Malware Analysis Report

2025-08-05 14:33

Sample ID 221126-3l2g5adc54
Target 4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb
SHA256 4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb
Tags nanocore keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb

Threat Level: Known bad

The file 4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger spyware stealer trojan

NanoCore

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-11-26 23:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-26 23:36
Reported 2022-11-27 17:05
Platform win10v2004-20220812-en
Max time kernel 146s
Max time network 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 208 set thread context of 4200 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
PID 1208 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
PID 208 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe

"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd

"C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd" nvqme.cax

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\WJRYK

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 8.249.91.254:80 tcp
N/A 13.89.178.27:443 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 tooblaq1.ddns.net udp
N/A 8.8.8.8:53 tooblaq2.ddns.net udp
N/A 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
memory/1208-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\rwxok\nvqme.cax
C:\Users\Admin\AppData\Roaming\rwxok\YMQGIX
C:\Users\Admin\AppData\Roaming\rwxok\wjcok.giu
C:\Users\Admin\AppData\Roaming\rwxok\jtgkl
C:\Users\Admin\AppData\Roaming\rwxok\jixji.hja
C:\Users\Admin\AppData\Roaming\rwxok\jffbf.tme
C:\Users\Admin\AppData\Roaming\rwxok\jelbo.sqj
memory/208-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\rwxok\wtwtb.kbk
C:\Users\Admin\AppData\Roaming\rwxok\vfgjo.lvb
C:\Users\Admin\AppData\Roaming\rwxok\vbunm.etw
C:\Users\Admin\AppData\Roaming\rwxok\upvcp.vls
C:\Users\Admin\AppData\Roaming\rwxok\ttbjt.phf
C:\Users\Admin\AppData\Roaming\rwxok\tbaui.tve
C:\Users\Admin\AppData\Roaming\rwxok\tamij.mcp
C:\Users\Admin\AppData\Roaming\rwxok\sxoqa.tta
C:\Users\Admin\AppData\Roaming\rwxok\rubjc.kud
C:\Users\Admin\AppData\Roaming\rwxok\rbwtp.fvv
C:\Users\Admin\AppData\Roaming\rwxok\qigcj.bap
C:\Users\Admin\AppData\Roaming\rwxok\pwwek.txw
C:\Users\Admin\AppData\Roaming\rwxok\pnptt.how
C:\Users\Admin\AppData\Roaming\rwxok\olsjv.gdq
C:\Users\Admin\AppData\Roaming\rwxok\ogott.psf
C:\Users\Admin\AppData\Roaming\rwxok\objjo.ulo
C:\Users\Admin\AppData\Roaming\rwxok\nqust.jbv
C:\Users\Admin\AppData\Roaming\rwxok\macms.ndh
C:\Users\Admin\AppData\Roaming\rwxok\lffhk.gpf
C:\Users\Admin\AppData\Roaming\rwxok\ioorp.wff
C:\Users\Admin\AppData\Roaming\rwxok\ilxis.dlr
C:\Users\Admin\AppData\Roaming\rwxok\hmdtx.gum
C:\Users\Admin\AppData\Roaming\rwxok\hhrqa.dxi
C:\Users\Admin\AppData\Roaming\rwxok\gefbm.rrg
C:\Users\Admin\AppData\Roaming\rwxok\fqfth.dhp
C:\Users\Admin\AppData\Roaming\rwxok\eumdj.tcg
C:\Users\Admin\AppData\Roaming\rwxok\dxqer.oxx
C:\Users\Admin\AppData\Roaming\rwxok\bdlxe.jfd
C:\Users\Admin\AppData\Roaming\rwxok\kjblv.vhp
C:\Users\Admin\AppData\Roaming\rwxok\WJRYK
memory/4200-174-0x0000000000000000-mapping.dmp
memory/4200-175-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4200-176-0x00000000735C0000-0x0000000073B71000-memory.dmp
memory/4200-177-0x00000000735C0000-0x0000000073B71000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-26 23:36
Reported 2022-11-27 17:05
Platform win7-20220901-en
Max time kernel 45s
Max time network 49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 300 set thread context of 1952 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
PID 936 wrote to memory of 300 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
PID 300 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe

"C:\Users\Admin\AppData\Local\Temp\4469537306c922ca46832b87beea15b460546f25f1de95ac2d2e74f551ed3cbb.exe"

