Malware Analysis Report

2024-10-19 04:37

Sample ID 210924-1szwrsaabn
Target e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a
SHA256 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a
Tags
raccoon redline servhelper smokeloader xmrig 2k superstar 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 700$ d4d8e30c16491ca1c11f7aa675764335342faedf f6d7183c9e82d2a9b81e6c0608450aa66cefb51f backdoor discovery evasion infostealer miner persistence spyware stealer suricata trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a

Threat Level: Known bad

The file e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a was found to be: Known bad.

Malicious Activity Summary

RedLine

xmrig

RedLine Payload

suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

SmokeLoader

Raccoon

ServHelper

suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Downloads MZ/PE file

Sets DLL path for service in the registry

Modifies RDP port number used by Windows

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Reads user/profile data of local email clients

Checks BIOS information in registry

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Runs net.exe

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-24 21:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-24 21:55

Reported

2021-09-24 21:58

Platform

win10v20210408

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

ServHelper

trojan backdoor servhelper

SmokeLoader

trojan backdoor smokeloader

suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

suricata

suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

suricata

xmrig

miner xmrig

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\129A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\129A.exe N/A

Deletes itself

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DB.vbs C:\Users\Admin\AppData\Local\Temp\7DB.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\7DB = "\"C:\\Users\\Admin\\AppData\\Roaming\\7DB.exe\"" C:\Users\Admin\AppData\Local\Temp\7DB.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\129A.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rdpclip.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\129A.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D9F0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FF1F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7DB.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
PID 2428 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\Temp\D9F0.exe
PID 2428 wrote to memory of 2656 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDB9.exe
PID 2428 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE54.exe
PID 2656 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\DDB9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2428 wrote to memory of 3188 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7DB.exe
PID 2428 wrote to memory of 3424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF1F.exe
PID 2428 wrote to memory of 648 N/A N/A C:\Users\Admin\AppData\Local\Temp\7DB.exe
PID 2428 wrote to memory of 3600 N/A N/A C:\Users\Admin\AppData\Local\Temp\129A.exe
PID 2428 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\1829.exe
PID 3956 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\EE54.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 4316 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4316 wrote to memory of 4420 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3188 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\F7DB.exe C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe
PID 3188 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\F7DB.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4524 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe C:\Windows\SysWOW64\schtasks.exe
PID 2116 wrote to memory of 4776 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 3716 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2116 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe

"C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"

C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe

"C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"

C:\Users\Admin\AppData\Local\Temp\D9F0.exe

C:\Users\Admin\AppData\Local\Temp\D9F0.exe

C:\Users\Admin\AppData\Local\Temp\DDB9.exe

C:\Users\Admin\AppData\Local\Temp\DDB9.exe

C:\Users\Admin\AppData\Local\Temp\EE54.exe

C:\Users\Admin\AppData\Local\Temp\EE54.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\F7DB.exe

C:\Users\Admin\AppData\Local\Temp\F7DB.exe

C:\Users\Admin\AppData\Local\Temp\FF1F.exe

C:\Users\Admin\AppData\Local\Temp\FF1F.exe

C:\Users\Admin\AppData\Local\Temp\7DB.exe

C:\Users\Admin\AppData\Local\Temp\7DB.exe

C:\Users\Admin\AppData\Local\Temp\129A.exe

C:\Users\Admin\AppData\Local\Temp\129A.exe

C:\Users\Admin\AppData\Local\Temp\1829.exe

C:\Users\Admin\AppData\Local\Temp\1829.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\CSCFB9CD46ACCC74A099EECC47747E335D2.TMP"

C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe

"C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F7DB.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe

cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe

net start rdpdr

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe

cmd /c net start TermService

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 naghenrietti1.top udp
RU 176.119.147.245:80 naghenrietti1.top tcp
US 8.8.8.8:53 jqueri-web.at udp
BG 194.61.25.77:443 jqueri-web.at tcp
US 8.8.8.8:53 t.me udp
NL 178.132.3.103:80 tcp
FI 65.21.231.57:60751 tcp
NL 149.154.167.99:443 t.me tcp
HU 185.163.204.37:80 185.163.204.37 tcp
RU 185.244.180.224:39957 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
RU 185.144.29.157:9122 tcp

