.EXE
PID 2172 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\RUNDLL32.EXE
PID 2172 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\RUNDLL32.EXE
PID 2088 wrote to memory of 3548 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3548 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 3548 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1912 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 1912 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 1912 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com | C:\Windows\SysWOW64\WScript.exe
PID 2088 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2940 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\nslookup.exe
PID 2940 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\nslookup.exe
PID 2940 wrote to memory of 2824 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\nslookup.exe
PID 2088 wrote to memory of 3172 | N/A | C:\Windows\SysWOW64\RUNDLL32.EXE | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe

"C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"

C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe

"C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe"

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fra.potx

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^xYCLcQIeccmBAtQnxVUeRSreWyTMvLWXTwOpHrhwlUygNwRbGwNkoTUBVAOfXVFJmCHnfGQsISSXNOgVgvuxYKOqujgigXtggvPkzaiZlvDfwXOukTwBPlLPNHsraIeLOEJd$" Ritroverai.potx

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com

Volgendosi.exe.com n

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ba15de0f65e1d9b9d7ed54603aed434676f2f0c8eb759.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com n

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe

"C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\apbtwts.vbs"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.EXE

C:\Windows\SysWOW64\RUNDLL32.EXE

C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL,iy9cfI0=

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp.ps1"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nnghiomc.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4827.tmp.ps1"

C:\Windows\SysWOW64\nslookup.exe

"C:\Windows\system32\nslookup.exe" -type=any localhost

C:\Windows\SysWOW64\schtasks.exe

schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | remmzp62.top | udp
N/A | 34.86.24.123:80 | remmzp62.top | tcp
N/A | 8.8.8.8:53 | mortlk06.top | udp
N/A | 35.233.146.63:80 | mortlk06.top | tcp
N/A | 8.8.8.8:53 | sullok09.top | udp
N/A | 35.245.17.142:80 | sullok09.top | tcp
N/A | 35.245.17.142:80 | sullok09.top | tcp
N/A | 8.8.8.8:53 | rLqbLqtHCzSBvhbiody.rLqbLqtHCzSBvhbiody | udp
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 8.8.8.8:53 | 2no.co | udp
N/A | 88.99.66.31:443 | 2no.co | tcp
N/A | 8.8.8.8:53 | sosoprojects.com | udp
N/A | 45.91.67.130:80 | sosoprojects.com | tcp
N/A | 198.23.140.71:80 | 198.23.140.71 | tcp
N/A | 184.95.51.183:443 | | tcp
N/A | 8.8.8.8:53 | iplogger.org | udp
N/A | 88.99.66.31:443 | iplogger.org | tcp
N/A | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
N/A | 8.8.8.8:53 | localhost | udp

Files

memory/3952-114-0x0000000002330000-0x0000000002411000-memory.dmp

memory/3952-115-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/2212-116-0x0000000000000000-mapping.dmp

memory/2820-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qQnFXaF.exe

MD5 4c8e98ff5c684a1b7270aef80ffe1f2c
SHA1 241a8c10832fc7821adb0f8f12674aba7b1aa279
SHA256 5d5f4989d6eb10511ed56ebd24355743e88c6de579adc693a726346d7d8311f1
SHA512 2cbda93cba5770915c5cdad436da81526c81be8b2eeb8dd5e97b78e6b6f004037790df82c84a7f63fa124e813928b722cd1e427ff2d1cd87767bcf9257c04150

\Users\Admin\AppData\Local\Temp\nst6A2A.tmp\UAC.dll

MD5 adb29e6b186daa765dc750128649b63d
SHA1 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512 b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

memory/3368-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe

MD5 650492c6b78a97af3268ddc6d1ebeb7f
SHA1 0260cce8d542dafb87fe198bf10cb92c272b8ede
SHA256 48e7fd120053da955816df02970362769adfefe0fb530d3ff27e769abb62dc4b
SHA512 437f807bca05345ed3f4ebb071ba54c9f8151d1500ea7dbb866da6d477cb3ca467fea7f3242e0f85ba91e8bc623b85271cfb282cadd2db836bffa34add8f360d