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd

"C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd" nvqme.cax

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd

C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd C:\Users\Admin\AppData\Roaming\rwxok\ASWTC

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

Network

N/A

Files

memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
memory/936-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\rwxok\wcwrc.cmd
C:\Users\Admin\AppData\Roaming\rwxok\nvqme.cax
C:\Users\Admin\AppData\Roaming\rwxok\wjcok.giu
C:\Users\Admin\AppData\Roaming\rwxok\wtwtb.kbk
C:\Users\Admin\AppData\Roaming\rwxok\vfgjo.lvb
memory/300-100-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\rwxok\vbunm.etw
C:\Users\Admin\AppData\Roaming\rwxok\upvcp.vls
C:\Users\Admin\AppData\Roaming\rwxok\ttbjt.phf
C:\Users\Admin\AppData\Roaming\rwxok\tbaui.tve
C:\Users\Admin\AppData\Roaming\rwxok\tamij.mcp
C:\Users\Admin\AppData\Roaming\rwxok\sxoqa.tta
C:\Users\Admin\AppData\Roaming\rwxok\rubjc.kud
C:\Users\Admin\AppData\Roaming\rwxok\rbwtp.fvv
C:\Users\Admin\AppData\Roaming\rwxok\qigcj.bap
C:\Users\Admin\AppData\Roaming\rwxok\pwwek.txw
C:\Users\Admin\AppData\Roaming\rwxok\pnptt.how
C:\Users\Admin\AppData\Roaming\rwxok\olsjv.gdq
C:\Users\Admin\AppData\Roaming\rwxok\ogott.psf
C:\Users\Admin\AppData\Roaming\rwxok\objjo.ulo
SHA512 dd10858c2bfce929a33bdd93bfa5e72108c190505f4b917ff82950dd99995b53e60e1a3e445121fd5925bb5bb49a943fbde5108a20d14fa22f67a570174b67f4

C:\Users\Admin\AppData\Roaming\rwxok\nqust.jbv

MD5 5abb1c90cae8ee967d7e30fc9707000f
SHA1 df15abd82b9fb9daaa4517c1e4e8ad5510943b5b
SHA256 efd3830fa426c5a31d7fc9eb50363936a8774cba480c0738d0177c1e93f1c3d4
SHA512 5bb17fec154a7d0e76ac134676d8e916aaae4b249fb3746df7397d48aa2f6f443f982d40773863a722d2bcf951fb6f9ef979dc5c8e49fbec9d1002d22db74c8d

C:\Users\Admin\AppData\Roaming\rwxok\macms.ndh

MD5 83779f76fe14f9adaa4ecdf72caf0b02
SHA1 9878fedea4404baea061e588cbd72a1035462ea2
SHA256 adb74894ff8f27a999e173c2e53adde8d47a0be11a3653672b800542b03dbcf3
SHA512 343b237723eebe6a84cce19a3b8fcd1d67bd40c9b091d6d14c3b4f927c932713db2de5f247f0e796db10487b1af318fafb9f43c8a356d76c8e10df0127e4d045

C:\Users\Admin\AppData\Roaming\rwxok\lffhk.gpf

MD5 cbd436bbe6db5ee843359440ca80c689
SHA1 e373e9db75e8805f98416dcfaca81a6aa0c80adb
SHA256 eb0bef30067a4b404ab5b6db97d7f7e6953104caf9c05ea7d2e6fc16d17dd2f4
SHA512 6ba66ce4b24c6894b720e9037022570c1ec034edc11c830f1a6bac6741567e5cafd4b87f0827bdc8f01ae193a45b8e5fca3b75c93a2072a5c19359f29bda5057

C:\Users\Admin\AppData\Roaming\rwxok\kjblv.vhp

MD5 7a8713faacca9a23839d937eb1f12d58
SHA1 1a4b677cd8a669dbffdf189b6e2fe3f7bc7d9f8b
SHA256 8b98183b079fc4c2d2c791c32ca50086c4962da7b748df0df1e76c684345106f
SHA512 44adf98bf3be7f04f2b7efcc9b4c65b883953b627393a0634d821062be46bf999119113db06287c2cc5d58c846cbccc63e764a71466cb31779a3fa650880cb9c

