Malware Analysis Report

2025-05-05 23:33

Sample ID: 230127-h9gseahe67
Target: 7034c12131cc2e28fcf9235850a36b08e9983dce
SHA256: f00982603a693995cf32649df28ac390ce839638751f04d11517454466061785
Tags: purecrypter remcos 28282 collection downloader loader persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: f00982603a693995cf32649df28ac390ce839638751f04d11517454466061785
Threat Level: Known bad

The file 7034c12131cc2e28fcf9235850a36b08e9983dce was found to be: Known bad.

Malicious Activity Summary

purecrypter remcos 28282 collection downloader loader persistence rat spyware stealer

Detect PureCrypter injector

PureCrypter

Remcos

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-27 07:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-27 07:26
Reported: 2023-01-27 07:29
Platform: win7-20220812-en
Max time kernel: 151s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Signatures

Detect PureCrypter injector  [loader]
    1 hit (no indicator details recorded)

PureCrypter  [loader downloader purecrypter]

Remcos  [rat remcos]

NirSoft MailPassView
    2 hits (no indicator details recorded)

NirSoft WebBrowserPassView
    1 hit (no indicator details recorded)

Nirsoft
    4 hits (no indicator details recorded)

Reads user/profile data of web browsers  [spyware stealer]

Accesses Microsoft Outlook accounts  [collection]
    Key opened:  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    Process:     C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Adds Run key to start application  [persistence]
    Set value (str):  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eesibjdz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gngrey\\Eesibjdz.exe\""
    Process:          C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    Token: SeDebugPrivilege  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Suspicious use of WriteProcessMemory  (source PID -> target PID, number of writes, source image -> target image)
    1948 -> 1712  (4 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    1948 -> 1944  (13 writes)  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    1944 -> 800   (5 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    1944 -> 1044  (5 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    1944 -> 944   (5 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Processes

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  "C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Image:         C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\figx"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\pllqbyv"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\afrjcrfqzyy"

Network

Country  Destination          Domain         Proto
N/A      194.180.49.17:80                    tcp
N/A      194.180.49.17:80     194.180.49.17  tcp
N/A      194.180.49.17:28282                 tcp
N/A      8.8.8.8:53           geoplugin.net  udp
N/A      178.237.33.50:80     geoplugin.net  tcp
N/A      194.180.49.17:28282                 tcp

Files

memory/1948-54-0x00000000011F0000-0x00000000011F8000-memory.dmp

memory/1948-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

memory/1948-56-0x0000000006280000-0x000000000651C000-memory.dmp

memory/1712-57-0x0000000000000000-mapping.dmp

memory/1712-59-0x000000006FB30000-0x00000000700DB000-memory.dmp

memory/1712-60-0x000000006FB30000-0x00000000700DB000-memory.dmp

memory/1712-61-0x000000006FB30000-0x00000000700DB000-memory.dmp

memory/1948-62-0x00000000050E0000-0x0000000005160000-memory.dmp

memory/1944-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-76-0x0000000000432C26-mapping.dmp

memory/1944-79-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1944-80-0x0000000000400000-0x000000000047F000-memory.dmp

memory/800-81-0x0000000000476274-mapping.dmp

memory/944-85-0x0000000000422206-mapping.dmp

memory/1044-82-0x0000000000455238-mapping.dmp

memory/944-87-0x0000000000400000-0x0000000000424000-memory.dmp

memory/800-88-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\figx

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1044-90-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1044-91-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1944-92-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1944-96-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1944-95-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1944-97-0x0000000010000000-0x0000000010019000-memory.dmp

memory/1944-98-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-27 07:26
Reported: 2023-01-27 07:29
Platform: win10v2004-20220812-en
Max time kernel: 168s
Max time network: 184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Signatures

Remcos  [rat remcos]

NirSoft MailPassView
    1 hit (no indicator details recorded)

NirSoft WebBrowserPassView
    2 hits (no indicator details recorded)

Nirsoft
    4 hits (no indicator details recorded)

Checks computer location settings
    Key value queried:  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
    Process:            C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Reads user/profile data of web browsers  [spyware stealer]

Accesses Microsoft Outlook accounts  [collection]
    Key opened:  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
    Process:     C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Adds Run key to start application  [persistence]
    Set value (str):  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eesibjdz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gngrey\\Eesibjdz.exe\""
    Process:          C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
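Both detonations set the same per-user Run value, Eesibjdz, pointing at Eesibjdz.exe under %APPDATA%\Gngrey, which is the shape of persistence that needs no elevation. The classifier below is an added example written for this report, not sandbox or attacker code: it parses the indicator line exactly as the sandbox prints it (value data shown as a C-style escaped string), recovers the launched executable, and flags binaries living in user-writable directories. OBSERVED is copied from the table above; BENIGN is a constructed entry for contrast; live_run_entries() is optional and uses only the standard winreg module, so the same classifier can be run against a live Windows host (it yields nothing elsewhere).

```python
"""Classify the Run-key autorun the report records.

Added example: analyst tooling written for this report, not sandbox code.
OBSERVED is the indicator line copied from the behavioral2 table; BENIGN is
a constructed entry for contrast. live_run_entries() uses only the standard
winreg module so the same classifier can be pointed at a live Windows host;
on any other platform it yields nothing.
"""
import re
import sys
from typing import Dict, Iterator, Tuple

OBSERVED = (
    r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eesibjdz = "
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Gngrey\\Eesibjdz.exe\""'
)
BENIGN = (  # constructed for contrast, not from the report
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "
    r'"C:\\Windows\\system32\\SecurityHealthSystray.exe"'
)

# Directories an unprivileged user can write to: an autorun binary living in
# one of them is the usual shape of user-level persistence.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\",
                 "\\users\\public\\", "\\windows\\temp\\")

# <key path>\<value name> = "<value data, printed as a C-style escaped string>"
_LINE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+?) = "(?P<data>.*)"$')


def hive_of(key: str) -> str:
    k = key.lower()
    if k.startswith(r"\registry\machine"):
        return "HKLM"
    if k.startswith(r"\registry\user\s-1-5-21-"):
        return "HKCU"          # HKU\<SID> is HKCU as seen by that user
    return "UNKNOWN"


def parse_indicator(line: str) -> Tuple[str, str, str]:
    """Split a sandbox registry indicator into (key, value name, value data)."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a registry indicator: {line!r}")
    data = m["data"].encode("latin-1").decode("unicode_escape")  # \" -> ", \\ -> \
    return m["key"], m["name"], data


def executable_of(data: str) -> str:
    """The program an autorun value launches: the quoted token, or the path up to .exe."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def classify_value(hive: str, name: str, data: str) -> Dict[str, object]:
    exe = executable_of(data)
    low = exe.lower()
    reasons = [f"binary under user-writable directory {marker.strip(chr(92))}"
               for marker in USER_WRITABLE if marker in low]
    return {"hive": hive, "name": name, "exe": exe,
            "suspicious": bool(reasons), "reasons": reasons}


def classify_indicator(line: str) -> Dict[str, object]:
    key, name, data = parse_indicator(line)
    result = classify_value(hive_of(key), name, data)
    result["key"] = key
    return result


def live_run_entries() -> Iterator[Tuple[str, str, str]]:
    """(hive, value name, value data) for every Run/RunOnce value on a Windows host."""
    if sys.platform != "win32":
        return
    import winreg
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for label, hive in hives:
        for sub in ("Run", "RunOnce"):
            path = r"Software\Microsoft\Windows\CurrentVersion" + "\\" + sub
            try:
                with winreg.OpenKey(hive, path) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, data, _ = winreg.EnumValue(key, i)
                        yield label, name, str(data)
            except OSError:
                continue


if __name__ == "__main__":
    for line in (OBSERVED, BENIGN):
        print(classify_indicator(line))
    for hive, name, data in live_run_entries():   # empty off Windows
        print(classify_value(hive, name, data))
```

The hive is reported but does not by itself make an entry suspicious; plenty of legitimate software registers under HKCU. What separates this entry is the executable's location, and that test is what a hunting query over a fleet of Run keys should key on.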

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken
    Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    Token: SeDebugPrivilege  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Token: SeDebugPrivilege  Process: C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Suspicious use of WriteProcessMemory  (source PID -> target PID, number of writes, source image -> target image)
    4708 -> 3256  (3 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    4708 -> 2124  (3 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    4708 -> 812   (12 writes)  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    812  -> 4424  (4 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    812  -> 3908  (4 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    812  -> 4924  (3 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    812  -> 4788  (3 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
    812  -> 2192  (4 writes)   C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe -> C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Processes

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  "C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Image:         C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\bidvuqpainqhfenhuhhad"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\ecinniauevimhsbldstcobxm"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\oeogotkwsdarsyxpucgvrgrdoirp"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\oeogotkwsdarsyxpucgvrgrdoirp"

Image:         C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
Command line:  C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe /stext "C:\Users\Admin\AppData\Local\Temp\oeogotkwsdarsyxpucgvrgrdoirp"
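In both detonations the sample's first child is powershell.exe (PID 1712 on Windows 7, PID 3256 on Windows 10) launched with an -ENC argument. Two things are worth reading off that line before decoding anything: the image path is under SysWOW64 although the command line names System32, which is WOW64 file-system redirection and tells you the parent is a 32-bit process; and the blob is dense with "A" characters because -EncodedCommand takes base64 of the script encoded as UTF-16LE, so every ASCII character carries a zero high byte. The decoder below is an added example written for this report, not sandbox or attacker code. OBSERVED_CMDLINE is copied from the process list; the flag matching (any unambiguous prefix of -EncodedCommand) and the Start-Sleep parser are the example's own.

```python
"""Decode the -ENC argument that powershell.exe is launched with.

Added example: analyst tooling written for this report, not sandbox or
attacker code. OBSERVED_CMDLINE is copied from the process list above;
every other name here is the example's own. -EncodedCommand expects
base64 of the script encoded as UTF-16LE, which is why the blob is dense
with "A": each ASCII code unit carries a zero high byte.
"""
import base64
import binascii
import re
from typing import Optional

OBSERVED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match "-e<letters>" and test for prefix instead of listing spellings.
_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Start-Sleep with an optional -Seconds (any prefix) or a positional count.
_SLEEP = re.compile(r"(?:start-sleep|sleep)\s+(?:-(s[a-z]*)\s+)?(\d+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script, or None when no valid encoded command is present."""
    for m in _FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue                       # -ExecutionPolicy, -ep and friends
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le").rstrip("\x00")
        except (binascii.Error, UnicodeDecodeError):
            continue                       # not a well-formed UTF-16LE payload
    return None


def sleep_seconds(script: str) -> Optional[int]:
    """Seconds of delay when the script is a plain Start-Sleep, else None."""
    m = _SLEEP.search(script)
    if not m:
        return None
    flag = (m.group(1) or "s").lower()
    if not "seconds".startswith(flag):     # -Milliseconds is not a seconds delay
        return None
    return int(m.group(2))


if __name__ == "__main__":
    script = decode_encoded_command(OBSERVED_CMDLINE)
    print(script)                          # start-sleep -seconds 20
    print(sleep_seconds(script))           # 20
```

The decoded script is nothing but a 20-second sleep. The sandbox still records the sample writing into that powershell.exe and the process acquiring SeDebugPrivilege, so the child is worth keeping in the timeline: a delay of this length is the kind of pause that lets a short sandbox run end before the injected payload does anything, and both runs here were given well over 150 seconds.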

Network

Country  Destination           Domain                                  Proto
N/A      93.184.221.240:80                                             tcp
N/A      117.18.237.29:80                                              tcp
N/A      20.123.141.233:443                                            tcp
N/A      194.180.49.17:80      194.180.49.17                           tcp
N/A      93.184.221.240:80                                             tcp
N/A      93.184.221.240:80                                             tcp
N/A      93.184.221.240:80                                             tcp
N/A      93.184.221.240:80                                             tcp
N/A      194.180.49.17:28282                                           tcp
N/A      194.180.49.17:28282                                           tcp
N/A      8.8.8.8:53            164.2.77.40.in-addr.arpa                udp
N/A      194.180.49.17:28282                                           tcp
N/A      8.8.8.8:53            14.110.152.52.in-addr.arpa              udp
N/A      194.180.49.17:28282                                           tcp
N/A      93.184.221.240:80                                             tcp
N/A      8.8.8.8:53            0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa  udp
N/A      194.180.49.17:28282                                           tcp
N/A      194.180.49.17:28282                                           tcp
N/A      8.8.8.8:53            geoplugin.net                           udp
N/A      178.237.33.50:80      geoplugin.net                           tcp
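The Processes and Network sections of this detonation together carry the two Remcos tells a responder should pull out first: the hollowed copy of the sample (PID 812) re-launching itself with /stext and a dump path in %TEMP%, which is how Remcos drives its embedded NirSoft recovery tools (the MailPassView and WebBrowserPassView signatures above fire on exactly those children), and the repeated TCP connections to 194.180.49.17:28282 alongside the geoplugin.net lookup. The triage script below is an added example written for this report, not sandbox code. Images, command lines and network rows are copied from the report and the parent links come from its WriteProcessMemory table; the pairing of the five /stext children with PIDs 4424, 3908, 4924, 4788 and 2192 is assumed from listing order (the report does not state it), and "C2 candidate" is this example's own heuristic: a TCP destination on a port other than 80 or 443 contacted at least twice.

```python
"""Triage of the behavioral2 process list and Network table above.

Added example: analyst tooling written for this report, not sandbox code.
Images, command lines and network rows are copied from the report; parent
links come from its WriteProcessMemory table. Assumed, not stated by the
report: the pairing of the five /stext children with PIDs 4424/3908/4924/
4788/2192 (taken from listing order) and the "C2 candidate" heuristic
(TCP destination on a port other than 80/443 contacted at least twice).
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ENC = "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="

# (pid, ppid, image, command line); ppid None for the submitted sample.
EVENTS = [
    (4708, None, SAMPLE, f'"{SAMPLE}"'),
    (3256, 4708, PS, f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC {ENC}'),
    (2124, 4708, SAMPLE, SAMPLE),
    (812, 4708, SAMPLE, SAMPLE),
    (4424, 812, SAMPLE, f'{SAMPLE} /stext "{TMP}\\bidvuqpainqhfenhuhhad"'),
    (3908, 812, SAMPLE, f'{SAMPLE} /stext "{TMP}\\ecinniauevimhsbldstcobxm"'),
    (4924, 812, SAMPLE, f'{SAMPLE} /stext "{TMP}\\oeogotkwsdarsyxpucgvrgrdoirp"'),
    (4788, 812, SAMPLE, f'{SAMPLE} /stext "{TMP}\\oeogotkwsdarsyxpucgvrgrdoirp"'),
    (2192, 812, SAMPLE, f'{SAMPLE} /stext "{TMP}\\oeogotkwsdarsyxpucgvrgrdoirp"'),
]

# Rows of the Network table as printed: country, destination, [domain], proto.
NETWORK = """\
N/A 93.184.221.240:80 tcp
N/A 117.18.237.29:80 tcp
N/A 20.123.141.233:443 tcp
N/A 194.180.49.17:80 194.180.49.17 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 194.180.49.17:28282 tcp
N/A 194.180.49.17:28282 tcp
N/A 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
N/A 194.180.49.17:28282 tcp
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
N/A 194.180.49.17:28282 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 194.180.49.17:28282 tcp
N/A 194.180.49.17:28282 tcp
N/A 8.8.8.8:53 geoplugin.net udp
N/A 178.237.33.50:80 geoplugin.net tcp
""".splitlines()

_STEXT = re.compile(r'/stext\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def find_stext_spawns(events):
    """Copies of the sample spawned by the sample itself with /stext: Remcos running
    its embedded NirSoft recovery tools and writing their output to a file in %TEMP%."""
    image = {pid: img for pid, _, img, _ in events}
    hits = []
    for pid, ppid, img, cmd in events:
        m = _STEXT.search(cmd)
        if m and ppid in image and image[ppid].lower() == img.lower():
            hits.append((pid, ppid, m.group(1) or m.group(2)))
    return hits


def summarize_network(rows):
    """Separate C2 candidates from name lookups and the sandbox's PTR-lookup noise."""
    tcp, ports_by_host, domains, ptr = Counter(), defaultdict(set), Counter(), 0
    for row in rows:
        parts = row.split()
        host, port = parts[1].rsplit(":", 1)
        domain = parts[2] if len(parts) == 4 else None
        if domain and domain.endswith((".in-addr.arpa", ".ip6.arpa")):
            ptr += 1                      # reverse lookups the OS does on its own
            continue
        if domain:
            domains[domain] += 1
        if parts[-1] == "tcp":
            tcp[(host, int(port))] += 1
            ports_by_host[host].add(int(port))
    c2 = sorted((h, p, n) for (h, p), n in tcp.items() if p not in (80, 443) and n >= 2)
    return {"c2_candidates": c2, "domains": dict(domains), "ptr_noise": ptr,
            "other_ports": {h: sorted(ports_by_host[h] - {p}) for h, p, _ in c2}}


def triage(events, rows):
    findings = [f"pid {pid} (parent {ppid}) ran with /stext; harvested credentials written to {dump}"
                for pid, ppid, dump in find_stext_spawns(events)]
    net = summarize_network(rows)
    for host, port, n in net["c2_candidates"]:
        findings.append(f"C2 candidate {host}:{port}, {n} connections; "
                        f"same host also reached on ports {net['other_ports'][host]}")
    if "geoplugin.net" in net["domains"]:
        findings.append("geoplugin.net contacted: external IP/geolocation lookup Remcos is known to make")
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS, NETWORK):
        print(finding)
```

The same host is contacted on port 80 before the 28282 sessions begin, which fits the downloader tag on this sample: the loader fetches from the host first and the RAT then checks in on the non-standard port. The /stext dump paths are what to sweep for on the endpoint; the report lists one of them, C:\Users\Admin\AppData\Local\Temp\bidvuqpainqhfenhuhhad, with its hashes in the Files section.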

Files

memory/4708-132-0x0000000000A50000-0x0000000000A58000-memory.dmp

memory/4708-133-0x0000000006C10000-0x0000000006C32000-memory.dmp

memory/3256-134-0x0000000000000000-mapping.dmp

memory/3256-135-0x00000000050E0000-0x0000000005116000-memory.dmp

memory/3256-136-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/3256-137-0x0000000005FB0000-0x0000000006016000-memory.dmp

memory/3256-138-0x0000000006020000-0x0000000006086000-memory.dmp

memory/3256-139-0x00000000066A0000-0x00000000066BE000-memory.dmp

memory/3256-140-0x0000000007CD0000-0x000000000834A000-memory.dmp

memory/3256-141-0x0000000006B80000-0x0000000006B9A000-memory.dmp

memory/4708-142-0x0000000005E00000-0x0000000005E92000-memory.dmp

memory/4708-143-0x0000000007A10000-0x0000000007FB4000-memory.dmp

memory/2124-144-0x0000000000000000-mapping.dmp

memory/812-145-0x0000000000000000-mapping.dmp

memory/812-146-0x0000000000400000-0x000000000047F000-memory.dmp

memory/812-147-0x0000000000400000-0x000000000047F000-memory.dmp

memory/812-148-0x0000000000400000-0x000000000047F000-memory.dmp

memory/812-149-0x0000000000400000-0x000000000047F000-memory.dmp

memory/812-150-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4424-151-0x0000000000000000-mapping.dmp

memory/3908-152-0x0000000000000000-mapping.dmp

memory/4924-153-0x0000000000000000-mapping.dmp

memory/4788-154-0x0000000000000000-mapping.dmp

memory/2192-155-0x0000000000000000-mapping.dmp

memory/2192-156-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3908-157-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4424-158-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4424-159-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bidvuqpainqhfenhuhhad

MD5 07c14121728256ad56b1ef039a28e4a6
SHA1 0f39e1e02cd5e2b1b22d9e5470757ae13fe96738
SHA256 8d46702077d776b04085cbe5ce2f0e5971595ea4e11b025a215c4379e7fc18f8
SHA512 03d9113095e7b6143c4f99b131462fa451a9c2d7e841461603dace64bd6d525cb63d074384d2b3ff285a7183116f1715138beeb756fced9a6b1ad6fde36d4789

memory/812-161-0x0000000010000000-0x0000000010019000-memory.dmp

memory/812-164-0x0000000010000000-0x0000000010019000-memory.dmp

memory/812-165-0x0000000010000000-0x0000000010019000-memory.dmp

memory/812-166-0x0000000010000000-0x0000000010019000-memory.dmp