Files

C:\Users\Admin\AppData\Local\Temp\D9F0.exe

MD5 c7a74664f4ddb6997ae6ea6dac763b1d
SHA1 77eed13dfc9f45ed52343026b1705935912ebd32
SHA256 7f3a1c052e2eb53fac9791aa61c961f701e287598246a4231ac6dd670180a682
SHA512 0c2b2a701166b8b091b0d92c2aac053f73e4ff994b09712f66a8bfa754fb8d9ce55ebaa6d6e71db6de26047df56ff322808725c60b21ccbf303ae9b209409b69

C:\Users\Admin\AppData\Local\Temp\DDB9.exe

MD5 66418c1bbdff03a57d27110d51372efc
SHA1 a60da2e4052136b89a2d1f8c8a80f5694700f9da
SHA256 f5b28d8533842deac03a82b2f72bcf1d4b72a4aad1445b53558a3b01f7ef4c90
SHA512 dcf1e46c62e4db49b069866fd0ce50cd612e13a979f4bfe5ac78ccf6ac6b91850f3fa79c644409248d08d98ff4536422d2842ce04f3061edd0c2effde8e61875

C:\Users\Admin\AppData\Local\Temp\EE54.exe

MD5 90016ecad97ba699b5c10829b6f5e192
SHA1 2850da5bc078de19f2bbb074bacb831a79dcbd8a
SHA256 bf75c5d542560ffdc9ba7014234b2eca31e0430fab759c105df26cd12633c2cb
SHA512 cc8ee80b561661b33300450ad30e4c6d7d796ee139c949dcd44af6d58f7d584de2679585580ea6a366176c02ac1ada3d138423cf8fa44c7f067e0ac356ba360e

C:\Users\Admin\AppData\Local\Temp\F7DB.exe

MD5 5b96ce58bdd42fdc450774f7f0caf252
SHA1 bd7469ff305d7cab6e172616b9e5e5f42a614955
SHA256 198cd83ea6deafe4d242e7707c47ebbbec04c5debc90cc94f58fe0b2a60f723b
SHA512 4e80e6825502b7d3566b7ecc8e18d855663c4a2934c4a1a4c762bbb6a72ee90474abb860b90985cf1ad069e8159144d616528be2315f4baca2aa74011722cfe1

C:\Users\Admin\AppData\Local\Temp\FF1F.exe

MD5 4266f72b05afa83f395e890b76eadf69
SHA1 489386ba56760821f6e35712028410da476fe258
SHA256 6b1e04d8ef0395166da7d784c80ec3b8e85593ec862e54c07976ef14b28c70e4
SHA512 a375f17bc9283e7edb8f492d616ec3f192d9943251a4323138c99b565dbb03a5734b4116b7b47830680dea16713155cb96e51ea32ce96f479c48e9bd0bb9556a

C:\Users\Admin\AppData\Local\Temp\FF1F.exe

MD5 4266f72b05afa83f395e890b76eadf69
SHA1 489386ba56760821f6e35712028410da476fe258
SHA256 6b1e04d8ef0395166da7d784c80ec3b8e85593ec862e54c07976ef14b28c70e4
SHA512 a375f17bc9283e7edb8f492d616ec3f192d9943251a4323138c99b565dbb03a5734b4116b7b47830680dea16713155cb96e51ea32ce96f479c48e9bd0bb9556a

memory/3956-176-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

memory/3188-177-0x0000000002BD0000-0x0000000002D1A000-memory.dmp

memory/648-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7DB.exe

MD5 0a465be9c75469e6f2398b2668a2c5f2
SHA1 9b610498a08345fe3280b6c79ed4b5d1945d6a79
SHA256 eca0040a928bb7f215b2379bf40b65397d4ead565ab8ad9a19c61740228e9f33
SHA512 eaa28aafc65e1d847f292e9e43279913b737bfb6649758548df11ebbb3de7c8c6c8e0568091b7f4261feea14a63e2dac68cb7bc1c4c0c1ef517a14f6a02873c9