C:\Users\Admin\AppData\Roaming\rwxok\jtgkl

MD5 8b972a5d97dce6214e6f98f7c36ae62f
SHA1 fbb11c0cda9607792091719f4d6b07e60a1d8027
SHA256 25f182e19880784f63c62f0f2f8357d6986995ec54b4306724980653d6da94d1
SHA512 77473d57bed24523471e70e27c59a7ba851c4cacb4e733c4ca4c4ce35127218fa73d0d1d1bf6435620a6f7c94559a802eb2cdf47f78d6f086328f0dd30659ef1

C:\Users\Admin\AppData\Roaming\rwxok\jixji.hja

MD5 c81204be47b41630d20ef1410a96c443
SHA1 2bf3e88fd27d59b989ed8cd2656e566796b4c252
SHA256 171e3883819320e8bc3891662d93a878f19ef1c6dfffa591f6e161948c37b1a7
SHA512 086e3a5e80836789cae526594039b2ac98f6077cbfe73bf6724e05734c3c2a0c8bb6c94b8b0eec3b38d4b627103797dd7ef6cba8e872d7e5f0cf8757de09f3ab

C:\Users\Admin\AppData\Roaming\rwxok\jffbf.tme

MD5 726981173cc61be3cd1025611dd6d43b
SHA1 f64a1eead53448967522a4713ed3d726a5850edf
SHA256 0bdad0dcf80956a2cfbefbdac795db7747f6e40756bee0853ed04b293457c0a3
SHA512 d9eed5c50b210edcb0c65e32c1c14329437d6588be714f4f5b89758fe69b666d12af91ebf9ddae56c5f8ebbc44a2c1beb320a5a20b782ea13223fa2a603088f0

C:\Users\Admin\AppData\Roaming\rwxok\jelbo.sqj

MD5 23c84b4ef0634d459290e7c7a781d883
SHA1 7f3f400da1885d4e8b2d1fd081fb6c73047241e7
SHA256 05ae8bec1d8671fdd86173312f4d9b22173a30cb0af5b704aed4150fda567876
SHA512 c7d7cee220fab65c765abe53b1541207709bfeebfd251983a65e53db5604f26a55ba7aced297459adbf85648fb9f79969905a26b87c507d86e8eedb211daa129

C:\Users\Admin\AppData\Roaming\rwxok\ioorp.wff

MD5 3a4ee016e9bf2c3ee4e7d501921206d6
SHA1 d31c814421f272b4bdd49bd6d3abbc0c0ee70019
SHA256 936c81dea03d98d6cbe95b8ba03249fd45d99c64d05d5a00043d964d9c36e8bc
SHA512 b4c1719e1d0804a70bbc217750ee33cd3c009a9948f07a35a7bb9c562be4f5e94474a0936c441de325c6ffbbc4f43bbfeca1aed3cb29843d162a64526beda84d

C:\Users\Admin\AppData\Roaming\rwxok\ilxis.dlr

MD5 a35cb2a520fd34a5eaf3d38ee52c3d1d
SHA1 c0a1fba76b7e9d6f57159db6f3010b94d130729a
SHA256 df516e125219ea117dc1523db2eedf690b7149523e309d92b6d9d0fe1d7f19ca
SHA512 82bf93617320589fd08112888a6703c015a843202c2428011cfa4fdea9896bd87a20d38ca98ba7c3739cf9c679aa11f5f3eeaff8e917f50b4f3c925a3f1dce1c

C:\Users\Admin\AppData\Roaming\rwxok\hmdtx.gum

MD5 21e1fbb8318e89418899f4124f9a2d29
SHA1 4049b469f744874537dff6a805418c143e15d02f
SHA256 5abedb604b0c712e223a7b7d04a2fd34af04880b4b409546102017c2ae346b2e
SHA512 5ad47e5eec0f8a72ebb2dda65254f31d6f23cee048f8fc00543aad40f1ae9ebe750bf534e84804c23d3577e7e9b50713e906364438e52f0fd65f550dff37b9ca

C:\Users\Admin\AppData\Roaming\rwxok\hhrqa.dxi

MD5 7075094de0a585229df1a7ba36a1f250
SHA1 5f9230592cae5f08c488c6d63975ab2f9f42dc04
SHA256 4c035b5ecbe1697e81d6f64bc080e56d35c15d2436dd99f9acd65c4e0fdded37
SHA512 5356b0f73ad21ce59b8e27854cc6e537b5f9a9428d5e058d85e8685e1d2176eac4580fac7c848a46ad6d34f7646cb704aeb3405be701218e026f1bcd6fad228c