memory/3644-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe

MD5 91eca96fc7e06b3a452499f2026a9000
SHA1 127f11bdb42316610d75a810a1c3fefcfb6c893d
SHA256 053df8d8584145338d3aa64dc05114198bf0de7b5e0615dd0959ec871b63745a
SHA512 9c70e0616692f8b5120355018d99b6da6dc5dce7d8b002f84542a02b228d26ffd6bc14c8c101822b260dbf9e43f079390dd4689c55d4151e95773a5fa8fa7bee

memory/808-127-0x0000000000000000-mapping.dmp

memory/1168-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fra.potx

MD5 22c62352b3738e3987a30e1f4f8c8a84
SHA1 cc8eb25d1d5f39c0c5355f0f0bc64c161e1ab60d
SHA256 49193a3b42985da49e324f4f8171f9fb80464655e93997c2de28d0bc8ee9ed73
SHA512 363295738a4c24b64055ab55ab25f85d088f5b00037d9ce1673024814e683f90faa439597b9cd8cc12aa5f9ec5b0ec08fcbb705b2959115974e3e55c7b780ec8

memory/3164-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ritroverai.potx

MD5 cb7b7737298e386be31e4e775f92b793
SHA1 3d230dc9e20a40d8acd0a55063a0a88e85b290d5
SHA256 6c67538f0efbb58dc3fac7de03ea12df425dee5ddca15b1591c1b95fc9ac0e34
SHA512 b32a9c26b0db5a3e60501adbc7f92f2a93d00924ab4c6e843d97e2dd08f530a75fcef191755d26fb7859e80e0ea173fcbf1994bd1fd88f7cd4a81dba26cd913c

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dipinte.potx

MD5 4a05c14d3353106911ee0deac21d8320
SHA1 8116b73ae3e7665573e45049ba8b941fa01af222
SHA256 d34295177f23a126fc23d2571ca3536597150edb79813db266f2830b32ef5b9f
SHA512 b0df0d01c1cf58128079ec4c563a6d50e2c33d7aa745c8d4e8dc04c74cfb3fd8cd86dfc085abfba5be18113c5b7a145865de2c2a43261958cc028a8477643873

memory/2324-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\n

MD5 4a05c14d3353106911ee0deac21d8320
SHA1 8116b73ae3e7665573e45049ba8b941fa01af222
SHA256 d34295177f23a126fc23d2571ca3536597150edb79813db266f2830b32ef5b9f
SHA512 b0df0d01c1cf58128079ec4c563a6d50e2c33d7aa745c8d4e8dc04c74cfb3fd8cd86dfc085abfba5be18113c5b7a145865de2c2a43261958cc028a8477643873

memory/2784-135-0x0000000000000000-mapping.dmp

memory/1912-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tal.potx

MD5 baa5b1e481082092d8200e97f9073142
SHA1 0b16551e3e59842138b5a42d888566c98ecc5ed5
SHA256 f56c36c2b52d321274a76ef1bd2ce9e1129e66dd6b23927c144155dc6d583c27
SHA512 682d0d5a6ff154e40d1074a23569e3941eabefc7f5775589042c8110b30b79bec12399762df401fa5799765fe131987decf4fe3e9290f2a83cbfddc545e250cb

memory/4052-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\files_\files\CONNEC~1.TXT

MD5 cee1f05e82b5770c7a9ea5eeca8fa67a
SHA1 34cfefdf3e01f3f8f2de83e863b2412a413f02c0
SHA256 b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893
SHA512 28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\_Files\_Files\CONNEC~1.TXT

MD5 cee1f05e82b5770c7a9ea5eeca8fa67a
SHA1 34cfefdf3e01f3f8f2de83e863b2412a413f02c0
SHA256 b74369130503d82230586dc2b9c43e471dd057b2db880bc3ae7ea8d99365d893
SHA512 28a6093d3fb70862650fe311fcb961cae33a90de1d8beaef4981b8b70bac5342200e63d9c453815d36c88d32a7d29220d2583fb7d05d8a66813bde89ee979ae4