C:\Users\Admin\AppData\Local\Temp\129A.exe

MD5 80950391f894f81ef75eaecbd50747f4
SHA1 01488b302cd42243826f8f34d147071a73f39061
SHA256 cc5a84ba775fa7d79b15b3903899aca266f179bd4d630b4bd8c47d5fec08bd89
SHA512 22a6b41acd437088b006f959dc29a95be6965d0ca7eda9184227c03b9a9581e27df436620642474150af4917f7a2ddf7eef8c795ef929c0b996e1348cf659f37

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

C:\Users\Admin\AppData\Local\Temp\1829.exe

MD5 885cb6e5ebea328d840713882a7ff412
SHA1 7a8f0cfa23054e9bf2a16222d9a02aa80546d55a
SHA256 8705fa55cba407024395f636436eb29457d26c954ea2d581d0d19afade1ee3ea
SHA512 084ef9ba8ad7a594a30545b2214328863903167a433052954f47efb3f8041e135cd40a4441e7172563647deb66fff93a3543960456d07e21a5f22f3d96d613a3

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.cmdline

MD5 689351868abc02c9188666583f0aa37f
SHA1 eb7f4431c953306f42877f2a010052d922569f89
SHA256 63143fd8395d0201f70fa527521c66c0111c5d00c49a45bf76dc0c0ffea466ca
SHA512 c6134c5c3b3bb4a711eac0ec0029b6adb98377b8f51911e592e22ca489cfff5951c1152738c0289f99dc7ee868124624c8df5553f0c6dd07c36fe77bb6227e62

\??\c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\CSCFB9CD46ACCC74A099EECC47747E335D2.TMP

MD5 531ca8f59c2f45a1abacc42e883d68c3
SHA1 15a8993d239f2bad3a0198990c234e4bd464b60d
SHA256 c144c655ebfed925d330a347207e7af7e3f81a1ba189f3492a96e600f6c42e00
SHA512 1948600ebf585d7501eb98b617f918318304ff5220812321b38c1aa549575bcd377702e2e300ed463d28dce9c8ea8d5bdd741e5eccfa5cb8d90e15e871eb3fa1

C:\Users\Admin\AppData\Local\Temp\RES425E.tmp

MD5 0a78770ffd84db91fc4399d6c7f1374d
SHA1 644d8aa06e7e1f4ec40b12e175ca99c93ecdeb69
SHA256 b0c74dd84e7c993ca55e8250eb87e5e3cf5252a951e8026a50ca96813e10c801
SHA512 727bbccfe7df0cd175d63678fbff70a109d4d94c8d1443b8485e56619d966b99b7140930f5b6688547d1bcfb6c212330875a30e50c0196f32130ec09b1ddd503

C:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.dll

MD5 d11ed022e97ee096323415b0758c87e1
SHA1 d4325947361a91d970736bfb43425957b413fc5a
SHA256 e9d7f299d61036534c723a6f9a0ff5f665526d3bc948070c051a3bd8b21b8f91
SHA512 64f5504e234d934df5e24a72bc6f84f4fc6c79d3722d03275b2680234102bbdc4d8c43d4b891e50f5eb412fe57da3b5d8d2721d7d1b551c91fd55d319eec4835

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 794bf0ae26a7efb0c516cf4a7692c501
SHA1 c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA256 97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA512 20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe

MD5 22515d004bd22ea234d89e302e533c0d
SHA1 3ec604ae165b59a8ed0dec0525cfa1b27468f82d
SHA256 56123d686dd57a13ef31841d482fbf5fec60203fae69b270ee550bed5c01f1c2
SHA512 f47a339799c0de2bb8cc8ea9609af16f2ee12da7a4b8c4d4f785832b3ab64e8af4dcbe8ababeda9aeb026ce920b30cdf0094cbe385f7c307d39013eb8a22ed25

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f3068198b62b4b70404ec46694d632be
SHA1 7b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256 bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512 ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

MD5 22515d004bd22ea234d89e302e533c0d
SHA1 3ec604ae165b59a8ed0dec0525cfa1b27468f82d
SHA256 56123d686dd57a13ef31841d482fbf5fec60203fae69b270ee550bed5c01f1c2
SHA512 f47a339799c0de2bb8cc8ea9609af16f2ee12da7a4b8c4d4f785832b3ab64e8af4dcbe8ababeda9aeb026ce920b30cdf0094cbe385f7c307d39013eb8a22ed25