C:\Users\Admin\AppData\Roaming\rwxok\gefbm.rrg

MD5 a3271cf0e143422346e6170dd14a55f1
SHA1 96b06496fb5a8812628218375d56f1fe1da392dd
SHA256 6ca00b183b6be536d3526f76a5058b8a35accad373e18ce42bccd806b002bc13
SHA512 512408fe950872357ce3bbed3930ac161da7a649d6f60780c940549341231d083a0acc5d3cd4d591a7fb7116373f2d292218deda180043a9a64e2c9dfa143cbd

C:\Users\Admin\AppData\Roaming\rwxok\fqfth.dhp

MD5 a8331ea8b1187f23a1dd041afe18bc9f
SHA1 0cc14c421e8d7ee9acf78fd31d8fe7c1472ad10c
SHA256 382ef960c48a310130cab66d3eb52a4dd5eb29e78f910bcd274d4c2d4c87c114
SHA512 96fadd0e25a2d951d442bf1a325445c600f604b2e7ef7d6273a8826baff239084889a18e6d05ec05fac669d232f121a81f4bd75152c12268459c2a0df81cd870

C:\Users\Admin\AppData\Roaming\rwxok\eumdj.tcg

MD5 07e350d725078b68c87da3af5c91facf
SHA1 dd48eb24368f5d9113125b908b516ebbc2a6170e
SHA256 d44976162b5c47b12f73628ff1ecf7e2a64fd4902027734362bc209cd15e8c7c
SHA512 656308b500d2fae3806d763822c4d7e39e5ca41dbd6462d46b209a3522e2b12028f07f55ab8aa107d5cff74a512fde47764a1609af75efd0659c9f8584fc9224

C:\Users\Admin\AppData\Roaming\rwxok\dxqer.oxx

MD5 6fadbab20e2a46bf37b1df27fbc4f9c1
SHA1 8b07b82e6f8cbb4103541f88922d9f7e20ac3fbc
SHA256 ba56a8102cec7508b0cf0342abd0abc1f9bb436fbc1aeaaff89efe8cc66faf08
SHA512 ffff13599e7c24b1cf8c7b433aa403d735d3fd153726fe0de7081d41d71c77fa95ce18c31839990b8fe90e2e6f7ef100323c4a41fb2e309860ddf713b571ab33

C:\Users\Admin\AppData\Roaming\rwxok\bdlxe.jfd

MD5 a468f6268268627d431996ee7d75929d
SHA1 bf8d94b028cf34c0c0644c8ba2ead5059413f1d0
SHA256 e315c86e17001ee1c4ad5bf7574dbec7f80ed2d11fde41b1937a036f672023e6
SHA512 bff2e826c86717c0a7468062265a0322ed0d0d703400bccef5c1517e199a4b6cd64236ae4d2e0703e59db32eb7833f28d4600b7826470a38615fa600057a8d83

C:\Users\Admin\AppData\Roaming\rwxok\YMQGIX

MD5 6f35bdf3bfd6613a2ca33e5157c9d7ab
SHA1 869e796f034d8ff735c6f259e64f8457965b538e
SHA256 d87016e0c7372007e52399ca62c1a4ebd6b2e7a3d1bbd0a79de79c5948c739fa
SHA512 04adb7ba79f902a47316c1cfeeb74165a9deb9c1d383dc1a426125e238e7eef5c09946ac04cdeee9d43798e32cc17bdf556e0bdbec7da7f59c3e858715e750ba

C:\Users\Admin\AppData\Roaming\rwxok\ASWTC

MD5 a2fcc3c8ed806da4a28fd3b11d121b78
SHA1 8505aa3c95eeff211612490206fcb150a064cd2d
SHA256 dcfb4ceedb10506fb2b3d8cfeb189f530b7b860a6b3dfbcd1c2171c34fe6ce60
SHA512 8da240f3857d9504e2189d1a61e791f3109699183a71ffd016848b1c48a003fef8951e37d2ed097fed16c1f4ebe0ee78f71e4853e2561386a74f34028d27ae48

memory/1952-105-0x000000000041EDAE-mapping.dmp