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\LXDDPF~1.ZIP

MD5 ea3163a4c55c9b5cd2daf666a24085ce
SHA1 664c6b70491bb2b02f278838147cd5486ba5e702
SHA256 10f9bec8295ffbf158e86d7f57f69d4718c7ae402117949d07b32f8215ffef99
SHA512 ed6737e0f4c88e72b553f20af67e4874c7b64204e9f68b540c88d9a7f1a090c94ffc7c23efe2f56669e651cb7c95dda99cabdc2699448cd20075cb2b5b622631

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\IOZOWB~1.ZIP

MD5 c9e96130a397443f35eeb371c85cc4c7
SHA1 9d5c6bc9303ea7d188a53623e19764c648a6abc2
SHA256 105d93a88d5238621d14a0ec4362e56858677fd30c862bc867445665a6b71180
SHA512 285d6345dde068edbaff67a16708a53b2ffd8fdaa61e3de3c94334f18ddd1754c7f04c13477e668a9e6f26224df0134e0697e078ed811b2b6299cf16a912c99c

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\files_\SYSTEM~1.TXT

MD5 11580dbf782fd385af34b16b0a22ffbd
SHA1 9cc2461f987aa8ba732355183a4024e78054f858
SHA256 a3c387458bc339416d96dafc708bb7c5f97d8a8ca8ec75faea089f251a96989e
SHA512 7c2c96838d0a21aaa65c8ef721e94024330b504d82f11b340bbd32251dd72f2192800e335a362943ec2fe91baf2a9bd9072a237890642b6f7e361bad3285f026

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\files_\SCREEN~1.JPG

MD5 5e227b024762d314da8354e3181d0d5f
SHA1 1d83525dc0c3ac2f4924b953b6d8efa089e68e31
SHA256 a1b431e2cff2115b741e5b8c3c948dc50df26473a9d5d9556b8a46a63ab3a94c
SHA512 460b0366eae35186cca826b4dc97d198be7702c2fb6a4c6c9343f49dca726ba818b974d636efbca0908d75575c3b51434bc3594830e4b319f126cd592d1b7713

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\_Files\_SCREE~1.JPE

MD5 5e227b024762d314da8354e3181d0d5f
SHA1 1d83525dc0c3ac2f4924b953b6d8efa089e68e31
SHA256 a1b431e2cff2115b741e5b8c3c948dc50df26473a9d5d9556b8a46a63ab3a94c
SHA512 460b0366eae35186cca826b4dc97d198be7702c2fb6a4c6c9343f49dca726ba818b974d636efbca0908d75575c3b51434bc3594830e4b319f126cd592d1b7713

C:\Users\Admin\AppData\Local\Temp\tlAHqIgwhiGY\_Files\_INFOR~1.TXT

MD5 bd354c06d501e8725d52e9241570a5ae
SHA1 8baddb2d589a2fac322d5c3b08a6f92fad78715b
SHA256 18fe32155bfd0e5af9558add214334e1ea2a22e14268dcc5ac4c59ebd62afabe
SHA512 e1d59121317e76ef212bbce855f63a4a013d6e3590be5eaf61ac9f7dbb1afc54f4140d2649faf1da627653efda548303ed9292619209ab2711ee21574bb60281

memory/1812-149-0x0000000000000000-mapping.dmp

memory/3940-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 91eca96fc7e06b3a452499f2026a9000
SHA1 127f11bdb42316610d75a810a1c3fefcfb6c893d
SHA256 053df8d8584145338d3aa64dc05114198bf0de7b5e0615dd0959ec871b63745a
SHA512 9c70e0616692f8b5120355018d99b6da6dc5dce7d8b002f84542a02b228d26ffd6bc14c8c101822b260dbf9e43f079390dd4689c55d4151e95773a5fa8fa7bee

memory/3644-154-0x0000000000400000-0x000000000045B000-memory.dmp

memory/3644-153-0x00000000004B0000-0x00000000004D6000-memory.dmp

memory/3940-156-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1912-157-0x00000000014C0000-0x00000000014C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Volgendosi.exe.com

MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

memory/1828-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qqyfqxcvmd.exe

MD5 bd499282425f4b08275627023b8313b1
SHA1 21f291aced05155e96a1dd82f227933153c31dc6
SHA256 74ac88cc64000053a708de55c6bc3eef5d53ba3766f7bd4b24e1b4baca3cbb8a
SHA512 1fe294af1c22cf2f663ef2dbdb0aa53dff708d6a1d3d8f8edaa54f0d9823cb6b3f43e8e0e1bf35fdc723b7d11150b3dea253030506677bc87900f92b1304690b

memory/2136-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\apbtwts.vbs

MD5 618eecc8506cdd6abfcc2dded36f541a
SHA1 34b0d81648d93b301f9714b37cf9050383c0a83d
SHA256 9b68b1fe3ec6d97493d2d4b43361e45af817e5558a6a6d42124698fe2f5bb0ee
SHA512 4a70f9022e6659912f9c3256644c7ff468c8e60ccc3a0aa4644877c650c2d6fefb82f6d8d587e932a30221bf14689f80f051cf4dae9cdf0379886117c497a2a7

memory/2172-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL

MD5 7ac078a4c0a0c82464f31418b512cad7
SHA1 edafdb4391106484521c3a76890690ee525a9d68
SHA256 8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418
SHA512 e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

\Users\Admin\AppData\Local\Temp\QQYFQX~1.DLL

MD5 7ac078a4c0a0c82464f31418b512cad7
SHA1 edafdb4391106484521c3a76890690ee525a9d68
SHA256 8c8d6d7a1c6ce3ae445a85b32aac61eef74d00effcaaac0379d33cd299008418
SHA512 e5c6cff838a20a0130ed42b170fdd0fcca3491dd65ffb4ced4612b8c8598b3083172f3218a5471c22ffdd6189f748c22e6c7b9417a775344b04956fa2e141507

C:\Users\Admin\AppData\Local\Temp\nnghiomc.vbs

MD5 8cde4d964a780b6f31c00695819c3731
SHA1 df9d94a0d7297bdd39f8e5b863acb1c1e85656c4
SHA256 eb18d65a7c65af863e735da0a28bcdd52c0edf59548b60db8e4925c7f1dc36d7
SHA512 6f1c203a1284a5715451571c08658d046affca75899f56059130e842ed8c764b3f8ad3704bccee0efb4c1b9dcb9401d598f95ae5e963552b9b0bc530c07af756

C:\Users\Admin\AppData\Local\Temp\tmp3038.tmp.ps1

MD5 aeb87fe563badc971d23dd3da3e42b24
SHA1 1331435f3f4bbdfc7be8d7c1eb4d53f79d1f141b
SHA256 2dc39c60530626559b91b7e0006652354dfbd5494986e9ab00e612d3e616bc55
SHA512 f4a20c037e932b760fc5c1f76d0f9b838c33d70cf1e0427fc9ac79de340405f3f3d2ff43c1e0f1afcfbdf36a18df9d12fe4f75b586d611aec01a305f009a242f

C:\Users\Admin\AppData\Local\Temp\tmp3039.tmp

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 47eebe401625bbc55e75dbfb72e9e89a
SHA1 db3b2135942d2532c59b9788253638eb77e5995e
SHA256 f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c106c4ed6bae0b99320ae1b1f2e4d3df
SHA1 297cc1a122d57c075e9d569a990ae3484dbd8cd6
SHA256 8245d9d0d2f1d43740b1ee83c8d6027b4cdabbc849031f90af7d6ad9b449d05c
SHA512 404abbd08e0e2fb6e5975af098a75497f0bb7ee2a12bab612949bfddf56e58bf5b7c249a86e524c86ae62dbecaa4d1ba2698d32311685b169a498e2cc0a48db4

C:\Users\Admin\AppData\Local\Temp\tmp4827.tmp.ps1

MD5 2cd5471792fd7aa9b725471b090b7dbe
SHA1 6dc996571a3f501e6d9702b5ebe02aa331cc34a1
SHA256 4547fa9c65c269527c377c2814ca24bf3d5d218bd390a9f27b0674415a7bb2fd
SHA512 8d0b97e88acf3845b7fc09c503de969f5d18f174f8e9eb48e4c017a08acb5c154e73f2c7c502cf1475fc03158064f1bd881172b1ee4a7358274a19af973645d9

C:\Users\Admin\AppData\Local\Temp\tmp4828.tmp

MD5 1860260b2697808b80802352fe324782
SHA1 f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA256 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512 d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
